问题描述

我正在尝试为Mac OS X编写kext，它将在启动任何进程时得到通知.

I am trying to write kext for Mac OS X which will get notified when any process is started.

在Windows中，您可以通过调用PsSetLoadImageNotifyRoutine(...)并指定将在进程启动时调用的回调来执行此操作.这是有据可查的，并且可以从Win 2k开始在所有Windows中使用.

In Windows you can do this by calling PsSetLoadImageNotifyRoutine(...) and specify callback which will be called when the process is starting. This is documented way and it works in all Windows starting from Win 2k.

Mac是否有类似功能?似乎可以使用kauth进程侦听器来实现，但是进程范围从未在OS X中实现.

Is there anything similar for Mac? It seems like this is possible to achieve using kauth process listeners, but process scope has never been implemented in OS X.

另一种选择是钩住SYS_execve和好友，但这是未记录且不受支持的方式.我真的不想走这条路.

Another alternative is to hook SYS_execve and friends, but this is undocumented and unsupported way. I really don't want to go this way.

我不需要任何取消-只是想在进程启动时得到通知，并获取它的pid&路径.

I don't need any cancelling - just want to be notified when process is started, and get it's pid & path.

推荐答案

好，您的问题有点模棱两可.

Well, your question is a bit ambiguous.

当任何进程启动时通知"恕我直言，它表示fork系统调用，而不是execve.但是我不知道是否可以通过任何官方API在fork上通知您.

Being "notified when any process is started" IMHO means the fork syscall, not execve. However I have no idea if you can be notified on fork by any official API.

如果您对execve感兴趣，请查看内核授权(kauth)API .

If the execve is what you are interested in, take a look at the kernel authorization (kauth) API.

您可以在KAUTH_SCOPE_VNODE中注册并跟踪KAUTH_VNODE_EXECUTE在execve执行之前得到通知(并可能通过回调返回值来拒绝它)；或在KAUTH_SCOPE_FILEOP中注册并跟踪执行execve()后要通知的KAUTH_FILEOP_EXEC.

You can register in KAUTH_SCOPE_VNODE and track for KAUTH_VNODE_EXECUTE to be notified before the execve performs (and possibly deny it to succeed by return value from your callback); or register in KAUTH_SCOPE_FILEOP and track for KAUTH_FILEOP_EXEC to be notified after the execve() is performed.

这篇关于在Mac OS X中获取流程创建通知的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！