堆栈内存溢出
  简体   繁体   English

哪些方法/调用执行磁盘I / O操作,以及如何找到它们?

[英]Which methods/calls perform the disk I/O operations and how to find them?

 原文  2015-07-23 07:23:58       macos/ assembly/ reverse-engineering/ system-calls/ ptrace

问题描述

  1. Which methods and system calls should I hook into, so I can replace 'how' an OS X app (the target) reads and writes to/from the HD?. 我应该使用哪些方法和系统调用,以便可以替换OS X应用程序(目标)如何从HD读取和写入HD?
  2. How may I determine that list of functions or system calls?. 如何确定功能或系统调用列表?

Adding more context: This is a final project and I'm looking for advise. 添加更多上下文:这是最终项目,我正在寻求建议。 The goal is to alter the behavior of an OS X app, adding it data encryption and decryption capabilities. 目的是改变OS X应用程序的行为,为其添加数据加密和解密功能。

  1. Which tools could I use to achieve my goal, and why? 我可以使用哪些工具来实现自己的目标,为什么?

For instance, assume the target app is Text Edit. 例如,假设目标应用是“文本编辑”。 Instead of saving "hello world" as plain text in a .txt file in the HD, it'll save: "ifmmnXxnpme". 而不是将“ hello world”以纯文本格式保存在HD的.txt文件中,而是保存:“ ifmmnXxnpme”。 Opening the file will show the original text. 打开文件将显示原始文本。

1 个解决方案

解决方案1
 0 已采纳  

I think its better to get more realistic or at least conscious of what you want to do. 我认为最好变得更现实或至少意识到您想做什么。

The lowest level in software is a kernel module on top of the storage modules, that "encrypt" the data. 软件中的最低级别是存储模块之上的内核模块,用于“加密”数据。
In Windows you can stack drivers, so conceptually you simply intercept the call for a read/write, edit it and pass it down the driver stack. 在Windows中,您可以堆叠驱动程序,因此从概念上讲,您只需拦截对读/写的调用,对其进行编辑并将其传递到驱动程序堆栈中即可。
Under BSD there is an equivalent mechanism surely, but I don't know precisely what it is. 在BSD下肯定有一个等效的机制,但是我不确切知道它是什么。

I don't think you want to dig into kernel programming. 我认为您不想深入研究内核编程。

At the lowest level from an user space application point of view, there are the system calls. 从用户空间应用程序的角度来看,最低级别是系统调用。
The system calls used to write and read are respectively the number 3 and 4 (see here ), in BSD derived OS, like OS X, they becomes 2000003h and 2000004h (see here ). 在BSD派生的OS(如OS X)中,用于写入和读取的系统调用分别为3和4(请参见此处 ),它们分别为2000003h2000004h (请参见此处 )。
This IA32e specific since you are using Apple computers. IA32e特定于此,因为您使用的是Apple计算机。

Files can be read/written by memory mapping them, so you would need to hijack the system call sys_mmap too. 可以通过内存映射文件来读取/写入文件,因此您也需要劫持系统调用sys_mmap
This is more complex as you need to detect page faults or any mechanism used to implement file mapping. 由于您需要检测页面错误或用于实现文件映射的任何机制,因此这更加复杂。

To hijack system calls you need a kernel module again. 要劫持系统调用,您需要再次使用内核模块。

The next upper level of abstraction is the runtime, that probably is the Obj C runtime (up to data, Swift still use Obj C runtime AFAIK). 下一个更高的抽象层是运行时,可能是Obj C运行时(在数据上,Swift仍使用Obj C运行时AFAIK)。

An Obj C application use the Cocoa Framework and can read/write to file with calls like [NSData dataWithContentOfFile: myFileName] or [myData writeToFile: myFileName atomically:myAtomicalBehavior] . Obj C应用程序使用Cocoa Framework,并可以通过[NSData dataWithContentOfFile: myFileName][myData writeToFile: myFileName atomically:myAtomicalBehavior]类的调用来读取/写入文件。
There are plenty of Cocoa methods that write to or read from file, but internally the framework will use few methods from the Obj C runtime. 有很多可写入或读取文件的Cocoa方法,但是在内部框架将仅使用Obj C运行时中的方法。 I'm not an expert of the internals of Cocoa, so you need to take a debugger and look what the invocation chain is. 我不是Cocoa内部专家,因此您需要使用调试器并查看调用链是什么。

Once you have found the "low level" methods that read or write to files you can use method swizzling . 找到可以读写文件的“低级”方法后,即可使用swizzling方法

If the target app load your code as part of a library, this is really simple, otherwise you need more clever techniques (like infecting or manipulating the memory of the other process directly). 如果目标应用程序将您的代码作为库的一部分加载,这确实很简单,否则您将需要更巧妙的技术(例如直接感染或操纵其他进程的内存)。 You can google around for more info. 您可以在Google周围搜索更多信息。

Again to be honest this is still a lot of work, although manageable. 再次说老实话,尽管可以管理,但是这仍然是很多工作。
You may consider to simply hijack a limited set of Cocoa methods, for example the writeToFile of NSData or similar for NSString and consider the project a work in progress demo. 您可以考虑简单地劫持一组有限的Cocoa方法,例如NSDatawriteToFileNSString类似方法,然后将该项目视为正在进行中的演示。

A similar question has been asked and answered here . 在这里已经提出了类似的问题并得到了回答。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 osx:如何找到磁盘I / O缓存的大小(例如,写入缓存) - osx: how do I find the size of the disk i/o cache (write cache, for example) 并行磁盘I / O. - Parallel Disk I/O 命令行 java 程序的磁盘 I/O - disk I/O of a command line java program AppleScript,它会调用“磁盘工具”以制作DMG文件 - AppleScript, which calls Disk Utility to make DMG file 如何捕获对硬盘的读/写并将其显示在OS X上? - How do I catch read/writes to the hard disk and display them on OS X? 如何查找磁盘卷的格式 - How to find the format of a disk volume OSX:列出包含Author:XXXX的文件,然后对它们进行grep以查找它们具有多少种方法 - OSX : list files that contains Author:XXXX then grep them to find how many methods they have 在为多个版本进行编译时,如何包含对仅在一个操作系统版本中存在的方法的调用? - How do I include calls to methods only present in one operating system version when compiling for multiple versions? 在XCode上使用I / O Kit中的方法时,构建失败 - Build fails when using methods from I/O Kit on XCode Flutter macOS 构建错误:访问构建数据库磁盘 I/O 错误 ** BUILD FAILED ** - flutter macOS build error: accessing build database disk I/O error ** BUILD FAILED **
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM