
@juliuscanute
Last active December 10, 2020 09:33
[PTRACE] #ptrace #calling #process #find #process #id #regex

Ptrace

ptrace is the system call a process uses to attach itself to (and control) another process.

List all syscall entry probes on macOS

sudo dtrace -ln 'syscall:::entry'

Trace how ptrace is called, and by which process (request, pid, addr, data, caller)

sudo dtrace -qn 'syscall::ptrace:entry { printf("%s(%d, %d, %d, %d) from %s\n", probefunc, arg0, arg1, arg2, arg3, execname); }'
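The one-liner above prints the raw request number, which is hard to read during triage. The following helper, added here and not part of the original gist, decodes that output offline: request names are the macOS <sys/ptrace.h> constants, the capture lines are constructed samples in the exact format the dtrace printf produces, and a line is flagged as anti-debugging (a process denying attach to itself) or as a debugger attaching to another pid.

```shell
# Map a ptrace request number to its macOS <sys/ptrace.h> name.
ptrace_request_name() {
  case "$1" in
    0)  echo PT_TRACE_ME ;;
    7)  echo PT_CONTINUE ;;
    8)  echo PT_KILL ;;
    9)  echo PT_STEP ;;
    10) echo PT_ATTACH ;;
    11) echo PT_DETACH ;;
    14) echo PT_ATTACHEXC ;;
    31) echo PT_DENY_ATTACH ;;
    *)  echo "PT_UNKNOWN_$1" ;;
  esac
}

# Parse one dtrace output line, e.g. "ptrace(31, 0, 0, 0) from SomeApp",
# and print "<caller> <request name> target_pid=<arg1>".
decode_ptrace_line() {
  dp_args=${1#*\(}             # drop the leading "ptrace("
  dp_args=${dp_args%%\)*}      # keep only what is inside the parentheses
  dp_caller=${1##*" from "}    # execname after " from "
  dp_req=${dp_args%%,*}        # arg0: request
  dp_rest=${dp_args#*, }
  dp_pid=${dp_rest%%,*}        # arg1: target pid
  printf '%s %s target_pid=%s\n' "$dp_caller" "$(ptrace_request_name "$dp_req")" "$dp_pid"
}

# Classify a line for review: PT_DENY_ATTACH is the process refusing
# debuggers (anti-debugging); PT_ATTACH/PT_ATTACHEXC is a debugger
# taking control of another pid.
classify_ptrace_line() {
  cp_req=${1#*\(}; cp_req=${cp_req%%,*}
  case "$cp_req" in
    31)    echo anti-debug ;;
    10|14) echo attach ;;
    *)     echo other ;;
  esac
}

# Constructed sample capture (not real dtrace output) run through the decoder.
ptrace_sample_report() {
  printf '%s\n' \
    'ptrace(31, 0, 0, 0) from SomeApp' \
    'ptrace(14, 4242, 0, 0) from debugserver' \
    'ptrace(0, 0, 0, 0) from child' |
  while IFS= read -r psr_line; do
    printf '[%s] %s\n' "$(classify_ptrace_line "$psr_line")" "$(decode_ptrace_line "$psr_line")"
  done
}
```

Pipe the live dtrace output into a loop over decode_ptrace_line in the same way to get readable lines as they arrive.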

Attach lldb to the calling process by name (here Finder)

lldb -n Finder

Find process ID of a process

pgrep debugserver

Find how a specific process was started (full command line)

ps -fp `pgrep -x debugserver`

Find the parent process ID, then inspect that parent (856 in this example)

ps -o ppid= $(pgrep -x debugserver)
ps -a 856

Wait for debugger to attach to a specific program

sudo lldb -n "<program name>" -w

Regex breakpoint to stop at the userland ptrace stub in libsystem_kernel.dylib

rb ptrace -s libsystem_kernel.dylib

Resume the debugger

continue

Return early from the current function with a return value of 0

thread return 0