site_archiver@lists.apple.com Delivered-To: darwin-kernel@lists.apple.com Carl Smith writes: Ah I see, said the blind man. Thanks Quinn, understand the concept a little more. and I get back: U _strcmp U _strcmp U _strcmp How does this tell me which KPI exports the symbol, I thought I was looking for something like, "com.apple.kernel.libkern" and so on? Thats way better than my grep -r suggestion. Note the "U", which means it is importing the symbol... Cheers, - Dean _______________________________________________ Do not post admin requests to the list. They will be ignored. Darwin-kernel mailing list (Darwin-kernel@lists.apple.com) Help/Unsubscribe/Update your Subscription: http://lists.apple.com/mailman/options/darwin-kernel/site_archiver%40lists.a... On Apr 11, 2005, at 08:55, Andrew Gallatin wrote: Ok so I ran the % find /System/Library/Extensions/System.kext/ PlugIns \ -type f -a ! -name "*.plist" | xargs nm | grep strcmp Try adding -o to nm. Eg: % find /System/Library/Extensions/System.kext/PlugIns -type f -a ! - name "*.plist" | xargs nm -o | grep strncmp /System/Library/Extensions/System.kext/PlugIns/Libkern.kext/ Libkern: U _strncmp /System/Library/Extensions/System.kext/PlugIns/Mach.kext/ Mach: U _strncmp /System/Library/Extensions/System.kext/PlugIns/System6.0.kext/ kernel.6.0: U _strncmp

From some discussions I had off-list, these files generally contain

imported symbols which they also re-export. But not always, and there isn't a 100% bullet proof way to figure out which "fake" kext supplies which symbols. The way this all works, any symbol which is imported by a fake kext is also exported by it, but it may be exported under a different name. So, if you see the symbol you want in a fake kext, then you know it is available, but possibly under a different name. There presently isn't an easy way to determine what the export name is without examining the .exports files in the kernel project (xnu). The good news is that this symbol renaming is very rarely done - it is primarily used so that we can provide two versions of the same function in the kernel, say foo_v1() and foo_v2(), which then both get exported as foo() in the appropriately versioned pseduo-kexts. In most cases where you would encounter the renaming, you'd still find the symbol you were looking for, but with a suffix. This email sent to site_archiver@lists.apple.com