
# Review Kernel Extensions

Kernel extensions (often called kexts) are programs that extend the features of the macOS kernel. As such, they run with the highest privilege, which makes them attractive to malware. The tool [KextViewr](https://objective-see.com/products/kextviewr.html), developed by Objective-See, lists all loaded kernel extensions.

## Launching Kext Viewer

To launch KextViewr, first download it from [its official page](https://objective-see.com/products/kextviewr.html). Then extract the program from the archive and double-click it:

![](/files/dBJ9VucNd3Is7bBE53IW)

## Analyzing Results

### 1. Verify Image Signatures

As with the other tools, KextViewr displays the signature status as an icon next to the name: a green closed lock ![](/files/mtxBCxr7hWCCFJ1XHsR5) means the extension is signed by Apple, a black closed lock ![](/files/ikLLlMphzOvihzsePyWL) means the extension is signed by another company, and an orange open lock ![](/files/ECif02DohHwic2vsAlSX) means the extension is not signed.

To view only third-party kernel extensions, uncheck the `Show OS Kexts` checkbox at the bottom of the KextViewr window.

![](/files/VEkuWtNVRglLaubVeXgH)

### 2. Check Program Names and Paths

As in the previous steps, check the kext names and paths. The name should give you an indication of what the kext does; any typo or random string here is suspicious.

For the extension paths, OS Kexts should run from `/System` while non-OS Kexts should run from `/Library`.

### 3. Check VirusTotal Scan Results

KextViewr also checks the file fingerprint on VirusTotal. To the right of each loaded kext, you will see two numbers: first the number of antivirus engines that identified this file as malicious, then the total number of engines that scanned it. A question mark appears if the file is not known to VirusTotal.

You should investigate further any kext identified as malicious by at least one antivirus engine, or not known to VirusTotal at all.
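The three checks above can also be scripted for a machine where you only have a terminal. The following is an added example, not part of the original page or of KextViewr: it parses the output of the `kextstat` command (a constructed sample is embedded so it runs offline), approximates the `Show OS Kexts` filter by the `com.apple.` bundle-ID prefix, applies the page's path rule (`/System` for OS kexts, `/Library` for others), flags random-looking names with a crude heuristic, and computes the SHA-256 fingerprint you would look up on VirusTotal by hand. The bundle IDs, paths and UUIDs in the sample are invented for illustration.

```python
import hashlib
import re
import shutil
import subprocess
from typing import Dict, List, NamedTuple

# Constructed sample in the tabular format printed by `kextstat`.
# None of these entries come from a real machine; the third bundle ID is
# deliberately random-looking to exercise the name heuristic.
SAMPLE_KEXTSTAT = """\
Index Refs Address            Size       Wired      Name (Version) UUID <Linked Against>
    1  120 0xffffff7f80a1c000 0x8000     0x8000     com.apple.kpi.bsd (20.6.0) 1B2C3D4E-0000-4000-8000-000000000001
   25    0 0xffffff7f83a00000 0x10000    0x10000    com.example.usbdriver (3.1.0) 1B2C3D4E-0000-4000-8000-000000000002
   26    0 0xffffff7f83b00000 0x20000    0x20000    com.xk7q2zt9.helper (1.0) 1B2C3D4E-0000-4000-8000-000000000003
"""

# Constructed bundle paths for the sample above (kextstat itself does not print paths).
SAMPLE_PATHS: Dict[str, str] = {
    "com.apple.kpi.bsd": "/System/Library/Extensions/System.kext",
    "com.example.usbdriver": "/Library/Extensions/ExampleUSB.kext",
    "com.xk7q2zt9.helper": "/private/tmp/helper.kext",
}

KEXTSTAT_LINE = re.compile(
    r"^\s*(?P<index>\d+)\s+(?P<refs>\d+)\s+(?P<addr>0x[0-9a-fA-F]+)\s+"
    r"(?P<size>0x[0-9a-fA-F]+)\s+(?P<wired>0x[0-9a-fA-F]+)\s+"
    r"(?P<bundle>\S+)\s+\((?P<version>[^)]*)\)"
)


class Kext(NamedTuple):
    index: int
    bundle_id: str
    version: str


def parse_kextstat(text: str) -> List[Kext]:
    """Parse kextstat's table into Kext records; the header line does not match and is skipped."""
    kexts = []
    for line in text.splitlines():
        m = KEXTSTAT_LINE.match(line)
        if m:
            kexts.append(Kext(int(m["index"]), m["bundle"], m["version"]))
    return kexts


def is_os_kext(bundle_id: str) -> bool:
    """Approximation of KextViewr's 'Show OS Kexts' filter: Apple's bundle-ID prefix."""
    return bundle_id.startswith("com.apple.")


def looks_random(name: str) -> bool:
    """Crude heuristic for the 'random string' names the page flags: few vowels or many digits."""
    letters = [c for c in name if c.isalpha()]
    digits = sum(c.isdigit() for c in name)
    vowels = sum(c in "aeiou" for c in name.lower())
    if not letters:
        return True
    # Short abbreviations such as "bsd" are normal, so the vowel rule needs some length.
    return (len(letters) >= 6 and vowels / len(letters) < 0.2) or digits >= 3


def path_mismatch(bundle_id: str, bundle_path: str) -> bool:
    """Page rule: OS kexts should load from /System, third-party kexts from /Library."""
    expected = "/System/" if is_os_kext(bundle_id) else "/Library/"
    return not bundle_path.startswith(expected)


def sha256_hex(data: bytes) -> str:
    """Fingerprint of a kext executable, for a manual VirusTotal lookup."""
    return hashlib.sha256(data).hexdigest()


def triage(kexts: List[Kext], paths: Dict[str, str]) -> List[str]:
    """Return one review note per kext that needs a closer look (steps 1 to 3 of the page)."""
    notes = []
    for k in kexts:
        reasons = []
        if not is_os_kext(k.bundle_id):
            reasons.append("third-party kext: confirm the signer lock icon in KextViewr")
            if any(looks_random(part) for part in k.bundle_id.split(".")[1:]):
                reasons.append("name looks like a random string")
        path = paths.get(k.bundle_id)
        if path is not None and path_mismatch(k.bundle_id, path):
            reasons.append(f"unexpected load path {path}")
        if reasons:
            notes.append(f"{k.bundle_id} ({k.version}): " + "; ".join(reasons))
    return notes


def load_kextstat() -> str:
    """Use the live `kextstat` output when available, otherwise the constructed sample."""
    if shutil.which("kextstat"):
        return subprocess.run(["kextstat"], capture_output=True, text=True, check=False).stdout
    return SAMPLE_KEXTSTAT


if __name__ == "__main__":
    for note in triage(parse_kextstat(load_kextstat()), SAMPLE_PATHS):
        print(note)
```

On a real host you would replace `SAMPLE_PATHS` with the bundle paths reported by the system for each bundle ID, and feed the kext's executable bytes to `sha256_hex` to compare against what KextViewr shows; the heuristics only prioritise what to look at, they do not replace the signature and VirusTotal checks.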

**Please note:** the same considerations and warnings explained in the [previous section](/mobile-forensics/mac/autoruns.md) apply here too. Make sure to read them before proceeding.
