• Mac Security,  Swift

    Script to List Extensions Running on a Mac

    I wrote an article about extensions on macOS a few weeks ago, and have since written a couple of other extensions. The interesting thing about modern extensions is that different types of extensions can live in different places on a file system, become instantiated in different ways or with different mechanisms, and, due to the way messages traverse XPC, operate in very different ways. The tools Apple has made available to see what’s running are primarily geared towards protecting privacy. This leaves a small gap for those interested more in securing machines and preventing exfiltration. There isn’t a single binary that can provide a simple listing of…

  • Mac OS X,  Mac Security,  Mass Deployment,  Ubuntu

    Managing Core Dumps

    The core dump is a memory image of a process’s in-core state that is written to the /cores directory by default and is named core followed by a . and then the pid number. So if a process with pid 87 crashes, a file is written by default at /cores/core.87. The feature can be turned off using sysctl, along with the kern.coredump MIB, setting it to 0 (by default it’s 1):

    sysctl kern.coredump=0

    To turn it back on:

    sysctl kern.coredump=1

    Additionally, you can change the path that the files are written into, using sysctl along with the kern.corefile MIB. The corefile is an expression that by default writes core.%P where…

  • Mac OS X,  Mac OS X Server,  Mac Security,  Mass Deployment

    Troubleshooting Mac OS X Kernels w/ dmesg

    The first thing that loads in OS X is the kernel. The kernel is how users interface with hardware and sets the stage for interaction by probing for each driver that needs to be loaded and tracking what is found. The presence of everything about the system is tracked when the kernel loads as well as pertinent boot parameters. Even if you’re booting in verbose mode, most of this probably happens too fast to notice. You might be able to pause it, but you’re still trying to react to things too quickly in many cases. That’s where the dmesg command comes into play, which lets you review and control the…

  • Mac OS X,  Mac OS X Server,  Mass Deployment

    Snow Leopard systemsetup Options

    systemsetup is a great little command, for setting date and time, for wake on LAN, etc. But in Mac OS X 10.6, you can also set your kernel boot architecture? Weird, eh? Not as weird as the length of the option…

    systemsetup -getkernelbootarchitecturesetting

    Try saying it three times really fast. Now again with a French accent! Anyway, if you want to set the kernel boot architecture to 32 bit, set it to i386, and if you want to set it to 64 bit, use x86_64 with the -setkernelbootarchitecture option (default is the default value). It edits the com.apple.Boot.plist located at /Library/Preferences/SystemConfiguration/com.apple.Boot.plist.