Reply to execsnoop (dtrace based) no longer working in Monterey
After extensive digging in the XNU kernel side, and the userland of DTrace, it seems that recent versions of DTrace rely on the userland libdtrace to provide Kernel symbol information, necessary for the activation of SDT based probes (such as proc, sched, etc. You can find a non-exhaustive list of these probes in this file). The default Monterey installation does not appear to contain all necessary symbols, only a subset. This can be verified by disabling system integrity protection (well, ideally protection against DTrace only, with csrutil enable --without dtrace in recovery mode), and listing all available probes which are supplied by the Kernel with sudo dtrace -l | grep mach_kern. The list won't be nearly as long as it should be. Furthermore, another telltale sign is that disabling the usermode symbolication with the appropriate boot-args will make these probes disappear too. The solution to make these probes powering execsnoop available again is to install the Kernel Debug Kit for your specific Kernel build, which can be found with the sw_vers command.
Mar ’22
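The probe check described in the reply above, turned into a small script. This is an added example, not code from the reply's author or from Apple: it parses the output of `sudo dtrace -l` (a constructed sample is embedded so it runs offline) and counts, per provider, the SDT probes supplied by the `mach_kernel` module, so a box without the matching Kernel Debug Kit shows up as zero `proc`/`sched` kernel probes instead of a long list. The function names and the sample lines are assumptions; the column layout mirrors the `ID PROVIDER MODULE FUNCTION NAME` header that `dtrace -l` prints.

```shell
#!/bin/sh
# Added example (not from the forum post): report how many kernel-supplied
# (module mach_kernel) SDT probes each DTrace provider exposes, from `dtrace -l`
# output read on stdin. An empty count for proc/sched is the symptom the reply
# describes on a Monterey install without the matching Kernel Debug Kit.

# Constructed sample of `sudo dtrace -l` output (assumption: a real machine
# prints thousands of lines; only the column layout matters here).
SAMPLE_DTRACE_L='   ID   PROVIDER            MODULE                          FUNCTION NAME
    1     dtrace                                                     BEGIN
    2     dtrace                                                     END
    3     dtrace                                                     ERROR
  100       proc                       mach_kernel            proc_exec exec-success
  101       proc                       mach_kernel    proc_exec_failure exec-failure
  102      sched                       mach_kernel         thread_block off-cpu
  200    syscall                                                        exit entry'

# count_kernel_probes PROVIDER
#   Reads `dtrace -l` output on stdin; prints the number of probes whose
#   PROVIDER column matches and whose MODULE column is mach_kernel.
#   The header line (NR == 1) is skipped.
count_kernel_probes() {
    awk -v prov="$1" \
        'NR > 1 && $2 == prov && $3 == "mach_kernel" { n++ } END { print n + 0 }'
}

# kernel_sdt_status PROVIDER...
#   Reads `dtrace -l` output on stdin once, prints "<provider> <count>" per
#   provider, and returns 1 if any provider has no kernel probes at all
#   (the "list is nowhere near as long as it should be" case).
kernel_sdt_status() {
    input=$(cat)
    rc=0
    for p in "$@"; do
        n=$(printf '%s\n' "$input" | count_kernel_probes "$p")
        printf '%s %s\n' "$p" "$n"
        [ "$n" -gt 0 ] || rc=1
    done
    return $rc
}

# Demo on the constructed sample. On a real Monterey machine (with SIP relaxed
# for DTrace as the reply describes) you would run:
#   sudo dtrace -l | kernel_sdt_status proc sched
printf '%s\n' "$SAMPLE_DTRACE_L" | kernel_sdt_status proc sched
```

A non-zero exit from `kernel_sdt_status proc sched` after installing the Kernel Debug Kit for the build reported by `sw_vers` would indicate the symbols still are not being picked up (for instance, a KDK for a different kernel build), which is the first thing to double-check before digging further.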