Re: Obtaining non-exported symbol from kernel on runtime (without the debug symbols)
- Subject: Re: Obtaining non-exported symbol from kernel on runtime (without the debug symbols)
- From: "John D." <email@hidden>
- Date: Mon, 15 Dec 2008 04:47:51 +0100
On Sun, Dec 14, 2008 at 8:33 PM, Terry Lambert <email@hidden> wrote:
> You file a bug report with DTS.
OK, thanks.
> This is something we intentionally do not permit. A lot of antivirus vendors
> were doing this and it broke our locking model. So we provided KPI to let
> them intercept operations (that is called "kauth" and you can find
> documentation on <http://developer.apple.com>). If we change locking in the
> future, we won't break them again.
Problem with kauth is that AFAIK it only lets you return 'deny' or
'pass' results. If, say, you want to return an ENOENT or special errno
to the syscall, it's not possible through kauth.
>> Most of the API used in unix_syscall isn't available in any KPI.
>
> Yes. On purpose. I personally made the syscall table a private symbol.
The problem is that it's a hassle for legitimate developers. People
trying to subvert the kernel might simply go and patch the IDT or do
something far more complex. Plus a memory search will yield sysent's
location easily.
>> That
>> leaves us with either patching its code on runtime (a hack, which
>> apparently isn't possible because that region isn't writable; I'm not
>> sure why kernel TEXT wouldn't be writable except for security reasons
>> I guess) or forgetting about implementing anything around it.
>
> We're mildly clever that way.
I was hoping we could vm_map_mprotect (or the like) the kernel text
temporarily. Do you know if this is feasible without resorting to a
non-portable hack?
John.