How to watch system calls with dtruss

Most UNIX systems provide ways to see what your process is doing. This is called “tracing” the process. One important thing your process does is make system calls, and on macOS, you can trace this with a program called dtruss.

Take this C program:

int main() {
	return 0;
$ clang main.c
$ sudo dtruss ./a.out
dtrace: system integrity protection is on, some features will not be available

SYSCALL(args) 		 = return
open("/dev/dtracehelper\0", 0x2, 0x7FFF5A348930)		 = 3 0
ioctl(0x3, 0x80086804, 0x7FFF5A3488B8)		 = 0 0
close(0x3)		 = 0 0
thread_selfid(0x3, 0x80086804, 0x7FFF5A3488B8)		 = 5420279 0
bsdthread_register(0x7FFFAF245080, 0x7FFFAF245070, 0x2000)		 = 1073741919 0
ulock_wake(0x1, 0x7FFF5A3480EC, 0x0)		 = -1 Err#2
issetugid(0x1, 0x7FFF5A3480EC, 0x0)		 = 0 0
mprotect(0x1058BA000, 0x88, 0x1)		 = 0 0
mprotect(0x1058BC000, 0x1000, 0x0)		 = 0 0
mprotect(0x1058D2000, 0x1000, 0x0)		 = 0 0
mprotect(0x1058D3000, 0x1000, 0x0)		 = 0 0
mprotect(0x1058E9000, 0x1000, 0x0)		 = 0 0
mprotect(0x1058EA000, 0x1000, 0x1)		 = 0 0
mprotect(0x1058BA000, 0x88, 0x3)		 = 0 0
mprotect(0x1058BA000, 0x88, 0x1)		 = 0 0
getpid(0x1058BA000, 0x88, 0x1)		 = 34146 0
stat64("/AppleInternal/XBS/.isChrooted\0", 0x7FFF5A347FA8, 0x1)		 = -1 Err#2
stat64("/AppleInternal\0", 0x7FFF5A348040, 0x1)		 = -1 Err#2
csops(0x8562, 0x7, 0x7FFF5A347AD0)		 = -1 Err#22
dtrace: error on enabled probe ID 2158 (ID 552: syscall::sysctl:return): invalid kernel access in action #10 at DIF offset 40
ulock_wake(0x1, 0x7FFF5A348050, 0x0)		 = -1 Err#2
csops(0x8562, 0x7, 0x7FFF5A3473B0)		 = -1 Err#22

The first line indicates the format of all the subsequent lines:

SYSCALL(args) 		 = return

But mysteriously, all the lines show two return codes! What are they? I had to read the source code to find out: the first is the system call return value, and the second is the value of errno after the system call.

Also mysteriously, lots of these system calls don’t have man pages. What are thread_selfid, bsdthread_register, ulock_wake, csops, dtrace? I don’t know.

I just released Vidrio, a free app for macOS and Windows to make your screen-sharing awesomely holographic. Vidrio shows your webcam video on your screen, just like a mirror. Then you just share or record your screen with Zoom, QuickTime, or any other app. Vidrio makes your presentations effortlessly engaging, showing your gestures, gazes, and expressions. #1 on Product Hunt. Available for macOS and Windows.

With Vidrio

With generic competitor

More by Jim

Tagged . All content copyright James Fisher 2017. This post is not associated with my employer. Found an error? Edit this page.