Trying to parse a syscall param


#1 eval (InsanelyMac Protégé, Members, 15 posts)
I'm trying to learn to parse the params of a syscall, for example to log which programs are being executed on my system, but I don't know how to do it.

That's the source code; I'm testing it inside a kext:

#include <sys/types.h>
#include <sys/proc.h>
#include <sys/systm.h>        /* copyinstr() */
#include <libkern/libkern.h>  /* printf() */

struct h_execve_args {
    user_addr_t fname;
    user_addr_t argp;
    user_addr_t envp;
};

/* Assumed: the saved pointer to the original execve entry, set up elsewhere in the kext. */
extern int (*orig_execve)(struct proc *cp, struct h_execve_args *uap, register_t *retval);

/* Returns int (the original syscall's result), not void: the hook passes
 * orig_execve()'s return value back to the caller. */
static int hooked_execve(struct proc *cp, struct h_execve_args *uap, register_t *retval)
{
    char name[255];
    size_t done = 0;
    /* copyinstr() stops at the NUL, bounds the copy to sizeof(name) and
     * reports an error (EFAULT, ENAMETOOLONG) instead of leaving the buffer
     * unset; the result must be checked before name is used. */
    int err = copyinstr(uap->fname, name, sizeof(name), &done);
    if (err == 0)
        printf("Exec called: %s \n", name);
    else
        printf("Exec called: copyinstr failed (%d)\n", err);
    return orig_execve(cp, uap, retval);
}

But it always returns an empty name.

Does anyone know what I should do?

Thanks in advance
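The two-level copy the question is about (read fname, then walk the argp pointer array and copy each string it points to), as an added example that is not part of the original post: a user-space C model in which "user memory" is a byte array, user addresses are offsets into it, and the kernel's copyin()/copyinstr() are replaced by model_copyin()/model_copyinstr() stand-ins that keep the same contract (0 on success, EFAULT on a bad address, ENAMETOOLONG when no terminator fits). The names model_copyin, model_copyinstr, parse_execve_args, exec_info, build_sample and the sample memory layout are assumptions made for this example, not XNU code.

```c
/* Added example, not code from the original post: models how a kext would
 * read execve's fname and argv with bounded, error-checked copies. User memory
 * is a constructed byte array; user_addr_t values are offsets into it. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint64_t user_addr_t;   /* same name as the XNU type; here an offset */

#define USER_MEM_SIZE 256
static unsigned char user_mem[USER_MEM_SIZE];   /* simulated user address space */

/* Raw bounded copy with copyin()'s contract: fails instead of reading past the region. */
static int model_copyin(user_addr_t uaddr, void *kaddr, size_t len)
{
    if (uaddr > USER_MEM_SIZE || len > USER_MEM_SIZE - uaddr)
        return EFAULT;
    memcpy(kaddr, user_mem + uaddr, len);
    return 0;
}

/* String copy with copyinstr()'s contract: copies at most len bytes including the
 * NUL, reports the bytes copied in *done, and never returns an unterminated buffer. */
static int model_copyinstr(user_addr_t uaddr, char *kaddr, size_t len, size_t *done)
{
    size_t i;
    for (i = 0; i < len; i++) {
        if (uaddr + i >= USER_MEM_SIZE) { kaddr[0] = '\0'; return EFAULT; }
        kaddr[i] = (char)user_mem[uaddr + i];
        if (kaddr[i] == '\0') { *done = i + 1; return 0; }
    }
    kaddr[0] = '\0';
    return ENAMETOOLONG;
}

#define MAX_ARGS 8
#define MAX_ARG_LEN 32

struct exec_info {
    char fname[MAX_ARG_LEN];
    char argv[MAX_ARGS][MAX_ARG_LEN];
    int argc;
    int truncated;   /* argv had more entries than MAX_ARGS */
};

/* Read fname, then argv: each pointer and each string comes from the user
 * region through a bounded call whose return value decides what happens next. */
static int parse_execve_args(user_addr_t fname, user_addr_t argp, struct exec_info *out)
{
    size_t done;
    int err;
    memset(out, 0, sizeof *out);
    err = model_copyinstr(fname, out->fname, sizeof out->fname, &done);
    if (err) return err;
    for (out->argc = 0; out->argc < MAX_ARGS; out->argc++) {
        user_addr_t p;
        err = model_copyin(argp + (user_addr_t)out->argc * sizeof p, &p, sizeof p);
        if (err) return err;
        if (p == 0) return 0;                      /* argv is NULL-terminated */
        err = model_copyinstr(p, out->argv[out->argc], MAX_ARG_LEN, &done);
        if (err == ENAMETOOLONG)
            strcpy(out->argv[out->argc], "<too long>");   /* log a marker, keep going */
        else if (err)
            return err;
    }
    out->truncated = 1;
    return 0;
}

/* Constructed sample call laid out in the simulated user memory:
 *   offset 0:  "/bin/ls\0"   offset 16: "ls\0"   offset 32: "-la\0"
 *   offset 64: argv[] = { 16, 32, 0 } as 64-bit host-endian pointers
 * The 0xAA filler makes any unterminated read visible. */
static void build_sample(user_addr_t *fname, user_addr_t *argp)
{
    uint64_t ptrs[3] = { 16, 32, 0 };
    memset(user_mem, 0xAA, sizeof user_mem);
    memcpy(user_mem + 0, "/bin/ls", 8);
    memcpy(user_mem + 16, "ls", 3);
    memcpy(user_mem + 32, "-la", 4);
    memcpy(user_mem + 64, ptrs, sizeof ptrs);
    *fname = 0;
    *argp = 64;
}

int main(void)
{
    struct exec_info info;
    user_addr_t fname, argp;
    int i, err;
    build_sample(&fname, &argp);
    err = parse_execve_args(fname, argp, &info);
    if (err) { printf("parse failed: %d\n", err); return 1; }
    printf("Exec called: %s\n", info.fname);
    for (i = 0; i < info.argc; i++)
        printf("  argv[%d] = %s\n", i, info.argv[i]);
    return 0;
}
```

Two things the model makes visible that the kext code in the question does not: a copy that fails (fname pointing just before the end of the region, or at filler with no terminator) is reported as EFAULT or ENAMETOOLONG rather than logged as an empty or garbage name, and argv is walked pointer by pointer with its own bound so a long or malformed argument list cannot overrun the kernel-side buffers.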

© 2014 InsanelyMac