Onyx The Black Cat v0.2

November 16, 2008 in Mac Reversing, Tools | 7 comments

Here it is with support for Leopard and extended attributes.
All calls related to extended attributes are traced and dumped to /var/log/system.log (I find it more useful than fs_usage for this specific calls).
Check the .c file for options related to this.

For Leopard support you need to edit the .c file and change the define. I’m still searching for a better way to detect Leopard or Tiger in XCode. Maybe a Makefile flag. Suggestions ?
The Info.plist file needs to be edited and key com.apple.kernel changed to 9.5.0 (for Leopard 10.5.5). Something to improve here too.

Currently I can’t get the name of the process while running on Leopard. Had no time to investigate why there’s no info from the structure while the same thing works on Tiger. To be fixed :)

So grab the source here: onyx-the-black-cat.v0.2.src.tgz

If you find any problems or have any suggestions or code improvements feel free to post a comment or mail me.

fG!

  1. beowulf’s avatar

    beowulf on November 19, 2008 at 7:39 pm

    Hi!

    This module is great! I love it by now!
    As always, you did a great work!
    Thank you a lot! :)

    Reply

  2. Steve’s avatar

    Steve on November 21, 2008 at 10:03 am

    Hello

    You should make 2 different targets for the 2 systems, to build different kexts.

    A tool or a script may test the system version with uname and kextload the right kernel extension.

    About the process name issue, you can use the KPI proc_name() provided by Apple since Tiger :
    proc_name(pid,procnameString,procnameMaxLength);

    Thanks for the new version.

    Reply

  3. fG!’s avatar

    fG! on November 21, 2008 at 11:29 am

    I recall that function while I was searching for a way to convert pid to process name. Then I just noted I already had the proc structure passed to the function (it was puzzling me how the syscall could know which PID called it!) and I could grab the p_comm field.

    proc_name() implementation:

    void
    proc_name(int pid, char * buf, int size)
    {
    struct proc *p;

    if ((p = pfind(pid))!= (struct proc *)0) {
    strncpy(buf, &p->p_comm[0], size);
    buf[size-1] = 0;
    }
    }

    So it’s doing the same thing. I already changed to proc_name and will test with Leopard to see if it works :)

    Reply

  4. zorro’s avatar

    zorro on January 22, 2009 at 8:14 am

    i can build and load (after mod vers in Info.plist by hand) BUT

    [onyx-the-black-cat] Starting patching …
    [onyx-the-black-cat] Finding sysent table…
    [onyx-the-black-cat] Found nsysent at 0x61d780 (count 427), calculated sysent location at 0x61d7a0.
    [onyx-the-black-cat] Sanity check: verifying if number of syscalls arguments are the expected ones
    [onyx-the-black-cat] Sanity check: sanity check failed, could not find sysent table.
    [onyx-the-black-cat] Error: Cannot find sysent table

    can you please give a tipp! thx

    Reply

  5. fG!’s avatar

    fG! on January 22, 2009 at 5:06 pm

    Hello,

    Which OS X version are you using ? Leopard or Tiger ? If it’s Leopard, is it 10.5.6 ?

    fG!

    Reply

  6. Nah’s avatar

    Nah on March 5, 2009 at 10:47 pm

    $ sudo kextload -t /System/Library/Extensions/onyx-the-black-cat.kext
    kextload: extension /System/Library/Extensions/onyx-the-black-cat.kext appears to be loadable
    kextload: kmod_control/start failed for com.reverse.put.as.kext.onyx_the_black_cat; destroying kmod
    kextload: a link/load error occured for kernel extension /System/Library/Extensions/onyx-the-black-cat.kext
    link/load failed for extension /System/Library/Extensions/onyx-the-black-cat.kext
    (run kextload with -t for diagnostic output)

    i mod the plist to 9.6.0 and compiles with Xcode 3, any ideas?

    Reply

  7. fG!’s avatar

    fG! on March 6, 2009 at 12:52 am

    Sure. I can bet you haven’t looked at the source code and haven’t modified it to be used on Leopard instead Tiger ;)

    Check it out and you will see !

    Reply