macOS: DTrace "invalid address" error when extracting a process's command line

Tags: macos, parent-child, dtrace, mach, xnu

I want to use a dtrace script to print the cmdline of each new process together with the name of its parent. I.e. if I run /Users/bla/myexec arg1 arg2 arg3 from bash, I would get something like:

parent is bash process is --> /Users/bla/myexec arg1 arg2 arg3

After some searching I came up with the following solution:

#!/usr/sbin/dtrace -Cs
/* -C runs the script through cpp, which the #define/#undef below require */

proc:::exec
{
    /* Fires in the calling process before its image is replaced, so
       execname here is still the caller's (the "parent") name. */
    self->pexecname = execname;
}

proc:::exec-success
/ self->pexecname != 0 /
{
    this->isx64 = (curproc->p_flag & P_LP64) != 0;
    #define SELECT_64_86(x64, x86) (this->isx64 ? (x64) : (x86))
    /* argv holds 8-byte pointers in a 64-bit process and 4-byte pointers in a 32-bit one */
    #define GET_POINTER(base, offset) (user_addr_t)SELECT_64_86(*(uint64_t *)((base)+sizeof(uint64_t)*(offset)), *(uint32_t *)((base)+sizeof(uint32_t)*(offset)))

    this->ptrsize = SELECT_64_86(sizeof(uint64_t), sizeof(uint32_t));
    this->argc = curproc->p_argc;

    /* For 32-bit images, only trust p_dtrace_argv if it sits just above the
       return address and argc on the new process's stack. */
    this->isClean = SELECT_64_86(1, (curproc->p_dtrace_argv == (uregs[R_SP] + sizeof(uint32_t) + sizeof(uint32_t))));
    /* Copy the argv pointer array (argc entries of ptrsize bytes) out of user space. */
    this->argv = (uint64_t)copyin(curproc->p_dtrace_argv, this->ptrsize * this->argc);
    /* printf("%s with args:%d (%p, %p)\n", execname, this->argc, curproc->p_dtrace_argv, uregs[R_SP]); */

    /* execname is already the new image here; the parent name was saved in proc:::exec */
    printf("parent is %s process is -->  ", self->pexecname);
    printf("%s ", (0 < this->argc && this->isClean) ? copyinstr(GET_POINTER(this->argv,0)) : "");
    printf("%s ", (1 < this->argc && this->isClean) ? copyinstr(GET_POINTER(this->argv,1)) : "");
    printf("%s ", (2 < this->argc && this->isClean) ? copyinstr(GET_POINTER(this->argv,2)) : "");
    printf("%s ", (3 < this->argc && this->isClean) ? copyinstr(GET_POINTER(this->argv,3)) : "");
    printf("%s ", (4 < this->argc && this->isClean) ? copyinstr(GET_POINTER(this->argv,4)) : "");
    printf("%s ", (5 < this->argc && this->isClean) ? copyinstr(GET_POINTER(this->argv,5)) : "");
    printf("%s ", (6 < this->argc && this->isClean) ? copyinstr(GET_POINTER(this->argv,6)) : "");
    printf("%s ", (7 < this->argc && this->isClean) ? copyinstr(GET_POINTER(this->argv,7)) : "");
    printf("%s ", (8 < this->argc && this->isClean) ? copyinstr(GET_POINTER(this->argv,8)) : "");
    printf("%s ", (9 < this->argc && this->isClean) ? copyinstr(GET_POINTER(this->argv,9)) : "");

    printf("\n");
    /* release the thread-local so it does not leak across later execs on this thread */
    self->pexecname = 0;
    #undef GET_POINTER
    #undef SELECT_64_86
}

Maybe you can tell me what is wrong with the script?

Rather than trying to dereference the pointers in dtrace, print their values. Then write a small program that only prints the pointer values in its argv list, compile that program as both 32-bit and 64-bit, and see whether dtrace's output matches the program itself.

Thanks for the reply, I just don't know how to print the argv values directly. I tried using curpsinfo->pr_psargs, but it seems to be obsolete. The only way I found is to use the executed process's stack (curproc->p_dtrace_argv); maybe you can show me how to do it properly?
dtrace: script '/Users/zkabeli/procargs3.d' matched 4 probes
CPU     ID                    FUNCTION:NAME
 4   1212         posix_spawn:exec-success parent is Calendar process is --> /Applications/Calendar.app/Contents/MacOS/Calendar          

 6   1208        __mac_execve:exec-success parent is SFLIconTool process is -->  /System/Library/Frameworks/CoreServices.framework/Frameworks/OSServices.framework/Versions/A/Support/SFLIconTool com.apple.recentitems RecentApplications        

dtrace: error on enabled probe ID 4 (ID 1208: proc:mach_kernel:__mac_execve:exec-success): invalid address (0x7fff59e82e08) in action #5 at DIF offset 320
 2   1212         posix_spawn:exec-success parent is kcm process is -->  /System/Library/PrivateFrameworks/Heimdal.framework/Helpers/kcm --launchd
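The following C program is an added example, not code from the question or the answer above. It covers both halves of the thread: main() is the diagnostic the answer suggests (print argc, the address of argv and every argv[i] pointer so the numbers can be compared with what the D script prints for the same process), and decode_argv_ptr() is a C rendering of the question's GET_POINTER macro applied to a buffer of argv pointers copied out of the target, with the bounds check the D script does not perform before indexing into what copyin() returned. The function names, and the two sample pointer tables with their made-up user-space addresses, are assumptions introduced here for illustration.

```c
/*
 * argv_layout.c: added example, not from the original question or answer.
 *  1. decode_argv_ptr(): the script's GET_POINTER logic on a copied-in pointer
 *     array (8-byte entries for a 64-bit process, 4-byte for a 32-bit one),
 *     refusing to read past the bytes that were actually copied.
 *  2. main(): the diagnostic from the answer; prints argc, argv and each
 *     argv[i] pointer of this process for comparison with the D script.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Width of one argv entry in the target process (what the D script derives
 * from curproc->p_flag & P_LP64). */
static size_t argv_entry_size(int is_lp64)
{
    return is_lp64 ? sizeof(uint64_t) : sizeof(uint32_t);
}

/* Is entry `index` fully inside the `copied_bytes` bytes that were copied
 * in? The D script copies ptrsize*argc bytes and then indexes blindly; this
 * check is what keeps a decoder from reading garbage past that range. */
static int argv_entry_in_range(size_t copied_bytes, int index, int is_lp64)
{
    size_t sz = argv_entry_size(is_lp64);
    return index >= 0 && (size_t)index * sz + sz <= copied_bytes;
}

/* Read entry `index` from the copied pointer array. memcpy sidesteps the
 * misaligned dereference the D macro's casts would perform. Returns 0 for an
 * out-of-range index instead of reading beyond the buffer. */
static uint64_t decode_argv_ptr(const void *base, size_t copied_bytes, int index, int is_lp64)
{
    if (!argv_entry_in_range(copied_bytes, index, is_lp64))
        return 0;
    const uint8_t *p = (const uint8_t *)base + (size_t)index * argv_entry_size(is_lp64);
    if (is_lp64) {
        uint64_t v;
        memcpy(&v, p, sizeof v);
        return v;
    } else {
        uint32_t v;
        memcpy(&v, p, sizeof v);
        return v;
    }
}

/* Constructed sample tables (made-up addresses, not captured from a real
 * process): what copyin() would hand back for argc == 2 in each ABI. */
static const uint64_t kSampleArgv64[2] = { 0x7ffee1b3c120ULL, 0x7ffee1b3c140ULL };
static const uint32_t kSampleArgv32[2] = { 0xbffffa20u, 0xbffffa40u };

int main(int argc, char **argv)
{
    int is_lp64 = sizeof(void *) == 8;

    /* The answer's diagnostic: the raw pointer values the D script should see. */
    printf("%d-bit process, argc=%d, argv=%p\n", is_lp64 ? 64 : 32, argc, (void *)argv);
    for (int i = 0; i < argc; i++)
        printf("argv[%d] at %p -> %p \"%s\"\n", i, (void *)&argv[i], (void *)argv[i], argv[i]);
    /* The array is NULL-terminated; the terminator slot is not counted in argc. */
    printf("argv[%d] at %p -> %p (terminator)\n", argc, (void *)&argv[argc], (void *)argv[argc]);

    /* The same decoding the D script does, on both constructed tables; the
     * third read of each is out of range and yields 0 instead of garbage. */
    for (int i = 0; i < 3; i++)
        printf("64-bit entry %d: 0x%llx\n", i,
               (unsigned long long)decode_argv_ptr(kSampleArgv64, sizeof kSampleArgv64, i, 1));
    for (int i = 0; i < 3; i++)
        printf("32-bit entry %d: 0x%llx\n", i,
               (unsigned long long)decode_argv_ptr(kSampleArgv32, sizeof kSampleArgv32, i, 0));
    return 0;
}
```

Build with `cc -o argv_layout argv_layout.c` and run it under the D script (on a macOS release that still builds 32-bit binaries, `cc -m32` gives the ILP32 variant); the addresses it prints for argv and argv[i] are the values to compare against curproc->p_dtrace_argv and the GET_POINTER results, which is the comparison the answer asks for.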