On 13 Nov 2014, at 08:51, James C <james.from.wellington@gmail.com> wrote:
I'm used to thinking that ps reads from a process's private memory in order to get the command arguments.
You are, in fact, correct [1]. The problem here is that you're not testing this correctly. Consider the following: --------------------------------------------------------------------------- $ cat hackArgv.c #include <stdio.h> #include <stdlib.h> #include <unistd.h> int main(int argc, char *argv[]) { int argIndex; for (argIndex = 0; argIndex < argc; argIndex++) { if (argIndex % 2) { if (argv[argIndex][0] != 0) { argv[argIndex][0] = 'X'; } } } fprintf(stderr, "Stopping ...\n"); pause(); return EXIT_SUCCESS; } $ cc hackArgv.c -o hackArgv $ ./hackArgv hello cruel world Stopping ... ^Z [1]+ Stopped ./hackArgv hello cruel world $ ps | grep hackArgv 34719 ttys000 0:00.00 ./hackArgv Xello cruel Xorld 34721 ttys000 0:00.00 grep hackArgv $ ---------------------------------------------------------------------------
That suggest that ps -f is reading from somewhere in the kernel.
No it is not. The kernel does not keep a copy of the arguments passed to the process. Share and Enjoy -- Quinn "The Eskimo!" <http://www.apple.com/developer/> Apple Developer Relations, Developer Technical Support, Core OS/Hardware [1] Actually, modern versions of ps use libproc, but that in turn just grovels around in the process's address space. _______________________________________________ Do not post admin requests to the list. They will be ignored. Darwin-kernel mailing list (Darwin-kernel@lists.apple.com) Help/Unsubscribe/Update your Subscription: https://lists.apple.com/mailman/options/darwin-kernel/site_archiver%40lists.... This email sent to site_archiver@lists.apple.com