Re: How to get current process executable from KEXT?
- Subject: Re: How to get current process executable from KEXT?
- From: Jakub Bednar <email@hidden>
- Date: Mon, 1 Feb 2010 13:24:22 +0100
Well yes, but the malware would need super-user permissions to do that. If your system is compromised, then there is nothing anyone can do. On the other hand, if you can't check the full path, then anyone (even a regular user) can create a binary with the name "utility" anywhere in the system, and it will be confused with the /usr/bin/utility in, let's say, a "trusted and protected" path.
The best would be to do a code signature check, but I haven't found any kernel API to do this.
Jakub
On Feb 1, 2010, at 12:58 PM, Shantonu Sen wrote:
> Why does the full path help you? What additional verification are you planning on doing? If the malware does system("/bin/mv /malware/utility /usr/bin/utility") and re-execs itself, how will you detect that case?
>
> Shantonu
>
> Sent from my MacBook
>
> On Feb 1, 2010, at 3:03 AM, Jakub Bednar wrote:
>
>> Hi list,
>>
>> can anyone please help me figure out how to get the executable path for the current process from within a KEXT?
>>
>> The Mac OS X Internals book points to p_textvp field of struct proc, but this is not a public API. I have also found a post that says that this field is not even set by exec system calls.
>>
>> I have tried the proc_selfname(), but this is returning only the name, without the full path. It is returning the p_comm[] field of struct proc internally.
>>
>> I have checked how the user-space lsof utility does its job, and it uses the proc_pidbsdinfo() call. This call returns the p_name[] field of struct proc as the name of the executable with full path. However, proc_pidbsdinfo() is not in the Kernel.framework headers, so it probably can't be used in a KEXT.
>>
>> Can anyone help me to solve this? I really need to distinguish between e.g. /usr/bin/utility and /malware/utility.
>>
>> Thanks a lot,
>>
>> Jakub
>>
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Darwin-dev mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
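The three levels of check the thread argues about (name only, full path, content or signature) can be shown side by side in user space. The following is an added example, not code from the thread or from any KEXT; it is a Python model run against two constructed files in a temporary directory, with a SHA-256 digest standing in for the code-signature check Jakub would prefer (a digest allow-list is not a signature check, but it fails the same way a signature check would when the file contents change). The directory layout under the temp root and the two "utility" files are constructed for the demonstration.

```python
import hashlib
import os
import shutil
import tempfile


def identify_by_name(path: str) -> str:
    """Model of proc_selfname(): only the basename (p_comm) is visible."""
    return os.path.basename(path)


def identify_by_path(path: str) -> str:
    """Model of a full-path check: resolve symlinks and '..' before comparing."""
    return os.path.realpath(path)


def identify_by_digest(path: str) -> str:
    """Model of a content check (stand-in for a code-signature check)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def run_scenario() -> dict:
    """Build a trusted 'utility' and a same-named impostor, then simulate the
    'mv /malware/utility /usr/bin/utility' case from the thread. Returns, for
    each check, whether it still accepts the attacker's binary."""
    root = tempfile.mkdtemp(prefix="kext-demo-")  # constructed sandbox root
    try:
        trusted_dir = os.path.join(root, "usr", "bin")   # stands in for /usr/bin
        malware_dir = os.path.join(root, "malware")      # stands in for /malware
        os.makedirs(trusted_dir)
        os.makedirs(malware_dir)
        trusted = os.path.join(trusted_dir, "utility")
        evil = os.path.join(malware_dir, "utility")
        with open(trusted, "wb") as f:
            f.write(b"#!/bin/sh\necho genuine\n")       # constructed content
        with open(evil, "wb") as f:
            f.write(b"#!/bin/sh\necho impostor\n")      # constructed content

        # Allow-list values recorded while the system is known-good.
        allow_name = identify_by_name(trusted)
        allow_path = identify_by_path(trusted)
        allow_digest = identify_by_digest(trusted)

        results = {}
        # Case 1: a same-named binary in another directory (no privileges needed).
        results["name_accepts_renamed_copy"] = identify_by_name(evil) == allow_name
        results["path_accepts_renamed_copy"] = identify_by_path(evil) == allow_path
        results["digest_accepts_renamed_copy"] = identify_by_digest(evil) == allow_digest

        # Case 2: the file at the trusted path is replaced (needs write access there).
        shutil.move(evil, trusted)
        results["name_accepts_replaced_file"] = identify_by_name(trusted) == allow_name
        results["path_accepts_replaced_file"] = identify_by_path(trusted) == allow_path
        results["digest_accepts_replaced_file"] = identify_by_digest(trusted) == allow_digest
        return results
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for check, accepted in run_scenario().items():
        print(f"{check}: {'ACCEPTED (bad)' if accepted else 'rejected'}")
```

The name-only check accepts the impostor in both cases, which is Jakub's point about an unprivileged user creating a "utility" anywhere. The full-path check rejects the copy in /malware but accepts the replaced file in the trusted path, which is Shantonu's point. Only the content check rejects both, and in a KEXT even that is subject to the window between the check and the exec unless it is done on the vnode actually being executed.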