On Tue, Nov 11 2014 at 13:11, Jay O'Conor wrote:
Hi Peter,
Is this something that DTrace could handle instead of a custom kext? I’m curious if you’ve looked at the newproc.d command (dtrace script)?
Regards,
— Jay
Hi Jay, Maybe ..? It looks like newproc.d more or less has what I want, but it looks like running it full time incurs a fairly heavy performance penalty..
On Nov 10, 2014, at 3:02 PM, Peter Moody <pmoody@google.com> wrote:
Hey folks,
apologies for what will likely be a noobish question, I'm just getting acquainted with xnu and kexts and all that.
I'm interested in monitoring process creation (and termination) on the mac. It looks like I can use a kext that registers a listener for kauth_fileop_exec to be notified of an exec, and the callback is:
a) given a char* of the path to the binary. b) run in the context of the newly executing binary (so proc_self() and the like work for getting pid/ppid, etc).
but is there any way that I can actually access the argv that was passed to the execve call?
I'm trying to do this to help our incident response capabilities, where obviously just seeing that 'wget' was called is a lot less informative than seeing 'wget http://malware.badguy/rookkit.tgz'
Cheers, peter
_______________________________________________ Do not post admin requests to the list. They will be ignored. Darwin-kernel mailing list (Darwin-kernel@lists.apple.com) Help/Unsubscribe/Update your Subscription: https://lists.apple.com/mailman/options/darwin-kernel/joconor%40fastmail.fm
This email sent to joconor@fastmail.fm
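The DTrace route Jay suggests, written out as an added example (this is not from the thread and is not Apple's newproc.d): a script that records every successful exec with pid, parent pid, uid and the argument string, and every process exit, which is the process-creation/termination trail Peter wants for incident response. The probe names and fields (proc:::exec-success, proc:::exit, curpsinfo->pr_psargs) are standard DTrace; the output format is my own.

```dtrace
#!/usr/sbin/dtrace -s
#pragma D option quiet

/* Fires after execve() has succeeded, in the context of the new image,
 * so pid/ppid/uid describe the process that just exec'd.
 * pr_psargs is a fixed-size buffer, so very long command lines are
 * cut off; you still get the command plus its leading arguments. */
proc:::exec-success
{
    printf("%Y exec pid=%d ppid=%d uid=%d args=%s\n",
        walltimestamp, pid, ppid, uid, curpsinfo->pr_psargs);
}

/* Process termination; args[0] is the exit reason code
 * (normal exit, killed by signal, core dumped). */
proc:::exit
{
    printf("%Y exit pid=%d ppid=%d name=%s reason=%d\n",
        walltimestamp, pid, ppid, execname, args[0]);
}
```

Run it as root (sudo dtrace -s procmon.d, assuming you saved it under that name); on current macOS this additionally requires that System Integrity Protection permit DTrace.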