Onyx The Black Cat v0.2

Here it is with support for Leopard and extended attributes.
All calls related to extended attributes are traced and dumped to /var/log/system.log (I find it more useful than fs_usage for this specific calls).
Check the .c file for options related to this.

For Leopard support you need to edit the .c file and change the define. I’m still searching for a better way to detect Leopard or Tiger in XCode. Maybe a Makefile flag. Suggestions ?
The Info.plist file needs to be edited and key com.apple.kernel changed to 9.5.0 (for Leopard 10.5.5). Something to improve here too.

Currently I can’t get the name of the process while running on Leopard. Had no time to investigate why there’s no info from the structure while the same thing works on Tiger. To be fixed 🙂

So grab the source here: onyx-the-black-cat.v0.2.src.tgz

If you find any problems or have any suggestions or code improvements feel free to post a comment or mail me.

fG!

7 thoughts on “Onyx The Black Cat v0.2

  1. Hello

    You should make 2 different targets for the 2 systems, to build different kexts.

    A tool or a script may test the system version with uname and kextload the right kernel extension.

    About the process name issue, you can use the KPI proc_name() provided by Apple since Tiger :
    proc_name(pid,procnameString,procnameMaxLength);

    Thanks for the new version.

  2. I recall that function while I was searching for a way to convert pid to process name. Then I just noted I already had the proc structure passed to the function (it was puzzling me how the syscall could know which PID called it!) and I could grab the p_comm field.

    proc_name() implementation:

    void
    proc_name(int pid, char * buf, int size)
    {
    struct proc *p;

    if ((p = pfind(pid))!= (struct proc *)0) {
    strncpy(buf, &p->p_comm[0], size);
    buf[size-1] = 0;
    }
    }

    So it’s doing the same thing. I already changed to proc_name and will test with Leopard to see if it works 🙂

  3. i can build and load (after mod vers in Info.plist by hand) BUT

    [onyx-the-black-cat] Starting patching …
    [onyx-the-black-cat] Finding sysent table…
    [onyx-the-black-cat] Found nsysent at 0x61d780 (count 427), calculated sysent location at 0x61d7a0.
    [onyx-the-black-cat] Sanity check: verifying if number of syscalls arguments are the expected ones
    [onyx-the-black-cat] Sanity check: sanity check failed, could not find sysent table.
    [onyx-the-black-cat] Error: Cannot find sysent table

    can you please give a tipp! thx

  4. $ sudo kextload -t /System/Library/Extensions/onyx-the-black-cat.kext
    kextload: extension /System/Library/Extensions/onyx-the-black-cat.kext appears to be loadable
    kextload: kmod_control/start failed for com.reverse.put.as.kext.onyx_the_black_cat; destroying kmod
    kextload: a link/load error occured for kernel extension /System/Library/Extensions/onyx-the-black-cat.kext
    link/load failed for extension /System/Library/Extensions/onyx-the-black-cat.kext
    (run kextload with -t for diagnostic output)

    i mod the plist to 9.6.0 and compiles with Xcode 3, any ideas?

  5. Sure. I can bet you haven’t looked at the source code and haven’t modified it to be used on Leopard instead Tiger 😉

    Check it out and you will see !

Leave a Reply

Your email address will not be published. Required fields are marked *