This article is a simple collection of programs I use to understand how a third-party program interacts with the system.
# List symbols of a binary

`nm -g` lists only the external (global) symbols; a `U` entry is undefined in the binary itself and is resolved from a shared library at load time, so this list shows which library functions the program calls.

```
nm -g /bin/ls
U __DefaultRuneLocale
U ___assert_rtn
U ___bzero
U ___error
U ___maskrune
U ___snprintf_chk
U ___stack_chk_fail
U ___stack_chk_guard
```
# Show shared libraries used by a program

```
otool -L /bin/ls
/bin/ls:
	/usr/lib/libutil.dylib (compatibility version 1.0.0, current version 1.0.0)
	/usr/lib/libncurses.5.4.dylib (compatibility version 5.4.0, current version 5.4.0)
	/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1213.0.0)
```
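As an added example that is not part of the original article, the following Python script parses `otool -L` output and flags libraries that are not loaded from a system location, which is a quick check for an unexpected or injected dependency. The input is the article's `/bin/ls` listing plus one constructed line (`/Users/example/Library/injected.dylib`); the trusted-prefix list and the handling of `@rpath`-style entries are assumptions to adapt to your own baseline.

```python
"""Parse `otool -L` output and flag libraries outside the usual system locations.

Added example, not the article's own code.  SAMPLE reuses the article's
`otool -L /bin/ls` listing plus one constructed line standing in for an
unexpected dependency.  TRUSTED_PREFIXES is an assumed baseline.
"""
import re
from typing import List, NamedTuple

# A library line looks like:
#   /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1213.0.0)
LIB_RE = re.compile(
    r"^\s*(?P<path>\S.*?)\s+\(compatibility version (?P<compat>[\d.]+), "
    r"current version (?P<current>[\d.]+)\)\s*$"
)

# Assumed allow-list: libraries shipped with the OS live under these prefixes.
TRUSTED_PREFIXES = ("/usr/lib/", "/System/Library/")

# Loader-relative prefixes; these are resolved at load time and must be
# checked against the binary's rpath list rather than a fixed prefix.
RELATIVE_PREFIXES = ("@rpath/", "@executable_path/", "@loader_path/")

# Constructed sample: the article's listing plus one injected-looking entry.
SAMPLE = """\
/bin/ls:
\t/usr/lib/libutil.dylib (compatibility version 1.0.0, current version 1.0.0)
\t/usr/lib/libncurses.5.4.dylib (compatibility version 5.4.0, current version 5.4.0)
\t/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1213.0.0)
\t/Users/example/Library/injected.dylib (compatibility version 1.0.0, current version 1.0.0)
"""


class LinkedLib(NamedTuple):
    path: str
    compat_version: str
    current_version: str


def parse_otool_l(text: str) -> List[LinkedLib]:
    """Return every library listed by `otool -L`, skipping the '<binary>:' header."""
    libs: List[LinkedLib] = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.endswith(":"):
            continue  # blank line or a header such as "/bin/ls:"
        m = LIB_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised otool -L line: {line!r}")
        libs.append(LinkedLib(m["path"], m["compat"], m["current"]))
    return libs


def classify(lib: LinkedLib) -> str:
    """'trusted', 'relative' (needs rpath resolution) or 'untrusted'."""
    if lib.path.startswith(TRUSTED_PREFIXES):
        return "trusted"
    if lib.path.startswith(RELATIVE_PREFIXES):
        return "relative"
    return "untrusted"


def untrusted_libs(libs: List[LinkedLib]) -> List[str]:
    """Absolute paths that fall outside the trusted prefixes."""
    return [lib.path for lib in libs if classify(lib) == "untrusted"]


if __name__ == "__main__":
    for lib in parse_otool_l(SAMPLE):
        print(f"{classify(lib):9} {lib.path} (current {lib.current_version})")
```

To use it on a real binary, replace `SAMPLE` with the captured output of `otool -L <binary>`; entries reported as `relative` are not necessarily bad, but their resolution depends on the binary's rpath entries and should be checked separately.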
# Get assembly code

`otool -vt` disassembles the `(__TEXT,__text)` section of the binary:

```
otool -vt /bin/ls
```
# List open files and network connections

`lsof` lists every open file descriptor on the system (use `lsof -i` to restrict the output to network sockets):

```
lsof
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
launchd 1 root cwd DIR 1,2 1224 2 /
launchd 1 root txt REG 1,2 304240 21153870 /sbin/launchd
```
# Based on DTrace

DTrace is a powerful tool for reverse engineering. The commands in this section are DTrace scripts that ship with OS X, so they all need `sudo`. (On OS X 10.11 and later, System Integrity Protection prevents DTrace from attaching to protected system processes unless it is partially disabled.)
## iosnoop

iosnoop is a live trace of disk I/O (the `D` column is the direction, `R` for read or `W` for write):

```
sudo iosnoop
UID PID D BLOCK SIZE COMM PATHNAME
501 88892 R 440836400 4096 Google Chrome ??/Cache/data_2
501 88892 R 420909232 4096 Google Chrome ??/Cache/data_0
501 88892 R 439174816 4096 Google Chrome ??/Cache/data_2
```
## opensnoop

Live trace of file opens (`-v` adds a human-readable timestamp, `-e` adds the errno column):

```
sudo opensnoop -ve
STRTIME UID PID COMM FD ERR PATH
2015 May 11 13:51:00 0 99 DisplayLinkMana 6 0 /Library/Application Support/DisplayLink/.dl.xml
2015 May 11 13:51:00 0 99 DisplayLinkMana 6 0 /Library/Application Support/DisplayLink/.dl.xml
```
## execsnoop

Live trace of program execution:

```
sudo execsnoop
UID PID PPID ARGS
501 52098 48099 sudo
```
## dtruss

dtruss shows all system calls made by a process. You can filter by binary name with the `-n` option.

```
sudo dtruss -n ls
PID/THRD SYSCALL(args) = return
52383/0x1e98b4: thread_selfid(0x7FFF5B281460, 0x7F93C18013F0, 0x7F93C060A7D0) = 2005172 0
52383/0x1e98b4: csops(0x0, 0x0, 0x7FFF5BF4FA08) = 0 0
52383/0x1e98b4: issetugid(0x0, 0x0, 0x7FFF5BF4FA08) = 0 0
```
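As an added example, not code from the original article, the following Python script parses the `dtruss` trace format shown above (`PID/THRD: SYSCALL(args) = return errno`) and summarises it: a count per system call and the list of calls that failed, which is the same kind of failure `errinfo` reports in aggregate. The sample input is the article's three `dtruss -n ls` lines plus one constructed failing `open` line; the `Err#N` form is what `dtruss` prints in the errno column when a call fails.

```python
"""Summarise `dtruss` output: per-syscall counts and calls that returned an error.

Added example, not the article's own code.  SAMPLE reuses the article's
three `dtruss -n ls` lines and adds one constructed failing `open` line in
the `= -1 Err#2` form dtruss uses for errors.
"""
import re
from collections import Counter
from typing import List, NamedTuple

# One trace line: "<pid>/<thread>:  <syscall>(<args>)  = <return> <errno>"
# where <errno> is "0" on success and "Err#N" on failure.
LINE_RE = re.compile(
    r"^(?P<pid>\d+)/(?P<tid>0x[0-9a-fA-F]+):\s+(?P<name>\w+)\((?P<args>.*)\)"
    r"\s+=\s+(?P<ret>-?(?:0x[0-9a-fA-F]+|\d+))\s+(?P<err>\d+|Err#\d+)\s*$"
)

# Constructed sample: the article's lines plus one failing open().
SAMPLE = """\
PID/THRD  SYSCALL(args)\t\t = return
52383/0x1e98b4:  thread_selfid(0x7FFF5B281460, 0x7F93C18013F0, 0x7F93C060A7D0)\t\t = 2005172 0
52383/0x1e98b4:  csops(0x0, 0x0, 0x7FFF5BF4FA08)\t\t = 0 0
52383/0x1e98b4:  issetugid(0x0, 0x0, 0x7FFF5BF4FA08)\t\t = 0 0
52383/0x1e98b4:  open("/does/not/exist\\0", 0x0, 0x0)\t\t = -1 Err#2
52383/0x1e98b4:  csops(0x0, 0x0, 0x7FFF5BF4FA08)\t\t = 0 0
"""


class Syscall(NamedTuple):
    pid: int
    tid: str
    name: str
    args: str
    ret: int
    errno: int


def parse_dtruss(text: str) -> List[Syscall]:
    """Turn dtruss trace lines into Syscall records, skipping the column header."""
    calls: List[Syscall] = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("PID/THRD"):
            continue  # blank line or the column header
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised dtruss line: {line!r}")
        err = m["err"]
        errno = int(err[len("Err#"):]) if err.startswith("Err#") else int(err)
        calls.append(Syscall(int(m["pid"]), m["tid"], m["name"], m["args"],
                             int(m["ret"], 0), errno))  # base 0 accepts hex or decimal
    return calls


def syscall_counts(calls: List[Syscall]) -> Counter:
    """How many times each system call was made."""
    return Counter(c.name for c in calls)


def failed_calls(calls: List[Syscall]) -> List[Syscall]:
    """Calls whose errno column was non-zero."""
    return [c for c in calls if c.errno != 0]


if __name__ == "__main__":
    calls = parse_dtruss(SAMPLE)
    for name, count in syscall_counts(calls).most_common():
        print(f"{count:5} {name}")
    for c in failed_calls(calls):
        print(f"FAILED pid={c.pid} {c.name}({c.args}) -> errno {c.errno}")
```

Feed it the saved output of `sudo dtruss -n <name>` in place of `SAMPLE`; the failing calls are usually the most informative part of a trace because they show which files, sockets or privileges the program expected and did not get.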
## errinfo

Show system call errors, with the error description:

```
sudo errinfo
EXEC SYSCALL ERR DESC
iTerm read 35 Resource temporarily unavailable
iTerm read 35 Resource temporarily unavailable
iTerm read 35 Resource temporarily unavailable
```