stackshot example, now 10.11+ compatible

Used for discussing the various tools in the book as well as encouraging members to share tools

stackshot example, now 10.11+ compatible

Postby morpheus » Fri Nov 04, 2016 2:14 am

The /usr/libexec/stackshot utility, which I force-open-sourced in my 1st Ed of MOXiI ( ... snapshot.c), and Apple removed from iOS and later on MacOS 10.10, relied on syscall #365, stack_snapshot. Apple deprecated the syscall in 10.10, and removed it entirely later, which made procexp crash when showing threads. It also made it difficult to obtain stack snapshots of all threads in the system - an important functionality that my proceess explorer also provides.

But no more - Apple still supports stack snapshot, this time via syscall #491 , stack_snapshot_with_config. (There's also a microstackshot, that's for some other time). The code sample I posted here compiles cleanly on MacOS and iOS alike, and works as of 10.11/9. I'm sure people will find it useful. Especially all those kernel addresses floating around in the stack trace.

(don't get overly excited about KASLR leaks - most of these are properly slid addresses. You have to run this code as root anyway, and there's plenty of easier vectors for KASLR leaks if you get uid 0 :-)

Usage of the tool is extremely simple (no args = all, arg = pid), and - it's open source. I'll integrate with full symbolication into next release of process explorer.

I cover the internals of what exactly happens behind the scenes in MOXiI Vol. I (there's a chapter about debugging) and Vol. 2 (the kernel side), which aren't out yet. But this is just too darn useful. so enjoy it in the meanwhile :-) ... tackshot.c
Screen Shot 2016-11-03 at 9.54.51 PM.png
Screen Shot 2016-11-03 at 9.54.51 PM.png (82.73 KiB) Viewed 25215 times
Site Admin
Posts: 738
Joined: Thu Apr 11, 2013 6:24 pm

Return to Tools

Who is online

Users browsing this forum: No registered users and 3 guests