
I am writing a system extension and I want to get the command line. Back in the kauth days we used to get the csFlags and then the image_params, but I think that ES doesn't give us a pointer to the csFlags anymore. I tried it like this:

unsigned int csFlags = event->process->codesigning_flags;
struct image_params* image = (struct image_params *)((char *) csFlags - __offsetof(struct image_params, ip_csflags));

But csFlags is not a valid memory region.

Toma

0 Answers