How to watch system calls with dtruss
Most UNIX systems provide ways to see what your process is doing. This is called “tracing” the process. One important thing your process does is make system calls, and on macOS, you can trace this with a program called dtruss.
Take this C program:
int main() {
return 0;
}
$ clang main.c
$ sudo dtruss ./a.out
dtrace: system integrity protection is on, some features will not be available
SYSCALL(args) = return
open("/dev/dtracehelper\0", 0x2, 0x7FFF5A348930) = 3 0
ioctl(0x3, 0x80086804, 0x7FFF5A3488B8) = 0 0
close(0x3) = 0 0
thread_selfid(0x3, 0x80086804, 0x7FFF5A3488B8) = 5420279 0
bsdthread_register(0x7FFFAF245080, 0x7FFFAF245070, 0x2000) = 1073741919 0
ulock_wake(0x1, 0x7FFF5A3480EC, 0x0) = -1 Err#2
issetugid(0x1, 0x7FFF5A3480EC, 0x0) = 0 0
mprotect(0x1058BA000, 0x88, 0x1) = 0 0
mprotect(0x1058BC000, 0x1000, 0x0) = 0 0
mprotect(0x1058D2000, 0x1000, 0x0) = 0 0
mprotect(0x1058D3000, 0x1000, 0x0) = 0 0
mprotect(0x1058E9000, 0x1000, 0x0) = 0 0
mprotect(0x1058EA000, 0x1000, 0x1) = 0 0
mprotect(0x1058BA000, 0x88, 0x3) = 0 0
mprotect(0x1058BA000, 0x88, 0x1) = 0 0
getpid(0x1058BA000, 0x88, 0x1) = 34146 0
stat64("/AppleInternal/XBS/.isChrooted\0", 0x7FFF5A347FA8, 0x1) = -1 Err#2
stat64("/AppleInternal\0", 0x7FFF5A348040, 0x1) = -1 Err#2
csops(0x8562, 0x7, 0x7FFF5A347AD0) = -1 Err#22
dtrace: error on enabled probe ID 2158 (ID 552: syscall::sysctl:return): invalid kernel access in action #10 at DIF offset 40
ulock_wake(0x1, 0x7FFF5A348050, 0x0) = -1 Err#2
csops(0x8562, 0x7, 0x7FFF5A3473B0) = -1 Err#22
The first line indicates the format of all the subsequent lines:
SYSCALL(args) = return
But mysteriously, all the lines show two return codes! What are they? I had to read the source code to find out: the first is the system call return value, and the second is the value of errno after the system call.
Also mysteriously, lots of these system calls don’t have man pages. What are thread_selfid, bsdthread_register, ulock_wake, csops, dtrace? I don’t know.
Tagged . All content copyright James Fisher 2017. This post is not associated with my employer.
TigYog