outflanknl/edr-internals

EDR Internals

Tools for analyzing EDR agents. For details, see our blog post.

  • ESDump - macOS Endpoint Security client that dumps events to stdout
  • NEDump - macOS content filter provider that dumps socket flow data to stdout
  • attacks/phantom_v1 - A collection of POCs that bypass different Linux syscalls using the Phantom V1 TOCTOU vulnerability
  • dump_ebpf.sh - Linux eBPF program and map enumeration script
  • hook.py - Frida loader with scripts for inspecting key macOS monitoring functions

Usage

  • ESDump and NEDump can be compiled on macOS using CMakeLists.txt or you can download a precompiled release.
    • SIP must be disabled on the host for ESDump to work.
    • The NEDump app bundle must be copied to /Applications/ to work.
  • Any of the phantom_v1 POCs can be compiled on Linux using the Makefile.
  • To use dump_ebpf.sh, bpftool must be installed.
  • The frida Python package is required by hook.py.

Credits

License

GPL-3.0 license