<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
<br>
<blockquote
cite="mid:43860.204.153.88.2.1207841031.squirrel@www.geekisp.com"
type="cite">
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="">Dynamic Kernel Linker (KLD) Facility Programming Tutorial [Intro]
<a class="moz-txt-link-freetext" href="http://rlz.cl/books/Books/BSD/blueprints.html">http://rlz.cl/books/Books/BSD/blueprints.html</a>
I think the second one actually explains that module_t business.
</pre>
</blockquote>
<pre wrap="">Yes, thank you. That one drops a big hint:
The 'module_t mod' structure is just a pointer to the module structure.
This structure is part of a linked list of currently loaded modules. It
contains links to the other modules loaded, KLD ID number and other such
useful information.
I'd still like to be able to find where that linked list is defined.
I guess I'll just keep reading Rootkits. Considering that hint, I'll
guess it's addressed later when he starts hiding things.
</pre>
</blockquote>
<pre wrap=""><!---->
Tim,
Just one suggestion if I may - try reading the kernel source (also).
That would probably give you more insight into how modules work
then a reference on how to rootkit them :)
</pre>
</blockquote>
<br>
Very true. But I've been walking around beating myself up with this
"Design & Implementation" book for so long it's depressing.<br>
Browsing sys/kern without any particular (or some obscure) purpose has
thoroughly boggled my brain and put me to sleep on numerous occasions.<br>
<br>
I *want* to understand it, but I think what I've been needing is a
lower / more defined point of entry.<br>
"Rootkits" has been excellent for that. An exciting sort of taboo
allure, with very well defined, fairly simple objectives with an
intimate exposure to (what I'm guessing to be) some of the most
significant aspects of the system internals.<br>
<br>
<blockquote
cite="mid:43860.204.153.88.2.1207841031.squirrel@www.geekisp.com"
type="cite">
<pre wrap="">
As for the module list, I think here it is in
sys/kern/kern_module.c:
...
typedef TAILQ_HEAD(, module) modulelist_t;
struct module {
TAILQ_ENTRY(module) link; /* chain together all modules */
TAILQ_ENTRY(module) flink; /* all modules in a file */
struct linker_file *file; /* file which contains this module */
int refs; /* reference count */
int id; /* unique id number */
char *name; /* module name */
modeventhand_t handler; /* event handler */
void *arg; /* argument for handler */
modspecific_t data; /* module specific data */
};
...
</pre>
</blockquote>
<br>
That is exactly what I was looking for.<br>
Thank you, so much! I owe you dinner :)<br>
<br>
I thought for sure it would have turned up in cscope by searching the
headers.<br>
<br>
<br>
</body>
</html>