eval
Posted April 22, 2009

I'm trying to learn to parse the params of a syscall, for example to log which programs are being executed on my system, but I don't know how to do it. This is the source code I'm testing inside a kext:

    /* Argument block passed to the hook: the three execve() arguments. */
    struct h_execve_args {
        user_addr_t fname;
        user_addr_t argp;
        user_addr_t envp;
    };

    /* Returns int so the result of the original handler can be passed back. */
    static int
    hooked_execve(cp, uap, retval)
        register struct proc *cp;
        register struct h_execve_args *uap;
        register_t *retval;
    {
        char name[255];

        /* Copy the path from user space; the copyin() result is not checked. */
        copyin(uap->fname, name, 255);
        printf("Exec called: %s \n", name);

        /* Chain to the saved original execve handler. */
        return orig_execve(cp, uap, retval);
    }

But it always returns an empty name. Does anyone know what I should do?

Thanks in advance