I'm used to thinking that ps reads from a process's private memory in order to get the command arguments. Using the code below, I think that I have proved that this is false on OSX 10.6.8. That suggests that ps -f is reading from somewhere in the kernel. Would that be easy to walk down?

Regards, James.

================
#include <stdio.h>
#include <signal.h>
#include <unistd.h>   /* getpid() */

int main(int argc, char *argv[])
/* hack every other argument into a pointer into unreadable low memory,
 * then sigstop myself */
{
    int i;
    for (i = argc; --i;)
        if (i%2)
            argv[i] = (char *)i;
    printf("Stopping ...\n");
    kill(getpid(), SIGSTOP);
    return 0;
}
================
$ make
cc -g -g hackArgv.c -o hackArgv
hackArgv.c: In function ‘main’:
hackArgv.c:12: warning: cast to pointer from integer of different size
$ ./hackArgv this that the other etc
Stopping ...
[1]+ Stopped ./hackArgv this that the other etc
$ ps | fgrep hackArgv
82712 ttys002 0:00.00 ./hackArgv this that the other etc
82716 ttys002 0:00.00 fgrep hackArgv
$ fg
./hackArgv this that the other etc
$
=======================

On 11/13/14, darwin-kernel-request@lists.apple.com <darwin-kernel-request@lists.apple.com> wrote:
<snip>
Message: 7
Date: Wed, 12 Nov 2014 10:45:41 -0800
From: Peter Moody <pmoody@google.com>
To: "Manu ." <gnork99@hotmail.com>
Cc: darwin-kernel@lists.apple.com, markg@garetech.com.au
Subject: Re: accessing argv on exec
Message-ID: <r3nlhng1cmi.fsf@perdido.sfo.corp.google.com>
Content-Type: text/plain
On Tue, Nov 11 2014 at 22:52, Manu . wrote:
You may also want to look at task_info. While it only gives you the all loaded images list, there is some code that you can find which can use task_info or get the offset of the structure in memory. There is a gContext variable in dyld that contains argv[] so if one can retrieve the loaded modules structure address, it should be possible to get the rest. Kind of wish that the arguments would be kept in the proc_t and made available (like on Windows EPROCESS -> PEB -> command line), alas it's not the case.
Hey Manu,
I'm probably missing something super obvious, but task_info() doesn't appear to be resolvable from a kext. Were you suggesting doing this from userspace?
Date: Tue, 11 Nov 2014 16:25:46 -0800
Subject: Re: accessing argv on exec
From: meklort@gmail.com
To: pmoody@google.com
CC: darwin-kernel@lists.apple.com; markg@garetech.com.au
Hi Peter,

Here's some simple code from the days of 10.6. I expect it should still work with minor tweaks (and commenting the printfs).
This is awesome! Thanks, Evan.
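As an added example (not code from the thread or from any of its posters): on OS X, ps obtains a process's arguments through the KERN_PROCARGS2 sysctl. As I understand XNU's implementation, that sysctl copies out the argument string block that was laid down at the top of the process's stack at exec time, rather than following the process's current argv[] pointers, which is consistent with the experiment above: overwriting argv[i] inside the program leaves the strings ps reports unchanged. The program below parses the buffer that sysctl returns; the assumed layout (an assumption in this example) is a native int argc, the executable path, NUL padding, then the argv strings and the environment. On OS X it reads its own argument block through the sysctl; on other systems it parses a constructed buffer that mirrors the "./hackArgv this that the other etc" run, using a hypothetical executable path.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#ifdef __APPLE__
#include <sys/types.h>
#include <sys/sysctl.h>
#endif

#define MAX_ARGS 64
#define MAX_STR  256

/* Parsed view of the argument block the kernel hands back. */
struct procargs {
    int argc;
    char exec_path[MAX_STR];
    char argv[MAX_ARGS][MAX_STR];
};

/* Length of the string at buf[pos..len) up to its NUL, or len-pos if it
 * is not terminated inside the buffer (a portable strnlen stand-in). */
static size_t bounded_len(const unsigned char *buf, size_t pos, size_t len)
{
    size_t n = 0;
    while (pos + n < len && buf[pos + n] != '\0') n++;
    return n;
}

/* Parse a KERN_PROCARGS2-style buffer.  Assumed layout: native int argc;
 * exec path + NUL; zero or more NUL padding bytes; argv[0..argc-1] each
 * + NUL; then environment strings (ignored here).
 * Returns the number of argv strings recovered, or -1 if malformed. */
int parse_procargs2(const unsigned char *buf, size_t len, struct procargs *out)
{
    int argc, got = 0;
    size_t pos = sizeof argc, n;

    if (len < sizeof argc) return -1;
    memcpy(&argc, buf, sizeof argc);
    if (argc < 0 || argc > MAX_ARGS) return -1;
    out->argc = argc;

    n = bounded_len(buf, pos, len);
    if (pos + n >= len) return -1;                 /* path runs off the end */
    snprintf(out->exec_path, MAX_STR, "%s", (const char *)buf + pos);
    pos += n + 1;
    while (pos < len && buf[pos] == '\0') pos++;   /* padding after the path */

    while (got < argc && pos < len) {
        n = bounded_len(buf, pos, len);
        if (pos + n >= len) return -1;             /* unterminated argument */
        snprintf(out->argv[got], MAX_STR, "%s", (const char *)buf + pos);
        pos += n + 1;
        got++;
    }
    return got;
}

static size_t put_str(unsigned char *buf, size_t pos, const char *s)
{
    size_t n = strlen(s) + 1;                      /* copy the NUL too */
    memcpy(buf + pos, s, n);
    return pos + n;
}

/* Constructed sample (not captured from a real machine) laid out the way the
 * sysctl would describe the thread's "./hackArgv this that the other etc" run:
 * argc = 6, a hypothetical exec path, padding, the argv strings, one env var. */
size_t build_sample_buffer(unsigned char *buf, size_t cap)
{
    static const char *args[] = { "./hackArgv", "this", "that", "the", "other", "etc" };
    int argc = 6;
    size_t pos = 0;

    if (cap < 256) return 0;
    memcpy(buf, &argc, sizeof argc);
    pos += sizeof argc;
    pos = put_str(buf, pos, "/Users/james/hackArgv");  /* hypothetical path */
    buf[pos++] = '\0';                                  /* kernel padding */
    buf[pos++] = '\0';
    for (int i = 0; i < argc; i++) pos = put_str(buf, pos, args[i]);
    return put_str(buf, pos, "HOME=/Users/james");     /* env follows argv */
}

/* Build the constructed sample and parse it; returns parse_procargs2's result. */
int parse_sample(struct procargs *out)
{
    unsigned char buf[512];
    return parse_procargs2(buf, build_sample_buffer(buf, sizeof buf), out);
}

int main(void)
{
    unsigned char buf[4096];
    struct procargs pa;
    size_t len;
#ifdef __APPLE__
    /* On OS X, read our own argument block through the sysctl ps uses. */
    int mib[3] = { CTL_KERN, KERN_PROCARGS2, (int)getpid() };
    len = sizeof buf;
    if (sysctl(mib, 3, buf, &len, NULL, 0) != 0) { perror("sysctl"); return 1; }
#else
    len = build_sample_buffer(buf, sizeof buf);         /* constructed data */
#endif
    int n = parse_procargs2(buf, len, &pa);
    if (n < 0) { fputs("malformed argument block\n", stderr); return 1; }
    printf("exec path: %s\nargc: %d\n", pa.exec_path, pa.argc);
    for (int i = 0; i < n; i++) printf("argv[%d] = %s\n", i, pa.argv[i]);
    return 0;
}
```

Run on OS X from the stopped hackArgv's shell (or pass a pid instead of getpid()) to see the same strings ps prints even after the program has clobbered its own argv[] pointers; the bounds checks on the path and each argument matter because the buffer length comes from the kernel and the parser must not walk past it.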