Get process command line in Apple Endpoint Security Framework

I am writing a system extension and I want to get the command line. Back in kauth's days we used to get the csFlags and then the image_params, but I think that ES doesn't give us a pointer to the csFlags anymore. Tried like this:

unsigned int csFlags = event->process->codesigning_flags;
struct image_params* image = (struct image_params *)((char *) csFlags - __offsetof(struct image_params, ip_csflags));

But the csFlags is not a valid memory region.

Accepted Reply

Back in kauth's days we used to get the csFlags and then the image_params

Well that’s a whole bunch of unsupported )-:

There are two ways you could approach this:

  • Watch for execs (ES_EVENT_TYPE_NOTIFY_EXEC) and cache the arguments supplied there. See the doc comments for es_event_exec_t.

  • Use libproc.

I think the first option is best because those values can be trusted. The problem with libproc is that it rummages around in the process’s high memory and the process can change that.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
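
To illustrate the first option, an added example that is not part of the post and is not Apple's sample code: an Objective-C ES client that subscribes to ES_EVENT_TYPE_NOTIFY_EXEC, copies argv out of es_event_exec_t with es_exec_arg_count/es_exec_arg, and keeps it in a pid-keyed cache that is cleared on ES_EVENT_TYPE_NOTIFY_EXIT. The cache, its serial queue and the CachedArgvForPid helper are my own names; it assumes the code runs in a system extension holding the Endpoint Security entitlement.

```objective-c
// Added example, not from the post or Apple: cache argv at exec time, look it up by pid later.
#import <Foundation/Foundation.h>
#import <EndpointSecurity/EndpointSecurity.h>
#import <bsm/libbsm.h>   // audit_token_to_pid

// pid -> argv, filled from NOTIFY_EXEC and removed on NOTIFY_EXIT (names are my own).
static NSMutableDictionary<NSNumber *, NSArray<NSString *> *> *gArgvByPid;
static dispatch_queue_t gCacheQueue;   // serialises all access to gArgvByPid

// Copy argv out of the event: the message and the strings it points at are only valid
// inside the handler, so nothing from es_exec_arg() may be kept as a pointer.
static NSArray<NSString *> *ArgvFromExec(const es_event_exec_t *exec) {
    uint32_t count = es_exec_arg_count(exec);
    NSMutableArray<NSString *> *argv = [NSMutableArray arrayWithCapacity:count];
    for (uint32_t i = 0; i < count; i++) {
        es_string_token_t tok = es_exec_arg(exec, i);   // token is length-delimited, not NUL-based
        NSString *s = [[NSString alloc] initWithBytes:tok.data length:tok.length
                                             encoding:NSUTF8StringEncoding];
        [argv addObject:s ?: @""];   // non-UTF-8 bytes give nil; keep argv positions stable
    }
    return argv;
}

// Later lookup, e.g. from another event handler for the same process. Returns nil for a
// process that has not exec'd since this client subscribed.
NSArray<NSString *> *CachedArgvForPid(pid_t pid) {
    __block NSArray<NSString *> *argv = nil;
    dispatch_sync(gCacheQueue, ^{ argv = gArgvByPid[@(pid)]; });
    return argv;
}

int main(void) {
    gArgvByPid = [NSMutableDictionary dictionary];
    gCacheQueue = dispatch_queue_create("argv-cache", DISPATCH_QUEUE_SERIAL);

    es_client_t *client = NULL;
    es_new_client_result_t res = es_new_client(&client, ^(es_client_t *c, const es_message_t *msg) {
        if (msg->event_type == ES_EVENT_TYPE_NOTIFY_EXEC) {
            // The process that exec'd is event.exec.target; exec keeps the pid, so key on it.
            pid_t pid = audit_token_to_pid(msg->event.exec.target->audit_token);
            NSArray<NSString *> *argv = ArgvFromExec(&msg->event.exec);
            dispatch_async(gCacheQueue, ^{ gArgvByPid[@(pid)] = argv; });
        } else if (msg->event_type == ES_EVENT_TYPE_NOTIFY_EXIT) {
            // Evict on exit so a reused pid never returns a stale command line.
            pid_t pid = audit_token_to_pid(msg->process->audit_token);
            dispatch_async(gCacheQueue, ^{ [gArgvByPid removeObjectForKey:@(pid)]; });
        }
    });
    if (res != ES_NEW_CLIENT_RESULT_SUCCESS) { fprintf(stderr, "es_new_client: %d\n", res); return 1; }

    es_event_type_t events[] = { ES_EVENT_TYPE_NOTIFY_EXEC, ES_EVENT_TYPE_NOTIFY_EXIT };
    if (es_subscribe(client, events, sizeof events / sizeof events[0]) != ES_RETURN_SUCCESS) return 1;
    dispatch_main();   // never returns; messages arrive on the handler's own queue
}
```

Processes that were already running when the client subscribed never pass through the exec handler, so a nil lookup is the expected result for them rather than an error.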
