Tuesday, November 13, 2007

Instruments: the built-in OSX hacking tool

Apple recently released their new operating system, Leopard. There are a few cool features in this OS, but the one I am most excited about is a new development tool called Instruments. Instruments is a GUI tool and wrapper around a port of DTrace. What does this give us? Basically, DTrace is a library that lets you query kernel-level events. I have been dying for something like FileMon or ProcessMon on the OSX platform; now I have it, and it is on steroids. Needless to say, this made my day. What does Instruments look like? Kind of like this:



The above screen shot shows a sample run looking at the file I/O of all processes on my system (looks like Quicksilver is doing a scan). It is also possible to specify a single process, or to launch a new program you wish to monitor. So what, you say? You could see the file I/O of any process on the previous version of OSX with fsLogger (although it was kind of ugly, imho). Well, Instruments is far more extensible (a later blog post) and there are a lot of default libraries that can be used.
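Underneath that file I/O view, Instruments is running DTrace. The D script below is an added example (mine, not from the post or from Apple) that does the same thing from the command line: it counts file opens per process and path, and separately counts failed opens, which show the paths a program probes for even when they don't exist. It assumes Leopard's `syscall` provider exposes `open` and `open_nocancel` with the path as the first argument, and that you run it as root.

```d
#!/usr/sbin/dtrace -s
/*
 * Added example (not from the post): per-process file-open tracing, the
 * command-line equivalent of the file I/O view in the screenshot above.
 * Run as root:  sudo dtrace -s fileopens.d   (Ctrl-C prints the tables)
 * To watch one process only, add the predicate /pid == $target/ to the
 * entry probe and run with  sudo dtrace -p <pid> -s fileopens.d
 */
#pragma D option quiet

/* open() and open_nocancel() both pass the path as the first argument. */
syscall::open*:entry
{
    self->path = copyinstr(arg0);
    self->tracing = 1;
}

/* A non-negative return value is a file descriptor: the open succeeded. */
syscall::open*:return
/self->tracing && arg0 >= 0/
{
    @opens[execname, self->path] = count();
}

/* Failed opens matter too: they reveal config files, plugins and
   libraries a program looks for, which is part of its attack surface. */
syscall::open*:return
/self->tracing && arg0 < 0/
{
    @failed[execname, self->path, errno] = count();
}

/* Release the thread-local variables after every return. */
syscall::open*:return
/self->tracing/
{
    self->path = 0;
    self->tracing = 0;
}

/* Print both aggregations when the script is stopped. */
dtrace:::END
{
    printf("\n%-16s %-48s %s\n", "PROCESS", "PATH", "OPENS");
    printa("%-16s %-48s %@u\n", @opens);
    printf("\n%-16s %-48s %s %s\n", "PROCESS", "PATH", "ERRNO", "COUNT");
    printa("%-16s %-48s %5d %@u\n", @failed);
}
```

Save a run's output alongside the Instruments trace and you can diff what a program touches across versions or configurations.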

There are 27 default "instruments" in the library. These range from monitoring network traffic, locks, I/O and memory usage to recording UI events. Some of them only work on a single process, while others can monitor all processes. Since there are so many instruments, explaining all of them is a blog post of its own.

Another useful thing about Instruments is that you can do multiple runs and they will be shown side by side. Also, you can save your runs for later replay or investigation.

So, why do I say this is a hacking tool and not a development tool? Because a lot of hacking (in my mind) is figuring out how programs work, how the mind of the person who wrote them works, and then finding the chinks in their thinking or their laziness. Many development tools can be re-purposed for attacking the programs that were written with the same tools, because when we get down to it we are just doing some weird ass debugging on the products :). Being able to see what files a program reads and writes shows us some of the attack surface. Being able to see how the program uses memory and other system resources shows us even more of it. On top of that, it gives anyone better insight into how a program or system resource works. So Instruments is a development tool, but I see it as being really, really useful for "security research."

I will be posting a few more posts on this tool. I am not sure how many yet, as I am still learning about this tool and OSX in general, but if you liked this post, stay tuned :).
