KextViewr

View all modules that are loaded in the OS kernel.
Modules that are loaded into the kernel are called kernel extensions, or 'kexts'. They run at the OS's highest privilege level, ring-0. KextViewr displays all loaded kexts, along with their signing status, full path, VirusTotal detection ratios, and more!
compatibility: OS X 10.8 (lion)+
current version: 1.1.0 (change log)
zip's sha-1: 71fa27b36a2d64e298dd4e1e36dbdc926ae7f0ef


KextViewr is a utility with a simple goal: display all currently loaded kexts. While Apple's command-line tool 'kextstat' can provide similar information, it is (IMHO) somewhat lacking. For example, it does not provide file paths for loaded kernel extensions, or whether or not the kext is signed. KextViewr, on the other hand, provides a myriad of information about each loaded kext, including:
  • Full File Path
    displays the full path to the kext's on-disk file image

  • Signing Status
    shows whether the kext is signed or unsigned, and if signed, by whom.

  • VirusTotal Integration
    provides invaluable information about persistent files and can automatically detect known malware

To use KextViewr, first download the zip archive containing the application. Depending on your browser, you may need to manually unzip the application by double-clicking on the zipped archive:


To run the application and view all loaded kernel extensions, simply double-click 'KextViewr.app'. KextViewr will query the OS to display all loaded kernel extensions. By design, all kexts, including those signed by Apple, are displayed. However, the display can be filtered (as described below).

Each row in the table contains a variety of information about a single loaded kernel extension. First, an icon indicates whether the kext belongs to Apple, is 3rd-party (but still signed), or is unsigned. Following this, the kext's name, bundle id and full path are displayed, and then various informational and actionable buttons. These buttons provide the item's VirusTotal (anti-virus) scan results, general information about the file, and the ability to view the item in Finder.


For each kernel extension, KextViewr automatically queries VirusTotal with a hash of the binary in order to retrieve any information. While VirusTotal is being queried, this button displays '■ ■ ■'. Once the query is complete, the title of the button is automatically updated with either the detection ratio, or a '?' if the binary is not known to VirusTotal.


With the query complete, the button can be clicked to reveal a popup containing VirusTotal-specific information about the file. If the file is unknown, clicking the 'submit?' button will submit the file for analysis. Known files contain a link to the full analysis report and a 'rescan?' button that will rescan the file. If known malware is detected, both the kext's name and VirusTotal button will be highlighted in red.
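The VirusTotal step described above, as an added example (not KextViewr's own code): hash the kext's executable the way a hash-based lookup requires, and turn a VirusTotal file report into the button label and red/not-red state. The report documents are constructed samples shaped like the VirusTotal v2 file/report answer (response_code, positives, total, permalink); that shape, and the assumption that KextViewr uses that API, are not stated on the page. The live lookup runs only when a VT_API_KEY environment variable (an assumed name) is set, and it sends only the hash, never the binary.

```python
"""Hash a kext and interpret a VirusTotal file report (added example, not KextViewr code)."""
import hashlib
import json
import os
import urllib.parse
import urllib.request

# Assumption: the v2 file/report endpoint; KextViewr's actual API usage is not on the page.
VT_REPORT_URL = "https://www.virustotal.com/vtapi/v2/file/report"


def kext_hash(data):
    """SHA-256 over the kext's executable bytes (VT also accepts MD5/SHA-1)."""
    return hashlib.sha256(data).hexdigest()


def hash_file(path, chunk=1 << 20):
    """Stream a kext executable from disk so large binaries are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def button_label(report):
    """'?' when VT has never seen the file, otherwise the 'positives/total' ratio."""
    if report.get("response_code") != 1:
        return "?"
    return f"{report['positives']}/{report['total']}"


def is_flagged(report):
    """True when at least one engine detected the file (name + button turn red)."""
    return report.get("response_code") == 1 and report.get("positives", 0) > 0


def query_virustotal(sha256, api_key, opener=urllib.request.urlopen):
    """Live hash lookup; only the hash leaves the machine, not the kext itself."""
    params = urllib.parse.urlencode({"apikey": api_key, "resource": sha256})
    with opener(f"{VT_REPORT_URL}?{params}") as resp:
        return json.loads(resp.read().decode())


# Constructed sample reports (not real VirusTotal data).
SAMPLE_KNOWN_CLEAN = {"response_code": 1, "positives": 0, "total": 57,
                      "permalink": "https://www.virustotal.com/file/<constructed>/analysis/"}
SAMPLE_KNOWN_MALWARE = {"response_code": 1, "positives": 12, "total": 57,
                        "permalink": "https://www.virustotal.com/file/<constructed>/analysis/"}
SAMPLE_UNKNOWN = {"response_code": 0,
                  "verbose_msg": "The requested resource is not among the finished, queued or pending scans"}


def summarize(report):
    """What the row would show: label, flagged state, and the report link if known."""
    return {"label": button_label(report),
            "flagged": is_flagged(report),
            "permalink": report.get("permalink")}


if __name__ == "__main__":
    for name, rep in (("clean", SAMPLE_KNOWN_CLEAN),
                      ("malware", SAMPLE_KNOWN_MALWARE),
                      ("unknown", SAMPLE_UNKNOWN)):
        print(name, summarize(rep))
    key = os.environ.get("VT_API_KEY")  # assumed variable name
    if key:
        digest = kext_hash(b"constructed kext bytes")
        print(summarize(query_virustotal(digest, key)))
```

The unknown case matters for triage: a '?' means VirusTotal has no record of that binary, which for a kernel extension is itself worth a second look, since legitimate drivers are usually widely distributed and therefore already known.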

The 'info' button will display detailed information about the item, including its hash, size, timing information, and signed status:


Clicking on the final button ('show') in the item's row will show the item in a Finder window.

The displayed kernel extensions can be filtered using the 'Filter Kexts' search box, found at the top right corner of the app. Simply begin typing to filter all kexts based on their names, paths, etc. For example, typing 'BSD' will show only kexts that contain 'BSD' in their name or path. KextViewr also contains special 'hash-tag' filters that can filter kexts based on concepts such as 'all non-Apple (3rd-party) kexts' or 'all unsigned kexts'.


The list of currently supported 'hash-tag' filters is:
  • #apple
    only display kexts that belong to the OS (e.g. signed solely by Apple proper)

  • #nonapple
    only display 3rd-party (non-OS) kexts

  • #signed
    only display signed kexts

  • #unsigned
    only display unsigned kexts

  • #flagged
    only display kexts flagged by VirusTotal
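The enumeration and filtering described above (the per-kext information in the feature list and the hash-tag filters just listed), as an added example that is not KextViewr's own code. It parses the classic `kextstat -l` column layout, attaches the path, signing result and VirusTotal verdict that a real implementation would collect per bundle id (here constructed stand-ins, since kextstat itself reports no path or signature), and applies the five hash-tag filters plus the free-text name/path match. The rule "Apple proper means the leaf signing authority is Apple's own 'Software Signing' certificate, any other valid signature is a signed 3rd-party kext" is an assumption made here, not something the page states; the JSON export mirrors the 'save as JSON' button.

```python
"""Parse kextstat output and apply KextViewr-style filters (added example, not KextViewr code)."""
import json
import re

# Constructed sample of `kextstat -l` output in the classic column layout:
# Index Refs Address Size Wired Name (Version) <Linked Against>
SAMPLE_KEXTSTAT = """\
    1   87 0xffffff7f80a2f000 0x8d90     0x8d90     com.apple.kpi.bsd (13.4.0)
   20    0 0xffffff7f80c31000 0x3000     0x3000     com.apple.driver.AppleHWAccess (1) <7 4 3>
   35    0 0xffffff7f81e42000 0x17000    0x17000    com.example.vendor.FooDriver (2.1.3) <20 7 5 4 3 1>
   36    0 0xffffff7f82a10000 0x9000     0x9000     com.shady.Hider (1.0) <7 5 4 3 1>
"""

# Constructed stand-ins for data kextstat does not give you: on-disk path,
# the signing result (as codesign -dv would report it) and the VT verdict.
SAMPLE_METADATA = {
    "com.apple.kpi.bsd": {
        "path": "/System/Library/Extensions/System.kext/PlugIns/BSDKernel.kext",
        "signed": True, "authority": "Software Signing", "vt_positives": 0},
    "com.apple.driver.AppleHWAccess": {
        "path": "/System/Library/Extensions/AppleHWAccess.kext",
        "signed": True, "authority": "Software Signing", "vt_positives": 0},
    "com.example.vendor.FooDriver": {
        "path": "/Library/Extensions/FooDriver.kext",
        "signed": True, "authority": "Developer ID Application: Example Vendor (CONSTRUCTED)",
        "vt_positives": 0},
    "com.shady.Hider": {
        "path": "/Users/Shared/.hidden/Hider.kext",
        "signed": False, "authority": None, "vt_positives": 12},
}

KEXTSTAT_LINE = re.compile(
    r"^\s*(?P<index>\d+)\s+(?P<refs>\d+)\s+(?P<address>0x[0-9a-fA-F]+)\s+"
    r"(?P<size>0x[0-9a-fA-F]+)\s+(?P<wired>0x[0-9a-fA-F]+)\s+"
    r"(?P<name>\S+)\s+\((?P<version>[^)]*)\)(?:\s+<(?P<linked>[^>]*)>)?\s*$")


def parse_kextstat(text):
    """Turn kextstat -l output into dicts; the header line and blanks are skipped."""
    kexts = []
    for line in text.splitlines():
        m = KEXTSTAT_LINE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["index"], d["refs"] = int(d["index"]), int(d["refs"])
        d["size"], d["wired"] = int(d["size"], 16), int(d["wired"], 16)
        d["linked"] = [int(x) for x in d["linked"].split()] if d["linked"] else []
        kexts.append(d)
    return kexts


def enrich(kext, metadata):
    """Attach path/signing/VT info and classify the signer.
    Assumption: 'apple' == signed with Apple's own 'Software Signing' leaf cert."""
    meta = metadata.get(kext["name"], {})
    kext["path"] = meta.get("path")
    kext["signed"] = bool(meta.get("signed"))
    kext["authority"] = meta.get("authority")
    kext["apple"] = kext["signed"] and kext["authority"] == "Software Signing"
    kext["vt_positives"] = meta.get("vt_positives")
    kext["flagged"] = bool(kext["vt_positives"])
    return kext


HASHTAGS = {
    "#apple": lambda k: k["apple"],
    "#nonapple": lambda k: not k["apple"],
    "#signed": lambda k: k["signed"],
    "#unsigned": lambda k: not k["signed"],
    "#flagged": lambda k: k["flagged"],
}


def filter_kexts(kexts, query):
    """A #hash-tag filter, or a case-insensitive substring match on name and path."""
    q = query.strip().lower()
    if q in HASHTAGS:
        return [k for k in kexts if HASHTAGS[q](k)]
    return [k for k in kexts
            if q in k["name"].lower() or (k["path"] and q in k["path"].lower())]


def load(text=SAMPLE_KEXTSTAT, metadata=SAMPLE_METADATA):
    """Full pipeline: parse, then enrich every loaded kext."""
    return [enrich(k, metadata) for k in parse_kextstat(text)]


def to_json(kexts):
    """Mirror the 'save results as JSON' export."""
    return json.dumps(kexts, indent=2, sort_keys=True)


if __name__ == "__main__":
    loaded = load()
    for tag in HASHTAGS:
        print(tag, [k["name"] for k in filter_kexts(loaded, tag)])
    print(to_json(filter_kexts(loaded, "#flagged")))
```

For a defender the two filters that earn their keep are '#nonapple' and '#unsigned': on a stock system the first list is short and every entry should be a driver you recognise, and the second should be empty.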

At the bottom of KextViewr's window are several buttons. The first, when clicked, will refresh or reload the list of loaded kexts. The second will save KextViewr's results as JSON. On the right-hand side, unchecking 'Show OS Kexts' will hide all Apple-signed kernel extensions, leaving only 3rd-party ones visible:



Limitations
As with any security tool, it is important to understand the tool's limitations. In order to get information about loaded kernel extensions, one must possess the com.apple.private.kernel.get-kext-info entitlement. Since it is not possible for 3rd-party applications to obtain this entitlement, KextViewr simply makes use of the OS X utility kextstat, which has the required entitlement:
$ codesign --display --entitlements - /usr/sbin/kextstat
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
   <dict>
      <key>com.apple.private.kernel.get-kext-info</key>
      <true/>
   </dict>
</plist>

Since KextViewr leverages the capabilities of kextstat, if a kernel extension is not shown by (or is actively hiding from) kextstat, such a kext will also not be shown by KextViewr. In other words, don't expect KextViewr to reveal the presence of advanced OS X rootkit kexts!


FAQs
Q: Why does KextViewr access the network?
A: In order to detect known malware, KextViewr is integrated with the online malware detection service VirusTotal. Specifically, hashes of kexts that are enumerated by KextViewr are automatically and securely sent to VirusTotal to determine if they are associated with known malware. A user can also manually resubmit or rescan a file, which will generate outgoing connections to VirusTotal as well. VirusTotal is the only network endpoint that KextViewr talks to; it has no other networking logic.