I am trying to detect / receive a notification when a new process is created in the MAC. The easiest way is to interrogate all the processes and see if the new process has been started, but it is too long, and I wanted to know if I can somehow receive a notification when the new process starts using forked and execve Here is what I already found:
About how a new process starts in MAC:
OS X is a lot of Unix. New processes are created using the fork () system call. This creates an almost identical copy of the process that makes the call (the difference is that fork returns 0 in the child and pid of the child in the parent). Then it’s normal to use one of the exec () system calls in the child to convert the child into a process executing another executable.
How does a new application run on a Mac?
When listing all processes using a poll
http://www.cocoabuilder.com/archive/cocoa/92971-bsd-processes-with-code.html
I also went through kAuth kext, but it seems to be above my level if I don't have example code for simple so that I can understand how to generate kext and use it in an example application.
https://developer.apple.com/library/mac/technotes/tn2127/_index.html
NSWorkspace has a notifier, but this is true only for applications, not for all processes.
Any tutorial / sample code with some basic understanding of how to solve this problem would be greatly appreciated.
source
share