Re: How to get current process executable from KEXT?
- Subject: Re: How to get current process executable from KEXT?
- From: Shantonu Sen <email@hidden>
- Date: Mon, 1 Feb 2010 03:58:35 -0800
Why does the full path help you? What additional verification are you planning on doing? If the malware does system("/bin/mv /malware/utility /usr/bin/utility") and re-execs itself, how will you detect that case?
Shantonu
Sent from my MacBook
On Feb 1, 2010, at 3:03 AM, Jakub Bednar wrote:
> Hi list,
>
> can anyone please help me figure out how to get the executable path of the current process from within a KEXT?
>
> The Mac OS X Internals book points to the p_textvp field of struct proc, but this is not a public API. I have also found a post that says that this field is not even set by the exec system calls.
>
> I have tried proc_selfname(), but it returns only the name, without the full path. Internally it returns the p_comm[] field of struct proc.
>
> I have checked how the user-space lsof utility does its job, and it uses the proc_pidbsdinfo() call. This call returns the p_name[] field of struct proc as the name of the executable with the full path. However, proc_pidbsdinfo() is not in the Kernel.framework headers, so it probably can't be used in a KEXT.
>
> Can anyone help me to solve this? I really need to distinguish between e.g. /usr/bin/utility and /malware/utility.
>
> Thanks a lot,
>
> Jakub
>
> _______________________________________________
> Do not post admin requests to the list. They will be ignored.
> Darwin-dev mailing list (email@hidden)
> Help/Unsubscribe/Update your Subscription:
>
> This email sent to email@hidden
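The mv-and-re-exec scenario from Shantonu's reply, played out as an added example that is not code from the thread or from either poster. It is plain user-space POSIX C and touches no kernel API: it builds a throwaway directory tree, pins a policy to the legitimate binary, performs the equivalent of system("/bin/mv /malware/utility /usr/bin/utility"), and then asks two policies what they would decide at exec time. The file names, the file contents standing in for the two binaries, and the use of FNV-1a as a stand-in for a real code-signature or content check are all assumptions made for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed sample "binaries": distinct byte strings standing in for a
 * legitimate /usr/bin/utility and a planted /malware/utility. */
static const char LEGIT_BYTES[]   = "#!/bin/sh\necho legitimate utility\n";
static const char MALWARE_BYTES[] = "#!/bin/sh\necho malware utility\n";

/* 64-bit FNV-1a over a file's contents; 0 if the file cannot be read.
 * Assumption: stands in for the code-signature/CDHash check a real policy
 * would use to identify the bytes that actually execute. */
static uint64_t fnv1a_file(const char *path)
{
    FILE *f = fopen(path, "rb");
    if (!f) return 0;
    uint64_t h = 1469598103934665603ULL;
    int c;
    while ((c = fgetc(f)) != EOF) {
        h ^= (uint64_t)(unsigned char)c;
        h *= 1099511628211ULL;
    }
    fclose(f);
    return h;
}

/* Policy 1: identity by path, which is what the original question asks for. */
static int path_policy_allows(const char *exec_path, const char *trusted_path)
{
    return strcmp(exec_path, trusted_path) == 0;
}

/* Policy 2: identity by content, independent of where the file sits. */
static int hash_policy_allows(const char *exec_path, uint64_t trusted_hash)
{
    uint64_t h = fnv1a_file(exec_path);
    return h != 0 && h == trusted_hash;
}

static int write_file(const char *path, const char *bytes)
{
    FILE *f = fopen(path, "wb");
    if (!f) return -1;
    size_t n = strlen(bytes);
    int ok = fwrite(bytes, 1, n, f) == n;
    return (fclose(f) == 0 && ok) ? 0 : -1;
}

/* Runs the attack and packs the four verdicts into one int:
 *   bit 3: path policy before the mv   bit 2: hash policy before the mv
 *   bit 1: path policy after the mv    bit 0: hash policy after the mv
 * Returns -1 if the scratch tree could not be set up. */
int mv_attack_verdicts(void)
{
    char root[] = "/tmp/kextpathXXXXXX";
    if (!mkdtemp(root)) return -1;

    char trusted[256], planted[256], dir[256];
    snprintf(dir, sizeof dir, "%s/usr", root);      mkdir(dir, 0700);
    snprintf(dir, sizeof dir, "%s/usr/bin", root);  mkdir(dir, 0700);
    snprintf(dir, sizeof dir, "%s/malware", root);  mkdir(dir, 0700);
    snprintf(trusted, sizeof trusted, "%s/usr/bin/utility", root);
    snprintf(planted, sizeof planted, "%s/malware/utility", root);
    if (write_file(trusted, LEGIT_BYTES) || write_file(planted, MALWARE_BYTES))
        return -1;

    /* The hash is pinned while the legitimate binary is in place. */
    uint64_t trusted_hash = fnv1a_file(trusted);

    int v = 0;
    v |= path_policy_allows(trusted, trusted)      << 3;
    v |= hash_policy_allows(trusted, trusted_hash) << 2;

    /* The attack: system("/bin/mv /malware/utility /usr/bin/utility") */
    if (rename(planted, trusted) != 0) return -1;

    /* After the re-exec the path the kernel sees is unchanged; the bytes are not. */
    v |= path_policy_allows(trusted, trusted)      << 1;
    v |= hash_policy_allows(trusted, trusted_hash) << 0;

    /* Tear down the scratch tree. */
    unlink(trusted);
    const char *subdirs[] = { "usr/bin", "usr", "malware" };
    for (size_t i = 0; i < 3; i++) {
        snprintf(dir, sizeof dir, "%s/%s", root, subdirs[i]);
        rmdir(dir);
    }
    rmdir(root);
    return v;
}

int main(void)
{
    int v = mv_attack_verdicts();
    if (v < 0) { perror("setup"); return 1; }
    printf("path policy : before=%d after=%d\n", (v >> 3) & 1, (v >> 1) & 1);
    printf("hash policy : before=%d after=%d\n", (v >> 2) & 1, v & 1);
    return 0;
}
```

The path policy accepts the planted binary after the mv because the string it compares never changed; only the content policy notices that different bytes now live at the trusted location. The same applies to whatever path a KEXT recovers from p_textvp, p_comm or a kauth exec notification: it says where the file was when exec happened, not which bytes it contains, so a verification step has to key on the identity of the executable (its signature or content) rather than on its name.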