execsnoop (dtrace based) no longer working in Monterey

Even when SIP is disabled.

It shows an error, and dumps the dtrace script to the console!

It used to work fine until Big Sur.

Replies

I have the same issue even with SIP disabled.

# csrutil status
System Integrity Protection status: disabled.
execsnoop
dtrace: invalid probe specifier
 /*
  * Command line arguments
  */
 inline int OPT_dump 	= 0;
 inline int OPT_cmd 	= 0;
 inline int OPT_time 	= 0;
 inline int OPT_timestr	= 0;
 inline int OPT_zone 	= 0;
 inline int OPT_safe 	= 0;
 inline int OPT_proj 	= 0;
 inline int FILTER 	= 0;
 inline string COMMAND 	= ".";

 #pragma D option quiet
 #pragma D option switchrate=10hz

 /*
  * Print header
  */
 dtrace:::BEGIN
 {
	/* print optional headers */
 	OPT_time    ? printf("%-14s ", "TIME") : 1;
 	OPT_timestr ? printf("%-20s ", "STRTIME") : 1;
 	OPT_zone    ? printf("%-10s ", "ZONE") : 1;
 	OPT_proj    ? printf("%5s ", "PROJ") : 1;

	/* print main headers */
	/* APPLE: Removed "ZONE" header, it has no meaning in darwin */
	OPT_dump    ? printf("%s %s %s %s %s %s %s\n",
	    "TIME", "PROJ", "UID", "PID", "PPID", "COMM", "ARGS") :
	    printf("%5s %6s %6s %s\n", "UID", "PID", "PPID", "ARGS");
 }

 /*
  * Print exec event
  */
 /* SOLARIS: syscall::exec:return, syscall::exece:return */
proc:::exec-success
 /(FILTER == 0) || (OPT_cmd == 1 && COMMAND == strstr(COMMAND, execname)) || (OPT_cmd == 1 && execname == strstr(execname, COMMAND))/
 {
	/* print optional fields */
 	OPT_time ? printf("%-14d ", timestamp/1000) : 1;
	OPT_timestr ? printf("%-20Y ", walltimestamp) : 1;
 	OPT_zone ? printf("%-10s ", zonename) : 1;
 	OPT_proj ? printf("%5d ", curpsinfo->pr_projid) : 1;

	/* print main data */
	/* APPLE: Removed the zonename output, it has no meaning in darwin */
	OPT_dump ? printf("%d %d %d %d %d %s ", timestamp/1000,
	    curpsinfo->pr_projid, uid, pid, ppid, execname) :
	    printf("%5d %6d %6d ", uid, pid, ppid);
	OPT_safe ? printf("%S\n", curpsinfo->pr_psargs) :
	    printf("%s\n", curpsinfo->pr_psargs);
 }
: probe description proc:::exec-success does not match any probes

After extensive digging on the XNU kernel side and in the DTrace userland, it seems that recent versions of DTrace rely on the userland libdtrace to provide kernel symbol information, which is necessary for the activation of SDT-based probes (such as proc, sched, etc.; you can find a non-exhaustive list of these probes in this file).

The default Monterey installation does not appear to contain all the necessary symbols, only a subset.


This can be verified by disabling system integrity protection (well, ideally protection against DTrace only, with csrutil enable --without dtrace in recovery mode), and listing all available probes which are supplied by the Kernel with sudo dtrace -l | grep mach_kern. The list won't be nearly as long as it should be.

Furthermore, another telltale sign is that disabling usermode symbolication with the appropriate boot-args makes these probes disappear too.


The solution to make the probes powering execsnoop available again is to install the Kernel Debug Kit for your specific kernel build, which can be found with the sw_vers command.
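The three checks the reply above describes (SIP/DTrace restriction state, which kernel-supplied probes dtrace(1) can actually see, and which build string the Kernel Debug Kit has to match) collected into one diagnostic script. This is an added example, not code from the thread, from execsnoop or from Apple; it only assumes the documented output layout of `dtrace -l` (ID, PROVIDER, MODULE, FUNCTION, NAME) and of `sw_vers`, and the embedded sample outputs are constructed for illustration, not captured from a real machine.

```shell
#!/bin/sh
# Added diagnostic for "probe description proc:::exec-success does not match
# any probes". Assumptions: `dtrace -l` prints ID PROVIDER MODULE FUNCTION NAME
# with a header line, and `sw_vers` prints a "BuildVersion:" line. Neither
# this script nor its sample data come from execsnoop or the original post.

# Count probes from `dtrace -l` output (stdin) whose MODULE column is
# mach_kernel, i.e. probes supplied by the kernel. Field 2 is PROVIDER,
# field 3 MODULE, the last field NAME. Probes with an empty MODULE
# (e.g. dtrace:::BEGIN) have fewer fields, so NAME is read as $NF, not $5.
count_kernel_probes() {
    awk 'NR > 1 && $3 == "mach_kernel" { n++ } END { print n + 0 }'
}

# Count probes of one provider (argument 1), e.g. proc, sched, fbt.
count_provider_probes() {
    awk -v p="$1" 'NR > 1 && $2 == p { n++ } END { print n + 0 }'
}

# Exit 0 if a probe with PROVIDER $1 and NAME $2 is listed, 1 otherwise.
has_probe() {
    awk -v p="$1" -v n="$2" 'NR > 1 && $2 == p && $NF == n { f = 1 } END { exit !f }'
}

# Pull the BuildVersion out of `sw_vers` output (stdin): this is the string
# the KDK download has to match.
build_from_sw_vers() {
    awk '$1 == "BuildVersion:" { print $2 }'
}

# Constructed sample of `dtrace -l` on a host that only sees a subset of
# kernel probes: dtrace/profile/syscall/fbt are there, no proc provider.
# FUNCTION names are illustrative, not copied from a real kernel.
SAMPLE_DTRACE_L='   ID   PROVIDER            MODULE                          FUNCTION NAME
    1     dtrace                                                     BEGIN
    2     dtrace                                                     END
    3     dtrace                                                     ERROR
   17    profile                                                     profile-97
  105    syscall        mach_kernel                           read entry
  106    syscall        mach_kernel                           read return
  450        fbt        mach_kernel                  kauth_cred_get entry'

# Constructed sample of `sw_vers`; the build string is made up.
SAMPLE_SW_VERS='ProductName:	macOS
ProductVersion:	12.0
BuildVersion:	21A999'

# Summarise one host: $1 = `dtrace -l` output, $2 = `sw_vers` output.
report() {
    kern=$(printf '%s\n' "$1" | count_kernel_probes)
    procn=$(printf '%s\n' "$1" | count_provider_probes proc)
    build=$(printf '%s\n' "$2" | build_from_sw_vers)
    echo "kernel-supplied probes visible: $kern"
    echo "proc provider probes visible:   $procn"
    if printf '%s\n' "$1" | has_probe proc exec-success; then
        echo "proc:::exec-success: present, execsnoop should attach"
    else
        echo "proc:::exec-success: missing, install the KDK for build $build"
    fi
}

if [ "$(uname -s)" = Darwin ]; then
    # Live run. `dtrace -l` needs root and a SIP configuration that allows
    # DTrace (csrutil enable --without dtrace from Recovery).
    csrutil status
    report "$(sudo dtrace -l 2>/dev/null)" "$(sw_vers)"
else
    # Off a Mac, show the checks against the constructed samples.
    report "$SAMPLE_DTRACE_L" "$SAMPLE_SW_VERS"
fi
```

On an affected Monterey machine the first two counters come out far shorter than on Big Sur and the proc line reports the probe as missing; after installing the KDK whose build matches the reported BuildVersion, re-run the script and the probe should be present before trying execsnoop again.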

  • And yet I do not find any libdtrace in the KDK. EDIT: my bad, it is in the shared dyld cache of the default Monterey installation. But I guess a debug kernel should be installed for traditional dtrace probes to work?

  • How crucial is it that you match the kernel build with the KDK? I can never seem to find a kernel build that matches exactly with the released KDKs. Just two examples: right now, there is nothing available for the latest-released Ventura 13.2.1 (22D68) and if you go back to an end-of-life OS like Mojave, the latest released build was 18G9323 for 10.14.6. 10.14.6 has half a dozen KDKs available, but not for 18G9323.
