I'd like to extract the file buffer data from a Vnode object.

I'm using BSD for MAC, and the link to the Vnode documentation can be found here: https://opensource.apple.com/source/xnu/xnu-1456.1.26/bsd/sys/vnode.h

Also, creating a read operation for each received callback as described here: https://stackoverflow.com/a/36217596/2452682 is not an option due to kernel memory limitations.

IdoT

1 Answer

What do you mean by 'extract file buffer data', and what limitations do you have in mind?

In general, the use of a dedicated fs-specific read routine is unavoidable - the file content is possibly not even present in RAM in the first place.

So, what are you doing?

  • What I mean is to read the file binary data. For example, during callback of scope 'KAUTH_FILEOP_EXEC', you should have all the data available. And lastly, I'd like to pass the file binary data to a user-mode daemon. – IdoT Nov 17 '16 at 09:50
  • No. First, according to http://fxr.watson.org/fxr/source/bsd/kern/kern_exec.c?v=xnu-2050.18.24#L1376 only the first page is *possibly* available at the time. I don't know what you are really trying to do, it sounds very wrong. If you need access to executed files (why?), I would suggest creating a file descriptor for each one and passing it to the listener. Then it can easily read files as needed. However, this sounds like an extremely misguided attempt at checksumming which is bound to fail - the kernel does not care what the listener returns. –  Nov 17 '16 at 11:52