How can you catch a process that is about to be launched, if you don’t know the PID yet?
Contents
- Introduction
- I、Attaching with LLDB
  - 1.1 debugserver
  - 1.2 Attaching to a running process
  - 1.3 Attaching to a process that has not launched yet
Introduction
How do you attach a debugger to a process that is about to be launched when you do not yet know its PID?
This article was published by the verified author 「#公众号:iOS逆向」 under the Creative Commons Attribution-ShareAlike 4.0 International license. If you repost it, credit the source and include a link to this article together with this copyright notice.
I、Attaching with LLDB
1.1 debugserver
The program that actually attaches to and controls a target process is debugserver, which ships inside Xcode at Xcode.app/Contents/SharedFrameworks/LLDB.framework/Resources:
devzkndeMacBook-Pro:Resources devzkn$ ls -lrt
total 32160
drwxr-xr-x 3 root wheel 96 Apr 13 2017 Clang
-rw-r--r-- 1 root wheel 1245 Apr 13 2017 Info.plist
drwxr-xr-x 3 root wheel 96 Apr 13 2017 Python
-rw-r--r-- 1 root wheel 463 Apr 13 2017 version.plist
-rwxr-xr-x 1 root wheel 24736 May 11 2017 darwin-debug
-rwxr-xr-x 1 root wheel 4719552 May 11 2017 debugserver
-rwxr-xr-x 1 root wheel 17904 May 11 2017 repl_swift
-rwxr-xr-x 1 root wheel 41952080 May 11 2017 lldb-server
-rwxr-xr-x 1 root wheel 132304 May 11 2017 lldb-argdumper
devzkndeMacBook-Pro:Resources devzkn$ pwd
/Applications/Xcode.app/Contents/SharedFrameworks/LLDB.framework/Resources
When you debug an iOS, watchOS or tvOS app on a remote device, LLDB does not talk to the target directly: it launches a debugserver on the device, connects to it over a TCP socket (tunnelled over USB for iOS devices) using the GDB remote serial protocol, and forwards every attach, breakpoint, memory read and continue request to that debugserver, which performs the actual operation on the device.
The same mechanism can be driven by hand. With a debugserver listening on a port that is reachable as 127.0.0.1:12345 (for example after forwarding a device port to localhost), you attach LLDB to it from the (lldb) prompt with:
process connect connect://127.0.0.1:12345
1.2 Attaching to an existing process
Attach by executable name with -n; LLDB resolves the name to a PID for you:
lldb -n Xcode
Or look up the PID yourself (pgrep -x matches the process name exactly) and attach with -p:
devzkndeMacBook-Pro:Resources devzkn$ pgrep -x Xcode
2416
devzkndeMacBook-Pro:Resources devzkn$ lldb -p 2416
1.3 Attaching to a future process
How do you attach to a process when you cannot know its PID yet, because it has not launched?
Use the -w (--wait-for) option together with -n. LLDB then waits for a process whose executable name matches the -n argument to launch and attaches to it as soon as it appears; -w does not take a PID, since the PID does not exist until the process starts.
1、Close any existing LLDB session (Ctrl+D ends it), then type:
devzkndeMacBook-Pro:Resources devzkn$ lldb -n Finder -w
(lldb) process attach --name "Finder" --waitfor
This tells LLDB to wait until a new process named Finder launches and then attach to it (an instance of Finder that is already running is ignored; LLDB is waiting for the next launch).
2、Next, open a new Terminal tab (Cmd+T) and enter the following:
devzkndeMacBook-Pro:Resources devzkn$ pkill Finder
pkill terminates the running Finder, and because Finder is a launchd-managed system process macOS immediately relaunches it. Back in the first Terminal window you will see that LLDB has attached to the freshly started Finder process. Two caveats: on macOS with System Integrity Protection enabled, attaching to Apple-signed system binaries such as Finder is not permitted and the attach will fail, so try the recipe against your own app (or a process started from your shell) or use a dedicated test machine with SIP disabled; and because --waitfor polls the process list, the target has already executed its first instructions by the time LLDB attaches, so when you control the launch yourself and need to stop at the very first instruction, use process launch --stop-at-entry instead.
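The polling semantics described above (ignore instances that are already running, catch the next launch, then hand the new PID to the debugger) are easy to see in a small script. The following is an added example written for this article, not LLDB's or debugserver's own code: it snapshots the process table with ps, waits for a new PID carrying the requested name, and then runs lldb -p on it. The use of `ps -axo pid=,comm=` and the Finder PIDs in the constructed sample snapshots are assumptions for illustration.

```python
"""Wait-for-launch by polling, modelled on `lldb -n NAME -w`.

Added example, not LLDB's code. Assumes `ps -axo pid=,comm=` works
(macOS and Linux procps) and delegates the actual attach to `lldb -p`.
"""
import subprocess
import sys
import time
from typing import Iterable, Iterator, List, Optional, Set, Tuple

# One snapshot of the process table: (pid, executable basename) pairs.
Snapshot = List[Tuple[int, str]]


def list_processes() -> Snapshot:
    """Take a snapshot of all processes via ps (assumed available)."""
    out = subprocess.run(
        ["ps", "-axo", "pid=,comm="], capture_output=True, text=True, check=True
    ).stdout
    procs: Snapshot = []
    for line in out.splitlines():
        pid, _, comm = line.strip().partition(" ")
        if pid.isdigit():
            # ps may print a full path for comm; keep the basename only
            procs.append((int(pid), comm.strip().rsplit("/", 1)[-1]))
    return procs


def pids_named(snapshot: Snapshot, name: str) -> Set[int]:
    """PIDs in a snapshot whose executable name matches exactly."""
    return {pid for pid, comm in snapshot if comm == name}


def wait_for_launch(name: str, snapshots: Iterable[Snapshot]) -> Optional[int]:
    """Return the PID of the first *newly launched* process called `name`.

    The first snapshot is the baseline: processes already running with
    that name are ignored, like --waitfor does. A baseline PID that
    disappears is dropped from the baseline, so a later process that
    happens to reuse the same PID is still reported as a new launch.
    Returns None if the snapshots run out before a launch is seen.
    """
    it = iter(snapshots)
    try:
        baseline = pids_named(next(it), name)
    except StopIteration:
        return None
    for snap in it:
        current = pids_named(snap, name)
        baseline &= current          # forget baseline PIDs that have exited
        new = current - baseline
        if new:
            return min(new)
    return None


def live_snapshots(interval: float = 0.05, timeout: float = 30.0) -> Iterator[Snapshot]:
    """Yield fresh ps snapshots every `interval` seconds until `timeout`."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        yield list_processes()
        time.sleep(interval)


def attach_command(pid: int) -> List[str]:
    """The command line used to attach once the PID is known."""
    return ["lldb", "-p", str(pid)]


def wait_and_attach(name: str, timeout: float = 30.0) -> int:
    """Block until a new `name` process appears, then attach lldb to it."""
    pid = wait_for_launch(name, live_snapshots(timeout=timeout))
    if pid is None:
        raise TimeoutError(f"no new process named {name!r} within {timeout}s")
    subprocess.run(attach_command(pid), check=False)
    return pid


if __name__ == "__main__":
    # Usage: python waitfor.py Finder   (then `pkill Finder` in another tab)
    sys.exit(0 if wait_and_attach(sys.argv[1] if len(sys.argv) > 1 else "Finder") else 1)
```

The same wait-for behaviour is available from LLDB's own Python API without polling by hand: build an lldb.SBAttachInfo, call SetExecutable(name) and SetWaitForLaunch(True), and pass it to SBTarget.Attach; the script above only makes the baseline-and-poll semantics visible and testable offline.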
