macOS

【macOS】干掉 Crowdstrike

Posted by 西维蜀黍 on 2022-10-10, Last Modified on 2024-08-17 
$ ps aux | grep crowdstrike
root               347   0.0  0.2 34322908  33944   ??  Ss    2:13PM   2:29.46 /Library/SystemExtensions/a-b-c-d/com.crowdstrike.falcon.Agent.systemextension/Contents/MacOS/com.crowdstrike.falcon.Agent

$ sudo chmod -R 777 /Library/SystemExtensions/a-b-c-d/com.crowdstrike.falcon.Agent.systemextension
$ cd /Library/SystemExtensions/a-b-c-d/
$ l
total 0
drwxr-xr-x@ 3 root  wheel    96B Aug 30 07:17 .
drwxr-xr-x  8 root  wheel   256B Oct 10 22:19 ..
drwxrwxrwx@ 3 root  wheel    96B Feb 15  2022 com.crowdstrike.falcon.Agent.systemextension
$ l
total 0
drwxr-xr-x@ 3 root  wheel    96B Oct 11 11:13 .
drwxr-xr-x  8 root  wheel   256B Oct 10 22:19 ..
drwxrwxrwx@ 3 root  wheel    96B Feb 15  2022 com.crowdstrike.falcon123.Agent.systemextension
$ sudo cp -R /Library/SystemExtensions/a-b-c-d/com.crowdstrike.falcon.Agent.systemextension /Library/SystemExtensions/a-b-c-d/com.crowdstrike.falcon123.Agent.systemextension
$ sudo rm /Library/SystemExtensions/a-b-c-d/com.crowdstrike.falcon.Agent.systemextension/Contents/MacOS/com.crowdstrike.falcon.Agent
$ sudo touch /Library/SystemExtensions/a-b-c-d/com.crowdstrike.falcon.Agent.systemextension/Contents/MacOS/com.crowdstrike.falcon.Agent
$ cd /Library/SystemExtensions/a-b-c-d/; tree
.
├── com.crowdstrike.falcon.Agent.systemextension
│   └── Contents
│       ├── Info.plist
│       ├── MacOS
│       │   └── com.crowdstrike.falcon.Agent
│       ├── _CodeSignature
│       │   └── CodeResources
│       └── embedded.provisionprofile
└── com.crowdstrike.falcon123.Agent.systemextension
    └── Contents
        ├── Info.plist
        ├── MacOS
        │   └── com.crowdstrike.falcon123.Agent
        ├── _CodeSignature
        │   └── CodeResources
        └── embedded.provisionprofile
8 directories, 8 files

# 重启
$ ps aux | grep crowdstrike
# 如果没有 crowdstrike,则说明成功disable了

Verifying that sensor components were installed

To verify the Falcon system extension is enabled and activated by the operating system, run the following command in Terminal:

systemextensionsctl list

Amongst the output, you should see something similar to the following line:

* * X9E956P446 com.crowdstrike.falcon.Agent (6.35/148.01) Agent [activated enabled]

Reference

FEATURED TAGS
algorithm algorithmproblem architecturalpattern architecture aws c# cachesystem codis compile concurrentcontrol database dataformat datastructure debug design designpattern distributedsystem django docker domain engineering freebsd git golang grafana hackintosh hadoop hardware hexo http hugo ios iot java javaee javascript kafka kubernetes linux linuxcommand linuxio lock macos markdown microservices mysql nas network networkprogramming nginx node.js npm oop openwrt operatingsystem padavan performance programming prometheus protobuf python redis router security shell software testing spring sql systemdesign truenas ubuntu vmware vpn windows wmware wordpress xml zookeeper
FRIENDS

TOC