Execute a user program from kernel mode
In OS X there is an API called KUNC (Kernel-User Notification Center). This API is used by the kernel (typically a kext) when it wants to display notifications to users or launch a userland command.
There is a function, KUNCExecute(), which does this.
Its prototype can be found in xnu-xxxx.xx.x/osfmk/UserNotification/KUNCUserNotifications.h (available here) and looks like this.
#define kOpenApplicationPath 0
#define kOpenPreferencePanel 1
#define kOpenApplication 2

#define kOpenAppAsRoot 0
#define kOpenAppAsConsoleUser 1

kern_return_t KUNCExecute(char *executionPath, int openAsUser, int pathExecutionType);
The function is really simple; here is a brief description of the 3 parameters:
executionPath: Path to the program to execute.
openAsUser: Flag which takes the value kOpenAppAsConsoleUser to execute the program with the rights of the logged-in user, or kOpenAppAsRoot to execute the program as root.
pathExecutionType: Flag which specifies the type of application to execute, one of the 3 values defined at the beginning:
kOpenApplicationPath: Absolute path to a binary
kOpenPreferencePanel: Name of a Preference Pane in /System/Library/PreferencePanes
kOpenApplication: Name of an application in /Applications.
For example, if we wished to launch a backdoor located in /tmp, we'd do:
KUNCExecute("/tmp/backdoor", kOpenAppAsRoot, kOpenApplicationPath);