Learn more about Israeli war crimes in Gaza, funded by the USA, Germany, the UK and others.

How to watch system calls with dtruss

Most UNIX systems provide ways to see what your process is doing. This is called “tracing” the process. One important thing your process does is make system calls, and on macOS, you can trace this with a program called dtruss.

Take this C program:

int main() {
	return 0;
}
$ clang main.c
$ sudo dtruss ./a.out
dtrace: system integrity protection is on, some features will not be available

SYSCALL(args) 		 = return
open("/dev/dtracehelper\0", 0x2, 0x7FFF5A348930)		 = 3 0
ioctl(0x3, 0x80086804, 0x7FFF5A3488B8)		 = 0 0
close(0x3)		 = 0 0
thread_selfid(0x3, 0x80086804, 0x7FFF5A3488B8)		 = 5420279 0
bsdthread_register(0x7FFFAF245080, 0x7FFFAF245070, 0x2000)		 = 1073741919 0
ulock_wake(0x1, 0x7FFF5A3480EC, 0x0)		 = -1 Err#2
issetugid(0x1, 0x7FFF5A3480EC, 0x0)		 = 0 0
mprotect(0x1058BA000, 0x88, 0x1)		 = 0 0
mprotect(0x1058BC000, 0x1000, 0x0)		 = 0 0
mprotect(0x1058D2000, 0x1000, 0x0)		 = 0 0
mprotect(0x1058D3000, 0x1000, 0x0)		 = 0 0
mprotect(0x1058E9000, 0x1000, 0x0)		 = 0 0
mprotect(0x1058EA000, 0x1000, 0x1)		 = 0 0
mprotect(0x1058BA000, 0x88, 0x3)		 = 0 0
mprotect(0x1058BA000, 0x88, 0x1)		 = 0 0
getpid(0x1058BA000, 0x88, 0x1)		 = 34146 0
stat64("/AppleInternal/XBS/.isChrooted\0", 0x7FFF5A347FA8, 0x1)		 = -1 Err#2
stat64("/AppleInternal\0", 0x7FFF5A348040, 0x1)		 = -1 Err#2
csops(0x8562, 0x7, 0x7FFF5A347AD0)		 = -1 Err#22
dtrace: error on enabled probe ID 2158 (ID 552: syscall::sysctl:return): invalid kernel access in action #10 at DIF offset 40
ulock_wake(0x1, 0x7FFF5A348050, 0x0)		 = -1 Err#2
csops(0x8562, 0x7, 0x7FFF5A3473B0)		 = -1 Err#22

The first line indicates the format of all the subsequent lines:

SYSCALL(args) 		 = return

But mysteriously, all the lines show two return codes! What are they? I had to read the source code to find out: the first is the system call return value, and the second is the value of errno after the system call.

Also mysteriously, lots of these system calls don’t have man pages. What are thread_selfid, bsdthread_register, ulock_wake, csops, dtrace? I don’t know.

Tagged .

Similar posts

More by Jim

Want to build a fantastic product using LLMs? I work at Granola where we're building the future IDE for knowledge work. Come and work with us! Read more or get in touch!

This page copyright James Fisher 2017. Content is not associated with my employer. Found an error? Edit this page.