I'm trying to find a way to hook vnode operations. The following is a snippet of the code:

    IOReturn
    FltIOKitKAuthVnodeGate::RegisterVnodeScopeCallback(void)
    {
        //
        // register our listener
        //
        this->VnodeListener = kauth_listen_scope( KAUTH_SCOPE_VNODE,                              // for the vnode scope
                                                  FltIOKitKAuthVnodeGate::VnodeAuthorizeCallback, // using this callback
                                                  this );                                         // give a cookie to callback

        if( NULL == this->VnodeListener ){
            DBG_PRINT_ERROR( ( "kauth_listen_scope failed\n" ) );
            return kIOReturnInternalError;
        }

        return kIOReturnSuccess;
    }

Here I use kauth_listen_scope to get the newly created vnode object, and then hook it.
But now kauth_listen_scope is deprecated, and there is no way to get the vnode by using EndpointSecurity.
So is there any other way to get the newly created vnode object?