Advanced Apple Debugging & Reverse Engineering

Chapter 30: Intermediate DTrace
Written by Derek Selander

This chapter acts as a grab bag of more DTrace fundamentals, destructive actions (yay!), and how to use DTrace with Swift. Before getting into the theory, I'll get you excited first by using DTrace with Swift, and then move on to the sleep-inducing concepts that will make your eyes water. No, trust me, it will be fun!

In this chapter, you'll learn other ways DTrace can profile code, as well as how to augment existing code without laying a finger on the actual executable itself. Magic!

Getting started

We're not done picking on Ray Wenderlich. Included in this chapter is another movie-title-inspired project with Ray's name spliced into it.

Open Finding Ray in the starter directory for this chapter. There's no special setup needed. Build and run the project on the iPhone X Simulator.

The majority of this project is written in Swift, though many Swift subclasses inherit from NSObject as they need to be visually displayed (if it's an on-screen component, it must inherit from UIView, which inherits from NSObject, meaning Objective-C).

DTrace is agnostic to whichever class a piece of Swift code inherits from; it's all the same to DTrace. You can still profile Objective-C code subclassed by a Swift object so long as it inherits from NSObject, using the objc$target provider. The downside to this approach is that any new methods, or any overridden methods, implemented by the Swift class will not show up in any Objective-C probes.

DTrace & Swift in theory

Let's talk about how to use DTrace to profile Swift code. There are some advantages, along with some disadvantages, to consider.

The pid provider addresses Swift functions by the name of the module (the build target) they live in, so this probe matches the entry of every function in SomeTarget:

pid$target:SomeTarget::entry

Now consider a Swift class like the following:

class ViewController: UIViewController {
  override func viewDidLoad() {
    super.viewDidLoad()
  }
}

DTrace sees viewDidLoad under its demangled Swift name, which carries the module, the type and the full signature:

SomeTarget.ViewController.viewDidLoad() -> ()

Since that full name is awkward to type into a probe description, wildcards are the practical way to match it:

pid$target:SomeTarget:*viewDidLoad*:entry

DTrace & Swift in practice

If the Finding Ray application isn't already running, launch it in the iPhone X Simulator. You know the drill.

List every function probe in the Finding Ray module. The module name contains a space, which a probe description can't hold, so the ? wildcard (exactly one character) stands in for it:

sudo dtrace -n 'pid$target:Finding?Ray::entry' -p `pgrep "Finding Ray"`

Print the name of each function as it is entered, then filter the output down to the demangled Swift names (lines that don't start with @ and contain a dot):

sudo dtrace -qn 'pid$target:Finding?Ray::entry { printf("%s\n", probefunc); } ' -p `pgrep "Finding Ray"`

sudo dtrace -qn 'pid$target:Finding?Ray::entry { printf("%s\n", probefunc); } ' -p `pgrep "Finding Ray"` | grep -E "^[^@].*\."

Interacting with the app produces output like:

QuickTouchPanGestureRecognizer.delaysTouchesBegan.getter
ViewController.handleGesture(panGesture:)
ViewController.dynamicAnimator.getter
ViewController.snapBehavior.getter
ViewController.containerView.getter
MotionView.animate(isSelected:)

The -F option indents the output by call depth, and the function field accepts wildcards as well:

sudo dtrace -qFn 'pid$target:Finding?Ray::*r* { printf("%s\n", probefunc); } ' -p `pgrep "Finding Ray"`

DTrace variables & control flow

Now you'll jump into some theory that you'll need for the remainder of this section.

Scalar variables

The first way to create a variable is to use a scalar variable. These are simple variables of a fixed size; a piece of cake. You don't need to declare the type of a scalar variable in your DTrace script (DTrace infers it from the first assignment), nor do you need to initialize it, although the script below does so for clarity.

#!/usr/sbin/dtrace -s
#pragma D option quiet  

dtrace:::BEGIN
{
    isSet = 0;
    object = 0;
}
objc$target:NSObject:-init:return / isSet == 0 /
{
    object = arg1;
    isSet = 1;
}
objc$target:::entry / isSet && object == arg0 /
{
    printf("0x%p %c[%s %s]\n", arg0, probefunc[0], probemod, (string)&probefunc[1]);
}

Clause-local variables

Next up are clause-local variables. These are denoted by this-> placed right before the variable name, and they can take any type of value, including char*'s. Clause-local variables survive across clauses that belong to the same probe. If you try to reference them from a different probe, it won't work. For example, consider the following:

pid$target::objc_msgSend:entry
{
  this->object = arg0;
}

/* Same probe: this->object still holds the value set above */
pid$target::objc_msgSend:entry / this->object != 0 / {
  /* Do some logic here */
}

objc$target:::entry {
  this->f = this->object; /* Won't work since different probe */
}

Thread-local variables

Thread-local variables offer the most flexibility, at the cost of speed. In addition, you must release them manually, or else you'll leak memory. Thread-local variables are accessed by prefixing the variable name with self->.

objc$target:NSObject:-init:entry {
  self->a = arg0;
}

objc$target::-dealloc:entry / arg0 == self->a / {
  self->a = 0; /* Assigning 0 releases the thread-local storage */
}
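Putting the Swift probes from the practice section together with thread-local variables, here is an added example script (not from the book) that times every Swift function in the Finding Ray module. It assumes the app is running in the Simulator and that the script is saved as swifttime.d (a made-up name) and run with `sudo ./swifttime.d -p $(pgrep "Finding Ray")`.

```dtrace
#!/usr/sbin/dtrace -s
#pragma D option quiet

/* Added example, not from the book: per-function latency for the Swift
   code in the Finding Ray module. Script name swifttime.d is assumed. */

/* Entry: stash the clock in a thread-local associative array keyed by the
   demangled function name, so calls on other threads and non-recursive
   nesting on this thread don't clobber each other's start times. */
pid$target:Finding?Ray::entry
{
  self->start[probefunc] = timestamp;
}

/* Return: the predicate stands in for an if statement and only fires when
   this thread recorded an entry. Bucket the elapsed nanoseconds, then zero
   the thread-local slot, which releases it; skipping that leaks memory. */
pid$target:Finding?Ray::return
/ self->start[probefunc] /
{
  @elapsed[probefunc] = quantize(timestamp - self->start[probefunc]);
  @calls[probefunc] = count();
  self->start[probefunc] = 0;
}

/* On Ctrl-C: call counts first, then a latency histogram per function. */
dtrace:::END
{
  printf("Calls per Swift function:\n");
  printa("%@8d %s\n", @calls);
  printa(@elapsed);
}
```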

DTrace conditions

DTrace has rather limited conditional logic built in. There's no if/else statement in DTrace! This is a sensible design decision, because DTrace scripts are designed to be fast.

In C, you'd write something like this:

int b = 10;
int a = 0;

if (b == 10) {
  a = 5;
} else {
  a = 6;
}

In D, the same decision is written as a ternary expression:

b = 10;
a = 0;
a = b == 10 ? 5 : 6;

Likewise, a plain if with no else:

int b = 10;
int a = 0;
if (b == 10) {
  a++;
}

becomes:

b = 10;
a = 0;
a = b == 10 ? a + 1 : a;

The other tool for making decisions is the predicate, which gates an entire clause. The script below turns tracing on when UIViewController's initializer is entered and off again when it returns, and the predicate / trace / limits the printing to everything in between:

#!/usr/sbin/dtrace -s
#pragma D option quiet

dtrace:::BEGIN
{
  trace = 0;
}

objc$target:UIViewController:-initWithNibName?bundle?:entry {
  trace = 1;
}

objc$target:::entry / trace / {
  printf("%s\n", probefunc);
}

objc$target:UIViewController:-initWithNibName?bundle?:return {
  trace = 0;
}

Inspecting process memory

It might come as a surprise, but the DTrace scripts you write are actually executed in the kernel itself. This is why they're so fast, and also why you don't need to change any code in an already compiled program to perform dynamic tracing. Direct kernel access!

Take the open family of system calls as an example:

int open(const char *path, int oflag, ...);
int open_nocancel(const char *path, int flags, mode_t mode);

In the syscall::open:entry probe, arg0 is the path pointer, but it points into the process's own address space, which a script running in the kernel can't dereference directly. copyinstr copies the NUL-terminated string from the process into the kernel so the script can use it:

sudo dtrace -n 'syscall::open:entry { printf("%s", copyinstr(arg0)); }'

Playing with open syscalls

With the knowledge you need to inspect process memory, create a DTrace script that monitors the open family of system calls. In Terminal, type the following:

sudo dtrace -qn 'syscall::open*:entry { printf("%s opened %s\n", execname, copyinstr(arg0)); ustack(); }'

That reports every process on the machine. Add a predicate on execname to keep only the Finding Ray process:

sudo dtrace -qn 'syscall::open*:entry / execname == "Finding Ray" / { printf("%s opened %s\n", execname, copyinstr(arg0)); ustack(); }'

Filtering open syscalls by path

Inside the Finding Ray project, I remember I used the image named Ray.png for something, but I can't remember where. Good thing I have DTrace, along with grep, to hunt down the location where Ray.png is being opened.

sudo dtrace -qn 'syscall::open*:entry / execname == "Finding Ray" / { printf("%s opened %s\n", execname, copyinstr(arg0)); ustack(); }' 2>/dev/null | grep Ray.png -A40

Rather than piping everything through grep, you can do the path matching inside the predicate with strstr:

sudo dtrace -qn 'syscall::open*:entry / execname == "Finding Ray" && strstr(copyinstr(arg0), "Ray.png") != NULL / { printf("%s opened %s\n", execname, copyinstr(arg0)); ustack(); }' 2>/dev/null
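As an added example that is not from the book, the script below combines copyinstr, the strstr predicate trick and DTrace's ternary-only conditionals (from the conditions section) to summarise what the Finding Ray process opens, and whether it opens anything for writing. It assumes the executable name "Finding Ray" shown on this page and a made-up script name, rayopens.d, run with `sudo ./rayopens.d`.

```dtrace
#!/usr/sbin/dtrace -s
#pragma D option quiet

/* Added example, not from the book: which paths does Finding Ray open,
   and how many of those opens ask for write access? */

syscall::open*:entry
/ execname == "Finding Ray" /
{
  /* arg0 is a user-space pointer; the script runs in the kernel, so copy
     the NUL-terminated path in before touching it. */
  this->path = copyinstr(arg0);

  /* No if/else in D: classify the path with nested ternaries instead. */
  this->kind = strstr(this->path, ".png") != NULL   ? "png"   :
               strstr(this->path, ".plist") != NULL ? "plist" : "other";

  /* arg1 is oflag. O_RDONLY is 0, O_WRONLY is 1 and O_RDWR is 2, so the
     low two access-mode bits alone say whether a write is intended. */
  this->forWrite = (arg1 & 3) != 0 ? 1 : 0;

  @opens[this->kind, this->path] = count();
  @writes[this->path] = sum(this->forWrite);
}

/* On Ctrl-C: every path by kind, then the write-mode opens per path. */
dtrace:::END
{
  printf("%8s %-6s %s\n", "COUNT", "KIND", "PATH");
  printa("%@8d %-6s %s\n", @opens);
  printf("\nopen() calls requesting write access, per path:\n");
  printa("%@8d %s\n", @writes);
}
```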

DTrace & destructive actions

Note: What I'm about to show you is quite dangerous.

Before any tampering, the string that arg0 points at in the open syscall reads:

/Users/derekselander/Library/Developer/CoreSimulator/Devices/97F8BE2C-4547-470C-955F-3654A8347C41/data/Containers/Bundle/Application/102BDE66-79CB-453C-BA71-4062B2BC5297/Finding Ray.app/Ray.png

Writing the path to troll.png, plus its NUL terminator, over the start of that buffer with copyoutstr leaves the process memory looking like this:

/Users/derekselander/troll.png\0veloper/CoreSimulator/Devices/97F8BE2C-4547-470C-955F-3654A8347C41/data/Containers/Bundle/Application/102BDE66-79CB-453C-BA71-4062B2BC5297/Finding Ray.app/Ray.png

A C string ends at the first NUL, so the kernel now opens:

/Users/derekselander/troll.png

Getting your path length

When writing data out, you'll need to figure out how many characters long the full path to your troll.png is. I know the length of mine, but unfortunately, I don't know your name nor the name of your computer's home directory.

echo ~/troll.png

echo ~/troll.png | wc -m

Destructive actions are refused unless you pass -w, and the predicate below only rewrites paths that are long enough to hold the replacement:

sudo dtrace -wn 'syscall::open*:entry / execname == "Finding Ray" && arg0 > 0xfffffffe && strstr(copyinstr(arg0), ".png") != NULL && strlen(copyinstr(arg0)) >= 32 / { this->a = "/Users/derekselander/troll.png"; copyoutstr(this->a, arg0, 32); }'

Other destructive actions

In addition to copyoutstr and copyout, DTrace has some other destructive actions worth noting:

Where to go from here?

There are many powerful DTrace scripts on your macOS machine. You can hunt for them using man -k dtrace, then systematically man each one to see what it does. In addition, you can learn a lot by studying the code in them. Remember, these are scripts, not compiled executables, so the source code is fair game.


© 2021 Razeware LLC
