Re: How to get current process executable from KEXT?
- Subject: Re: How to get current process executable from KEXT?
- From: Brian Mastenbrook <email@hidden>
- Date: Mon, 01 Feb 2010 10:38:19 -0600
On 2/1/2010 6:24 AM, Jakub Bednar wrote:
> Well yes, but the malware would need super-user permissions to do that. If your system is compromised, then there is nothing anyone can do. On the other hand, if you can't check the full path, then anyone (even a regular user) can create a binary with the name "utility" anywhere in the system and it will be confused with the /usr/bin/utility in, let's say, the "trusted and protected" path.
> The best would be to do a code signature check, but I haven't found any kernel API to do this.
I'm not quite sure what you're trying to accomplish, but I'm pretty sure
that you're doing it wrong. Checking that the process being invoked is
/usr/bin/utility instead of /Users/ben/utility won't help if the action
you're scanning for can be carried out by /usr/bin/utility - either
intentionally or due to a flaw in how the utility is written. And there
are numerous methods that can be used from an ordinary user account to
cause a process running as that user to execute arbitrary code. If
executable path-based protection is central to your anti-malware
product, your product won't be much of a problem for malware authors at all.
--
Brian Mastenbrook
email@hidden
http://brian.mastenbrook.net/
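As an added illustration (not code from either poster, and nothing to do with a real KEXT), the small Python sketch below contrasts the two userland policies the exchange is about: matching only the executable's file name versus matching its full, normalised path. The trust list and the sample paths are constructed for the example. It shows why the name-only check accepts /Users/ben/utility, and the comments note what the full-path variant still does not cover, which is Brian's point: even an exact path match says nothing about what that binary will do.

```python
import posixpath

# Constructed trust list: the only executable this hypothetical policy
# is meant to allow is this exact path.
TRUSTED_EXECUTABLES = {"/usr/bin/utility"}


def trusted_by_basename(exec_path: str) -> bool:
    """Naive check: compares only the file name and ignores the directory.

    Any binary named 'utility' anywhere on the system passes this test.
    """
    trusted_names = {posixpath.basename(p) for p in TRUSTED_EXECUTABLES}
    return posixpath.basename(exec_path) in trusted_names


def trusted_by_full_path(exec_path: str) -> bool:
    """Compares the normalised absolute path against the trust list.

    normpath collapses '.' and '..' components and repeated slashes, so
    '/usr/bin/../bin/utility' is treated as '/usr/bin/utility'. It does
    not resolve symlinks or touch the filesystem; a real check would work
    from the kernel's own canonical vnode path. Even then a match only
    identifies *which* file is running, not whether it is trustworthy.
    """
    if not posixpath.isabs(exec_path):
        return False  # relative names cannot be pinned to a location
    return posixpath.normpath(exec_path) in TRUSTED_EXECUTABLES


def evaluate(candidates):
    """Return {path: (basename_verdict, full_path_verdict)} per candidate."""
    return {p: (trusted_by_basename(p), trusted_by_full_path(p)) for p in candidates}


# Constructed sample paths, including a same-named binary in a user's home.
SAMPLE_PATHS = [
    "/usr/bin/utility",
    "/Users/ben/utility",
    "/usr/bin/../bin/utility",
    "/usr/bin/other",
    "utility",
]

if __name__ == "__main__":
    for path, (by_name, by_path) in evaluate(SAMPLE_PATHS).items():
        print(f"{path:28} basename={by_name!s:5} fullpath={by_path}")
```

Running it prints one line per sample path; the home-directory copy is accepted by the basename policy and rejected by the full-path one, while the `..`-containing spelling of the real path is accepted by both.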
Darwin-dev mailing list (email@hidden)