Home/ Questions/Q 7837659
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-02T14:46:30+00:00

I am trying to write kext for Mac OS X which will get notified

  • 0

I am trying to write kext for Mac OS X which will get notified when any process is started.

In Windows you can do this by calling PsSetLoadImageNotifyRoutine(…) and specify callback which will be called when the process is starting. This is documented way and it works in all Windows starting from Win 2k.

Is there anything similar for Mac? It seems like this is possible to achieve using kauth process listeners, but process scope has never been implemented in OS X.

Another alternative is to hook SYS_execve and friends, but this is undocumented and unsupported way. I really don’t want to go this way.

I don’t need any cancelling – just want to be notified when process is started, and get it’s pid & path.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Well, your question is a bit ambiguous.

    Being “notified when any process is started” IMHO means the fork syscall, not execve. However I have no idea if you can be notified on fork by any official API.

    If the execve is what you are interested in, take a look at the kernel authorization (kauth) API.

    You can register in KAUTH_SCOPE_VNODE and track for KAUTH_VNODE_EXECUTE to be notified before the execve performs (and possibly deny it to succeed by return value from your callback); or register in KAUTH_SCOPE_FILEOP and track for KAUTH_FILEOP_EXEC to be notified after the execve() is performed.

    • 0