I've been messing around with intercepting system calls. Finding examples of kernel extension code that intercepts syscalls is not easy, especially on Mountain Lion. The few that I've found use a hardcoded memory address for the _nsysent variable and use that to track down sysent. From there you can replace the pointer to whatever syscall you please.

The location of _nsysent can be found by running "nm -g /mach_kernel | grep _nsysent". The value at *_nsysent should be decimal 440 (the number of system calls in Mountain Lion). I've verified that that number is stored in /mach_kernel at that address.

Using the "pt_deny_attach" kernel extension as an example (here) I defined the following items at the start of my program:

Code:
    #define _NSYSENT_OSX_10_8_0_ 0xffffff8000839818
    static int *_nsysent = (int *)_NSYSENT_OSX_10_8_0_;

When I put the following code inside my kernel extension's "start" procedure:

Code:
    printf("Found nsysent at %p\n", _nsysent);

and I put "com.apple.kpi.libkern" in the extension's plist file as an OSBundledLibrary, everything loads fine and I see the 0xffffff8000839818 value listed in my system logs. But when I change it to:

Code:
    printf("Found nsysent at %p (count %d)\n", _nsysent, *_nsysent);

The kernel crashes hard. As I try to access the value at _nsysent the kernel crashes.

Can anyone tell me what I'm doing wrong? Could this be due to ASLR? I figured even if ASLR moved the location of _nsysent there should still be some number at that memory address that would be returned.