Re: accessing argv on exec
- Subject: Re: accessing argv on exec
- From: "Jay O'Conor" <email@hidden>
- Date: Tue, 11 Nov 2014 13:11:41 -0800
Hi Peter,
Is this something that DTrace could handle instead of a custom kext? I’m curious if you’ve looked at the newproc.d command (dtrace script)?
Regards,
— Jay
> On Nov 10, 2014, at 3:02 PM, Peter Moody <email@hidden> wrote:
>
> Hey folks,
>
> apologies for what will likely be a noobish question, I'm just getting
> acquainted with xnu and kexts and all that.
>
> I'm interested in monitoring process creation (and termination) on the
> Mac. It looks like I can use a kext that registers a listener for
> kauth_fileop_exec to be notified of an exec, and the callback is:
>
> a) given a char* of the path of the binary.
> b) run in the context of the newly executing binary (so proc_self()
> and the like work for getting pid/ppid, etc).
>
> but is there any way that I can actually access the argv that was passed
> to the execve call?
>
> I'm trying to do this to help our incident response capabilities, where
> obviously just seeing that 'wget' was called is a lot less informative
> than seeing 'wget http://malware.badguy/rookkit.tgz'
>
> Cheers,
> peter
> _______________________________________________
> Do not post admin requests to the list. They will be ignored.
> Darwin-kernel mailing list (email@hidden)
> Help/Unsubscribe/Update your Subscription:
>
> This email sent to email@hidden
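As an added illustration of Jay's suggestion (not part of the thread, and not the stock newproc.d shipped with OS X), the script below records each successful exec with pid, ppid, uid and the command line, plus each process exit, using only documented DTrace builtins (proc:::exec-success, proc:::exit, curpsinfo). It assumes DTrace can run on the host (later macOS releases restrict it under System Integrity Protection) and that the truncated pr_psargs snapshot is acceptable for triage.

```dtrace
#!/usr/sbin/dtrace -s
/*
 * Added example, not from the mailing-list thread: exec/exit monitor for
 * incident response. Run as root: dtrace -s execmon.d
 */
#pragma D option quiet

dtrace:::BEGIN
{
    printf("%-5s %-8s %-8s %-6s %s\n", "EVENT", "PID", "PPID", "UID", "ARGS");
}

/* Fires after execve() has succeeded, in the context of the new image,
 * so pid/ppid/uid describe the process that just exec'd. pr_psargs is
 * the kernel's command-line snapshot, truncated to PRARGSZ bytes; for
 * very long command lines the tail is lost. */
proc:::exec-success
{
    printf("%-5s %-8d %-8d %-6d %s\n", "exec", pid, ppid, uid,
           curpsinfo->pr_psargs);
}

/* Covers the "termination" half of the question. execname is the
 * basename of the image that was running when the process exited. */
proc:::exit
{
    printf("%-5s %-8d %-8d %-6d %s\n", "exit", pid, ppid, uid, execname);
}
```

Because this runs entirely in the DTrace framework there is no third-party kext to sign or load, but it is a sampling/observability tool rather than a tamper-resistant audit trail: a process that execs before the script is attached, or a command line longer than PRARGSZ, will not be fully captured.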