Question

Inside a KEXT, I need to do some processing where I would get either a proc_t or just a pid. If I go the pid route, I would do a sysctl() of sorts.

Unfortunately, I can't do either. proc_t is undefined and sysctl() isn't either. sysctlbyname() can be called but kinfo_proc isn't defined. If I try to use proc_t, the compiler complains about forward definition of [struct proc].

I'm assuming that sysctl() is there to be used in user mode but is there any way I can use proc_t? I tried to use the XNU/osfmk/bsd include dir but then it won't compile because of redefinitions and other errors.

It's a little disconcerting and I'm still trying to wrap my head around what I can and cannot do. Surely this can be done but I just don't quite know how.


Solution

OK, I'm going to try and take a stab at the question I think you're asking.

As you've discovered, a proc_t is a pointer to an opaque struct proc. Don't write it off though, as there are various functions that operate on such pointers, so you don't need to gain direct access to the struct (which helps maintain binary compatibility). Most of these are declared in sys/proc.h in the Kernel.framework - i.e. /System/Library/Frameworks/Kernel.framework/Versions/A/Headers/sys/proc.h. You mention PID and parent PID, for which there are the following:

/* returns the pid of the given process */
extern int proc_pid(proc_t);
/* returns the pid of the parent of a given process */
extern int proc_ppid(proc_t);

There are also functions for going the other way - getting the proc_t for a PID etc.

Note that these functions are part of the BSD portion of the kernel, so your kext needs to declare a dependency on the BSD KPI bundle in its Info.plist (look up the kextlibs tool if you haven't come across this yet).

Coming from Windows, you'll probably have to get used to reading header files and source code instead of documentation. Much of the OSX kernel API is undocumented.
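The following is an added example, not part of the original answer and not XNU's own code. It shows the pid-to-proc_t direction with proc_find() and proc_rele() from sys/proc.h and walks the parent chain through proc_ppid() without touching struct proc. The example_* helpers and fake_table are hypothetical names, and the non-KERNEL branch holds constructed stand-ins so the logic can be compiled outside a kext.

```c
#ifdef KERNEL
#include <sys/proc.h>   /* proc_find, proc_rele, proc_ppid (BSD KPI) */
#include <sys/errno.h>
#else
/* Constructed user-space stand-ins so the logic compiles and runs outside
 * a kext. They are NOT the XNU implementations. */
#include <errno.h>
#include <stddef.h>
struct proc { int pid, ppid, refs; };
typedef struct proc *proc_t;
static struct proc fake_table[] = { {1, 0, 0}, {100, 1, 0}, {250, 100, 0} };
static proc_t proc_find(int pid) {
    for (size_t i = 0; i < sizeof fake_table / sizeof fake_table[0]; i++)
        if (fake_table[i].pid == pid) { fake_table[i].refs++; return &fake_table[i]; }
    return NULL;
}
static int proc_rele(proc_t p) { p->refs--; return 0; }
static int proc_ppid(proc_t p) { return p->ppid; }
#endif

/* Hypothetical helper: 0 and *ppid_out on success, ESRCH if pid is gone. */
int example_ppid_for_pid(int pid, int *ppid_out)
{
    proc_t p = proc_find(pid);      /* takes a reference on success */
    if (p == NULL)
        return ESRCH;
    *ppid_out = proc_ppid(p);       /* accessor; struct proc stays opaque */
    proc_rele(p);                   /* every proc_find needs a matching proc_rele */
    return 0;
}

/* Hypothetical helper: 1 if pid is ancestor or descends from it, 0 if not
 * (or the depth cap was hit), -1 if a process vanished during the walk.
 * Each step is a snapshot; pids can be reused, so the result is advisory. */
int example_descends_from(int pid, int ancestor, int max_depth)
{
    for (int depth = 0; depth <= max_depth; depth++) {
        int ppid;
        if (pid == ancestor)
            return 1;
        if (pid <= 0)
            return 0;               /* walked past the root */
        if (example_ppid_for_pid(pid, &ppid) != 0)
            return -1;
        pid = ppid;
    }
    return 0;
}
```

When built into a kext, the KERNEL branch is the one compiled, and the bundle must list com.apple.kpi.bsd among its dependencies for these symbols to resolve.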

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow