/// Turn one kernel-extension info entry into a table row and append it.
///
/// The signature matches a CFDictionary applier callback; the caller is not
/// visible here, so how it is invoked should be confirmed against the caller.
///
/// @param key     entry key; only checked for null, never read.
/// @param value   entry value; ignored unless its CF type is CFDictionary.
/// @param results opaque pointer that is cast to QueryData* and appended to.
void genExtension(const void *key, const void *value, void *results) {
  // All three pointers are required; bail out before touching any of them.
  if (!key || !value || !results) {
    return;
  }

  // Check the CF type before casting: the value arrives as an untyped pointer
  // and is only usable below if it is a dictionary.
  const bool is_dictionary =
      CFGetTypeID(static_cast<CFTypeRef>(value)) == CFDictionaryGetTypeID();
  if (!is_dictionary) {
    return;
  }

  CFDictionaryRef kext = static_cast<CFDictionaryRef>(value);
  auto bundle_id = getKextString(kext, CFSTR("CFBundleIdentifier"));
  auto load_tag = getKextInt(kext, CFSTR("OSBundleLoadTag"));

  Row row;
  row["name"] = bundle_id;
  row["idx"] = INTEGER(load_tag);
  row["refs"] = getKextInt(kext, CFSTR("OSBundleRetainCount"));
  row["size"] = getKextBigInt(kext, CFSTR("OSBundleLoadSize"));
  row["version"] = getKextString(kext, CFSTR("CFBundleVersion"));
  row["linked_against"] = getKextLinked(kext, CFSTR("OSBundleDependencies"));
  row["path"] = getKextString(kext, CFSTR("OSBundlePath"));

  auto *rows = static_cast<QueryData *>(results);
  rows->push_back(row);
}
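/// Build the kernel-extension table rows from the loaded-kext info dictionary.
///
/// @param context query context; its "name" and "idx" constraints are checked
///        before the remaining per-extension lookups are made.
/// @return one Row per loaded extension that passes the constraints; empty
///         when no kext info is available or the scratch buffer cannot be
///         allocated.
QueryData genKextstat(QueryContext &context) {
  QueryData results;

  // Populate dict of kernel extensions. The reference is released on every
  // exit path below.
  CFDictionaryRef dict = OSKextCopyLoadedKextInfo(nullptr, nullptr);
  if (dict == nullptr) {
    // CFDictionaryGetCount and CFRelease must not be handed a null
    // reference, so report "no rows" instead of crashing the process.
    return results;
  }

  const CFIndex count = CFDictionaryGetCount(dict);
  if (count <= 0) {
    CFRelease(dict);
    return results;
  }

  // Allocate memory for each extension parse.
  auto values = static_cast<void **>(
      malloc(sizeof(void *) * static_cast<size_t>(count)));
  if (values == nullptr) {
    // Without this check CFDictionaryGetKeysAndValues would write `count`
    // pointers through a null buffer.
    CFRelease(dict);
    return results;
  }
  CFDictionaryGetKeysAndValues(dict, nullptr, const_cast<const void **>(values));

  for (CFIndex j = 0; j < count; j++) {
    // The values come back as untyped pointers and are handed to the
    // getKext* helpers together with dictionary key names; skip anything
    // that is missing or is not a CFDictionary instead of passing a
    // mistyped object along.
    if (values[j] == nullptr ||
        CFGetTypeID(static_cast<CFTypeRef>(values[j])) !=
            CFDictionaryGetTypeID()) {
      continue;
    }

    // name
    auto name = getKextString(values[j], CFSTR("CFBundleIdentifier"));
    auto kextTag = getKextInt(values[j], CFSTR("OSBundleLoadTag"));

    // Possibly limit expensive lookups.
    if (!context.constraints["name"].matches(name)) {
      continue;
    }

    if (!context.constraints["idx"].matches<int>(kextTag)) {
      continue;
    }

    auto references = getKextInt(values[j], CFSTR("OSBundleRetainCount"));

    // size
    auto load_size = getKextBigInt(values[j], CFSTR("OSBundleLoadSize"));
    auto wired_size = getKextBigInt(values[j], CFSTR("OSBundleWiredSize"));
    auto version = getKextString(values[j], CFSTR("CFBundleVersion"));

    // linked_against
    auto linked = getKextLinked(values[j], CFSTR("OSBundleDependencies"));

    Row r;
    r["idx"] = INTEGER(kextTag);
    r["refs"] = INTEGER(references);
    r["size"] = BIGINT(load_size);
    r["wired"] = BIGINT(wired_size);
    r["name"] = name;
    r["version"] = version;
    r["linked_against"] = linked;
    results.push_back(r);
  }

  CFRelease(dict);
  free(values);
  return results;
}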