Skip to content

Instantly share code, notes, and snippets.

@sudocurse

sudocurse/osx_syscall_probes.txt

Last active September 11, 2017 03:03
Show Gist options
  • Save sudocurse/c9508a24ad9d3631b0da13829ba5297c to your computer and use it in GitHub Desktop.
Save sudocurse/c9508a24ad9d3631b0da13829ba5297c to your computer and use it in GitHub Desktop.
Download ZIP
OSX DTrace Probes
Raw
osx_syscall_probes.txt
# sudo dtrace -lvi "syscall:::" 2>&1 >/dev/null | grep syscall | tr -s " " | cut -d" " -f 4 | uniq > osx_syscall_probes.txt
syscall
exit
fork
read
write
open
close
wait4
#8
link
unlink
#11
chdir
fchdir
mknod
chmod
chown
#17
getfsstat
#19
getpid
#21
#22
setuid
getuid
geteuid
ptrace
recvmsg
sendmsg
recvfrom
accept
getpeername
getsockname
access
chflags
fchflags
sync
kill
#38
getppid
#40
dup
pipe
getegid
#44
#45
sigaction
getgid
sigprocmask
getlogin
setlogin
acct
sigpending
sigaltstack
ioctl
reboot
revoke
symlink
readlink
execve
umask
chroot
#62
#63
#64
msync
vfork
#67
#68
#69
#70
#71
#72
munmap
mprotect
madvise
#76
#77
mincore
getgroups
setgroups
getpgrp
setpgid
setitimer
#84
swapon
getitimer
#87
#88
getdtablesize
dup2
#91
fcntl
select
#94
fsync
setpriority
socket
connect
#99
getpriority
#101
#102
#103
bind
setsockopt
listen
#107
#108
#109
#110
sigsuspend
#112
#113
#114
#115
gettimeofday
getrusage
getsockopt
#119
readv
writev
settimeofday
fchown
fchmod
#125
setreuid
setregid
rename
#129
#130
flock
mkfifo
sendto
shutdown
socketpair
mkdir
rmdir
utimes
futimes
adjtime
#141
gethostuuid
#143
#144
#145
#146
setsid
#148
#149
#150
getpgid
setprivexec
pread
pwrite
nfssvc
#156
statfs
fstatfs
unmount
#160
getfh
#162
#163
#164
quotactl
#166
mount
#168
csops
csops_audittoken
#171
#172
waitid
#174
#175
#176
kdebug_typefilter
kdebug_trace_string
kdebug_trace64
kdebug_trace
setgid
setegid
seteuid
sigreturn
#185
#186
fdatasync
stat
fstat
lstat
pathconf
fpathconf
#193
getrlimit
setrlimit
getdirentries
mmap
#198
lseek
truncate
ftruncate
sysctl
mlock
munlock
undelete
#206
#207
#208
#209
#210
#211
#212
#213
#214
#215
open_dprotected_np
#217
#218
#219
getattrlist
setattrlist
getdirentriesattr
exchangedata
#224
searchfs
delete
copyfile
fgetattrlist
fsetattrlist
poll
watchevent
waitevent
modwatch
getxattr
fgetxattr
setxattr
fsetxattr
removexattr
fremovexattr
listxattr
flistxattr
fsctl
initgroups
posix_spawn
ffsctl
#246
nfsclnt
fhopen
#249
minherit
semsys
msgsys
shmsys
semctl
semget
semop
#257
msgctl
msgget
msgsnd
msgrcv
shmat
shmctl
shmdt
shmget
shm_open
shm_unlink
sem_open
sem_close
sem_unlink
sem_wait
sem_trywait
sem_post
sysctlbyname
#275
#276
open_extended
umask_extended
stat_extended
lstat_extended
fstat_extended
chmod_extended
fchmod_extended
access_extended
settid
gettid
setsgroups
getsgroups
setwgroups
getwgroups
mkfifo_extended
mkdir_extended
identitysvc
shared_region_check_np
#295
vm_pressure_monitor
psynch_rw_longrdlock
psynch_rw_yieldwrlock
psynch_rw_downgrade
psynch_rw_upgrade
psynch_mutexwait
psynch_mutexdrop
psynch_cvbroad
psynch_cvsignal
psynch_cvwait
psynch_rw_rdlock
psynch_rw_wrlock
psynch_rw_unlock
psynch_rw_unlock2
getsid
settid_with_pid
psynch_cvclrprepost
aio_fsync
aio_return
aio_suspend
aio_cancel
aio_error
aio_read
aio_write
lio_listio
#321
iopolicysys
process_policy
mlockall
munlockall
#326
issetugid
__pthread_kill
__pthread_sigmask
__sigwait
__disable_threadsignal
__pthread_markcancel
__pthread_canceled
__semwait_signal
#335
proc_info
sendfile
stat64
fstat64
lstat64
stat64_extended
lstat64_extended
fstat64_extended
getdirentries64
statfs64
fstatfs64
getfsstat64
__pthread_chdir
__pthread_fchdir
audit
auditon
#352
getauid
setauid
#355
#356
getaudit_addr
setaudit_addr
auditctl
bsdthread_create
bsdthread_terminate
kqueue
kevent
lchown
#365
bsdthread_register
workq_open
workq_kernreturn
kevent64
__old_semwait_signal
__old_semwait_signal_nocancel
thread_selfid
ledger
kevent_qos
#375
#376
#377
#378
#379
__mac_execve
__mac_syscall
__mac_get_file
__mac_set_file
__mac_get_link
__mac_set_link
__mac_get_proc
__mac_set_proc
__mac_get_fd
__mac_set_fd
__mac_get_pid
#391
#392
#393
pselect
pselect_nocancel
read_nocancel
write_nocancel
open_nocancel
close_nocancel
wait4_nocancel
recvmsg_nocancel
sendmsg_nocancel
recvfrom_nocancel
accept_nocancel
msync_nocancel
fcntl_nocancel
select_nocancel
fsync_nocancel
connect_nocancel
sigsuspend_nocancel
readv_nocancel
writev_nocancel
sendto_nocancel
pread_nocancel
pwrite_nocancel
waitid_nocancel
poll_nocancel
msgsnd_nocancel
msgrcv_nocancel
sem_wait_nocancel
aio_suspend_nocancel
__sigwait_nocancel
__semwait_signal_nocancel
__mac_mount
__mac_get_mount
__mac_getfsstat
fsgetpath
audit_session_self
audit_session_join
fileport_makeport
fileport_makefd
audit_session_port
pid_suspend
pid_resume
#435
#436
#437
shared_region_map_and_slide_np
kas_info
memorystatus_control
guarded_open_np
guarded_close_np
guarded_kqueue_np
change_fdguard_np
usrctl
proc_rlimit_control
connectx
disconnectx
peeloff
socket_delegate
telemetry
proc_uuid_policy
memorystatus_get_level
system_override
vfs_purge
sfi_ctl
sfi_pidctl
coalition
coalition_info
necp_match_policy
getattrlistbulk
clonefileat
openat
openat_nocancel
renameat
faccessat
fchmodat
fchownat
fstatat
fstatat64
linkat
unlinkat
readlinkat
symlinkat
mkdirat
getattrlistat
proc_trace_log
bsdthread_ctl
openbyid_np
recvmsg_x
sendmsg_x
thread_selfusage
csrctl
guarded_open_dprotected_np
guarded_write_np
guarded_pwrite_np
guarded_writev_np
renameatx_np
mremap_encrypted
netagent_trigger
stack_snapshot_with_config
microstackshot
grab_pgo_data
#494
#495
#496
#497
#498
work_interval_ctl
getentropy
necp_open
necp_client_action
__nexus_open
__nexus_register
__nexus_deregister
__nexus_create
__nexus_destroy
__nexus_get_opt
__nexus_set_opt
__channel_open
__channel_get_info
__channel_sync
__channel_get_opt
__channel_set_opt
ulock_wait
ulock_wake
fclonefileat
fs_snapshot
#519
terminate_with_payload
abort_with_payload
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment