Re: Determine port holder
- Subject: Re: Determine port holder
- From: Brian Bergstrand <email@hidden>
- Date: Wed, 3 Mar 2004 11:29:16 -0600
I think Matt wants something similar in functionality to ObDev's
Little Snitch. And to do that you have to do what they are doing, and
patch the kernel syscall table.

There is no reliable way to get a PID from a NKE filter.

The way Little Snitch does this is by patching the kernel syscalls for
socket opens (sosend, socreate, others?). Since these calls exist in
the context of the BSD kernel, the PID of the calling process is readily
available and Little Snitch can pull the PID (and check the dest addr
at the same time). If the check fails, it calls out to its userland
daemon to handle the failure. Once in userland, you can find the
process name (or something close to it) from the process table.

Of course none of this is guaranteed to work, it just happens to at the
moment. In fact, Little Snitch ran into some panic problems with the
upgrade to 10.3 because it does patch the syscall table. Patching is a
very evil thing (as any OS 9 developer and/or user can attest to).

Little Snitch panic (that was eventually fixed):
<http://forums.macnn.com/showthread.php?s=&threadid=195232&highlight=little+snitch>

HTH.
On Mar 3, 2004, at 1:14 AM, Justin Walker wrote:

> On Tuesday, March 2, 2004, at 10:45 PM, Matt Jaffa wrote:
>
>> Hi,
>>
>> Is there a way to determine which app that is running has control
>> over a certain port.
>>
>> This is dealing with sockets, I have intercepted a raw_packet going
>> out, and using the src_port I would like to know which app is
>> listening, or owns it.
>>
>> Is there a way to do this within the Kernel, and/or within a daemon
>> inside user space?
>
> The concept of "control" over a port does not exist. Ports in certain
> ranges are "allocated" by IANA to certain functions/services, but that
> is convention, and is locally dictated by things like "/etc/services"
> (if you decide to change that usage, of course, you end up breaking a
> lot of functionality, but that's a separate issue).
>
> In addition, an open socket can be handed to another process, and
> another UID, in a couple of ways:
>
> - parent forks, child and parent both have 'control' of an open socket
> - application execs a new executable (same process, different code)
> - process A can establish a local socket communication with process B,
>   and then pass another open socket (say, INET4) to B
> - the UID of a process can change through system calls and the SETUID
>   bit in the executable.
>
> Any number of processes, each running different code, can have the
> same socket open and be actively using it.
>
> Remember that a socket is a kernel structure that is treated like a
> file structure and shared among processes. Each proc table has an
> array of 'descriptors' that point to such things as socket structures,
> so the socket structure itself can't be "owned" by any one process.
>
> This has been discussed before, and you might benefit from trying to
> search the archives. For this kind of question, the ones to look at
> are darwin-kernel, darwin-development, and possibly the opendarwin
> lists.
>
> Depending on where your extension lives, you may be able to determine
> the identity of one of the users of the socket at the time it is
> accessed for read or write. That's the best you can hope for.
>
> Regards,
>
> Justin
>
> --
> Justin C. Walker, Curmudgeon-At-Large *
> Institute for General Semantics | Some people have a mental
>                                 | horizon of radius zero, and
>                                 | call it their point of view.
>                                 | -- David Hilbert
> *--------------------------------------*-------------------------------*
Brian Bergstrand <http://www.bergstrand.org/brian/>, AIM: triryche206
PGP Key: <http://www.bergstrand.org/brian/misc/public_key.txt>

Conscience is the inner voice that warns us that someone might be
looking. - H. L. Mencken

As of 11:16:51 AM, iTunes is playing "The Shortest Straw" from "...And
Justice For All" by "Metallica"
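An added example, not from this thread or from either poster: the following C program demonstrates Justin's point that a socket is a kernel object referenced by descriptors in more than one process, so no single process can be said to own the port. It binds a TCP socket on the loopback address to a kernel-chosen port, then shares it with a second process in two of the ways he lists: by fork(), and by passing the descriptor over a local AF_UNIX socket with SCM_RIGHTS (the receiver is forked before the socket exists, so it cannot have inherited it). In both cases the other process calls getsockname() on its own descriptor and sees the same bound port. The function names (make_listener, bound_port, send_fd, recv_fd, socket_shared_by_fork, socket_shared_by_scm_rights) are assumptions of this example; the calls are standard BSD socket APIs and the program should build on Darwin or Linux with `cc -o socketshare socketshare.c`.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <sys/wait.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Create a TCP socket bound to 127.0.0.1 on a kernel-chosen port (port 0). */
static int make_listener(void) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = 0;
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 1) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Port (host order) that a descriptor's socket is bound to, or -1. */
static int bound_port(int fd) {
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    if (getsockname(fd, (struct sockaddr *)&sa, &len) < 0) return -1;
    return ntohs(sa.sin_port);
}

/* Control-message buffer sized and aligned for exactly one descriptor. */
union fd_cmsg { char buf[CMSG_SPACE(sizeof(int))]; struct cmsghdr align; };

static void init_msg(struct msghdr *msg, struct iovec *iov, union fd_cmsg *u) {
    memset(msg, 0, sizeof *msg);
    msg->msg_iov = iov;        msg->msg_iovlen = 1;
    msg->msg_control = u->buf; msg->msg_controllen = sizeof u->buf;
}

/* Hand descriptor `fd` to whoever holds the other end of local socket `chan`. */
static int send_fd(int chan, int fd) {
    char byte = 'x';
    struct iovec iov = { &byte, 1 };
    union fd_cmsg u;
    struct msghdr msg;
    init_msg(&msg, &iov, &u);
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET;
    c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));
    return sendmsg(chan, &msg, 0) == 1 ? 0 : -1;
}

/* Receive a descriptor sent with send_fd(); the kernel installs a new fd. */
static int recv_fd(int chan) {
    char byte;
    struct iovec iov = { &byte, 1 };
    union fd_cmsg u;
    struct msghdr msg;
    init_msg(&msg, &iov, &u);
    if (recvmsg(chan, &msg, 0) != 1) return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (!c || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS) return -1;
    int fd;
    memcpy(&fd, CMSG_DATA(c), sizeof(int));
    return fd;
}

/* Case 1: plain fork(). The child inherits the descriptor and reports the
   port it sees through a pipe. Returns 1 if it matches the parent's view. */
int socket_shared_by_fork(void) {
    int fd = make_listener(), p[2], port = -1;
    if (fd < 0 || pipe(p) < 0) return 0;
    pid_t pid = fork();
    if (pid == 0) {                                   /* child: inherited fd */
        port = bound_port(fd);
        _exit(write(p[1], &port, sizeof port) == sizeof port ? 0 : 1);
    }
    if (pid > 0) {
        if (read(p[0], &port, sizeof port) != sizeof port) port = -1;
        waitpid(pid, NULL, 0);
    }
    int ok = port != -1 && port == bound_port(fd);
    close(p[0]); close(p[1]); close(fd);
    return ok;
}

/* Case 2: SCM_RIGHTS. The receiver is forked before the socket exists, so it
   can only hold the socket because the parent passed the descriptor to it. */
int socket_shared_by_scm_rights(void) {
    int sv[2], port = -1;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return 0;
    pid_t pid = fork();
    if (pid == 0) {                                   /* receiver process */
        close(sv[0]);
        int got = recv_fd(sv[1]);
        int seen = got < 0 ? -1 : bound_port(got);
        _exit(write(sv[1], &seen, sizeof seen) == sizeof seen ? 0 : 1);
    }
    close(sv[1]);
    int fd = pid > 0 ? make_listener() : -1;          /* created after fork */
    if (fd >= 0 && send_fd(sv[0], fd) == 0 &&
        read(sv[0], &port, sizeof port) != sizeof port) port = -1;
    int ok = fd >= 0 && port != -1 && port == bound_port(fd);
    close(sv[0]); if (fd >= 0) close(fd);
    if (pid > 0) waitpid(pid, NULL, 0);
    return ok;
}

int main(void) {
    printf("same socket visible after fork():      %s\n", socket_shared_by_fork() ? "yes" : "no");
    printf("same socket visible after SCM_RIGHTS:  %s\n", socket_shared_by_scm_rights() ? "yes" : "no");
    return 0;
}
```

Both cases print "yes" on a normal system. From a defender's point of view this is the practical consequence of Justin's answer: a port-to-process lookup done from the process table in userland, as Brian describes, identifies one current holder of the socket, not necessarily the process that issued a particular packet, and a monitoring design that needs the actual caller has to capture the PID at the system call where the socket is used.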
_______________________________________________
darwin-kernel mailing list | email@hidden
Help/Unsubscribe/Archives:
http://www.lists.apple.com/mailman/listinfo/darwin-kernel
Do not post admin requests to the list. They will be ignored.