[macOS] Getting Rid of Crowdstrike

Posted by 西维蜀黍 on 2022-10-10, Last Modified on 2022-11-13
$ ps aux | grep crowdstrike
root               347   0.0  0.2 34322908  33944   ??  Ss    2:13PM   2:29.46 /Library/SystemExtensions/a-b-c-d/com.crowdstrike.falcon.Agent.systemextension/Contents/MacOS/com.crowdstrike.falcon.Agent

$ sudo chmod -R 777 /Library/SystemExtensions/a-b-c-d/com.crowdstrike.falcon.Agent.systemextension
$ l
total 0
drwxr-xr-x@ 3 root  wheel    96B Aug 30 07:17 .
drwxr-xr-x  8 root  wheel   256B Oct 10 22:19 ..
drwxrwxrwx@ 3 root  wheel    96B Feb 15  2022 com.crowdstrike.falcon.Agent.systemextension
$ l
total 0
drwxr-xr-x@ 3 root  wheel    96B Oct 11 11:13 .
drwxr-xr-x  8 root  wheel   256B Oct 10 22:19 ..
drwxrwxrwx@ 3 root  wheel    96B Feb 15  2022 com.crowdstrike.falcon123.Agent.systemextension
$ sudo cp -R /Library/SystemExtensions/a-b-c-d/com.crowdstrike.falcon.Agent.systemextension /Library/SystemExtensions/a-b-c-d/com.crowdstrike.falcon123.Agent.systemextension
$ sudo rm /Library/SystemExtensions/a-b-c-d/com.crowdstrike.falcon.Agent.systemextension/Contents/MacOS/com.crowdstrike.falcon.Agent
$ sudo touch /Library/SystemExtensions/a-b-c-d/com.crowdstrike.falcon.Agent.systemextension/Contents/MacOS/com.crowdstrike.falcon.Agent
$ tree
.
├── com.crowdstrike.falcon.Agent.systemextension
│   └── Contents
│       ├── Info.plist
│       ├── MacOS
│       │   └── com.crowdstrike.falcon.Agent
│       ├── _CodeSignature
│       │   └── CodeResources
│       └── embedded.provisionprofile
└── com.crowdstrike.falcon123.Agent.systemextension
    └── Contents
        ├── Info.plist
        ├── MacOS
        │   └── com.crowdstrike.falcon123.Agent
        ├── _CodeSignature
        │   └── CodeResources
        └── embedded.provisionprofile
8 directories, 8 files

# Reboot
$ ps aux | grep crowdstrike
# If crowdstrike does not appear, it has been disabled successfully

Verifying that sensor components were installed

To verify the Falcon system extension is enabled and activated by the operating system, run the following command in Terminal:

systemextensionsctl list

Amongst the output, you should see something similar to the following line:

* * X9E956P446 com.crowdstrike.falcon.Agent (6.35/148.01) Agent [activated enabled]
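
The check above can be scripted so that a sensor that is missing or not in the [activated enabled] state is flagged on a managed Mac. This is an added example, not part of the original post or of CrowdStrike's documentation; the function name falcon_sysext_state, its exit codes and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: health check for the Falcon system extension (defender side).
# Assumption: each extension is one line holding the bundle ID as its own
# whitespace-separated field plus a "[state]" field, as in the line quoted above.
FALCON_BUNDLE_ID="com.crowdstrike.falcon.Agent"

# Reads `systemextensionsctl list` output on stdin and prints the state.
# Returns 0 = activated enabled, 1 = listed in another state, 2 = not listed.
falcon_sysext_state() {
    state=$(awk -v id="$FALCON_BUNDLE_ID" '
        {
            hit = 0
            for (i = 1; i <= NF; i++) if ($i == id) hit = 1
            a = index($0, "["); b = index($0, "]")
            if (!hit || a == 0 || b <= a) next
            seen = 1
            s = substr($0, a + 1, b - a - 1)
            if (s == "activated enabled") ok = 1
            else other = s
        }
        END {
            if (ok) print "activated enabled"
            else if (seen) print other
            else exit 1
        }') || { echo "not listed"; return 2; }
    echo "$state"
    [ "$state" = "activated enabled" ] || return 1
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_HEALTHY='* * X9E956P446 com.crowdstrike.falcon.Agent (6.35/148.01) Agent [activated enabled]'
SAMPLE_PENDING='  * X9E956P446 com.crowdstrike.falcon.Agent (6.35/148.01) Agent [activated waiting for user]'
SAMPLE_MISSING='* * EXAMPLE123 com.example.vpn.Extension (1.0/1) VPN [activated enabled]'

# On a Mac, check the live host; elsewhere, walk through the samples.
if command -v systemextensionsctl >/dev/null 2>&1; then
    systemextensionsctl list | falcon_sysext_state
    echo "exit status: $?"
else
    for sample in "$SAMPLE_HEALTHY" "$SAMPLE_PENDING" "$SAMPLE_MISSING"; do
        printf '%s\n' "$sample" | falcon_sysext_state
        echo "exit status: $?"
    done
fi
```

The bundle ID is compared as a whole field, so an entry under any other identifier does not satisfy the check.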
