
accessing argv on exec


  • Subject: accessing argv on exec
  • From: James C <email@hidden>
  • Date: Thu, 13 Nov 2014 21:51:11 +1300

I'm used to thinking that ps reads from a process's private memory in
order to get the command arguments.  Using the code below, I think
that I have proved that this is false on OSX 10.6.8.  That suggests
that ps -f is reading from somewhere in the kernel.  Would that be
easy to walk down?

Regards,
James.

================
#include <stdio.h>
#include <signal.h>
#include <unistd.h>  /* getpid() */
int main(int argc, char *argv[])
  /* hack every other argument into a pointer into unreadable low memory,
   * then sigstop myself */
{
  int i;

  for (i = argc; --i;)
    if (i%2)
      argv[i] = (char *)i;

  printf("Stopping ...\n");
  kill(getpid(), SIGSTOP);

  return 0;
}
================
$ make
cc -g  -g  hackArgv.c   -o hackArgv
hackArgv.c: In function ‘main’:
hackArgv.c:12: warning: cast to pointer from integer of different size
$ ./hackArgv this that the other etc
Stopping ...

[1]+  Stopped                 ./hackArgv this that the other etc
$ ps | fgrep hackArgv
82712 ttys002    0:00.00 ./hackArgv this that the other etc
82716 ttys002    0:00.00 fgrep hackArgv
$ fg
./hackArgv this that the other etc
$
=======================
On 11/13/14, email@hidden
<email@hidden> wrote:
<snip> Message: 7
> Date: Wed, 12 Nov 2014 10:45:41 -0800
> From: Peter Moody <email@hidden>
> To: "Manu ." <email@hidden>
> Cc: email@hidden, email@hidden
> Subject: Re: accessing argv on exec
> Message-ID: <email@hidden>
> Content-Type: text/plain
>
>
> On Tue, Nov 11 2014 at 22:52, Manu . wrote:
>> You may also want to look at task_info. While it only gives you the all
>> loaded images list, there is some code that
>> you can find which can use task_info or get the offset of the structure in
>> memory. There is a gContext variable in
>> dyld that contains argv[] so if one can retrieve the loaded modules
>> structure address, it should be possible to get
>> the rest. Kind of wish that the arguments would be kept in the proc_t and
>> made available (like on Windows EPROCESS
>> -> PEB -> command line), alas it's not the case.
>
> Hey Manu,
>
> I'm probably missing something super obvious, but task_info() doesn't
> appear to be resolvable from a kext. Were you suggesting doing this from
> userspace?
>
>> Date: Tue, 11 Nov 2014 16:25:46 -0800
>> Subject: Re: accessing argv on exec
>> From: email@hidden
>> To: email@hidden
>> CC: email@hidden; email@hidden
>
>
>> Hi Peter, here's some simple code from the days of 10.6. I expect it should
>> still work with minor tweaks (and
>> commenting the printfs).
>
> This is awesome! Thanks, Evan.
>
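
Added example, not part of the original message: on OS X, ps obtains another process's arguments through the KERN_PROCARGS2 sysctl (mib CTL_KERN, KERN_PROCARGS2, pid), which returns the argument strings as one buffer rather than following the argv[] pointer array. The C sketch below parses that buffer layout; the buffer is a constructed little-endian sample, and parse_procargs2 is a hypothetical helper name.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample in the KERN_PROCARGS2 layout: argc (little-endian here),
 * exec path, NUL padding, argument strings back to back, then environment. */
static const unsigned char sample[] =
    "\x03\x00\x00\x00"            /* argc = 3 */
    "/tmp/hackArgv\0\0\0"         /* exec path + padding */
    "./hackArgv\0this\0that\0"    /* argv[0..2] */
    "HOME=/tmp";                  /* environment (implicit final NUL) */

/* Hypothetical helper: fill out[] with pointers to the argument strings in buf.
 * Returns the number of arguments recovered, or -1 if buf is malformed. */
int parse_procargs2(const unsigned char *buf, size_t len,
                    const char **out, int max_out)
{
    int32_t argc;
    size_t pos = sizeof argc;
    int n = 0;

    if (len < sizeof argc)
        return -1;
    memcpy(&argc, buf, sizeof argc);
    if (argc < 0)
        return -1;

    while (pos < len && buf[pos] != '\0')   /* skip exec path */
        pos++;
    while (pos < len && buf[pos] == '\0')   /* skip padding NULs */
        pos++;

    while (n < argc && n < max_out) {
        const unsigned char *end = memchr(buf + pos, '\0', len - pos);
        if (end == NULL)
            return -1;                      /* truncated or unterminated */
        out[n++] = (const char *)(buf + pos);
        pos = (size_t)(end - buf) + 1;
    }
    return n;
}

int main(void)
{
    const char *args[8];
    int i, n = parse_procargs2(sample, sizeof sample, args, 8);
    for (i = 0; i < n; i++)
        printf("argv[%d] = %s\n", i, args[i]);
    return n == 3 ? 0 : 1;
}
```

The strings are recovered by walking the buffer itself, so the values stored in the argv[] pointer array never enter into it.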
