Georgy Buranov
Reputation: 1336
Subscribe on new process creation from kext and get the pid of this process
I am trying to get the notifications about newly created processes in my kext. According to Get process creation notification in Mac OS X I have subscribed to KAUTH_FILEOP_EXEC
But for some strange reason, I have only 2 arguments avaliable - vnode and file name (https://developer.apple.com/library/mac/technotes/tn2127/_index.html).
The process should be already created at that time and have a pid, but kernel does not give it to me.
Is it possible to get the pid at this time?
Are there other ways to subscribe on new process creation from kext and get the pid of this process?
Upvotes: 2
Views: 603
Answers (1)
TheDarkKnight
Reputation: 27611
Yes, you can definitely get the pid from the file scope: -
#include <sys/proc.h>
proc_t self = proc_self();
int pid = proc_pid(self);
// ensure you release the reference to self
proc_rele(self);
Upvotes: 2
Related Questions
- Detect new process creation instantly in linux
- Get process creation notification in Mac OS X
- Best way to communicate from KEXT to Daemon and block until result is returned from Daemon
- How to monitor process creation and statistics using kernel module
- How do you get the current process ID in Mac kernel extension code?
- Listening for new Processes in Linux Kernel Module
- XNU: getting process startup and cleanup notifications in kext
- Find out the process name by pid in osx kernel extension
- Handling process information from a KEXT
- Way to get a pid of process that calls system call?