Open-source software name: objective-see/ProcInfo
Open-source software URL: https://github.com/objective-see/ProcInfo
Open-source programming language: Objective-C 98.6%
Open-source software introduction:

ProcInfo

Proc Info is an open-source, user-mode library for macOS. It provides a simple interface to retrieve detailed information about running processes, and allows one to asynchronously monitor process creation and exit events.

Love this library or want to support it? Check out my patreon page :)

Quick Start (tl;dr)

To use the Proc Info library:

...or just download the demo project, to take it for a spin!

```objectivec
#import "procInfo.h"

//init proc info object
// YES: skip (CPU-intensive) generation of code-signing info
// NO: automatically generate code-signing info for each process
ProcInfo* procInfo = [[ProcInfo alloc] init:NO];

//dump process info for process 1337
NSLog(@"process: %@", [[Process alloc] init:1337]);

//dump process info for all processes
for(Process* process in [procInfo currentProcesses])
    NSLog(@"new process: %@", process);

//block for process events
ProcessCallbackBlock block = ^(Process* process)
{
    if(process.type != EVENT_EXIT)
        NSLog(@"process start: %@\n", process);
    else
        NSLog(@"process exit: %d\n", process.pid);
};

//start monitoring
// ->block will be invoked upon process events!
[procInfo start:block];
```

Details

The Proc Info library provides an interface to:
The library is already used in various Objective-See tools that:

Moreover, it is an important component of tools designed to facilitate Mac malware analysis (e.g. OSX/FruitFly) and vulnerability hunting (e.g. Installers/Updaters).

As detailed in the 'Quick Start' section, to use Proc Info in your Xcode project perform the following steps:

1. Add the Proc Info library to your Xcode project:
2. Add Apple's OpenBSM library to your Xcode project:
3. Add the 'Proc Info' library header file to your project:

Your Xcode project should now look something like this:

Hit Product->Build to compile and link your project. Assuming it cleanly builds, it's now time to start writing code to unlock the power of the Proc Info library :)

Before getting into coding specifics, it's important to understand the
Each
The signing information includes:
With this information, one can use the library to answer questions such as:
Retrieving Information about an Arbitrary Process

Via the Proc Info library one can create

```objectivec
//init process obj
Process* process = [[Process alloc] init:1337];
```

This will create a

```objectivec
//dump process info
NSLog(@"process: %@", process);
```

```text
//output
process:
pid: 1337
path: /Applications/Calculator.app/Contents/MacOS/Calculator
user: 501
args: (
    "/Applications/Calculator.app/Contents/MacOS/Calculator"
)
ancestors: (
    557,
    554,
    353,
    1
)
binary:
    name: Calculator
    path: /Applications/Calculator.app/Contents/MacOS/Calculator
    attributes: {
        NSFileCreationDate = "2017-03-23 00:27:11 +0000";
        NSFileExtensionHidden = 0;
        NSFileGroupOwnerAccountID = 0;
        NSFileGroupOwnerAccountName = wheel;
        NSFileHFSCreatorCode = 0;
        NSFileHFSTypeCode = 0;
        NSFileModificationDate = "2017-03-23 00:27:11 +0000";
        NSFileOwnerAccountID = 0;
        NSFileOwnerAccountName = root;
        NSFilePosixPermissions = 493;
        NSFileReferenceCount = 1;
        NSFileSize = 199520;
        NSFileSystemFileNumber = 92435925;
        NSFileSystemNumber = 16777220;
        NSFileType = NSFileTypeRegular;
    }
    signing info: {
        signatureStatus = 0;
        signedByApple = 1;
        signingAuthorities = (
            "Software Signing",
            "Apple Code Signing Certification Authority",
            "Apple Root CA"
        );
    } (isApple: 1 / isAppStore: 0)
```

Retrieving Information about all Running Processes
The Proc Info library can also provide information about all running processes via the

```objectivec
//init proc info object
// ->NO: generate code-signing info for each process
ProcInfo* processInfo = [[ProcInfo alloc] init:NO];

//enum all existing procs
for(Process* process in [processInfo currentProcesses])
{
    //query/examine each process...

    //dump process info
    NSLog(@"process: %@", process);
}
```

Note that this method may take a few seconds to execute, as generating and verifying the cryptographic signing information for all processes is somewhat time- and CPU-consuming. As such, it is recommended that you invoke this logic (i.e. the

Monitoring Process Start and Exit Events
One of the most powerful features of the Proc Info library is its ability to asynchronously monitor for process events such as creation (

In order to begin monitoring for such events, first declare a block to pass to the library. This block's type should be

```objectivec
typedef void (^ProcessCallbackBlock)(Process*);
```

From this typedef, one can see this block will be invoked with a pointer to a

One can query the returned

Below is some example code that will call into the Proc Info library to asynchronously monitor for process events. Once the library detects such events, it will automatically invoke the passed-in

```objectivec
//init proc info object
// ->NO: generate code-signing info for each process
ProcInfo* processInfo = [[ProcInfo alloc] init:NO];

//define block
// ->automatically invoked upon process events
ProcessCallbackBlock block = ^(Process* process)
{
    //process start event
    // ->fork, spawn, exec, etc.
    if(process.type != EVENT_EXIT)
    {
        //print
        NSLog(@"process start: %@\n", process);
    }
    //process exit event
    else
    {
        //print
        // ->only pid
        NSLog(@"process exit: %d\n", process.pid);
    }
};

//start monitoring
// ->pass in block for events
[processInfo start:block];

//run loop
// ->as we don't want to exit
[[NSRunLoop currentRunLoop] run];
```

Executing this code, and starting a process such as

```text
# ./procInfoExample
process start:
pid: 1337
path: /Applications/Calculator.app/Contents/MacOS/Calculator
user: 501
args: (
    "/Applications/Calculator.app/Contents/MacOS/Calculator"
)
ancestors: (
    557,
    554,
    353,
    1
)
binary:
    name: Calculator
    path: /Applications/Calculator.app/Contents/MacOS/Calculator
    attributes: {
        NSFileCreationDate = "2017-03-23 00:27:11 +0000";
        NSFileExtensionHidden = 0;
        NSFileGroupOwnerAccountID = 0;
        NSFileGroupOwnerAccountName = wheel;
        NSFileHFSCreatorCode = 0;
        NSFileHFSTypeCode = 0;
        NSFileModificationDate = "2017-03-23 00:27:11 +0000";
        NSFileOwnerAccountID = 0;
        NSFileOwnerAccountName = root;
        NSFilePosixPermissions = 493;
        NSFileReferenceCount = 1;
        NSFileSize = 199520;
        NSFileSystemFileNumber = 92435925;
        NSFileSystemNumber = 16777220;
        NSFileType = NSFileTypeRegular;
    }
    signing info: {
        signatureStatus = 0;
        signedByApple = 1;
        signingAuthorities = (
            "Software Signing",
            "Apple Code Signing Certification Authority",
            "Apple Root CA"
        );
    } (isApple: 1 / isAppStore: 0)
2017-08-07 08:49:02.199 procInfoExample[10393:3296896] process exit: 1337
```

It should be noted that if the Proc Info library is not running with root privileges, or is executed on an older version of macOS (pre 10.12.4), it will only monitor for application events (i.e. not terminal nor background processes). This is because safely monitoring audit events requires root and a recent version of macOS.

Mahalo!
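As an added example (not code from the ProcInfo project), the monitor below builds on the callback block above to flag each process start whose binary is unsigned, fails signature verification, or is signed by someone other than Apple, and logs the ancestor chain so the parent lineage is visible. It assumes property names that mirror the dump shown above (`process.binary.signingInfo`, `process.binary.isApple`, `process.ancestors`) and that a `signatureStatus` of 0 means the signature verified, as in the dump; per the note above, run it as root on macOS 10.12.4 or later for full coverage.

```objectivec
// Added example, not part of the ProcInfo project. Assumed property names
// (chosen to match the dump above): process.binary.signingInfo (NSDictionary
// with keys signatureStatus/signedByApple/signingAuthorities),
// process.binary.isApple (BOOL), process.ancestors (NSArray of pids).
#import <Foundation/Foundation.h>
#import "procInfo.h"

// classify a process start by the signing state of its binary
static NSString* classify(Process* process)
{
    NSDictionary* signing = process.binary.signingInfo;
    NSNumber* status = signing[@"signatureStatus"];

    if(nil == status)
        return @"UNSIGNED";          // no signature at all
    if(0 != status.intValue)
        return @"INVALID SIGNATURE"; // signed, but verification failed
    if(process.binary.isApple)
        return @"apple";             // valid and chains to Apple
    return @"third-party";           // valid, non-Apple signer
}

int main(int argc, const char* argv[])
{
    @autoreleasepool
    {
        // NO: generate code-signing info, the classification depends on it
        ProcInfo* processInfo = [[ProcInfo alloc] init:NO];

        ProcessCallbackBlock block = ^(Process* process)
        {
            // exit events carry only a pid; nothing to classify
            if(EVENT_EXIT == process.type)
                return;

            NSString* verdict = classify(process);
            // Apple-signed starts are routine; record everything else
            if(![verdict isEqualToString:@"apple"])
            {
                NSLog(@"[%@] pid %d path %@ ancestors %@",
                      verdict, process.pid, process.path,
                      [process.ancestors componentsJoinedByString:@" <- "]);
            }
        };

        [processInfo start:block];
        [[NSRunLoop currentRunLoop] run];
    }
    return 0;
}
```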
Want to add your support? Check out my patreon page :)