For example, you have the TextEdit application; when you save the file, I want to know which Objective-C methods get called. I have the header files of TextEdit from class-dump.

Is there any way to know which of these methods (which we output from class-dump) get called at runtime?

Is there any way to do it with DTrace?

1 Answer

Assuming Objective-C methods translate directly to user-space function calls, you should be able to use the DTrace pid provider:

The pid Provider

The pid provider enables you to trace any instruction in a process. Unlike most other providers, pid probes are created on demand, based on the probe descriptions found in your D programs.

User Function Boundary Tracing

The simplest mode of operation for the pid provider is as the user space analogue to the fbt provider. The following example program traces all function entries and returns that are made from a single function. The $1 macro variable expands to the first operand on the command line. This macro variable is the process ID for the process to trace. The $2 macro variable expands to the second operand on the command line. This macro variable is the name of the function that all function calls are traced from.

Example 4–3 userfunc.d: Trace User Function Entry and Return

```
pid$1::$2:entry
{
  self->trace = 1;
}

pid$1::$2:return
/self->trace/
{
  self->trace = 0;
}

pid$1:::entry,
pid$1:::return
/self->trace/
{
}
```

This script produces output that is similar to the following example:

```
# ./userfunc.d 15032 execute
dtrace: script './userfunc.d' matched 11594 probes
  0  -> execute
  0    -> execute
  0      -> Dfix
  0      <- Dfix
  0      -> s_strsave
  0        -> malloc
  0        <- malloc
  0      <- s_strsave
  0      -> set
  0        -> malloc
  0        <- malloc
  0      <- set
  0      -> set1
  0        -> tglob
  0        <- tglob
  0      <- set1
  0      -> setq
  0        -> s_strcmp
  0        <- s_strcmp
...
```
Andrew Henle
  • Thanks for your information, but I need more. I have the class-dump of TextEdit. In it, I want to find out whether `- (BOOL)validateMenuItem:(id)arg1;` of class Document is executed or not. So I used your script and ran it with `dtrace -s userfunc.d 1102 *validateMenuItem*` ... It says the probe description does not match. What to do? – hrishikesh chaudhari Nov 23 '16 at 12:58
  • @hrishikeshchaudhari The function name might not be exactly `validateMenuItem`. It's likely [mangled](https://en.wikipedia.org/wiki/Name_mangling). I'm not familiar with OS X to say what utilities are available to find actual mangled function names in binaries. `strings -a /bin/file | grep -i validateMenuItem` *might* work. This might help: http://stackoverflow.com/questions/4506121/how-to-print-a-list-of-symbols-exported-from-a-dynamic-library Shortening the DTrace script to something like `pid$1:::entry {}` might emit *all* function calls the process makes. I can't test that right now. – Andrew Henle Nov 23 '16 at 13:04
  • You are probably right, the functions are mangled. The only way now is to do it by reverse engineering or trial and error. I really wonder how people do swizzling. Reverse engineering will probably take days to find the exact function to do swizzling. – hrishikesh chaudhari Nov 23 '16 at 14:22
  • @Andrew Henle Any comments on reverse engineering done on Mac OS X and how to do it? I guess IDA and DTrace are some of the tools used for reverse engineering on Mac. – hrishikesh chaudhari Nov 23 '16 at 17:02
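
An added example, not part of the original answer or comments: the macOS build of DTrace also has an `objc` provider whose probe descriptions take the form `objcPID:class:[+|-]method:name`, with `?` standing in for every `:` of the selector because `:` separates probe fields. The Python sketch below turns class-dump declarations into such probe descriptions; the sample header is constructed, the function names are hypothetical, and `$target` assumes the script is run with `dtrace -p PID`.

```python
import re

# Constructed class-dump style header; only Document and
# validateMenuItem: are taken from the question above.
SAMPLE_HEADER = """\
@interface Document : NSDocument
+ (BOOL)autosavesInPlace;
- (BOOL)validateMenuItem:(id)arg1;
- (void)saveToURL:(id)arg1 ofType:(id)arg2 forSaveOperation:(unsigned long long)arg3 completionHandler:(CDUnknownBlockType)arg4;
- (void)close;
@end
"""

INTERFACE = re.compile(r"^@interface\s+(\w+)(?:\s*\((\w+)\))?")
METHOD = re.compile(r"^([+-])\s*\([^)]*\)\s*(.+?)\s*;\s*$")

def selector(decl):
    """'saveToURL:(id)arg1 ofType:(id)arg2' -> 'saveToURL:ofType:'"""
    bare = re.sub(r"\([^)]*\)", "", decl)   # drop the (type) parts
    parts = re.findall(r"(\w*):", bare)     # keyword before each ':'
    return "".join(p + ":" for p in parts) if parts else bare.strip()

def objc_probes(header, name="entry"):
    """Yield one objc-provider probe description per declared method."""
    cls = None
    for line in header.splitlines():
        line = line.strip()
        m = INTERFACE.match(line)
        if m:  # class name, plus "(Category)" when class-dump lists one
            cls = m.group(1) + (f"({m.group(2)})" if m.group(2) else "")
        elif line == "@end":
            cls = None
        elif cls and (m := METHOD.match(line)):
            sel = selector(m.group(2)).replace(":", "?")  # ':' is a field separator
            yield f"objc$target:{cls}:{m.group(1)}{sel}:{name}"

def d_script(header):
    """Build a D program that prints class and method on each entry."""
    probes = ",\n".join(objc_probes(header))
    return probes + '\n{\n    printf("%s %s\\n", probemod, probefunc);\n}\n'

if __name__ == "__main__":
    print(d_script(SAMPLE_HEADER))
```

Save the printed program to a file and run it with `dtrace -s file.d -p PID`; each line of output names a class and method that was entered.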