Detecting process start/exit notifications in Mac OS X


Volodymyr Shcherbyna

Nov 28, 2011, 4:26:26 AM
to darwin...@lists.apple.com

Hello Everyone,


I am trying to port my Windows project to Mac OS X and it seems like I am experiencing problems with this task.


The main idea of the project is to show network usage by applications. Therefore, it is essential to know the following information about each connection:


1. IP, Port


2. Pid of the process making connection


3. File path of “Pid”


4. User Id of the process making connection


In Windows this is achievable by using PsSetLoadImageNotifyRoutine (…) in a kernel driver and getting notifications about each process started/stopped. For the networking part one may use TDI, or LWF and/or an NDIS IM filter.


In Mac OS X it seems like I can use socket level NKE which is very well illustrated in tcplognke example. However, it seems like I cannot get process start/exit notifications. I checked this newsgroup for similar posts and I saw that there is no official way to accomplish this.


I would like to list alternatives I can follow, maybe someone may suggest a better way? So far, I have been thinking about the following directions:


1. Hooking SYS_execve and friends in my kext  (Very unstable and unreliable solution. I would like to avoid it)


2. Using NSWorkspace NSWorkspaceDidLaunchApplicationNotification notification in user mode application (Reports only “visible” applications and only per login session)


3. Using dtrace in a user mode application (Can see everything, but libdtrace is non-documented and may alter in future)


For the given moment, I am playing with solution №3: using libdtrace. It seems like it works, but a lot of research has to be done before actually making a commercial product based on quite an unstable approach ...

Did I miss something else? Any help or feedback is highly appreciated!

P.S. I could also have specified that one may use kauth approach, but the "process" scope has never been implemented by Apple :( It works though for file system scope which is good.

--
with best regards, Volodymyr
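As an added illustration of option 3 above (this is not code from the thread, from tcplognke or from Apple), here is a DTrace D script that logs process exec and exit events from user mode with the pid, parent pid, uid and the path handed to execve(2); the file name proc_trace.d and the column layout are my own choices.

```d
#!/usr/sbin/dtrace -s
/* Added example, not part of the original thread: trace process
 * start/exit via the DTrace proc provider from user mode.
 * Usage (needs root): sudo dtrace -s proc_trace.d
 */
#pragma D option quiet

BEGIN
{
    printf("%-13s %-7s %-7s %-6s %-16s %s\n",
           "EVENT", "PID", "PPID", "UID", "EXECNAME", "DETAIL");
}

/* Fires before the image is replaced: pid/execname still describe the
 * caller, arg0 is the path passed to execve(2). */
proc:::exec
{
    printf("%-13s %-7d %-7d %-6d %-16s path=%s\n",
           "exec", pid, ppid, uid, execname, stringof(arg0));
}

/* Fires in the context of the new image once execve(2) succeeded, so
 * execname now names the started program. Correlate with "exec" by pid. */
proc:::exec-success
{
    printf("%-13s %-7d %-7d %-6d %-16s\n",
           "exec-success", pid, ppid, uid, execname);
}

/* arg0 is the exit reason: CLD_EXITED, CLD_KILLED or CLD_DUMPED. */
proc:::exit
{
    printf("%-13s %-7d %-7d %-6d %-16s reason=%d\n",
           "exit", pid, ppid, uid, execname, arg0);
}
```

An exec that fails produces an "exec" row with no matching "exec-success" row, so the two should be joined by pid before trusting the path.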

Antoine Missout

Nov 28, 2011, 8:35:11 AM
to Volodymyr Shcherbyna, darwin...@lists.apple.com
I made a feature request regarding this more than a year ago.

I don't expect anything soon...

Let me know if you find something stable.

Regards,
Antoine



_______________________________________________
Do not post admin requests to the list. They will be ignored.
Darwin-kernel mailing list      (Darwin...@lists.apple.com)
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/darwin-kernel/antoine.missout%40metakine.com

This email sent to antoine...@metakine.com

Volodymyr Shcherbyna

Nov 28, 2011, 8:53:40 AM
to darwin...@lists.apple.com
Hi Antoine,

Well, I hope Apple will implement this feature request, this will be great. But I still need to find a solution for older versions of Mac OS X (i.e., 10.5.x).

-- 
with best regards, Volodymyr


Stéphane Sudre

Dec 27, 2011, 12:46:04 PM
to darwin-kernel Darwin

On 28 Nov 11, at 10:26, Volodymyr Shcherbyna wrote:

> Hello Everyone,
>
> I am trying to port my Windows project to Mac OS X and it seems like
> I am experiencing problems with this task.
>
> The main idea of the project is to show network usage by
> applications. Therefore, it is essential to know the following
> information about each connection:
>
> [...]

http://hints.macworld.com/article.php?story=20110906200849542

And the implementation at the kernel level is visible in the xnu
source code corresponding to the Mac OS X Lion release, IIRC.


