v0.9.5. RC: allow kernel traffic, process args in UI, gray listing im…

…proved

-traffic originated from the kernel (pid 0), allowed
  ...this fixes issues with SMB, etc.

-alert window now shows process args

-added more items to graylist (e.g. perl5)

-uninstaller invokes kextcache to rebuild kernel cache

-other UI tweaks/improvements

configure/Configure/Configure.m

@@ -338,7 +338,6 @@ -(BOOL)install
 
         //save result
         wasInstalled = (BOOL)(result.intValue == 0);
-
     };
 
     //install

configure/Configure/ConfigureWindowController.m

@@ -226,7 +226,7 @@ -(void)lifeCycleEvent:(NSInteger)event
         status = YES;
 
         //for install
-        // wait until kext cache rebuild is done
+        // wait until enum'ing of installed apps is done
         if(ACTION_INSTALL_FLAG == event)
         {
             //nap
@@ -259,34 +259,35 @@ -(void)lifeCycleEvent:(NSInteger)event
 
             //dbg msg
             logMsg(LOG_DEBUG, [NSString stringWithFormat:@"'%@' completed", SYSTEM_PROFILER]);
+        }
+
+        //update status msg
+        dispatch_async(dispatch_get_main_queue(),
+        ^{
+            //set status msg
+            [self.statusMsg setStringValue:@"Rebuilding kernel cache\n\t\t ...please wait!"];
+        });
+
+        //for both install and uninstall
+        //wait until 'kextcache' has exited
+        while(YES)
+        {
+            //dbg msg
+            logMsg(LOG_DEBUG, [NSString stringWithFormat:@"waiting for '%@' to complete", KEXT_CACHE]);
 
-            //update status msg
-            dispatch_async(dispatch_get_main_queue(),
-            ^{
-                //set status msg
-                [self.statusMsg setStringValue:@"Rebuilding kernel cache\n\t\t ...please wait!"];
-            });
+            //nap
+            [NSThread sleepForTimeInterval:1.0];
 
-            //wait until 'kextcache' has exited
-            while(YES)
+            //exit'd?
+            if(0 == [getProcessIDs(KEXT_CACHE, -1) count])
             {
-                //dbg msg
-                logMsg(LOG_DEBUG, [NSString stringWithFormat:@"waiting for '%@' to complete", KEXT_CACHE]);
-
-                //nap
-                [NSThread sleepForTimeInterval:1.0];
-
-                //exit'd?
-                if(0 == [getProcessIDs(KEXT_CACHE, -1) count])
-                {
-                    //bye
-                    break;
-                }
+                //bye
+                break;
             }
-
-            //dbg msg
-            logMsg(LOG_DEBUG, [NSString stringWithFormat:@"'%@' completed", KEXT_CACHE]);
         }
+
+        //dbg msg
+        logMsg(LOG_DEBUG, [NSString stringWithFormat:@"'%@' completed", KEXT_CACHE]);
     }
 
     //error occurred

configure/Configure/ErrorWindowController.m

@@ -88,7 +88,7 @@ -(void)display
     dispatch_after(dispatch_time(DISPATCH_TIME_NOW, 100 * NSEC_PER_MSEC), dispatch_get_main_queue(), ^{
 
         //make close button active
-        [self.window makeFirstResponder:closeButton];
+        [self.window makeFirstResponder:self.closeButton];
 
     });
 

configure/Configure/Script/configure.sh

@@ -120,6 +120,9 @@ elif [ "${1}" == "-uninstall" ]; then
 
     echo "kext removed"
 
+    #rebuild cache, full path
+    /usr/sbin/kextcache -invalidate / &
+
     echo "uninstall complete"
     exit 0
 fi

configure/Configure/main.m

@@ -77,7 +77,8 @@ int main(int argc, char *argv[])
         goto bail;
     }
 
-    //kick main app logic
+    //default run mode
+    // just kick off main app logic
     status = NSApplicationMain(argc,  (const char **) argv);
 
 bail:
@@ -150,8 +151,6 @@ BOOL cmdlineInterface(int action)
                 break;
             }
         }
-
-
     }
 
     //happy

configure/configure.xcodeproj/project.pbxproj

@@ -312,7 +312,7 @@
 		29B97313FDCFA39411CA2CEA /* Project object */ = {
 			isa = PBXProject;
 			attributes = {
-				LastUpgradeCheck = 0920;
+				LastUpgradeCheck = 0930;
 				TargetAttributes = {
 					4BE4905C10445E0A006BE471 = {
 						DevelopmentTeam = VBG97UB4TA;
@@ -541,6 +541,7 @@
 				CLANG_WARN_IMPLICIT_SIGN_CONVERSION = YES;
 				CLANG_WARN_INFINITE_RECURSION = YES;
 				CLANG_WARN_OBJC_IMPLICIT_ATOMIC_PROPERTIES = YES;
+				CLANG_WARN_OBJC_IMPLICIT_RETAIN_SELF = YES;
 				CLANG_WARN_RANGE_LOOP_ANALYSIS = YES;
 				CLANG_WARN_STRICT_PROTOTYPES = YES;
 				CLANG_WARN_SUSPICIOUS_IMPLICIT_CONVERSION = YES;
@@ -592,6 +593,7 @@
 				CLANG_WARN_IMPLICIT_SIGN_CONVERSION = YES;
 				CLANG_WARN_INFINITE_RECURSION = YES;
 				CLANG_WARN_OBJC_IMPLICIT_ATOMIC_PROPERTIES = YES;
+				CLANG_WARN_OBJC_IMPLICIT_RETAIN_SELF = YES;
 				CLANG_WARN_RANGE_LOOP_ANALYSIS = YES;
 				CLANG_WARN_STRICT_PROTOTYPES = YES;
 				CLANG_WARN_SUSPICIOUS_IMPLICIT_CONVERSION = YES;

configure/configure.xcodeproj/xcshareddata/xcschemes/configure.xcscheme

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <Scheme
-   LastUpgradeVersion = "0920"
+   LastUpgradeVersion = "0930"
    version = "1.3">
    <BuildAction
       parallelizeBuildables = "NO"
@@ -82,7 +82,6 @@
       buildConfiguration = "Debug"
       selectedDebuggerIdentifier = "Xcode.DebuggerFoundation.Debugger.LLDB"
       selectedLauncherIdentifier = "Xcode.DebuggerFoundation.Launcher.LLDB"
-      language = ""
       shouldUseLaunchSchemeArgsEnv = "YES">
       <Testables>
       </Testables>
@@ -102,7 +101,6 @@
       buildConfiguration = "Debug"
       selectedDebuggerIdentifier = "Xcode.DebuggerFoundation.Debugger.LLDB"
       selectedLauncherIdentifier = "Xcode.DebuggerFoundation.Launcher.LLDB"
-      language = ""
       launchStyle = "0"
       useCustomWorkingDirectory = "NO"
       ignoresPersistentStateOnLaunch = "NO"

kernelExtension/kernelExtension.xcodeproj/project.pbxproj

@@ -138,7 +138,7 @@
 		7D5208E81E41C23900832F57 /* Project object */ = {
 			isa = PBXProject;
 			attributes = {
-				LastUpgradeCheck = 0900;
+				LastUpgradeCheck = 0930;
 				ORGANIZATIONNAME = "Objective-See";
 				TargetAttributes = {
 					7D5208F01E41C23900832F57 = {
@@ -204,13 +204,15 @@
 				CLANG_WARN_BOOL_CONVERSION = YES;
 				CLANG_WARN_COMMA = YES;
 				CLANG_WARN_CONSTANT_CONVERSION = YES;
+				CLANG_WARN_DEPRECATED_OBJC_IMPLEMENTATIONS = YES;
 				CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR;
 				CLANG_WARN_DOCUMENTATION_COMMENTS = YES;
 				CLANG_WARN_EMPTY_BODY = YES;
 				CLANG_WARN_ENUM_CONVERSION = YES;
 				CLANG_WARN_INFINITE_RECURSION = YES;
 				CLANG_WARN_INT_CONVERSION = YES;
 				CLANG_WARN_NON_LITERAL_NULL_CONVERSION = YES;
+				CLANG_WARN_OBJC_IMPLICIT_RETAIN_SELF = YES;
 				CLANG_WARN_OBJC_LITERAL_CONVERSION = YES;
 				CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR;
 				CLANG_WARN_RANGE_LOOP_ANALYSIS = YES;
@@ -258,13 +260,15 @@
 				CLANG_WARN_BOOL_CONVERSION = YES;
 				CLANG_WARN_COMMA = YES;
 				CLANG_WARN_CONSTANT_CONVERSION = YES;
+				CLANG_WARN_DEPRECATED_OBJC_IMPLEMENTATIONS = YES;
 				CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR;
 				CLANG_WARN_DOCUMENTATION_COMMENTS = YES;
 				CLANG_WARN_EMPTY_BODY = YES;
 				CLANG_WARN_ENUM_CONVERSION = YES;
 				CLANG_WARN_INFINITE_RECURSION = YES;
 				CLANG_WARN_INT_CONVERSION = YES;
 				CLANG_WARN_NON_LITERAL_NULL_CONVERSION = YES;
+				CLANG_WARN_OBJC_IMPLICIT_RETAIN_SELF = YES;
 				CLANG_WARN_OBJC_LITERAL_CONVERSION = YES;
 				CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR;
 				CLANG_WARN_RANGE_LOOP_ANALYSIS = YES;

kernelExtension/kernelExtension/socketEvents.cpp

@@ -680,6 +680,10 @@ static kern_return_t data_out(void *cookie, socket_t so, const struct sockaddr *
     // socket we're watching?
     if(NULL == cookie)
     {
+        //ignore
+        // but no errors
+        result = kIOReturnSuccess;
+
         //bail
         goto bail;
     }
@@ -722,6 +726,10 @@ static kern_return_t connect_out(void *cookie, socket_t so, const struct sockadd
     // socket we're watching?
     if(NULL == cookie)
     {
+        //ignore
+        // but no errors
+        result = kIOReturnSuccess;
+
         //bail
         goto bail;
     }

launchDaemon/launchDaemon.xcodeproj/project.pbxproj

@@ -270,7 +270,7 @@
 		7D7755C81F02DF9400D0017D /* Project object */ = {
 			isa = PBXProject;
 			attributes = {
-				LastUpgradeCheck = 0900;
+				LastUpgradeCheck = 0930;
 				ORGANIZATIONNAME = "Objective-See";
 				TargetAttributes = {
 					7D7755CF1F02DF9500D0017D = {
@@ -367,13 +367,15 @@
 				CLANG_WARN_BOOL_CONVERSION = YES;
 				CLANG_WARN_COMMA = YES;
 				CLANG_WARN_CONSTANT_CONVERSION = YES;
+				CLANG_WARN_DEPRECATED_OBJC_IMPLEMENTATIONS = YES;
 				CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR;
 				CLANG_WARN_DOCUMENTATION_COMMENTS = YES;
 				CLANG_WARN_EMPTY_BODY = YES;
 				CLANG_WARN_ENUM_CONVERSION = YES;
 				CLANG_WARN_INFINITE_RECURSION = YES;
 				CLANG_WARN_INT_CONVERSION = YES;
 				CLANG_WARN_NON_LITERAL_NULL_CONVERSION = YES;
+				CLANG_WARN_OBJC_IMPLICIT_RETAIN_SELF = YES;
 				CLANG_WARN_OBJC_LITERAL_CONVERSION = YES;
 				CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR;
 				CLANG_WARN_RANGE_LOOP_ANALYSIS = YES;
@@ -420,13 +422,15 @@
 				CLANG_WARN_BOOL_CONVERSION = YES;
 				CLANG_WARN_COMMA = YES;
 				CLANG_WARN_CONSTANT_CONVERSION = YES;
+				CLANG_WARN_DEPRECATED_OBJC_IMPLEMENTATIONS = YES;
 				CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR;
 				CLANG_WARN_DOCUMENTATION_COMMENTS = YES;
 				CLANG_WARN_EMPTY_BODY = YES;
 				CLANG_WARN_ENUM_CONVERSION = YES;
 				CLANG_WARN_INFINITE_RECURSION = YES;
 				CLANG_WARN_INT_CONVERSION = YES;
 				CLANG_WARN_NON_LITERAL_NULL_CONVERSION = YES;
+				CLANG_WARN_OBJC_IMPLICIT_RETAIN_SELF = YES;
 				CLANG_WARN_OBJC_LITERAL_CONVERSION = YES;
 				CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR;
 				CLANG_WARN_RANGE_LOOP_ANALYSIS = YES;

launchDaemon/launchDaemon/Alerts.m

@@ -75,6 +75,13 @@ -(NSMutableDictionary*)create:(struct networkOutEvent_s*)event process:(Process*
     //add pid
     alert[ALERT_PID] = [NSNumber numberWithUnsignedInt:event->pid];
 
+    //add args
+    if(0 != process.arguments.count)
+    {
+        //add
+        alert[ALERT_ARGS] = process.arguments;
+    }
+
     //add path
     alert[ALERT_PATH] = process.path;
 

launchDaemon/launchDaemon/GrayList.m

@@ -20,7 +20,10 @@
     @"com.apple.curl",
     @"com.apple.ruby",
     @"com.apple.perl",
+    @"com.apple.perl5",
     @"com.apple.python",
+    @"com.apple.python2",
+    @"com.apple.pythonw",
     @"com.apple.openssh",
     @"com.apple.osascript"
 };
@@ -64,6 +67,9 @@ -(BOOL)isGrayListed:(Process*)process
     //process signing info
     NSDictionary* signingInfo = nil;
 
+    //dbg info
+    logMsg(LOG_DEBUG, [NSString stringWithFormat:@"checking if %@ is graylisted (signing info: %@)", process.path, process.binary.signingInfo]);
+
     //has to be apple
     if(YES != process.binary.isApple)
     {

launchDaemon/launchDaemon/KextListener.m

@@ -544,7 +544,7 @@ -(void)processNetworkOut:(struct networkOutEvent_s*)event
     logMsg(LOG_DEBUG, [NSString stringWithFormat:@"no (saved) rule found for %@ (%d)", process.binary.name, process.pid]);
 
     //if it's an apple process and that preference is set; allow!
-    // unless the binary is something like `curl` which malware could abuse (still alert!)
+    // unless the binary is something like 'curl' which malware could abuse (still alert!)
     if( (YES == [preferences.preferences[PREF_ALLOW_APPLE] boolValue]) &&
         (YES == process.binary.isApple))
     {
@@ -873,67 +873,4 @@ -(Process*)findProcess:(pid_t)pid
     return process;
 }
 
-//create an alert object
-// note: can treat sockaddr_in and sockaddr_in6 as 'same same' for family, port, etc
--(NSMutableDictionary*)createAlert:(struct networkOutEvent_s*)event process:(Process*)process
-{
-    //event for alert
-    NSMutableDictionary* alertInfo = nil;
-
-    //remote ip address
-    NSString* remoteAddress = nil;
-
-    //remote host name
-    NSString* remoteHost = nil;
-
-    //alloc
-    alertInfo = [NSMutableDictionary dictionary];
-
-    //covert IP address to string
-    remoteAddress = convertSocketAddr((struct sockaddr*)&(event->remoteAddress));
-
-    //add pid
-    alertInfo[ALERT_PID] = [NSNumber numberWithUnsignedInt:event->pid];
-
-    //add path
-    alertInfo[ALERT_PATH] = process.path;
-
-    //add (remote) ip
-    alertInfo[ALERT_IPADDR] = convertSocketAddr((struct sockaddr*)&(event->remoteAddress));
-
-    //try get host name from DNS cache
-    // since it's based on recv'ing data from kernel, try for a bit...
-    for(int i=0; i<5; i++)
-    {
-        //try grab host name
-        remoteHost = self.dnsCache[alertInfo[ALERT_IPADDR]];
-        if(nil != remoteHost)
-        {
-            //add
-            alertInfo[ALERT_HOSTNAME] = remoteHost;
-
-            //done
-            break;
-        }
-
-        //nap
-        [NSThread sleepForTimeInterval:0.10f];
-    }
-
-    //add (remote) port
-    alertInfo[ALERT_PORT] = [NSNumber numberWithUnsignedShort:ntohs(event->remoteAddress.sin6_port)];
-
-    //add protocol (socket type)
-    alertInfo[ALERT_PROTOCOL] = [NSNumber numberWithInt:event->socketType];
-
-    //add signing info
-    if(nil != process.binary.signingInfo)
-    {
-        //add
-        alertInfo[ALERT_SIGNINGINFO] = process.binary.signingInfo;
-    }
-
-    return alertInfo;
-}
-
 @end

launchDaemon/launchDaemon/ProcListener.h

@@ -34,5 +34,4 @@
 //setup/start process monitoring
 -(void)monitor;
 
-
 @end