jbal

Reputation: 15

Monitor arguments of call to dylib in Macos

I'd like something similar to apimonitor but for Macos. Is there something like this already? Thank you. I'd like to be able to know the arguments used by an application when calling dylib functions.

Upvotes: 1

Views: 263

Answers (1)

Ken Thomases

Reputation: 90531

You have several options:

Have you considered just attaching a debugger (i.e. lldb) to the app, setting a breakpoint on the function of interest, and observing the arguments? You could set the breakpoint to automatically print the arguments and then continue.

You can use the pid provider of DTrace. Much of DTrace is disabled by System Integrity Protection (SIP). I don't recall if the pid provider is or not. If it's disabled, you can enable it when booted to Recovery Mode using the csrutil command (csrutil enable --without dtrace).

Anyway, the command to use the pid provider is:

sudo dtrace -n 'pid$target:library pattern:function pattern:entry { actions }' -p <PID of target>

The patterns are file-glob-style, using * to match any characters and ? to match a single character.

An action can be something like ustack(); to dump the user stack, printf("%x\n", arg0); to print the first argument, etc. See a DTrace manual for more.

Finally, you can use the DYLD_INSERT_LIBRARIES environment variable to inject a library of your own. That library, in turn, can use dyld symbol interposing to install your own version of a given function or functions, which can do whatever you want. It can call through to the original and thus act as a wrapper.

Note that SIP can also interfere with passing DYLD_* environment variables through to the executable.

Upvotes: 2
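The interposing approach from the answer, as an added example that is not part of the answer: a small library that hooks open(2), logs each call's arguments, and calls through to the original. The names my_open and libopenlog.dylib are my own; the interpose record only compiles on macOS, while the hook and formatter build anywhere.

```c
// Added example, not code from the answer: a minimal dyld interposing library
// that logs the arguments of every open(2) call made by the target process.
// Build on macOS:  clang -dynamiclib -o libopenlog.dylib openlog.c
// Run:             DYLD_INSERT_LIBRARIES=./libopenlog.dylib /path/to/app
#include <fcntl.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

// Render one open() call as text. Kept separate from the hook so it can be
// exercised without interposing. Uses a static buffer, so it is not reentrant.
static const char *describe_open_call(const char *path, int flags, int mode)
{
    static char line[1024];
    int acc = flags & O_ACCMODE;
    snprintf(line, sizeof line, "open(\"%s\", %s%s%s, %#o)",
             path ? path : "(null)",
             acc == O_RDONLY ? "O_RDONLY" : acc == O_WRONLY ? "O_WRONLY" : "O_RDWR",
             (flags & O_CREAT) ? "|O_CREAT" : "",
             (flags & O_TRUNC) ? "|O_TRUNC" : "",
             (unsigned)mode);
    return line;
}

// Replacement for open(). dyld routes the target's calls here; we log the
// arguments to stderr and call through to the real open(). Calls made from
// inside the interposing library itself are not redirected, so no recursion.
int my_open(const char *path, int flags, ...)
{
    int mode = 0;
    if (flags & O_CREAT) {            // the mode argument exists only with O_CREAT
        va_list ap;
        va_start(ap, flags);
        mode = va_arg(ap, int);
        va_end(ap);
    }
    fprintf(stderr, "[openlog pid %d] %s\n", (int)getpid(),
            describe_open_call(path, flags, mode));
    return open(path, flags, mode);
}

#ifdef __APPLE__
// The __DATA,__interpose section tells dyld to replace `open` with `my_open`
// in every other image of the process.
__attribute__((used, section("__DATA,__interpose")))
static const struct { const void *replacement; const void *replacee; }
interpose_open = { (const void *)(unsigned long)&my_open,
                   (const void *)(unsigned long)&open };
#endif
```

As the answer notes, SIP strips DYLD_* variables for protected binaries, so this only works against apps that are not SIP-protected.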
