Even when SIP is disabled.
It shows an error, and dumps the dtrace script to console!
Used to work fine until BigSur.
I have the same issue even with SIP disabled:
# csrutil status
System Integrity Protection status: disabled.
execsnoop
dtrace: invalid probe specifier
/*
* Command line arguments
*/
inline int OPT_dump = 0;
inline int OPT_cmd = 0;
inline int OPT_time = 0;
inline int OPT_timestr = 0;
inline int OPT_zone = 0;
inline int OPT_safe = 0;
inline int OPT_proj = 0;
inline int FILTER = 0;
inline string COMMAND = ".";
#pragma D option quiet
#pragma D option switchrate=10hz
/*
* Print header
*/
dtrace:::BEGIN
{
/* print optional headers */
OPT_time ? printf("%-14s ", "TIME") : 1;
OPT_timestr ? printf("%-20s ", "STRTIME") : 1;
OPT_zone ? printf("%-10s ", "ZONE") : 1;
OPT_proj ? printf("%5s ", "PROJ") : 1;
/* print main headers */
/* APPLE: Removed "ZONE" header, it has no meaning in darwin */
OPT_dump ? printf("%s %s %s %s %s %s %s\n",
"TIME", "PROJ", "UID", "PID", "PPID", "COMM", "ARGS") :
printf("%5s %6s %6s %s\n", "UID", "PID", "PPID", "ARGS");
}
/*
* Print exec event
*/
/* SOLARIS: syscall::exec:return, syscall::exece:return */
proc:::exec-success
/(FILTER == 0) || (OPT_cmd == 1 && COMMAND == strstr(COMMAND, execname)) || (OPT_cmd == 1 && execname == strstr(execname, COMMAND))/
{
/* print optional fields */
OPT_time ? printf("%-14d ", timestamp/1000) : 1;
OPT_timestr ? printf("%-20Y ", walltimestamp) : 1;
OPT_zone ? printf("%-10s ", zonename) : 1;
OPT_proj ? printf("%5d ", curpsinfo->pr_projid) : 1;
/* print main data */
/* APPLE: Removed the zonename output, it has no meaning in darwin */
OPT_dump ? printf("%d %d %d %d %d %s ", timestamp/1000,
curpsinfo->pr_projid, uid, pid, ppid, execname) :
printf("%5d %6d %6d ", uid, pid, ppid);
OPT_safe ? printf("%S\n", curpsinfo->pr_psargs) :
printf("%s\n", curpsinfo->pr_psargs);
}
: probe description proc:::exec-success does not match any probes
After extensive digging in the XNU kernel side, and the userland of DTrace, it seems that recent versions of DTrace rely on the userland libdtrace to provide Kernel symbol information, necessary for the activation of SDT based probes (such as proc, sched, etc.). You can find a non-exhaustive list of these probes in this file.
The default Monterey installation does not appear to contain all necessary symbols, only a subset.
This can be verified by disabling system integrity protection (well, ideally protection against DTrace only, with csrutil enable --without dtrace in recovery mode), and listing all available probes which are supplied by the Kernel with sudo dtrace -l | grep mach_kern. The list won't be nearly as long as it should be.
Furthermore, another telltale sign is that disabling the usermode symbolication with the appropriate boot-args will make these probes disappear too.
The solution to make these probes powering execsnoop available again is to install the Kernel Debug Kit for your specific Kernel build, which can be found with the sw_vers command.
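To turn the diagnosis above into a repeatable check, here is an added shell script (not part of execsnoop, the DTrace toolkit, or this thread) that tests whether the proc:::exec-success probe execsnoop needs is visible to dtrace and how many probes are backed by mach_kernel symbols, which is the sudo dtrace -l | grep mach_kern check from the answer. The two probe listings in the script are constructed to imitate the column layout of dtrace -l (ID PROVIDER MODULE FUNCTION NAME) and are not captured output; the live check only runs on macOS, must be run with sudo because dtrace -l requires root, and prints the kernel build from sw_vers so you know which Kernel Debug Kit to fetch.

```shell
#!/bin/sh
# Added diagnostic, not part of the DTrace toolkit or of execsnoop.
# Checks whether the SDT 'proc' provider (needed by execsnoop's
# proc:::exec-success probe) is visible to dtrace, and how many
# kernel-supplied (mach_kernel) probes are listed.

# Constructed listing: a machine whose kernel symbols are unavailable to
# libdtrace, so only the built-in dtrace and syscall providers appear.
DEGRADED_LISTING='   ID   PROVIDER            MODULE                          FUNCTION NAME
    1     dtrace                                                     BEGIN
    2     dtrace                                                     END
    3     dtrace                                                     ERROR
 1024    syscall                                                exit entry
 1025    syscall                                                exit return
 1026    syscall                                                fork entry
 1027    syscall                                                fork return'

# Constructed listing: the same machine after the matching Kernel Debug Kit
# is installed, so SDT probes backed by mach_kernel symbols show up.
HEALTHY_LISTING="$DEGRADED_LISTING
 2048       proc       mach_kernel                  proc_exec_end exec-success
 2049       proc       mach_kernel                      proc_exit exit
 2050      sched       mach_kernel                   thread_block on-cpu"

# Emit "provider:name" for every probe in the listing read from stdin,
# skipping the header. MODULE and FUNCTION may be blank, so the provider
# is always field 2 and the probe name is always the last field.
probe_keys() {
    awk 'NR > 1 && NF >= 3 { print $2 ":" $NF }'
}

# has_probe PROVIDER NAME LISTING: exit 0 if PROVIDER:::NAME is present.
has_probe() {
    printf '%s\n' "$3" | probe_keys | grep -qxF "$1:$2"
}

# count_kernel_probes LISTING: number of probes whose MODULE column is
# mach_kernel (the `dtrace -l | grep mach_kern` check from the thread).
count_kernel_probes() {
    printf '%s\n' "$1" | awk '$3 == "mach_kernel"' | wc -l | tr -d ' '
}

# assess_listing LISTING: 0 if execsnoop's probe is usable, 1 otherwise.
assess_listing() {
    kernel_probes=$(count_kernel_probes "$1")
    echo "mach_kernel-backed probes listed: $kernel_probes"
    if has_probe proc exec-success "$1"; then
        echo "proc:::exec-success is available; execsnoop should run"
        return 0
    fi
    echo "proc:::exec-success is missing: kernel symbols are not available" \
         "to libdtrace (check csrutil status and install the KDK for this build)"
    return 1
}

# Live check on macOS only; run it with sudo because `dtrace -l` needs root.
diagnose_live() {
    if [ "$(uname)" != "Darwin" ] || ! command -v dtrace >/dev/null 2>&1; then
        echo "no dtrace on this host; live check skipped"
        return 0
    fi
    [ "$(id -u)" -eq 0 ] || echo "warning: not root, dtrace -l will be empty"
    echo "Kernel build: $(sw_vers -buildVersion)"
    csrutil status
    assess_listing "$(dtrace -l 2>/dev/null)"
}

diagnose_live
```

On the two constructed listings the script reports zero mach_kernel probes and a missing proc:::exec-success for the degraded machine, and three mach_kernel probes with the probe present after the KDK is installed; on a real Mac the live numbers come from dtrace -l itself.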