Re: Control an applications file system calls
A wise move. If I was doing this I'd probably choose option 1.

S+E
--
Quinn "The Eskimo!" <http://www.apple.com/developer/>
Apple Developer Technical Support * Networking, Communications, Hardware

At 8:13 +0100 16/11/04, calcmach@actcom.net.il wrote:

I would like to be able to launch ANY GIVEN application and gain full control over its file system calls (read, write, open, close, etc)

Notes:
1) I have NO control over the building of the application I want to intercept.....
2) I have seen such an implementation which involves replacing the entire "mach_kernel", I'd prefer not going down that path. (a kernel extension is OK)

You should be able to do this entirely from within user space, and I'd definitely recommend that rather than trying to hack around inside the kernel. I can think of two approaches that might work.

1. debug it -- You could do something similar to what GDB does, that is, run the process as your child and set 'breakpoints' on each of the system calls of interest. This wouldn't work for statically linked binaries, but that's not something that we support on Mac OS X anyway (except for dyld itself, of course).

2. VMM -- A much scarier prospect is to run the target process under Mac OS X's virtual machine monitor (VMM) support. This allows you to redirect all system calls (while the target process is in monitored mode) to the monitor, which is running within the same process. Scary stuff, and totally undocumented.