Figure out what syscall or function is being invoked when a mac context menu action is selected?

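I recently discovered that if you hold Shift + Option and click the Bluetooth icon in the top right corner of macOS, you get an additional debug menu. In this debug menu there is a "Reset bluetooth module" option.

I want to be able to invoke it from the terminal. Is there a way to trace the syscall being executed when the user clicks that icon? Or what private API is being called, and invoke it myself, in Swift or via bash or even via raw syscalls?

Here is where I've got to.

In Activity Monitor I sampled the bluetoothd daemon process. This gave me: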

Analysis of sampling bluetoothd (pid 7781) every 1 millisecond
Process:         bluetoothd [7781]
Path:            /usr/sbin/bluetoothd
Load Address:    0x10020b000
Identifier:      bluetoothd
Version:         6014.1.3
Code Type:       X86-64
Parent Process:  debugserver [7821]

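macOS 64-bit executable binaries usually have base address 0x10000000. So we can conclude that the ASLR offset is exactly 0x20b000. I used a disassembler to pick some candidates to set breakpoints on. The addresses reported by the disassembler need to be shifted by 0x20b000. Since this is a process owned by root, we need to debug it in the terminal: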

sudo lldb
attach 7781
br s -a <address>

After some trial and error, I hit a breakpoint. My backtrace is:

(lldb) bt
* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 7.1
  * frame #0: 0x00000001004718f0 bluetoothd`___lldb_unnamed_symbol5143$$bluetoothd               -[CBXPCManager hostControllerReset]:
    frame #1: 0x000000010027215d bluetoothd`___lldb_unnamed_symbol941$$bluetoothd + 93           -[DaemonCore hostControllerReset:]:
    frame #2: 0x00007fff44c5cb96 CoreFoundation`__CFNOTIFICATIONCENTER_IS_CALLING_OUT_TO_AN_OBSERVER__ + 12
    frame #3: 0x00007fff44c5cb10 CoreFoundation`___CFXRegistrationPost_block_invoke + 63
    frame #4: 0x00007fff44c5ca7a CoreFoundation`_CFXRegistrationPost + 404
    frame #5: 0x00007fff44c64f28 CoreFoundation`___CFXNotificationPost_block_invoke + 87
    frame #6: 0x00007fff44bcd8b4 CoreFoundation`-[_CFXNotificationRegistrar find:object:observer:enumerator:] + 1642
    frame #7: 0x00007fff44bccc67 CoreFoundation`_CFXNotificationPost + 732
    frame #8: 0x00007fff46e52f5b Foundation`-[NSNotificationCenter postNotificationName:object:userInfo:] + 66
    frame #9: 0x00007fff4739b533 IOBluetooth`BluetoothHCIControllerGeneralInterestNotification + 275
    frame #10: 0x00007fff4750077a IOKit`IODispatchCalloutFromCFMessage + 323
    frame #11: 0x00007fff4750062d IOKit`_IODispatchCalloutWithDispatch + 33
    frame #12: 0x00007fff70b18bde libdispatch.dylib`dispatch_mig_server + 357
    frame #13: 0x00007fff70b0263d libdispatch.dylib`_dispatch_client_callout + 8
    frame #14: 0x00007fff70b04de6 libdispatch.dylib`_dispatch_continuation_pop + 414
    frame #15: 0x00007fff70b13f42 libdispatch.dylib`_dispatch_source_invoke + 2056
    frame #16: 0x00007fff70b0d54b libdispatch.dylib`_dispatch_main_queue_callback_4CF + 813
    frame #17: 0x00007fff44bfa2d7 CoreFoundation`__CFRUNLOOP_IS_SERVICING_THE_MAIN_DISPATCH_QUEUE__ + 9
    frame #18: 0x00007fff44bf9a01 CoreFoundation`__CFRunLoopRun + 2289
    frame #19: 0x00007fff44bf8ebe CoreFoundation`CFRunLoopRunSpecific + 455
    frame #20: 0x00007fff46e5d7df Foundation`-[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 280
    frame #21: 0x00007fff46e5d6b4 Foundation`-[NSRunLoop(NSRunLoop) run] + 76
    frame #22: 0x0000000100306827 bluetoothd`___lldb_unnamed_symbol2266$$bluetoothd + 2295            EntryPoint: /mainLoop?
    frame #23: 0x00007fff70b4f3d5 libdyld.dylib`start + 1

The relevant things happening in bluetoothd seem to be:

NSNotification @"IOBluetoothHostControllerDidResetNotification" object:nil userInfo:nil
-[DaemonCore hostControllerReset: notificationArg]: //NSConcreteNotification 0x7ffb656315d0 {name = IOBluetoothHostControllerDidResetNotification}
-[CBXPCManager hostControllerReset]:
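
The address arithmetic used above, as an added example that is not part of the original post: it reads the load address from the `sample` header, derives the slide, and maps the bluetoothd frames of the backtrace back to the addresses a disassembler would show. It assumes a static `__TEXT` base of 0x100000000 (the value consistent with the load address 0x10020b000 and the 0x20b000 slide in the post); the function names and the embedded inputs are constructed for this example.

```python
import re

# Assumption: static __TEXT vmaddr of the binary; confirm with `otool -l`.
STATIC_BASE = 0x100000000

# Constructed inputs: lines taken from the sample header and backtrace in the post.
SAMPLE_HEADER = """\
Process:         bluetoothd [7781]
Path:            /usr/sbin/bluetoothd
Load Address:    0x10020b000
"""
BACKTRACE = """\
  * frame #0: 0x00000001004718f0 bluetoothd`___lldb_unnamed_symbol5143$$bluetoothd
    frame #1: 0x000000010027215d bluetoothd`___lldb_unnamed_symbol941$$bluetoothd + 93
    frame #2: 0x00007fff44c5cb96 CoreFoundation`__CFNOTIFICATIONCENTER_IS_CALLING_OUT_TO_AN_OBSERVER__ + 12
    frame #22: 0x0000000100306827 bluetoothd`___lldb_unnamed_symbol2266$$bluetoothd + 2295
"""

def aslr_slide(sample_text, static_base=STATIC_BASE):
    """Slide = runtime load address from the `sample` header minus the static base."""
    m = re.search(r"^Load Address:\s+(0x[0-9a-fA-F]+)", sample_text, re.M)
    if not m:
        raise ValueError("no 'Load Address:' line in sample output")
    slide = int(m.group(1), 16) - static_base
    if slide < 0 or slide % 0x1000:  # slides are non-negative and page-aligned
        raise ValueError(f"implausible slide {slide:#x}; check the static base")
    return slide

def to_runtime(file_addr, slide):
    """Disassembler (file) address -> address to pass to `br s -a`."""
    return file_addr + slide

def frames_to_file_addrs(bt_text, module, slide):
    """Map backtrace frames inside `module` back to disassembler addresses."""
    pat = re.compile(r"frame #(\d+): (0x[0-9a-fA-F]+) ([^`\s]+)`")
    out = {}
    for num, addr, mod in pat.findall(bt_text):
        if mod == module:  # system libraries are slid separately; skip them
            out[int(num)] = int(addr, 16) - slide
    return out

if __name__ == "__main__":
    slide = aslr_slide(SAMPLE_HEADER)
    print(f"slide = {slide:#x}")
    for n, a in frames_to_file_addrs(BACKTRACE, "bluetoothd", slide).items():
        print(f"frame #{n}: file {a:#x} -> br s -a {to_runtime(a, slide):#x}")
```

The slide changes on every launch of the process, so the header has to be re-read after bluetoothd restarts.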