Re: How to get current process executable from KEXT?
Well yes, but the malware would need super-user permissions to do that. If your system is compromised, then there is nothing anyone can do. On the other hand, if you can't check the full path, then anyone (even a regular user) can create a binary with the name "utility" anywhere in the system and it will be confused with the /usr/bin/utility in a, let's say, "trusted and protected" path. The best would be to do a code signature check, but I haven't found any kernel API to do this.

Jakub

On Feb 1, 2010, at 12:58 PM, Shantonu Sen wrote:
Why does the full path help you? What additional verification are you planning on doing? If the malware does system("/bin/mv /malware/utility /usr/bin/utility") and re-execs itself, how will you detect that case?
Shantonu
Sent from my MacBook
On Feb 1, 2010, at 3:03 AM, Jakub Bednar wrote:
Hi list,
can anyone please help me figure out how to get the executable path for the current process from within a KEXT?
The Mac OS X Internals book points to p_textvp field of struct proc, but this is not a public API. I have also found a post that says that this field is not even set by exec system calls.
I have tried the proc_selfname(), but this is returning only the name, without the full path. It is returning the p_comm[] field of struct proc internally.
I have checked how the user-space lsof utility does its job, and it uses the proc_pidbsdinfo() call. This call returns the p_name[] field of struct proc as the name of the executable with the full path. However, proc_pidbsdinfo() is not in the Kernel.framework headers, so it probably can't be used in a KEXT.
Can anyone help me to solve this? I really need to distinguish between e.g. /usr/bin/utility and /malware/utility.
Thanks a lot,
Jakub
_______________________________________________ Do not post admin requests to the list. They will be ignored. Darwin-dev mailing list (Darwin-dev@lists.apple.com) Help/Unsubscribe/Update your Subscription: http://lists.apple.com/mailman/options/darwin-dev/ssen%40apple.com
This email sent to ssen@apple.com
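To illustrate the limitation the thread is discussing, here is a small user-space model (added here as an example; it is not code from the thread, nor Apple kernel code). It assumes that XNU fills p_comm, which proc_selfname() returns, with the last path component of the executed image truncated to MAXCOMLEN (16) characters. Under that assumption a name-only check cannot tell /usr/bin/utility from /malware/utility, and truncation lets even different basenames collide, while a full-path comparison distinguishes them. The paths used are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Assumption modelled here: XNU's p_comm holds the last path component of
 * the executed image, truncated to MAXCOMLEN (16) characters. This is a
 * user-space model of that behaviour, not kernel code. */
#define MAXCOMLEN 16

/* What a proc_selfname()-style lookup yields for a given executable path. */
static void model_p_comm(const char *path, char out[MAXCOMLEN + 1])
{
    const char *slash = strrchr(path, '/');
    const char *base = slash ? slash + 1 : path;
    strncpy(out, base, MAXCOMLEN);
    out[MAXCOMLEN] = '\0';
}

/* Check based only on the short process name. */
static int name_matches(const char *path, const char *trusted_path)
{
    char a[MAXCOMLEN + 1], b[MAXCOMLEN + 1];
    model_p_comm(path, a);
    model_p_comm(trusted_path, b);
    return strcmp(a, b) == 0;
}

/* Check based on the full path, which is what the question is after. */
static int path_matches(const char *path, const char *trusted_path)
{
    return strcmp(path, trusted_path) == 0;
}

int main(void)
{
    const char *trusted = "/usr/bin/utility";
    const char *cases[] = {
        "/usr/bin/utility",
        "/malware/utility",   /* same basename, different directory */
        "/tmp/utility",       /* a regular user can create this one */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        char comm[MAXCOMLEN + 1];
        model_p_comm(cases[i], comm);
        printf("%-20s p_comm=%-17s name_match=%d path_match=%d\n",
               cases[i], comm, name_matches(cases[i], trusted),
               path_matches(cases[i], trusted));
    }
    /* Truncation makes even different basenames collide once they share
     * their first MAXCOMLEN characters. */
    printf("truncation collision: %d\n",
           name_matches("/usr/libexec/trusted_helper_daemon",
                        "/malware/trusted_helper_daemon_evil"));
    return 0;
}
```

Note that, as Shantonu points out in the thread, even the full-path check only holds if the trusted directory cannot be written to; a process running as root can move a binary into place and re-exec it, and neither check here would notice.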