Determining which application is reading or writing data from within a Mac OS filter scheme driver

92 views Asked by At

I want to learn to develop a Mac OS filter scheme driver and I'm using a modified version of the SimpleCryptoDisk sample app from the book Mac OS X Internals. The source I am using is here.

As a next goal I want to modify this to track which applications are doing the reading and writing, and eventually print out a number of bytes that was read and written by each application.

I see in the read() call there is a pointer to the client (* IOService), however I haven't found any way to get the task/process from that object. I was thinking of calling an API to determine the current process, but since this code is running in a KEXT (in the kernel) I don't think that will help me identify a user-land process.

I found there an IOServer API called newUserClient() that contains task_t, which I assume is enough to get me the app name somehow. However I'm not sure how to link this call with the read() call.

Normally I'd just try a bunch of things experimentally, but since I am working in the kernel I want to tread carefully at first and avoid messing things up. So if someone can give me any hints to get the process name for a read or write that would be great.

1

There are 1 answers

2
pmdj On BEST ANSWER

I was thinking of calling an API to determine the current process, but since this code is running in a KEXT (in the kernel) I don't think that will help me identify a user-land process.

This is pretty much the best you're going to get; the API doesn't pass the ultimate originator of the I/O through. In most cases though, the call will be made as a result of file system activity triggered by a file I/O syscall, and will be running in the (kernel) context of a user-space process. So the proc_* APIs (from <sys/proc.h> will most of the time give you the information you seem to need.

IOService::newUserClient() deals with user processes directly interfacing with kernel IOService objects via the user-space IOKit libraries. This isn't how IOStorage I/O calls are invoked though, they go through the IOMediaBSDClient which provides the glue between block device files in /dev/ and the IOStorage stack.