Re: How to get current process executable from KEXT?
Why does the full path help you? What additional verification are you planning on doing? If the malware does system("/bin/mv /malware/utility /usr/bin/utility") and re-execs itself, how will you detect that case?

Shantonu
Sent from my MacBook

On Feb 1, 2010, at 3:03 AM, Jakub Bednar wrote:
Hi list,
Can anyone please help me figure out how to get the executable path for the current process from within a KEXT?
The Mac OS X Internals book points to the p_textvp field of struct proc, but this is not a public API. I have also found a post that says that this field is not even set by exec system calls.
I have tried proc_selfname(), but it returns only the name, without the full path. Internally it returns the p_comm[] field of struct proc.
I have checked how the user-space lsof utility does its job, and it uses the proc_pidbsdinfo() call. This call returns the p_name[] field of struct proc as the name of the executable with full path. However, proc_pidbsdinfo() is not in the Kernel.framework headers, so it probably can't be used in a KEXT.
Can anyone help me solve this? I really need to distinguish between e.g. /usr/bin/utility and /malware/utility.
Thanks a lot,
Jakub
_______________________________________________ Do not post admin requests to the list. They will be ignored. Darwin-dev mailing list (Darwin-dev@lists.apple.com) Help/Unsubscribe/Update your Subscription: http://lists.apple.com/mailman/options/darwin-dev/ssen%40apple.com
This email sent to ssen@apple.com