On Aug 15, 2007, at 6:24 PM, Terry Lambert wrote:

I have 2 questions regarding IOKit KEXTs.

Example HelloIOKit.cpp Code:

    ...
    extern "C" int execve(void *, void *, int *);
    ...
    IOLog("Found execve at %p\n",execve);
    ...

Example kextload output:

    kextload: extension HelloIOKit.kext appears to be valid
    kld(): Undefined symbols:
    _execve
    ...

Darwin-dev mailing list (Darwin-dev@lists.apple.com)

You didn't answer my question, and you jumped to conclusions. I already have functioning code to arbitrarily hook kernel functions. I didn't ask for help on how to do this, I just asked if there are any IOKit classes that implement features similar to mprotect/vm_protect, and why IOKit based KEXTs have issues resolving symbols in the kernel. Not answering these questions won't prevent me from accomplishing my task.
- I can still use mprotect/vm_protect
- For the symbols issue, I can at the very worst use some script hackery to resolve the symbols in user space and transfer their addresses to my KEXT. I know there are tables in the kernel where I could resolve the symbols manually as well.

I would like to remind you that hurling insults at me such as "unscrupulous" (definition: having or showing no moral principles; not honest or fair) does nothing other than provoke me to release an SDK to the public which would allow people to hook kernel functions.

On Aug 15, 2007, at 3:21 PM, Matt Burnett wrote:

- How does IOMemoryDescriptor deal with memory protection (mprotect/vm_protect)? Is there a class available to check/change the protection of certain pages in memory or should I use mprotect/vm_protect?
- Why do IOKit KEXTs have issues resolving kernel symbols, and what can I do to work around it? For example if I create a KEXT in C, I can look up the address of any symbol which is in /mach.sym, however I get unresolved symbol errors if I do the same in an IOKit KEXT.

We hide system calls so someone unscrupulous does not overwrite their entry points with jump instructions to their own code, perhaps thinking that we do not change locking or other implementation details in software updates.

If you need to trap and/or prevent this type of operation for legitimate reasons, use kauth instead.

-- Terry