Reputation: 1202
Reading the terminal input with EndpointSecurity
Intro
I am integrating EndpointSecurity Framework and observing ES_EVENT_TYPE_AUTH_EXEC event.
I able to see the command arguments, but I am not able to read the command input.
Assuming that the command is as follow:
thirdPartyApp do something < ~/Desktop/file.txt
My code is: (msg is a value of type es_event_exec_t *)
for (int i = 0; i < es_exec_arg_count(&msg->event.exec); i++) {
es_string_token_t arg = es_exec_arg(&msg->event.exec, i);
print("arg: %s",arg.data);
}
Challenge is
The code output is only:
thirdPartyApp do something , without < ~/Desktop/file.txt
The thing is, < ~/Desktop/file.txt is not an argument, its a redirect as described here
What did I try?
- I tried to read the env arguments too, but they were not helpful at all.
- I tried to read the file descriptors, and then to read the file using NSFileHandle but they all were empty, 0 bytes.
Waiting to here from you
Upvotes: 0
Views: 239
Answers (1)
Reputation: 7897
Redirects work by the shell open(2)ing the files you redirected and dup(2)ing them onto 0,1,2 (depending on redirect) before fork(2)ing or posix_spawn(2)ing, and allowing the child (spawned command). That means that EPS will not be able to see them as es_exec_args - because (as you correctly say) they're not arguments.
If you use
const es_fd_t * _Nonnull
es_exec_fd(const es_event_exec_t * _Nonnull event, uint32_t index);
you should be able to get back an es_fd_t - however the only relevant field will be the fdtype:
typedef struct {
int32_t fd;
uint32_t fdtype;
union {
struct {
uint64_t pipe_id;
} pipe;
};
} es_fd_t;
A better option is to thus leave the comfort of EPS and use proc_info(2) (via libproc.h) which can get you the full FD information for any process and fd (much like supraudit from http://newosxbook.com/tools/supraudit.html does).
Note, that STILL won't get you the input itself. That input is consumed by the process using read(2) (and output using write(2), of course), and neither EPS nor BSM (auditing) offers hooks for that.
Upvotes: 1
Related Questions
- Input from the keyboard in command line application
- How to use EndpointSecurity API properly in MacOS 10.15?
- Getting input from stdin in a Cocoa command-line app's sub process
- How can I access macOS API calls from C on Mac?
- NSTask/NSPipe read from Unix command
- Calling Cocoa APIs from C
- Sending CURL command using Objective-C for an OS X App
- Read input from console in OSX
- NSPipe and System() - iPhone SDK Cocoa
- Read input from a cocoa/foundation tool console?