macOS Monitor new forked processes using kevents
Question
I'm trying to monitor all newly created processes using Kevents by monitoring EVFILT_PROC using launchd pid, which is 1:
struct kevent ke = { 0 };
const pid_t pid_of_launchd = 1;
EV_SET(&ke, pid_of_launchd, EVFILT_PROC, EV_ENABLE | EV_ADD | EV_CLEAR, NOTE_FORK | NOTE_EXEC, 0, NULL);
I do receive events when new processes are created by I can't retrieve the new process PID nor name:
struct kevent change = { 0 };
int next_event = kevent(kq, NULL, 0, &change, 1, NULL);
// change.ident always equal 1
Has anyone encountered this ?
Thanks!
1 answers
solution1
0 2020-09-09 14:18:57
the ident is the id (serial #) of the event. You should be checking the filter specific data (a uint64_t).
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.
Related Question
python forked processes not executing with os.execlp
Monitor arguments of call to dylib in Macos
Metal on macOS – Monitor refresh sync?
Why can't I use cocoa frameworks in different forked processes?
How to monitor events from other processes
macOS - Background Image in NSView disappears on secondary monitor
Is there a way to monitor heap usage in C++/MacOS?
MacOS Activity Monitor commands (cached files) in Python
MacOS: Determine which monitor any window application is on?
Killing all descendent processes robustly on macOS
Related Tags