Igor Delovski Board My Own Personal Slashdot!
delovski
Joined: 14 Jun 2006 Posts: 3524 Location: Zagreb
Posted: Mon Jul 17, 2017 5:25 pm Post subject: DTrace
apple.stackexchange - Now that El Capitan is 'rootless', is there any way
to get dtrace working?
"Copy the binary to a directory that is not 'restricted', for example, /tmp.
csrutil disable does not work for dtruss to some degree. But as @J.J said chroot
works, this inspired me.
Still I don't know why this works. It may have something to do with the
'protected directories', I guess."
delovski
Joined: 14 Jun 2006 Posts: 3524 Location: Zagreb
Posted: Mon Jul 17, 2017 5:25 pm Post subject:
internals - DTrace vs. System Integrity Protection
(reboot, hold cmd+R until a progress bar appears; csrutil disable / enable)
"The Good
You're able to do anything you want with the OS, yay! ٩(⸝⸝⸝◕ั ௰ ◕ั⸝⸝⸝ )و
The Bad
You're not safe: there're plenty of rootkits in the wild which can infect your
system. Actually, you're as safe as on OS X 10.10 or 10.9, so judge for
yourself."
sudo dtrace -n 'syscall:::entry /execname == "securityd"/ { printf("%s %s",execname,copyinstr(arg0)); }'
delovski
Joined: 14 Jun 2006 Posts: 3524 Location: Zagreb
Posted: Mon Jul 17, 2017 5:29 pm Post subject:
amazon - Advanced Apple Debugging & Reverse Engineering
Exploring Apple code through LLDB, Python and DTrace
"In Advanced Apple Debugging and Reverse Engineering, you'll come to
realize debugging is an enjoyable process to help you better understand
software. Not only will you learn to find bugs faster, but you'll also learn
how other developers have solved problems similar to yours. You'll also
learn how to create custom, powerful debugging scripts that will help you
quickly find the secrets behind any bit of code that piques your interest."
delovski
Joined: 14 Jun 2006 Posts: 3524 Location: Zagreb
Posted: Mon Jul 17, 2017 5:46 pm Post subject:
Mark Dalrymple - Hooked on DTrace, part 1
"What is this 'DTrace' thing? It stands for 'Dynamic Tracing', a way you can
attach 'probes' to a running system and peek inside as to what it is doing. It
was created by Sun for Solaris, and was ported to the Mac in the Mac OS X
10.5 'Leopard' time frame. DTrace is not available on iOS, but you can use it
in the simulator.
Imagine being able to say - whenever malloc is called in Safari, record the
amount of memory that's been asked for. Or - whenever anyone opens
Hasselhoff.mov on the system, tell me the app that's doing so. Or - show
me every message being sent to this particular object. Or - show me where
every NSUndoManager has been created, and tell me the address of that
object in memory.
See what files are being opened by Time Machine during a backup, including
the files being backed up:
Code:
# dtrace -n 'syscall::open*:entry /execname == "backupd"/ { printf ("%s", copyinstr(arg0)); }'
Replace 'backupd' with 'mdworker' to see what Spotlight is indexing on
your system."
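
Added example, not part of the original post or of the quoted article: a D script that generalizes the file-open one-liner above to any process name and copies the path at syscall return rather than at entry. It assumes macOS 10.10 or later probe names (`open_nocancel`, `openat*`) and a hypothetical file name `opens.d`; `openat` is handled separately because its path is the second argument, not the first.

```d
#!/usr/sbin/dtrace -s
/*
 * Added example, not from the quoted article.
 * Usage (opens.d is a hypothetical file name):
 *     sudo dtrace -s opens.d backupd
 * $$1 is the first script argument as a string: the process name to watch.
 * Assumption: probe names as found on macOS 10.10 and later.
 */
#pragma D option quiet

dtrace:::BEGIN
{
    printf("%-16s %6s %5s %s\n", "EXECNAME", "PID", "ERRNO", "PATH");
}

/* open(2): the path pointer is the first argument. */
syscall::open:entry,
syscall::open_nocancel:entry
/execname == $$1/
{
    self->path = arg0;
}

/* openat(2): arg0 is a directory descriptor, the path is the second argument. */
syscall::openat*:entry
/execname == $$1/
{
    self->path = arg1;
}

/*
 * Copy the string at return, after the kernel has read it and the page is
 * resident. copyinstr() at entry can fail with an "invalid address" error
 * when the user page has not been faulted in yet.
 */
syscall::open:return,
syscall::open_nocancel:return,
syscall::openat*:return
/self->path/
{
    /* errno is 0 on success, so failed opens stand out in the log. */
    printf("%-16s %6d %5d %s\n", execname, pid, errno, copyinstr(self->path));
    self->path = 0;
}
```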