Trace (Goldsmitha20) Mac OS


I wanted to trace the system calls made by the find command to debug some performance issues, however I could not figure out how to do this on Mac OS X Yosemite. How can I trace system calls for an arbitrary program, similarly to what strace does on FreeBSD? I am especially interested in tracing file-system related calls.

Linux

Tracing system calls on Linux is straightforward. The ptrace API lets one process trace all system calls made by another process, and the command-line program strace uses ptrace to allow a user to do the same.
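To show what that paragraph means in practice, here is an added example (not from the original post) of a minimal strace-style tracer written directly against the Linux ptrace(2) API. It forks the target, stops at every system-call entry, counts the calls, and separately counts the file-opening calls (open/openat), which is the file-system view the question above asks for. Syscall numbers are per-architecture, so the open/openat check is only filled in for x86_64 and aarch64 (an assumption; other targets still count calls but report zero opens). It is Linux-only and will not build on Mac OS X, whose ptrace lacks the syscall-stop and register-reading requests used here; it also needs ptrace to be permitted, which some container seccomp profiles or Yama settings deny.

```c
/* Minimal ptrace(2) syscall counter. Added example, Linux-only; assumes
 * x86_64 or aarch64 for the open/openat classification. */
#define _GNU_SOURCE
#include <elf.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

struct trace_stats {
    long total;    /* system calls entered by the tracee */
    long fs_opens; /* of those, open()/openat() calls */
};

/* Read the syscall number at a syscall-entry stop (architecture specific). */
static long current_syscall(pid_t pid)
{
#if defined(__x86_64__)
    struct user_regs_struct regs;
    if (ptrace(PTRACE_GETREGS, pid, 0, &regs) == -1)
        return -1;
    return (long)regs.orig_rax;   /* rax is clobbered; orig_rax keeps the number */
#elif defined(__aarch64__)
    struct user_regs_struct regs;
    struct iovec iov = { .iov_base = &regs, .iov_len = sizeof regs };
    if (ptrace(PTRACE_GETREGSET, pid, (void *)NT_PRSTATUS, &iov) == -1)
        return -1;
    return (long)regs.regs[8];    /* x8 holds the syscall number */
#else
    (void)pid;
    return -1;
#endif
}

static int is_open_syscall(long nr)
{
#if defined(__x86_64__)
    return nr == 2 || nr == 257;  /* open, openat */
#elif defined(__aarch64__)
    return nr == 56;              /* openat (arm64 has no plain open) */
#else
    (void)nr;
    return 0;
#endif
}

/* Run argv under the tracer. Returns the tracee's exit status, or -1 if
 * tracing failed (fork error, ptrace denied, child never stopped). */
int trace_command(char *const argv[], struct trace_stats *st)
{
    memset(st, 0, sizeof *st);
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (ptrace(PTRACE_TRACEME, 0, 0, 0) == -1)
            _exit(127);
        raise(SIGSTOP);           /* pause so the parent can set options first */
        execvp(argv[0], argv);
        _exit(127);
    }

    int status;
    if (waitpid(pid, &status, 0) == -1 || !WIFSTOPPED(status))
        return -1;                /* child exited before reaching the SIGSTOP */
    /* TRACESYSGOOD sets bit 7 of the stop signal so syscall stops cannot be
     * confused with a real SIGTRAP delivered to the tracee. */
    if (ptrace(PTRACE_SETOPTIONS, pid, 0, (void *)PTRACE_O_TRACESYSGOOD) == -1)
        return -1;

    int in_syscall = 0;           /* syscall stops alternate entry / exit */
    int sig = 0;                  /* signal to inject when resuming; 0 swallows the SIGSTOP */
    for (;;) {
        if (ptrace(PTRACE_SYSCALL, pid, 0, (void *)(long)sig) == -1)
            return -1;
        sig = 0;
        if (waitpid(pid, &status, 0) == -1)
            return -1;
        if (WIFEXITED(status) || WIFSIGNALED(status))
            break;
        if (!WIFSTOPPED(status))
            continue;
        if (WSTOPSIG(status) == (SIGTRAP | 0x80)) {
            in_syscall = !in_syscall;
            if (in_syscall) {     /* entry stop: classify the call */
                st->total++;
                if (is_open_syscall(current_syscall(pid)))
                    st->fs_opens++;
            }
        } else if (WSTOPSIG(status) != SIGTRAP) {
            /* A genuine signal for the tracee: pass it through unchanged.
             * The plain SIGTRAP after a successful execve is a ptrace
             * artefact and is suppressed. */
            sig = WSTOPSIG(status);
        }
    }
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char *argv[])
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s command [args...]\n", argv[0]);
        return 2;
    }
    struct trace_stats st;
    int rc = trace_command(argv + 1, &st);
    fprintf(stderr, "exit=%d syscalls=%ld open/openat=%ld\n", rc, st.total, st.fs_opens);
    return rc < 0 ? 1 : 0;
}
```

Build with `cc -o mtrace mtrace.c` and run `./mtrace find /usr -name '*.h'` to see how many calls, and how many opens, find makes; strace does the same job with decoded arguments, but the loop above is all ptrace requires to see every system call.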

Mac OS X

Tracing system calls on Mac OS X is a little harder, but more powerful. The dtrace system ships with Macs starting with Mac OS X 10.5. Unlike strace, however, dtrace is not one tracing program but a framework of providers: the syscall provider sees every system call made on the machine without any change to the traced program, while user-level (USDT) probes have to be built in to programs. Mac OS X ships with several thousand probes (the attachment points), and most normal monitoring is covered. For the find question above, the bundled dtruss script is the closest thing to strace (sudo dtruss -f find ...), and opensnoop lists file opens system-wide. One caveat: from 10.11 onwards System Integrity Protection stops dtrace from instrumenting Apple-signed binaries such as /usr/bin/find unless SIP's dtrace restriction is disabled. Brendan Gregg's blog has a Mac OS X-specific dtrace page, as an example, and there are other useful tutorials.

Apple did add ptrace to Mac OS X: there's a man page for it, but the implementation lacks the syscall-stop and register-reading requests that strace depends on, and there is no strace program for user-level use. I'll have to try writing some code.


There are ways to hook/override program and system functions at runtime, for instance injecting a library with DYLD_INSERT_LIBRARIES and using dyld interposing to wrap open() and friends. These work but aren't truly supported, so are of most use for debugging situations.

Amit Singh took the kernel extension approach to get access to system calls.

While there are definitely nefarious uses for this stuff, it can be used for developers too. For example, this paper talks about rootkits, but the techniques also make for great developer tools.

BSD

The equivalent of strace on BSD is ktrace (BSD has ptrace too, but ktrace is the user-facing tool). Unfortunately, ktrace is not available on Mac OS X. That's annoying, because it is complementary to DTrace, which is an awesome sysop-level tool, but is driven from D scripts rather than giving your own program ptrace-style control over the tracee. Mac OS X had ktrace in 10.4 and earlier; it went away in 10.5 when DTrace arrived.

Windows

There is the amazing Process Monitor, which traces all file and registry actions. However, this is strictly a user-level program; you work with it through its GUI. It's very useful, but does not give you system-call level access from your own source code.

There is a fairly new project called StraceNT. It comes with source code.

Dr. Memory comes with 'strace for Windows' called drstrace.

Event Tracing for Windows (ETW) is the Microsoft official technique, and has several programs layered on top.

There is Logger and LogView, also Microsoft tools.

There is NtTrace

An article

fabricate


This is a python build tool that watches for files that have changed as a result of running a command. It uses strace on Linux but does file-time watching on Windows, so maybe look for how to get Python on Windows to use one of the other file monitoring solutions?

tup


The tup build tool uses DLL injection on Windows to detect file I/O.

ninja

The ninja tool does not trace anything itself; it learns which files a command read from the dependency files the compiler emits (gcc -MMD, MSVC /showIncludes) rather than from filesystem watching.

Google 'building in the cloud'


This is a FUSE-based approach, so not exactly tracing system calls.
