Learn more about Russian war crimes in Ukraine.

How to watch system calls with dtruss

Most UNIX systems provide ways to see what your process is doing. This is called “tracing” the process. One important thing your process does is make system calls, and on macOS, you can trace this with a program called dtruss.

Take this C program:

int main() {
	return 0;
}

$ clang main.c
$ sudo dtruss ./a.out
dtrace: system integrity protection is on, some features will not be available

SYSCALL(args) 		 = return
open("/dev/dtracehelper\0", 0x2, 0x7FFF5A348930)		 = 3 0
ioctl(0x3, 0x80086804, 0x7FFF5A3488B8)		 = 0 0
close(0x3)		 = 0 0
thread_selfid(0x3, 0x80086804, 0x7FFF5A3488B8)		 = 5420279 0
bsdthread_register(0x7FFFAF245080, 0x7FFFAF245070, 0x2000)		 = 1073741919 0
ulock_wake(0x1, 0x7FFF5A3480EC, 0x0)		 = -1 Err#2
issetugid(0x1, 0x7FFF5A3480EC, 0x0)		 = 0 0
mprotect(0x1058BA000, 0x88, 0x1)		 = 0 0
mprotect(0x1058BC000, 0x1000, 0x0)		 = 0 0
mprotect(0x1058D2000, 0x1000, 0x0)		 = 0 0
mprotect(0x1058D3000, 0x1000, 0x0)		 = 0 0
mprotect(0x1058E9000, 0x1000, 0x0)		 = 0 0
mprotect(0x1058EA000, 0x1000, 0x1)		 = 0 0
mprotect(0x1058BA000, 0x88, 0x3)		 = 0 0
mprotect(0x1058BA000, 0x88, 0x1)		 = 0 0
getpid(0x1058BA000, 0x88, 0x1)		 = 34146 0
stat64("/AppleInternal/XBS/.isChrooted\0", 0x7FFF5A347FA8, 0x1)		 = -1 Err#2
stat64("/AppleInternal\0", 0x7FFF5A348040, 0x1)		 = -1 Err#2
csops(0x8562, 0x7, 0x7FFF5A347AD0)		 = -1 Err#22
dtrace: error on enabled probe ID 2158 (ID 552: syscall::sysctl:return): invalid kernel access in action #10 at DIF offset 40
ulock_wake(0x1, 0x7FFF5A348050, 0x0)		 = -1 Err#2
csops(0x8562, 0x7, 0x7FFF5A3473B0)		 = -1 Err#22

The first line indicates the format of all the subsequent lines:

SYSCALL(args) 		 = return

But mysteriously, all the lines show two return codes! What are they? I had to read the source code to find out: the first is the system call return value, and the second is the value of errno after the system call.

Also mysteriously, lots of these system calls don’t have man pages. What are thread_selfid, bsdthread_register, ulock_wake, csops, dtrace? I don’t know.

What can computers do? What are the limits of mathematics? And just how busy can a busy beaver be? This year, I’m writing Busy Beavers, a unique interactive book on computability theory. You and I will take a practical and modern approach to answering these questions — or at least learning why some questions are unanswerable!

It’s only $19, and you can get 50% off if you find the discount code ... Not quite. Hackers use the console!

After months of secret toil, I and Andrew Carr released Everyday Data Science, a unique interactive online course! You’ll make the perfect glass of lemonade using Thompson sampling. You’ll lose weight with differential equations. And you might just qualify for the Olympics with a bit of statistics!

It’s $29, but you can get 50% off if you find the discount code ... Not quite. Hackers use the console!

More by Jim

Tagged . All content copyright James Fisher 2017. This post is not associated with my employer. Found an error? Edit this page.

Jim Fisher
TigYog
Speaking
CV
Blogroll
RSS