suprhackersteve / crescendo

Crescendo is a swift based, real time event viewer for macOS. It utilizes Apple's Endpoint Security Framework.

License: Other

Swift 98.70% Objective-C 1.16% C++ 0.14%
macos endpointsecurity swift

crescendo's Introduction

Table of Contents

  1. Getting Started
  2. Requirements
  3. Components
  4. Testing and Development
  5. Signing
  6. Building
  7. Issues/Bugs/Features
  8. Troubleshooting
  9. TODO

Crescendo Demo


Getting Started

Apple has introduced new security mechanisms that you need to approve before Crescendo can run.

  1. Ensure that you have moved the app to your /Applications directory, or the system extension will fail to load.

  2. On first run, after clicking the "Start" button, you will be prompted to approve the system extension.

    NOTE: I have noticed that there is an issue where System Preferences won't show an allow button. I assume this is some internal issue Apple needs to work out. Clicking back to System Preferences and navigating forward again seems to fix the issue.

    Sysext Allow

  3. You will need to enable Full Disk Access for the system extension.

    FullDisk


Requirements

Crescendo is only compatible with macOS 10.15.x or later and requires at least Xcode 10.


Components

This project consists of three main components:

  1. A system extension (CrescendoExtension)
  2. A Framework wrapper around the Endpoint Security Framework (Crescendo)
  3. An app for viewing events in a nice little user interface (CrescendoApp)

Testing and Development

It is highly recommended to test this code in a virtual machine with SIP disabled, since with SIP enabled this project requires the endpoint-security entitlement, TCC approval, and proper signing.

  1. Boot into Recovery mode on macOS
  2. Disable SIP and AMFI:

    csrutil disable
    nvram boot-args="amfi_get_out_of_my_way=0x1"

  3. Reboot
  4. Enable developer mode so the extension reloads every time OSSystemExtensionManager.shared.submitRequest is called:

    systemextensionsctl developer on

Signing

If you wish to sign your own application, it is highly recommended to read Apple's documentation on System Extension requirements and Notarization.

Signing and entitlements are a non-trivial exercise.


Building

I have included my .xproj file in this release to get folks started. In the future I will likely move to using the new xcconfig file, as this seems a much saner approach than committing xproj files. If you wish to simply build the example cli application, you can do so with Xcode.

In order to build this application and run it on a production macOS system, you will need the endpoint-security entitlement and a developer certificate from Apple.

The Crescendo framework can easily be bundled with any Swift application. I may move to CocoaPods in the future, but I am unfamiliar with them right now.


Issues/Bugs/Features

Please feel free to raise an issue if you wish to see a feature added or encounter an issue. If you wish to contribute a pull request, please just ensure you run swiftlint over your code before contributing.

I will cut releases for the compiled + signed app and include them in the Releases tab as needed.


Troubleshooting

  • If you are running on a production Mac, you should NOT disable SIP or AMFI. Those instructions are for developers wishing to make code changes.

  • Did you enable the system extension by clicking the "Allow" button in System Preferences -> Security & Privacy? If not, you will not see any events.

  • Did you enable full disk access in System Preferences -> Security & Privacy -> Privacy Tab? If not, you will not see any events.

  • If you encounter any issues, open Console.app and search for crescendo or <your_bundle_id>/com.suprhackersteve as a filter; that should assist you in troubleshooting. It is also a good idea to check CrashReporter to see whether the extension has crashed or exited with fatalError.

  • If you wish to forcefully unload the system extension, there is a menu item named "Unload System Extension" that will unload it. This action may lead to odd side effects; only do it if you know what you are doing.

  • If you have added a process to the blacklist and it is still allowed to execute, remember to check the real full path. Simply using /Applications/Foo.app will not be enough to prevent the execution. Also, many macOS applications are launched via xpcproxy.
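The Console search above turns up the same few failure signatures again and again, and several of them are quoted verbatim in the issue reports further down this page. The script below is an added example, not part of the Crescendo project: it parses a pasted Console export (tab-separated level, timestamp, process, message) together with `systemextensionsctl list` output and turns those signatures into plain-language findings. The es_new_client_result_t names follow Apple's ESTypes.h header and the IOReturn constant follows IOReturn.h; the assumption that `systemextensionsctl list` shows a missing team ID as a blank or "none" column is mine, and the sample input is copied from the issues on this page except where marked constructed.

```python
"""Triage helper for Crescendo / Endpoint Security system-extension trouble.

Added example, not part of the Crescendo project. Parses `systemextensionsctl list`
output and Console.app lines (tab-separated level, timestamp, process, message).
"""
import re
from dataclasses import dataclass

# es_new_client_result_t raw values, in declaration order from <EndpointSecurity/ESTypes.h>.
ES_NEW_CLIENT_RESULT = {
    0: ("ES_NEW_CLIENT_RESULT_SUCCESS", "client created"),
    1: ("ES_NEW_CLIENT_RESULT_ERR_INVALID_ARGUMENT", "bad argument to es_new_client"),
    2: ("ES_NEW_CLIENT_RESULT_ERR_INTERNAL", "internal error, check sysextd/kernel logs"),
    3: ("ES_NEW_CLIENT_RESULT_ERR_NOT_ENTITLED", "binary lacks com.apple.developer.endpoint-security.client"),
    4: ("ES_NEW_CLIENT_RESULT_ERR_NOT_PERMITTED", "no TCC approval: grant Full Disk Access to the extension"),
    5: ("ES_NEW_CLIENT_RESULT_ERR_NOT_PRIVILEGED", "caller is not root"),
    6: ("ES_NEW_CLIENT_RESULT_ERR_TOO_MANY_CLIENTS", "too many ES clients already connected"),
}
KIORETURN_NOT_PERMITTED = 0xE00002E2  # IOReturn.h: iokit_common_err(0x2e2)

LOG_LINE = re.compile(r"^(?P<level>\w+)\t(?P<ts>\S+)\t(?P<proc>\S+)\t(?P<msg>.*)$")
ES_INIT = re.compile(r"es_new_client_result_t\(rawValue: (?P<raw>\d+)\)")
IOKIT_FAIL = re.compile(r"Failed to open service: (?P<code>-?\d+)")
SANDBOX_ES = re.compile(r"System Policy: deny\(\d+\) system-privilege 1016")  # PRIV_ENDPOINTSECURITY_CLIENT
TCC_NULL_BUNDLE = re.compile(r"self\.bundle=0x0, bundle:\(null\); for: (?P<id>\S+)")
STATE = re.compile(r"\[(?P<state>[^\]]+)\]\s*$")


@dataclass
class Finding:
    source: str   # "log" or "sysext"
    subject: str  # logging process, or extension bundle id
    detail: str


def decode_ioreturn(code: int) -> str:
    """Console prints IOReturn codes as signed 32-bit ints; map back to the unsigned constant."""
    unsigned = code & 0xFFFFFFFF
    return "kIOReturnNotPermitted" if unsigned == KIORETURN_NOT_PERMITTED else f"IOReturn 0x{unsigned:08X}"


def triage_log(lines):
    """Return one Finding per log line that explains why no events are showing."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # e.g. continuation lines of a sandbox violation report
        proc, msg = m["proc"], m["msg"]
        es, io, tcc = ES_INIT.search(msg), IOKIT_FAIL.search(msg), TCC_NULL_BUNDLE.search(msg)
        if es:
            raw = int(es["raw"])
            name, hint = ES_NEW_CLIENT_RESULT.get(raw, (f"unknown rawValue {raw}", "see ESTypes.h"))
            findings.append(Finding("log", proc, f"es_new_client -> {name}: {hint}"))
        elif io:
            findings.append(Finding("log", proc, f"IOServiceOpen failed with {decode_ioreturn(int(io['code']))}"))
        elif SANDBOX_ES.search(msg):
            findings.append(Finding("log", proc, "sandbox denied PRIV_ENDPOINTSECURITY_CLIENT (system-privilege 1016); "
                                                 "the report's user-approval kTCCServiceSystemPolicyAllFiles is Full Disk Access"))
        elif tcc:
            findings.append(Finding("log", proc, f"tccd could not resolve a bundle for {tcc['id']}; "
                                                 "check the extension's signing identity and team ID"))
        elif "Failed to register with the provider" in msg:
            findings.append(Finding("log", proc, "app could not reach the extension over XPC; confirm it is [activated enabled]"))
    return findings


def parse_sysext_list(text: str):
    """Parse `systemextensionsctl list`: tab-separated columns under a '--- <category>' header."""
    exts, category = [], None
    for line in text.splitlines():
        if line.startswith("--- "):
            category = line[4:].strip()
            continue
        cols = line.split("\t")
        if category is None or len(cols) < 6 or cols[0] == "enabled":
            continue  # "N extension(s)" count line or the column header
        enabled, active, team, bundle_ver, name, state = cols[:6]
        bundle_id, _, version = bundle_ver.partition(" ")
        st = STATE.search(state)
        exts.append({"category": category, "enabled": enabled.strip() == "*", "active": active.strip() == "*",
                     "team_id": team.strip(), "bundle_id": bundle_id, "version": version.strip("()"),
                     "name": name, "state": st["state"] if st else state.strip()})
    return exts


def triage_sysext(exts):
    """Flag Endpoint Security extensions that are unsigned or not fully activated."""
    findings = []
    for ext in exts:
        if not ext["category"].endswith("endpoint_security"):
            continue
        # sysextd logs a missing team as "teamID none"; assumption: the list column is then blank or "none".
        if ext["team_id"] in ("", "none"):
            findings.append(Finding("sysext", ext["bundle_id"],
                                    "no team ID: a Sign-to-Run-Locally build only loads with SIP and AMFI disabled"))
        if ext["state"] != "activated enabled":
            findings.append(Finding("sysext", ext["bundle_id"], f"state is '{ext['state']}', expected 'activated enabled'"))
    return findings


# Log lines copied from the issue reports on this page.
SAMPLE_LOG = [
    "default\t17:03:16.523751-0500\tCrescendo\tTrying to connect to service: AD94776VX5.com.suprhackersteve.crescendo.CrescendoExtension.xpc",
    "error\t17:03:16.527503-0500\tcom.suprhackersteve.crescendo.CrescendoExtension\tFailed to open service: -536870174",
    "default\t17:03:16.527627-0500\tcom.suprhackersteve.crescendo.CrescendoExtension\tFailed to initialize ES client: es_new_client_result_t(rawValue: 4)",
    "error\t17:03:16.610629-0500\tsandboxd\tSandbox: com.suprhackerst(23096) System Policy: deny(1) system-privilege 1016",
    "Violation:       System Policy: deny(1) system-privilege 1016 ",
    "error\t16:34:06.391530-0700\ttccd\t-[TCCDAccessIdentity initWithMessage:]: self.bundle=0x0, bundle:(null); for: com.suprhackersteve.crescendo.CrescendoExtension",
    "default\t16:34:07.413908-0700\tCrescendo\tFailed to register with the provider: Couldn't communicate with a helper application.",
]
# `systemextensionsctl list` output copied from the "Unload extension after use?" issue.
SAMPLE_SYSEXT = ("1 extension(s)\n--- com.apple.system_extension.endpoint_security\n"
                 "enabled\tactive\tteamID\tbundleID (version)\tname\t[state]\n"
                 "*\t*\tAD94776VX5\tcom.suprhackersteve.crescendo.CrescendoExtension (1.0.4/35)\tCrescendo System Extension\t[activated enabled]\n")

if __name__ == "__main__":
    for f in triage_sysext(parse_sysext_list(SAMPLE_SYSEXT)) + triage_log(SAMPLE_LOG):
        print(f"[{f.source}] {f.subject}: {f.detail}")
```

Run against the "no entries populating?" log the script pairs the IOKit failure (-536870174 is kIOReturnNotPermitted), the es_new_client result 4 (NOT_PERMITTED) and the sandboxd denial of privilege 1016 into one story: the extension loaded but had not been granted Full Disk Access, which is exactly the Getting Started step that is most often missed.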


TODO

  1. Unit tests (need to figure out a reasonable way of running them)
  2. Network events (tracking in this issue)
  3. Better filtering and searching support for event data
  4. Choose a packaging system for framework (Cocoapods, Swift Package Manager, etc)
  5. Try to distribute system extension by itself using the new redistributable entitlement?

crescendo's Issues

Expanded window

When highlighting an event to view details, the app auto expands outside of the screen if the event path is too long and will not collapse to inside the screen.

large icon

The crescendo icon is bigger than all other icons in dock.

no entries populating?

I suspect this is the same issue as #16, but I'm opening a new issue since I've never used Crescendo, can't swear I'm not just holding it wrong, and didn't want to spam the previous now-macless user with notifications.

I did "allow" the system extension and approve the FDE access. The program appears to load clean, but nothing shows up after I click on Start.

I captured the following from Console (filtered to a search for any:suprhackersteve):

default	17:03:10.772943-0500	com.suprhackersteve.crescendo.CrescendoExtension	App disconnected.
default	17:03:10.773333-0500	com.suprhackersteve.crescendo.CrescendoExtension	Crescendo disabled.
default	17:03:13.565418-0500	distnoted	register name: com.apple.sharedfilelist.change object: com.apple.LSSharedFileList.ApplicationRecentDocuments/com.suprhackersteve.crescendo token: f49fe pid: 408
default	17:03:14.661448-0500	distnoted	register name: com.apple.sharedfilelist.change object: com.apple.LSSharedFileList.ApplicationRecentDocuments/com.suprhackersteve.crescendo token: f4a6c pid: 383
default	17:03:14.707180-0500	launchservicesd	CHECKIN:0x0-0x829829 23798 com.suprhackersteve.crescendo
default	17:03:14.771110-0500	distnoted	register name: com.apple.xctest.FakeForceTouchDevice object: com.suprhackersteve.crescendo token: f4268 pid: 23798
default	17:03:14.799288-0500	distnoted	register name: com.apple.nsquiet_safe_quit_give_reason object: com.suprhackersteve.crescendo token: f426e pid: 23798
default	17:03:15.062985-0500	tccd	-[TCCDAccessIdentity staticCode]: static code for: identifier com.suprhackersteve.crescendo, type: 0: 0x7f8e5d51b0d0 at /Applications/Crescendo.app
default	17:03:15.233119-0500	tccd	-[TCCDAccessIdentity staticCode]: static code for: identifier com.suprhackersteve.crescendo, type: 0: 0x7f8e5d40e120 at /Applications/Crescendo.app
default	17:03:16.477370-0500	sysextd	attempting to realize extension with identifier com.suprhackersteve.crescendo.CrescendoExtension
default	17:03:16.523751-0500	Crescendo	Trying to connect to service: AD94776VX5.com.suprhackersteve.crescendo.CrescendoExtension.xpc
default	17:03:16.525305-0500	com.suprhackersteve.crescendo.CrescendoExtension	App client connected.
error	17:03:16.527503-0500	com.suprhackersteve.crescendo.CrescendoExtension	Failed to open service: -536870174
default	17:03:16.527627-0500	com.suprhackersteve.crescendo.CrescendoExtension	Failed to initialize ES client: es_new_client_result_t(rawValue: 4)
default	17:03:16.527699-0500	com.suprhackersteve.crescendo.CrescendoExtension	Enabled Crescendo subsystem.
default	17:03:16.527736-0500	com.suprhackersteve.crescendo.CrescendoExtension	Created esclient.
error	17:03:16.610629-0500	sandboxd	Sandbox: com.suprhackerst(23096) System Policy: deny(1) system-privilege 1016
Violation:       System Policy: deny(1) system-privilege 1016 
Process:         com.suprhackerst [23096]
Path:            /Library/SystemExtensions/AFA5F0E5-7297-456F-A988-1DE006192220/com.suprhackersteve.crescendo.CrescendoExtension.systemextension/Contents/MacOS/com.suprhackersteve.crescendo.CrescendoExtension
Load Address:    0x10a68d000
Identifier:      com.suprhackersteve.crescendo.CrescendoExtension
Version:         35 (1.0.4)
Code Type:       x86_64 (Native)
Parent Process:  launchd [1]
Responsible:     /Library/SystemExtensions/AFA5F0E5-7297-456F-A988-1DE006192220/com.suprhackersteve.crescendo.CrescendoExtension.systemextension/Contents/MacOS/com.suprhackersteve.crescendo.CrescendoExtension
User ID:         0

Date/Time:       2020-08-02 17:03:16.554 CDT
OS Version:      Mac OS X 10.15.5 (19F101)
Report Version:  8


MetaData: {"primary-filter":"privilege-id","target":1016,"profile-flags":0,"apple-internal":false,"platform-policy":true,"team-id":"AD94776VX5","pid":23096,"flags":1029,"platform-binary":false,"user-approval":"kTCCServiceSystemPolicyAllFiles","build":"Mac OS X 10.15.5 (19F101)","process":"com.suprhackerst","profile":"platform","responsible-process-user-uuid":"FFFFEEEE-DDDD-CCCC-BBBB-AAAA00000000","hardware":"Mac","operation":"system-privilege","uid":0,"responsible-process-path":"\/Library\/SystemExtensions\/AFA5F0E5-7297-456F-A988-1DE006192220\/com.suprhackersteve.crescendo.CrescendoExtension.systemextension\/Contents\/MacOS\/com.suprhackersteve.crescendo.CrescendoExtension","errno":1,"process-path":"\/Library\/SystemExtensions\/AFA5F0E5-7297-456F-A988-1DE006192220\/com.suprhackersteve.crescendo.CrescendoExtension.systemextension\/Contents\/MacOS\/com.suprhackersteve.crescendo.CrescendoExtension","primary-filter-value":1016,"signing-id":"com.suprhackersteve.crescendo.CrescendoExtension","action":"deny","privilege-id":"PRIV_ENDPOINTSECURITY_CLIENT","summary":"deny(1) system-privilege 1016","platform_binary":"no","responsible-process-uid":0}

Thread 0 (id: 3453705):
0   libsystem_kernel.dylib        	0x00007fff6d107502 __sigsuspend_nocancel + 10
1   libdispatch.dylib             	0x00007fff6cf77476 _dispatch_sigsuspend + 0

Thread 1 (id: 3463850):
0   libsystem_kernel.dylib        	0x00007fff6d1034ce __workq_kernreturn + 10
1   libsystem_pthread.dylib       	0x00007fff6d1c0b77 start_wqthread + 15

Thread 2 (id: 3464271):
0   libsystem_kernel.dylib        	0x00007fff6d101dfa mach_msg_trap + 10
1   IOKit                         	0x00007fff35ed1472 io_service_open_extended + 137
2   IOKit                         	0x00007fff35ed13d8 IOServiceOpen + 39
3   libEndpointSecurity.dylib     	0x00007fff69ad4b6e es_new_client + 416
4   com.suprhackersteve.crescendo.CrescendoExtension	0x000000010a695e78
5   com.suprhackersteve.crescendo.CrescendoExtension	0x000000010a697e01
6   com.suprhackersteve.crescendo.CrescendoExtension	0x000000010a6960fe
7   libdispatch.dylib             	0x00007fff6cf67658 _dispatch_client_callout + 8
8   libdispatch.dylib             	0x00007fff6cf736ec _dispatch_lane_barrier_sync_invoke_and_complete + 60
9   com.suprhackersteve.crescendo.CrescendoExtension	0x000000010a695d82
10  com.suprhackersteve.crescendo.CrescendoExtension	0x000000010a698147
11  com.suprhackersteve.crescendo.CrescendoExtension	0x000000010a68ffc6
12  com.suprhackersteve.crescendo.CrescendoExtension	0x000000010a68f9d7
13  Foundation                    	0x00007fff35875413 __NSXPCCONNECTION_IS_CALLING_OUT_TO_EXPORTED_OBJECT_S1__ + 10
14  Foundation                    	0x00007fff357ff8de -[NSXPCConnection _decodeAndInvokeMessageWithEvent:flags:] + 2363
15  Foundation                    	0x00007fff357b6a49 message_handler + 210
16  libxpc.dylib                  	0x00007fff6d2052bc _xpc_connection_call_event_handler + 56
17  libxpc.dylib                  	0x00007fff6d2041cb _xpc_connection_mach_event + 934
18  libdispatch.dylib             	0x00007fff6cf676f8 _dispatch_client_callout4 + 9
19  libdispatch.dylib             	0x00007fff6cf7cbc9 _dispatch_mach_msg_invoke + 435
20  libdispatch.dylib             	0x00007fff6cf6caf6 _dispatch_lane_serial_drain + 263
21  libdispatch.dylib             	0x00007fff6cf7d71c _dispatch_mach_invoke + 481
22  libdispatch.dylib             	0x00007fff6cf6caf6 _dispatch_lane_serial_drain + 263
23  libdispatch.dylib             	0x00007fff6cf6d609 _dispatch_lane_invoke + 414
24  libdispatch.dylib             	0x00007fff6cf76c09 _dispatch_workloop_worker_thread + 596
25  libsystem_pthread.dylib       	0x00007fff6d1c1a3d _pthread_wqthread + 290
26  libsystem_pthread.dylib       	0x00007fff6d1c0b77 start_wqthread + 15

Binary Images:
       0x10a68d000 -        0x10a69afff  com.suprhackersteve.crescendo.CrescendoExtension (1.0.4 - 35) <dec7cffa-8c18-3618-a3f4-4df4da7d0d05> /Library/SystemExtensions/AFA5F0E5-7297-456F-A988-1DE006192220/com.suprhackersteve.crescendo.CrescendoExtension.systemextension/Contents/MacOS/com.suprhackersteve.crescendo.CrescendoExtension
    0x7fff35795000 -     0x7fff35b5afff  com.apple.Foundation (6.9 - 1676.105) <1fa28bab-7296-3a09-8e1e-e62a7d233db8> /System/Library/Frameworks/Foundation.framework/Versions/C/Foundation
    0x7fff35ece000 -     0x7fff35f72ff3  com.apple.framework.IOKit (2.0.2) <a0f54725-036f-3279-a46e-c2abdbfd479b> /System/Library/Frameworks/IOKit.framework/Versions/A/IOKit
    0x7fff69ad3000 -     0x7fff69ae1ffb  libEndpointSecurity.dylib (63.120.3) <be3a6f29-a0f1-3250-94f6-283b97a2b7de> /usr/lib/libEndpointSecurity.dylib
    0x7fff6cf65000 -     0x7fff6cfa5ff0  libdispatch.dylib (1173.100.2) <201edbf3-0b36-31ba-a7cb-443ce35c05d4> /usr/lib/system/libdispatch.dylib
    0x7fff6d101000 -     0x7fff6d12dff7  libsystem_kernel.dylib (6153.121.2) <9f9902c9-a46f-3ca9-b7f9-5ccfe98fbf75> /usr/lib/system/libsystem_kernel.dylib
    0x7fff6d1bf000 -     0x7fff6d1c9fff  libsystem_pthread.dylib (416.100.3) <77488669-19a3-3993-ad65-ca5377e2475a> /usr/lib/system/libsystem_pthread.dylib
    0x7fff6d1f8000 -     0x7fff6d22dffe  libxpc.dylib (1738.120.8) <68d433b6-dcff-385d-8620-f847fb7d4a5a> /usr/lib/system/libxpc.dylib

Uninstall

How to uninstall? Remove manually to Trash?
com.superhacker.crescendo.CrescendoExtension
com.superhacker.crescendo.CrescendoRxtension.systemextension
This operation can't be completed because you don't have permission to access some of the items?

"Move to Applications folder" actually copies, not moves

If Crescendo is not in the Applications folder on first run, it throws up this dialog:
image

I was running it from my downloads folder, so I clicked "Move to Applications Folder."

It did create a copy in my Applications folder, but the original (in Downloads) remained. I quit the app, thinking maybe it couldn't delete itself while it was running, but it still remained.

If this is the intended behavior, then the dialog box should be worded differently. Perhaps, "Copy to Applications Folder?"

If this is not the intended behavior, then it's a bug that needs fixing.

Events not populating after running Crescendo in developer mode in VM Catalina 10.15.7

This post is divided in 5 sections:

  1. High Level Idea
  2. Problem
  3. Questions
  4. Setup: What I did to run the project
  5. Logs: Useful logs to help debug the Problem

High Level Idea

I'm trying to add support for File Open Events ES_EVENT_TYPE_NOTIFY_OPEN, but before I make any changes I wanted to run the default "git cloned" version of Crescendo, but it isn't loading any events.

Problem

After doing the Setup listed below, I try to run the Crescendo App locally for development. The thing is, when I click the "Start" button a spinner shows for a second and then it stops, and there are no events loading at all. After debugging and investigating for a while I came across 2 errors related to the TCC daemon in the Console.app logs.

error	16:34:06.391530-0700	tccd	-[TCCDAccessIdentity initWithMessage:]: self.bundle=0x0, bundle:(null); for: com.suprhackersteve.crescendo.CrescendoExtension
error	16:34:06.394319-0700	tccd	-[TCCDAccessIdentity initWithMessage:]: self.bundle=0x0, bundle:(null); for: com.suprhackersteve.crescendo.CrescendoExtension

(Complete logs listed below in "Logs" section)

First thing I notice on top of my mind is that bundle is null. Second thing I notice in the Console.app's UI is that the category is of type access. As seen here:
image

I had no idea what TCC even meant, so after a quick investigation:

TCC (Transparency, Consent, and Control) is a mechanism in macOS to limit and control application access to certain features, usually from a privacy perspective. Source

AFAIK it's what MacOS uses to give applications access to certain features "Full Disk Access" being one of those features. I decided to dig further into this and dumped the access table from TCC database.

TCC Access Table Dump
image
but to my surprise only the weather App is registered there.

So this brings me to my first conclusion:

  1. For some reason access is not being given to Crescendo System Extension and/or for Crescendo Application and somehow this is causing it to fail.

And my second conclusion is:

By reading the Console.app log I also encountered the following line:

default	16:34:07.413908-0700	Crescendo	Failed to register with the provider: Couldn’t communicate with a helper application.

To my understanding this means that the Crescendo Application is unable to communicate with the Crescendo System Extension so it can't communicate via IPC so there's no way in which the Application can get the System Events and in consequence can't show them in the UI.

My second conclusion is that:

  2. A signing/account-related error? Since I'm using a free brand-new Personal Apple Developer Account, this might be preventing me from running the System Extension locally and it somehow creates all those errors that I'm seeing.

Question

  1. Has anyone come across this issue and has any feedback on how I could approach it?

I've tried to find information online about this but it seems to me there's not a lot of information available online yet, so any pointers to docs or resources would be amazing!

Thanks for your time!

Setup

I created an ISO of Catalina 10.15.7. Booted into recovery mode and disabled SIP and AMFI using the following commands:

csrutil disable
nvram boot-args="amfi_get_out_of_my_way=0x1"

After the reboot I also turned on developer mode just as the README.md stated:

systemextensionsctl developer on

I enabled the System Extension by clicking "Allow" button in System Preferences -> Security & Privacy.

Full Disk Access for both the System Extension and The Application (I added the Application manually)
image

I also changed the project Build Settings for Crescendo App, Crescendo Extension and libCrescendo to "Sign to Run Locally" so that it could run locally; I was thrown a lot of errors if I didn't do this (I'm new to macOS dev, this might be wrong).
image

Logs

The following is the log from every time I click the "Start" button:
Console.app Log

default	16:34:04.627684-0700	runningboardd	Acquiring assertion targeting executable<Crescendo(501)> from originator [daemon<com.apple.coreservices.launchservicesd>:121] with description <RBSAssertionDescriptor; frontmost:3626; ID: 227-121-547; target: 3626> attributes = {
    <RBSDomainAttribute: 0x7f99a2f221c0; domain: com.apple.launchservicesd; name: RoleUserInteractiveFocal; sourceEnvironment: 0x0>;
}
default	16:34:04.627820-0700	runningboardd	Assertion 227-121-547 (target:executable<Crescendo(501)>) will be created as active
default	16:34:04.642024-0700	runningboardd	[executable<Crescendo(501)>:3626] Ignoring jetsam update because this process is not memory-managed
default	16:34:04.643547-0700	runningboardd	[executable<Crescendo(501)>:3626] Set darwin role to: UserInteractiveFocal
default	16:34:04.646393-0700	runningboardd	[executable<Crescendo(501)>:3626] Ignoring GPU update because this process is not GPU managed
default	16:34:04.647804-0700	runningboardd	Finished acquiring assertion 227-121-547 (target:executable<Crescendo(501)>)
default	16:34:06.314364-0700	sysextd	attempting to realize extension with identifier com.suprhackersteve.crescendo.CrescendoExtension
default	16:34:06.319736-0700	Crescendo	Replacing extension com.suprhackersteve.crescendo.CrescendoExtension version 1.0.4 with version 1.0.4
default	16:34:06.319951-0700	sysextd	attempting to realize properties with identifier com.suprhackersteve.crescendo.CrescendoExtension
default	16:34:06.326344-0700	sysextd	staging extension with identifier com.suprhackersteve.crescendo.CrescendoExtension
default	16:34:06.336467-0700	sysextd	Making activation decision for extension with teamID none, identifier com.suprhackersteve.crescendo.CrescendoExtension
default	16:34:06.336572-0700	sysextd	validating extension with identifier com.suprhackersteve.crescendo.CrescendoExtension
default	16:34:06.367588-0700	sysextd	waiting for external validation of extension with identifier com.suprhackersteve.crescendo.CrescendoExtension
error	16:34:06.391530-0700	tccd	-[TCCDAccessIdentity initWithMessage:]: self.bundle=0x0, bundle:(null); for: com.suprhackersteve.crescendo.CrescendoExtension
error	16:34:06.394319-0700	tccd	-[TCCDAccessIdentity initWithMessage:]: self.bundle=0x0, bundle:(null); for: com.suprhackersteve.crescendo.CrescendoExtension
default	16:34:06.397275-0700	sysextd	Upgrading extension com.suprhackersteve.crescendo.CrescendoExtension/none version 35 (activated_enabled) to version 35
default	16:34:06.398542-0700	sysextd	Starting upgrade of com.suprhackersteve.crescendo.CrescendoExtension/none version 35
default	16:34:06.398593-0700	sysextd	Notifying delegates about replacement of com.suprhackersteve.crescendo.CrescendoExtension
default	16:34:06.399451-0700	sysextd	Starting disable of com.suprhackersteve.crescendo.CrescendoExtension/none version 35 for upgrade, state: activated_enabled
default	16:34:06.400932-0700	sysextd	notifying categories that extension com.suprhackersteve.crescendo.CrescendoExtension will terminate
default	16:34:06.401247-0700	sysextd	terminating extension com.suprhackersteve.crescendo.CrescendoExtension via owning category
default	16:34:07.404159-0700	sysextd	marked extension for uninstall on next reboot: com.suprhackersteve.crescendo.CrescendoExtension
default	16:34:07.406008-0700	sysextd	Extension com.suprhackersteve.crescendo.CrescendoExtension/none version 35 uninstalled
default	16:34:07.406047-0700	sysextd	Starting enablement of com.suprhackersteve.crescendo.CrescendoExtension/none version 35
default	16:34:07.407946-0700	sysextd	notifying categories that extension com.suprhackersteve.crescendo.CrescendoExtension will start
default	16:34:07.408274-0700	sysextd	starting extension com.suprhackersteve.crescendo.CrescendoExtension via owning category
default	16:34:07.411782-0700	sysextd	Extension point confirmed that extension com.suprhackersteve.crescendo.CrescendoExtension is runnable.
default	16:34:07.411823-0700	sysextd	changing state of extension com.suprhackersteve.crescendo.CrescendoExtension to activated_enabled.
default	16:34:07.413510-0700	Crescendo	Trying to connect to service: AD94776VX5.com.suprhackersteve.crescendo.CrescendoExtension.xpc
default	16:34:07.413908-0700	Crescendo	Failed to register with the provider: Couldn’t communicate with a helper application.
default	16:34:07.425595-0700	com.suprhackersteve.crescendo.CrescendoExtension	Init Crescendo system extension
default	16:34:07.429502-0700	com.suprhackersteve.crescendo.CrescendoExtension	Enabled Crescendo subsystem.
default	16:34:07.434137-0700	com.suprhackersteve.crescendo.CrescendoExtension	Starting XPC listener for mach service.
default	16:34:07.909442-0700	runningboardd	Invalidating assertion 227-121-547 (target:executable<Crescendo(501)>) from originator 121
default	16:34:08.018090-0700	runningboardd	[executable<Crescendo(501)>:3626] Ignoring jetsam update because this process is not memory-managed
default	16:34:08.018141-0700	runningboardd	[executable<Crescendo(501)>:3626] Set darwin role to: UserInteractiveNonFocal
default	16:34:08.018161-0700	runningboardd	[executable<Crescendo(501)>:3626] Ignoring GPU update because this process is not GPU managed

Running systemextensionsctl list
image

ISTM that there is an entitlement missing

{ID: com.suprhackersteve.crescendo, PID[76089], auid: 501, euid: 501, binary path: '/Applications/Utilities/Crescendo.app/Contents/MacOS/Crescendo'} attempted to call TCCAccessRequest without the com.apple.private.tcc.manager.check-by-audit-token entitlement

Apple silicon (M1) support

"In order to build this application and run it on a production macOS system, you will need the endpoint-security entitlement and a developer certificate from Apple."

...which is a blocking issue for many users. 😢 Any chance of an ARM64 release ?

Unload extension after use?

Thanks for creating this! It's been incredibly useful for tracking down a few rogue processes on my Mac.

One question: is there any way to unload the Crescendo Extension after it's been activated? (short of a full system restart)

I tried a few systemextensionsctl commands but nothing worked.

$ systemextensionsctl list
1 extension(s)
--- com.apple.system_extension.endpoint_security
enabled	active	teamID	bundleID (version)	name	[state]
*	*	AD94776VX5	com.suprhackersteve.crescendo.CrescendoExtension (1.0.4/35)	Crescendo System Extension	[activated enabled]

$ systemextensionsctl reset
At this time, this tool cannot be used if System Integrity Protection is enabled.
This limitation will be removed in the near future.
Please remember to re-enable System Integrity Protection!

$ systemextensionsctl uninstall com.suprhackersteve.crescendo.CrescendoExtension
At this time, this tool cannot be used if System Integrity Protection is enabled.
This limitation will be removed in the near future.
Please remember to re-enable System Integrity Protection!

High CPU Usage by System Extension even when main app is not open

During a round of App Store updates today, the installd process pegged a cpu core (expected, sadly), but the com.superhackersteve extension also started taking up ~40% of one core (unexpected!). I assume this is due to a high volume of installd/EndpointSecurity events being generated; it was certainly surprising when the app wasn't open, however.

Is there any way to unload the extension when the app isn't open? Thanks!

Additional human readable timestamp column for visual grouping

Having the Timestamp column is nice, but there are times when a more human readable localized timestamp would also be useful (i.e., 2020-03-21 (20:41:34)). Could you please implement this column as well just beside the timestamp for more convenient referencing?

The reason that this becomes helpful is that if we're looking at a large number of matched items it is associatively hard to see the time differential with the current format since one cannot readily discern what events occur minutes or hours apart without very close examination.

Network events missing

Crescendo does not currently capture network and DNS events. This data should be added via a Network Extension.

Sorting is not working

I'm trying to sort the columns but nothing happens. For example ascending or descending PIDs.

No events shown

When I click on the start button, nothing happens except the circular progress bar that's spinning. No events are shown, even after waiting for half an hour.
I've moved the app to the Applications folder and also allowed the kernel extension. It doesn't have a CPU load either.

Running on 10.15.3
