tool to trace function calls

Used for discussing the various tools in the book as well as encouraging members to share tools

Post by backendbilly » Thu Jul 30, 2015 2:34 am

Hi Jonathan,

With all the great tools you provide, there exists a need for a tool to trace function calls made by a process. As you're most definitely aware, there exist methods to hook objc_msgSend using third-party tools like cycript, inspectiveC, itrace, etc., but unfortunately they're either 32-bit based, outdated, and/or only work (or seem to work) for GUI-based apps and rely heavily on class-dumping headers from a process. From my humble experience, not all headers can be generated from a process. Take for example locationd. Other methods include hooking objc_msgSend from the debugger, but it's cumbersome and produces too much noise.

Your filemon tool is a very valuable tool. Thank you very much for providing such a tool. Is it possible to have a filemon-like tool that can trace all function calls made by a process, including arguments with possible data fed to said functions?

Your work is very much appreciated by the community.

Billy
backendbilly
Site Admin
 
Posts: 132
Joined: Fri May 29, 2015 5:58 pm

Re: tool to trace function calls

Post by morpheus » Thu Jul 30, 2015 3:02 am

I hear you Billy. cycript is pretty amazing, but (at times) crude. I'd modify it, but I prefer writing stuff from scratch.

I mostly use my Coreruption, which is specifically designed so it can perform advanced interception and hooking. It's kind of like jtool, but on live processes (uses same libs). But it, too, is invasive.. And also the only tool that's not public.

One non-invasive tool of mine has been in the works for the longest time now - (k)DebugView. As usual, the name is an homage to the great SysInternals tool, but this time the functionality is entirely different - it's based on the KDebug facility (what Apple itself uses) and functionality-wise is somewhat reminiscent of Linux ftrace (entirely different implementation though). And it's about time it goes public, I guess. Won't be open source, but will be free. Wait a tad longer, though.. It's just that this week I'm in Android mode (and releasing a bunch of handy tools for that platform too :) So stay tuned.

Always great to hear nice feedback :-D You'd be surprised at how few people bother to stop and appreciate. Thank you ever so much.
morpheus
Site Admin
 
Posts: 532
Joined: Thu Apr 11, 2013 6:24 pm

Re: tool to trace function calls

Post by backendbilly » Mon Aug 10, 2015 2:58 am

I can't wait for your DebugView tool. I would love to be able to snoop on a process (PID style) and view functions being called at runtime to get a clear overview of function call hierarchy. Processes including system services. I can't believe there is nothing out there that would function as ftrace or the like in iOS without going through the hoops of class-dumping, hooking, etc. This is so underrated. People have gotten so used to hooking App Store apps and gotten so comfortable with class-dumping. Well, what if you don't get all class headers at runtime?

I want to thank you for giving this some thought. It's people like you that make reversing fun and a good learning experience.

Billy
backendbilly
Site Admin
 
Posts: 132
Joined: Fri May 29, 2015 5:58 pm

Re: tool to trace function calls

Post by morpheus » Mon Aug 10, 2015 4:14 am

Haven't forgotten about you. Just been keeping busy, especially with the public training opening tomorrow here in SFO (http://Technologeeks.com/OSXRE).

It's still unstable, spewing out EVERYTHING unfiltered, and it WILL crash on you, but here's a taste of what it can do - kdv - in an Alpha, built for 64-bit only. And it won't id threads reliably. If you're missing the trace.codes, just grab /usr/share/misc/trace.codes from your Mac OS.

A MUCH better and more stable version will be up when I'm done here, as I've fixed all these issues (but encountered others). Wait for it. Or in time for MOXiI II Vol 1. Soon enough :)

Btw - JTool's next version supports objective-C fully. Lots to wait for.
Attachments
kdv.tar
No promises about stability.
(52.5 KiB) Downloaded 621 times
morpheus
Site Admin
 
Posts: 532
Joined: Thu Apr 11, 2013 6:24 pm
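
An added example, not part of the thread and not code from kdv: a minimal loader for the trace.codes file mentioned above, plus a decoder that splits a 32-bit kdebug debugid into class, subclass, code and start/end qualifier using the bit layout from XNU's sys/kdebug.h. The function names and the embedded sample entries are constructed for illustration.

```python
import io

# Bit layout of a 32-bit kdebug debugid (per XNU's sys/kdebug.h):
#   bits 24-31 class, 16-23 subclass, 2-15 code, 0-1 function qualifier
EVENTID_MASK = 0xFFFFFFFC   # debugid with the qualifier bits stripped
FUNC_NAMES = {0: "NONE", 1: "START", 2: "END", 3: "START|END"}

# Constructed sample in the trace.codes layout: "<hex id><whitespace><name>"
SAMPLE_TRACE_CODES = """\
0x1400000\tMACH_SCHED
0x1400008\tMACH_STKHANDOFF
0x40c000c\tBSC_read
not-a-code line that should be skipped
0x3010090 VFS_LOOKUP
"""

def load_codes(fileobj):
    """Return ({event id: name}, lines seen); malformed lines are skipped."""
    codes, total = {}, 0
    for line in fileobj:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        total += 1
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        try:
            ident = int(parts[0], 16)
        except ValueError:
            continue
        codes[ident & EVENTID_MASK] = parts[1]
    return codes, total

def decode(debugid, codes):
    """Split a debugid into its fields and resolve its name if known."""
    eventid = debugid & EVENTID_MASK
    return {
        "class": (debugid >> 24) & 0xFF,
        "subclass": (debugid >> 16) & 0xFF,
        "code": (debugid >> 2) & 0x3FFF,
        "func": FUNC_NAMES[debugid & 0x3],
        "name": codes.get(eventid, "0x%08x" % eventid),  # fall back to raw id
    }

def load_sample():
    """Load the constructed sample above (stand-in for the real file)."""
    return load_codes(io.StringIO(SAMPLE_TRACE_CODES))

if __name__ == "__main__":
    codes, total = load_sample()
    print("Loaded %d/%d codes" % (len(codes), total))
    print(decode(0x40C000D, codes))
```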

Re: tool to trace function calls

Post by backendbilly » Mon Aug 10, 2015 2:19 pm

Thanks Jonathan. Much appreciated. I'll test it out and keep you posted.
backendbilly
Site Admin
 
Posts: 132
Joined: Fri May 29, 2015 5:58 pm

Re: tool to trace function calls

Post by backendbilly » Fri Oct 16, 2015 7:10 pm

Hey J,

Would you have a copy of kdv for armv7? I'm doing some hardware tracing on an older iPhone (cheaper than new iPhones). If not, don't worry about it.

Billy.
backendbilly
Site Admin
 
Posts: 132
Joined: Fri May 29, 2015 5:58 pm

Re: tool to trace function calls

Post by jni » Sat Jan 02, 2016 10:30 pm

Hello,

I am trying to use this tool on an arm7 9.0.2 device and I get:

# ./kdv all
Loaded 2471/2471 codes
KDSETUP: No space left on device


Any ideas?

Thanks,
jeni
jni
 
Posts: 11
Joined: Mon Jun 29, 2015 11:28 am

Re: tool to trace function calls

Post by morpheus » Thu Jan 07, 2016 9:39 pm

That's because kdv allocates a large amount of memory (a better version will be released soon). You can compile the tool with a smaller buffer size, and it will work (I tested it on 6/6S, which have in the 2G of RAM, so it wasn't a problem)
morpheus
Site Admin
 
Posts: 532
Joined: Thu Apr 11, 2013 6:24 pm

Re: tool to trace function calls

Post by jni » Sun Jan 10, 2016 2:04 pm

Thanks, got it working.
jni
 
Posts: 11
Joined: Mon Jun 29, 2015 11:28 am

