xnu

Passing CFDictionary via IOKit command

烈酒焚心 submitted on 2019-12-11 07:29:14
Question: I'm looking for a universal method to configure parameters from a userspace agent to the kernel, since there is no Mac equivalent to the Windows registry, where a driver can directly access any key in this table using the ZwQueryValueKey command. Therefore, I'd like to pass a dynamic list of variables through CFDictionary. In IOConnectCallMethod there's a way to pass an input pointer, but the question is if I can pass a CFDictionary or CFDictionaryRef instead of just a simple struct. I saw that there are some

XNU includes in Kext

限于喜欢 submitted on 2019-12-11 03:58:17
Question: I'm working on a Kext which should have access to the struct proc->p_pid field. The problem is the structure is defined in XNU sources only, so I faced an incomplete definition of type 'struct proc' error during compilation. From my point of view, including XNU headers in my own project is a bad-smelling solution, but what is the alternative? Is it to copy and paste the structure into my own code? Answer 1: You're supposed to use proc_pid(proc_t) for this. The structure is meant to be opaque as,

Generic kernel Extension Cannot release OSObject derived class

家住魔仙堡 submitted on 2019-12-11 02:51:35
Question: I've got a Generic Kernel Extension which is implemented in C++ example for the start and end routines, whereas all the other logic is stored within a dedicated class inherited from OSObject. It creates the class upon the module start routine and releases it upon the stop routine, as shown in the code below: class com_my_driver : public OSObject { ... }; ... .. . com_my_driver *gDriver = NULL; extern "C" kern_return_t my_driver_start(kmod_info_t * ki, void *d) { gDriver = new com_my_driver;

Dtrace print parent process command

烂漫一生 submitted on 2019-12-10 23:38:30
Question: I'd like to have a script that, for each new running process, prints its starting command as well as its parent process. I'm using the following probes: proc::posix_spawn:exec-success,proc::__mac_execve:exec-success From within the script body, the command line string is built from curproc->p_dtrace_argv. The parent pid (ppid) is also available, but so far I haven't managed to figure out how to extract the parent process name (preferably the full name that can be taken from the parent's argv[0]). Answer 1: You

vnode and file descriptor in xnu, where is the file operation vector stored

丶灬走出姿态 submitted on 2019-12-10 11:28:12
Question: In xnu we have the vnode_t entity which represents the file globally. Each process can access the file (assuming it has the right permissions) by setting a new file descriptor and setting the vnode under fg_data: fp->f_fglob->fg_data = vp; The vnode contains a list of basic actions for all relevant operations and is set according to the file's FS, i.e. the HFS+ driver implements such a vector and sets its vnode accordingly. int (**v_op)(void *); /* vnode operations vector */ This is a vector for function

How does OS X generate a crash report?

爱⌒轻易说出口 submitted on 2019-12-06 05:54:44
Question: The material available from the web, mailing lists, books like Mac OS X Internals, and even source code is quite limited. Now I know that the xnu kernel raises an EXC_CRASH, which notify launched to start "Problem Reporter.app" (previously Crash Reporter.app). Is this app using some debugging interface to generate the crash report, or is the kernel already generating the report and just notifying the app to open the already-generated report? Answer 1: Every Mach thread and/or task (the underlying kernel object on

OS X kernel panic diagnostics. How to translate backtrace addresses

一曲冷凌霜 submitted on 2019-12-04 12:00:51
I'm debugging a driver that causes a kernel dump on my Mac. It shows a long backtrace composed of a series of addresses: panic(cpu 6 caller 0xffffff8004dc9986): trying to interlock destroyed mutex (0xffffff8049deedb0) Backtrace (CPU 6), Frame : Return Address 0xffffff93b1c8bb50 : 0xffffff8004ce5307 0xffffff93b1c8bbd0 : 0xffffff8004dc9986 0xffffff93b1c8bbe0 : 0xffffff8004d099eb 0xffffff93b1c8bc20 : 0xffffff7f85604899 0xffffff93b1c8bc50 : 0xffffff800519776b 0xffffff93b1c8bc90 : 0xffffff80051f336c 0xffffff93b1c8be00 : 0xffffff8005205fb3 0xffffff93b1c8bef0 : 0xffffff80052028a6 0xffffff93b1c8bf60 :

Where is the kprintf (kernel printf) log on Sierra?

巧了我就是萌 submitted on 2019-12-02 02:46:39
There are lots of pages that explain it but I can't find it. Many of the articles I find only work on El Capitan and older systems. I cannot use the fwkpfv right now as I don't have the right dongles. My client is getting me a used MacBook that will support firewire. My kernel extension panics my box. Quite oddly if my coworker builds my extension, it works just fine. I remain flummoxed. You can get "live" local kernel logs using the command log stream --process 0 For looking at past logs, use log show instead, e.g.: log show --predicate 'processID == 0' --last 1h | less None of that will help

What is required for a Mach-O executable to load?

前提是你 submitted on 2019-11-30 20:19:34
I am attempting to hand-write a Mach-O executable. There are three load commands: LC_SEGMENT_64 loading __PAGEZERO; LC_SEGMENT_64 loading __TEXT, with a single __text section; LC_UNIXTHREAD with an appropriately-set rip. Every command matches the structs in mach/loader.h and related headers. otool -l lists the information as expected and doesn't report any errors. By all accounts it is a well-formed object file — yet OS X 10.10.5 terminates the task (SIGKILL). What features of a Mach-O executable are checked before OS X will load it? Where is this information located? Do these features change

What is required for a Mach-O executable to load?

爷,独闯天下 submitted on 2019-11-30 04:28:36
Question: I am attempting to hand-write a Mach-O executable. There are three load commands: LC_SEGMENT_64 loading __PAGEZERO; LC_SEGMENT_64 loading __TEXT, with a single __text section; LC_UNIXTHREAD with an appropriately-set rip. Every command matches the structs in mach/loader.h and related headers. otool -l lists the information as expected and doesn't report any errors. By all accounts it is a well-formed object file — yet OS X 10.10.5 terminates the task (SIGKILL). What features of a Mach-O