System extensions in macOS

How to work with system extensions in macOS? How, for example, can you find out which system extension was installed last? How do I remove it?


1. I double-clicked a shell (*.sh) script; the script had been downloaded from the Internet and did not have execute permission (chmod +x).

2. As a result, the script, as expected, opened in Xcode (Xcode had never been launched before).

3. But before the script opened, there was a message that "something" had been blocked, with the standard offer to go to "System Settings" -> "Security & Privacy" and click "Allow".

4. After clicking "Allow", a password was requested, and after I entered it the system reported that a reboot was required to install the SYSTEM EXTENSION. After restarting, the MacBook rebooted twice, and it is absolutely unclear what was installed. How do I find and remove it now?


What was that, anyway? After all, the script probably did not run; it just opened for editing. So what is this system extension? And, most importantly, how do you even find out what was installed?


In the "System Preferences" -> "Extensions" section, nothing new has appeared.


The "systemextensionsctl list" command produces: 0 extension(s)


In the directories /System/Library/Extensions/ and /Library/Extensions/ there are no kexts with a modification date matching when this extension was installed (all of them carry the macOS installation date; there are none newer).


Maybe it's the shell: did the interpreter add something on first launch? Or Xcode (also on first launch)?


But the main thing is: how do you find out what has been installed in such cases? And how do you remove it? And how do you work with system extensions in general?


Please enlighten.


The script was a regular script from the uupdump site for building an ISO image of a Windows 11 Insider Preview for the ARM64 architecture (not AMD64!) for use in a virtual machine on a MacBook with an M1 processor (regular Windows distribution ISOs do not work with an M1 chip).


P.S.

OS: macOS Monterey 12.0.1

MacBook with M1 Pro chip

MacBook Pro 14″, macOS 12.0

Posted on Nov 20, 2021 7:04 AM


4 replies

Nov 20, 2021 8:21 AM in response to iBubenok

You can use the "systemextensionsctl" tool in the terminal to perform some operations on System Extensions. It might be tricky to find out which was installed last. You don't want to go digging into those directories unless you know precisely what you are looking for.


For example, you asked about "System extensions", so I told you about the low-level tool for managing them. But then you are referencing some of the old directories that were sometimes used for Kernel extensions. I realize that Apple isn't helping here by calling everything "System extensions" but that's just what Apple does. They try to simplify things for the end user. But you are clearly going deeper than that. Don't try that without knowing those details.


There are a few different tools for inspecting Kernel extensions. You can find a few of them with "ls /usr/sbin/kext*"


As I re-read your post, I'm not sure what you are asking anymore. At first, I thought you were asking about system extensions and how they are different from kernel extensions. Now it looks like you've simply installed some kind of low-level malware, perhaps. It's hard to say. My interest in the topic stems from an app I wrote that will report all of these low-level system modifications. So I thought I could be of some assistance. But alas, it looks like you might actually need to run my app instead. Unfortunately, the Apple Support Communities Use Agreement forbids me from posting a link to my own product.


Just what was that "script" you tried to run? Where did you get it? What was the system extension that you allowed? I see you mentioned the site. When I go there, I see the following, "This project is not affiliated with Microsoft Corporation." I strongly recommend you do not download or install any software from that site. Just a few minutes ago I posted a private post about a supposedly reputable web site that was illegally hosting my own app and displaying a fake virus scan to users. People simply don't understand how much of the internet is just a lawless, unreliable environment.

Nov 20, 2021 5:22 PM in response to iBubenok

I will add:


Command output

sudo kextstat -l | grep -v com.apple


Executing: /usr/bin/kmutil showloaded --list-only
No variant specified, falling back to release
  238    0 0xfffffe0006f08660 0x4000     0x4000     com.samsung.portablessd.driverX (2.0.0) B0C78137-9AF5-30A1-8F8E-BFC8FA127735 <64 5 4 3 1>

com.samsung.portablessd.driverX is an external SSD driver.


Does this mean that there are no third-party system extensions installed on the system?


Does this mean I have nothing to worry about?


Then what kind of system extension could I have installed?
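The kextstat/kmutil output above is the kind of listing a defender wants to filter automatically. The script below is an added example and not part of the thread: it parses that output format to keep only non-Apple bundle identifiers (run offline on a constructed sample), and, when invoked with --live on a Mac, also lists user-space system extensions, the newest files in the extension directories, and the kext approval database behind the "Allow" button (the KextPolicy path and table name are assumed from macOS forensics practice, not from the thread).

```shell
#!/bin/sh
# Added example, not from the thread: enumerate third-party extensions on
# macOS. The parser works offline on the constructed sample below; the live
# checks run only when the macOS tools are present.

# Constructed sample in the layout of `kmutil showloaded --list-only`
# (the Samsung line is the one from the thread; the other two are made up).
SAMPLE_KMUTIL='Executing: /usr/bin/kmutil showloaded --list-only
No variant specified, falling back to release
  Index Refs Address            Size       Wired      Name (Version) UUID <Linked Against>
    1    0 0xfffffe0007000000 0x4000     0x4000     com.apple.kpi.bsd (21.1.0) 00000000-0000-0000-0000-000000000000 <>
  238    0 0xfffffe0006f08660 0x4000     0x4000     com.samsung.portablessd.driverX (2.0.0) B0C78137-9AF5-30A1-8F8E-BFC8FA127735 <64 5 4 3 1>
  240    0 0xfffffe0006f10000 0x8000     0x8000     com.example.unknown.kext (1.0) 11111111-2222-3333-4444-555555555555 <64 5 4 3 1>'

# Read kmutil/kextstat output on stdin and print "bundle-id (version)" for
# every loaded kext whose identifier is not under com.apple. Data rows start
# with a numeric index, which skips the banner and header lines.
third_party_kexts() {
  awk '$1 ~ /^[0-9]+$/ && $6 !~ /^com\.apple\./ { print $6, $7 }'
}

# Newest entries in the directories where kexts and system extensions live,
# so anything added after the OS install date stands out.
newest_extensions() {
  for d in /Library/Extensions /Library/SystemExtensions /System/Library/Extensions; do
    [ -d "$d" ] || continue
    echo "== $d (newest first)"
    ls -lt "$d" | head -n 6
  done
}

# Live audit (macOS only): user-space system extensions, loaded third-party
# kexts, recent files, and the approval database consulted by the "Allow"
# button (assumed path/table; readable only as root).
audit_live_system() {
  if command -v systemextensionsctl >/dev/null; then systemextensionsctl list; fi
  if command -v kmutil >/dev/null; then
    kmutil showloaded --list-only 2>/dev/null | third_party_kexts
  fi
  newest_extensions
  db=/var/db/SystemPolicyConfiguration/KextPolicy
  if [ -r "$db" ] && command -v sqlite3 >/dev/null; then
    sqlite3 "$db" 'select team_id, bundle_id, allowed from kext_policy'
  fi
}

echo "Third-party kexts in the sample output:"
printf '%s\n' "$SAMPLE_KMUTIL" | third_party_kexts
if [ "${1:-}" = "--live" ]; then audit_live_system; fi
```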


Nov 20, 2021 5:24 PM in response to etresoft

Here is the text of the script, after which the system extension was installed:

#!/bin/bash
#Generated on 2021-11-20 12:59:58 GMT

# Proxy configuration
# If you need to configure a proxy to be able to connect to the internet,
# then you can do this by configuring the all_proxy environment variable.
# By default this variable is empty, configuring aria2c to not use any proxy.
#
# Usage: export all_proxy="proxy_address"
# For example: export all_proxy="127.0.0.1:8888"
#
# More information how to use this can be found at:
# https://aria2.github.io/manual/en/html/aria2c.html#cmdoption-all-proxy
# https://aria2.github.io/manual/en/html/aria2c.html#environment

export all_proxy=""

# End of proxy configuration

# genisoimage and mkisofs are alternatives, so only their absence together is
# an error; the braces keep that pair separate from the other checks.
if ! which aria2c >/dev/null \
|| ! which cabextract >/dev/null \
|| ! which wimlib-imagex >/dev/null \
|| ! which chntpw >/dev/null \
|| { ! which genisoimage >/dev/null \
&& ! which mkisofs >/dev/null; }; then
  echo "One of required applications is not installed."
  echo "The following applications need to be installed to use this script:"
  echo " - aria2c"
  echo " - cabextract"
  echo " - wimlib-imagex"
  echo " - chntpw"
  echo " - genisoimage or mkisofs"
  echo ""
  if [ `uname` == "Linux" ]; then
    # Linux
    echo "If you use Debian or Ubuntu you can install these using:"
    echo "sudo apt-get install aria2 cabextract wimtools chntpw genisoimage"
    echo ""
    echo "If you use Arch Linux you can install these using:"
    echo "sudo pacman -S aria2 cabextract wimlib chntpw cdrtools"
  elif [ `uname` == "Darwin" ]; then
    # macOS
    echo "macOS requires Homebrew (https://brew.sh) to install the prerequisite software."
    echo "If you use Homebrew, you can install these using:"
    echo "brew tap sidneys/homebrew"
    echo "brew install aria2 cabextract wimlib cdrtools sidneys/homebrew/chntpw"
  fi
  exit 1
fi

destDir="UUPs"
tempScript="aria2_script.$RANDOM.txt"

# Fetch the download list (an aria2 input file) for the selected build.
echo "Retrieving aria2 script..."
aria2c --no-conf --log-level=info --log="aria2_download.log" -o"$tempScript" --allow-overwrite=true --auto-file-renaming=false "https://uupdump.net/get.php?id=65b6f583-d9c4-4ef2-8259-7ca0d63c263b&pack=ru-ru&edition=professional&aria2=2"
if [ $? != 0 ]; then
  echo "Failed to retrieve aria2 script"
  exit 1
fi

# The server embeds any error as a "#UUPDUMP_ERROR:" comment in the list.
detectedError=`grep '#UUPDUMP_ERROR:' "$tempScript" | sed 's/#UUPDUMP_ERROR://g'`
if [ ! -z "$detectedError" ]; then
    echo "Unable to retrieve data from Windows Update servers. Reason: $detectedError"
    echo "If this problem persists, most likely the set you are attempting to download was removed from Windows Update servers."
    exit 1
fi

echo ""
echo "Attempting to download files..."
aria2c --no-conf --log-level=info --log="aria2_download.log" -x16 -s16 -j5 -c -R -d"$destDir" -i"$tempScript"
if [ $? != 0 ]; then
  echo "We have encountered an error while downloading files."
  exit 1
fi

echo ""
# Hand the downloaded UUP files to the converter that builds the ISO.
if [ -e ./files/convert.sh ]; then
  chmod +x ./files/convert.sh
  ./files/convert.sh wim "$destDir" 0
fi

Nov 20, 2021 6:02 PM in response to iBubenok

I don't think you have anything to worry about, but I can't really say. I don't know why that would need a Samsung portable SSD kernel extension. I'm just really suspicious of sites like this. In theory, they claim to offer download scripts that download the legitimate installers directly from legitimate sources. There are similar things for Apple and other tools.


But this is a big infrastructure that relies on scripts that are far beyond the abilities of most of their users to really understand what is going on. It would be easy for the authors of those scripts to silently change the URL or the data served by a URL into something malicious. Granted, this kind of thing doesn't happen often. And when it does happen, it's usually big news, at least in the hacker/admin communities.


For example, I remember hearing about one of these recently. I dug around for a couple of minutes on the MacAdmins Slack channel and finally found it: https://www.rapid7.com/blog/post/2021/11/05/new-npm-library-hijacks-coa-and-rc/. There have been a few recent issues with the npm system. On the whole, npm is far more legitimate than this site you are using.


If you are really tuned into these hacker communities and you haven't heard about any recent hacks from the sources you are using, then you are probably fine.


On a higher level, you have an M1 Mac. Why do you want to run Windows on it? If you want to run Windows, get an Intel Mac or use any of the far more legitimate ways to run Windows, either locally or remotely. They are all quick, easy, and inexpensive. You are literally trying the most challenging way to run Windows in the most difficult environment possible. Why do that?
