Which methods/calls perform the disk I/O operations and how to find them?
Adding more context: this is a final project and I'm looking for advice. The goal is to alter the behavior of an OS X app, adding data encryption and decryption capabilities to it.

For instance, assume the target app is TextEdit. Instead of saving "hello world" as plain text in a .txt file on the HD, it will save "ifmmnXxnpme". Opening the file will show the original text.
I think it's better to get more realistic, or at least conscious of what you want to do.

The lowest level in software is a kernel module, sitting on top of the storage modules, that "encrypts" the data. In Windows you can stack drivers, so conceptually you simply intercept the call for a read/write, edit it and pass it down the driver stack. Under BSD there is surely an equivalent mechanism, but I don't know precisely what it is. I don't think you want to dig into kernel programming.
At the lowest level from a user-space application's point of view, there are the system calls. The system calls used to write and read are respectively number 3 and 4 (see here); in BSD-derived OSes, like OS X, they become 2000003h and 2000004h (see here). This is IA32e specific, since you are using Apple computers. Files can also be read/written by memory-mapping them, so you would need to hijack the system call sys_mmap too. This is more complex, as you need to detect page faults or whatever mechanism is used to implement file mapping. To hijack system calls you need a kernel module again.
The next upper level of abstraction is the runtime, which is probably the Obj C runtime (to date, Swift still uses the Obj C runtime AFAIK). An Obj C application uses the Cocoa framework and can read/write a file with calls like [NSData dataWithContentsOfFile: myFileName] or [myData writeToFile: myFileName atomically: myAtomicalBehavior].
There are plenty of Cocoa methods that write to or read from files, but internally the framework will use only a few methods from the Obj C runtime. I'm not an expert on the internals of Cocoa, so you need to take a debugger and look at what the invocation chain is.
Once you have found the "low level" methods that read or write files, you can use method swizzling. If the target app loads your code as part of a library, this is really simple; otherwise you need more clever techniques (like infecting or manipulating the memory of the other process directly). You can google around for more info.

Again, to be honest, this is still a lot of work, although manageable.
You may consider simply hijacking a limited set of Cocoa methods, for example the writeToFile of NSData or something similar for NSString, and consider the project a work-in-progress demo.

A similar question has been asked and answered here.
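The "hijack a limited set of Cocoa methods" route the answer ends on, as an added example that is not part of the original question or answer: an injectable Objective-C library that swizzles -[NSData writeToFile:atomically:] and +[NSData dataWithContentsOfFile:] so that bytes are transformed on the way to disk and restored on the way back. The XOR transform, kDemoKey, the hooked_ selector names, the file name under NSTemporaryDirectory() and the DEMO_MAIN self-check are my own placeholders; the runtime calls (class_getInstanceMethod, class_getClassMethod, method_exchangeImplementations) are the real ones from <objc/runtime.h>.

```objective-c
// swizzle_io.m  (added example, not code from the original post)
//
// As an injectable library:
//   clang -fobjc-arc -dynamiclib -framework Foundation -o libswizzle_io.dylib swizzle_io.m
//   DYLD_INSERT_LIBRARIES=./libswizzle_io.dylib ./YourOwnCocoaApp
// As a stand-alone round-trip check:
//   clang -fobjc-arc -DDEMO_MAIN -framework Foundation -o demo swizzle_io.m && ./demo
#import <Foundation/Foundation.h>
#import <objc/runtime.h>

// Toy, symmetric byte transform: XOR every byte with one constant. This is a
// placeholder for a real cipher, not encryption; its only property we rely on
// is that applying it twice yields the original bytes.
static const uint8_t kDemoKey = 0x2A;   // assumed demo constant

static NSData *transform(NSData *in) {
    NSMutableData *out = [in mutableCopy];
    uint8_t *p = out.mutableBytes;
    for (NSUInteger i = 0; i < out.length; i++) {
        p[i] ^= kDemoKey;
    }
    return out;
}

@implementation NSData (IOHook)

// Replacement for -[NSData writeToFile:atomically:]. Once the implementations
// are exchanged, sending hooked_writeToFile:atomically: runs the ORIGINAL
// Foundation code, so this is how we reach the real write.
- (BOOL)hooked_writeToFile:(NSString *)path atomically:(BOOL)flag {
    NSData *onDisk = transform(self);
    return [onDisk hooked_writeToFile:path atomically:flag];
}

// Replacement for +[NSData dataWithContentsOfFile:]: read the transformed
// bytes through the original implementation, then undo the transform.
+ (instancetype)hooked_dataWithContentsOfFile:(NSString *)path {
    NSData *raw = [self hooked_dataWithContentsOfFile:path];
    return raw ? transform(raw) : nil;
}

@end

static void swapInstance(Class cls, SEL orig, SEL repl) {
    Method m1 = class_getInstanceMethod(cls, orig);
    Method m2 = class_getInstanceMethod(cls, repl);
    if (m1 && m2) method_exchangeImplementations(m1, m2);
    else NSLog(@"swizzle_io: instance method %@ not found", NSStringFromSelector(orig));
}

static void swapClass(Class cls, SEL orig, SEL repl) {
    Method m1 = class_getClassMethod(cls, orig);
    Method m2 = class_getClassMethod(cls, repl);
    if (m1 && m2) method_exchangeImplementations(m1, m2);
    else NSLog(@"swizzle_io: class method %@ not found", NSStringFromSelector(orig));
}

// Runs when the dylib is loaded (or before main() in the demo build), so the
// hooks are in place before any application code touches a file.
__attribute__((constructor))
static void install(void) {
    swapInstance([NSData class],
                 @selector(writeToFile:atomically:),
                 @selector(hooked_writeToFile:atomically:));
    swapClass([NSData class],
              @selector(dataWithContentsOfFile:),
              @selector(hooked_dataWithContentsOfFile:));
}

#ifdef DEMO_MAIN
int main(void) {
    @autoreleasepool {
        NSString *path = [NSTemporaryDirectory()
                          stringByAppendingPathComponent:@"swizzle_demo.txt"];  // assumed path
        NSData *plain = [@"hello world" dataUsingEncoding:NSUTF8StringEncoding];

        [plain writeToFile:path atomically:YES];             // hooked: transformed bytes hit disk
        NSData *back = [NSData dataWithContentsOfFile:path];  // hooked: transformed back on read
        NSLog(@"round trip matches original: %d", [back isEqualToData:plain]);

        // Bypass the read hook (this selector now maps to the original
        // implementation) to show what is actually stored on disk.
        NSData *raw = [NSData hooked_dataWithContentsOfFile:path];
        NSLog(@"bytes on disk: %@", raw);
        [[NSFileManager defaultManager] removeItemAtPath:path error:NULL];
    }
    return 0;
}
#endif
```

Three caveats a practitioner would check before relying on this. First, NSData is a class cluster and has several other entry points (writeToFile:options:error:, writeToURL:..., dataWithContentsOfURL:, the NSString and NSFileWrapper readers); anything that does not pass through the two swizzled selectors is untouched, which is exactly why the answer tells you to trace the invocation chain in a debugger rather than guess. Second, on current macOS, SIP and library validation stop DYLD_INSERT_LIBRARIES from loading into Apple-signed applications such as TextEdit, so test the injection against a Cocoa app you built yourself. Third, the XOR step is a stand-in: swap in a real authenticated cipher before calling the result encryption.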