RE: accessing argv on exec
  • Subject: RE: accessing argv on exec
  • From: "Manu ." <email@hidden>
  • Date: Tue, 11 Nov 2014 22:52:59 -0800
  • Importance: Normal

You may also want to look at task_info. While it only gives you the list of all loaded images, there is some code that you can find which can use task_info or get the offset of the structure in memory. There is a gContext variable in dyld that contains argv[], so if one can retrieve the loaded modules structure address, it should be possible to get the rest. Kind of wish that the arguments would be kept in the proc_t and made available (like on Windows EPROCESS -> PEB -> command line), alas, it's not the case.


Date: Tue, 11 Nov 2014 16:25:46 -0800
Subject: Re: accessing argv on exec
From: email@hidden
To: email@hidden
CC: email@hidden; email@hidden



On Tue, Nov 11, 2014 at 10:04 AM, Peter Moody <email@hidden> wrote:

On Tue, Nov 11 2014 at 07:18, Evan Lojewski wrote:
> Hi Pete,
>
> From my (limited) scan through kern_exec.c, it doesn't look like there is a
> good way to get access to the full command line. Someone at Apple will
> probably be able to suggest a good option.
>
> *IF* this is a non-production kext, it is possible to update the execsw
> table to allow your kext to get access to this information, however it does
> require using private symbols. If you'd like an example on how to do that
> let me know and I'll send some code, but hopefully Apple has a better
> option that they can reply with first.

Hey Evan,

I'd love to see some code. I don't think I'll be able to convince our
macops team to support it, but seeing how it could be done is still
probably worthwhile.

re auditd: we're actually doing something like that right now, but AIUI
our IR team has found it lacking. I've spent the last year or so
implementing for linux what I'm looking to implement here for the mac,
hence the noobish question.

 Cheers,
 peter


Hi Peter,
Here's some simple code from the days of 10.6. I expect it should still work with minor tweaks (and commenting out the printfs).

https://dl.dropboxusercontent.com/u/863180/kextcacheHelper/KextcacheHelper.cpp
https://dl.dropboxusercontent.com/u/863180/kextcacheHelper/kextcacheHelper.zip

Let me know if you have questions.

Evan Lojewski 

_______________________________________________
Do not post admin requests to the list. They will be ignored.
Darwin-kernel mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:

This email sent to email@hidden

  • Follow-Ups:
    • Re: accessing argv on exec
      • From: Peter Moody <email@hidden>
  • References:
    • accessing argv on exec (From: Peter Moody <email@hidden>)
    • Re: accessing argv on exec (From: Evan Lojewski <email@hidden>)
    • Re: accessing argv on exec (From: Peter Moody <email@hidden>)
    • Re: accessing argv on exec (From: Evan Lojewski <email@hidden>)
