I want to examine every system and external library call of a given application, together with the data structures that are passed around. (The application in question is some kind of packaged software based on OpenSSL and around OS X keychain, and I want to see if I could get a hold of the private key, which is marked as non-extractable in Keychain Access.)

How could I do that on OS X?

I think DTrace comes to mind, but I couldn't find any sample tricks to do the above.

cnst
  • Note that I've also started a bounty for an application of this question: http://security.stackexchange.com/questions/64323/export-non-extractable-private-key-from-keychain-on-os-x – cnst Aug 01 '14 at 21:21
  • There's also another bounty for another application of this question: http://stackoverflow.com/questions/25044418/can-dtrace-find-non-extractable-private-key-from-keychain-on-os-x – cnst Aug 01 '14 at 21:39

1 Answer

To examine every system call and external library call, the DTrace script is like this:

#!/usr/sbin/dtrace -s

/* Fire on entry to every system call made by the traced process ($1 is the pid
   given on the command line). An empty action prints the default one-line
   output: CPU, probe ID and FUNCTION:NAME. */
syscall:::entry
/ pid == $1 /
{
}

/* Fire on entry to every function in any module of the process whose name
   starts with "lib" (libSystem, libssl, libcrypto, ...). */
pid$1:lib*::entry
{
}

The usage is like: ./check.d pid (the process ID). For the input parameters, you can use arg0...argN (uint64_t type) to refer to them.

But I think you should find the related syscalls and library functions first; otherwise the output is very large and hard to debug.

Hope this can help!

Nan Xiao
  • Thanks! This seems to be working, but it's not printing the actual data structures at all. E.g. I see something like ` 2 112007 COpenSSLCertUtils::GetOpenSSLCertFromDER(unsigned int, unsigned char const*, COpenSSLCertificate*&):entry `, which sounds potentially interesting (I'm trying to find the private key for my cert from keychain), but what are the actual parameters that are being passed? Also, may I interest you in http://stackoverflow.com/questions/25044418/can-dtrace-find-non-extractable-private-key-from-keychain-on-os-x bounty? – cnst Aug 06 '14 at 03:52
  • @cnst: Because I am not familiar with your project, I can't tell you how to print the key directly. I think you can use print/copyinstr to print the key. – Nan Xiao Aug 11 '14 at 05:35
  • could you possibly provide a short snippet for doing that? – cnst Aug 11 '14 at 05:50
  • @cnst: maybe [http://stackoverflow.com/questions/1462547/how-to-view-call-stack-with-dtrace](http://stackoverflow.com/questions/1462547/how-to-view-call-stack-with-dtrace) and [https://blogs.oracle.com/peteh/entry/dereferencing_user_space_pointers_in](https://blogs.oracle.com/peteh/entry/dereferencing_user_space_pointers_in) can help you. – Nan Xiao Aug 11 '14 at 07:01
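The answer's script fires on everything and prints only probe names, which is why the comment thread asks about the actual arguments. The following D script is an added example (not part of the answer or the asker's project) of the two things usually needed next: narrowing the probes, and printing arguments, including a user-space string via copyinstr() as the answer suggests. It assumes the process uses OpenSSL via modules named libssl*/libcrypto*, which is an assumption drawn from the question's description; any other module pattern can be substituted. It aggregates syscall counts, logs the paths passed to open(2), and logs which OpenSSL functions are entered, which is a reasonable first audit of what a packaged application touches.

```dtrace
#!/usr/sbin/dtrace -s
/* Added example, not from the original answer. Usage: sudo ./trace_calls.d <pid> */

#pragma D option quiet

/* Count every syscall the traced process makes, keyed by syscall name. */
syscall:::entry
/ pid == $1 /
{
    @calls[probefunc] = count();
}

/* open(2): arg0 is a user-space pointer to the path string. copyinstr()
   copies it into kernel context so it can be printed safely; printing arg0
   directly would only show the pointer value. */
syscall::open:entry
/ pid == $1 /
{
    printf("%-16s open(\"%s\")\n", execname, copyinstr(arg0));
}

/* read(2): arg0 is the fd and arg2 the requested length, both plain
   integers, so they can be printed without copying anything in. */
syscall::read:entry
/ pid == $1 /
{
    printf("%-16s read(fd=%d, len=%d)\n", execname, arg0, arg2);
}

/* Library calls, narrowed to the OpenSSL modules (assumed module names)
   instead of lib*, so the output stays readable. probemod/probefunc give
   the module and the function being entered. */
pid$1:libssl*::entry,
pid$1:libcrypto*::entry
{
    printf("%-16s %s:%s\n", execname, probemod, probefunc);
}

/* When the script is stopped (Ctrl-C), print the per-syscall histogram. */
END
{
    printf("\nsyscall counts for pid %d:\n", $1);
    printa("  %-24s %@d\n", @calls);
}
```

Two caveats a practitioner would want: arguments are only meaningful once the function's signature is known (arg0 is the first integer-class argument, so pointer arguments must be copied in with copyin()/copyinstr() and cast), and on macOS releases with System Integrity Protection enabled, DTrace cannot attach to protected system binaries at all, so tracing a keychain-related process there requires SIP's DTrace restriction to be lifted in recovery mode, which is something to account for in any monitoring plan.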