ProcInfo - Process info/monitoring library for macOS
Proc Info is an open-source, user-mode library for macOS. It provides a simple interface for retrieving detailed information about running processes, and it lets you asynchronously monitor process creation and exit events.
To use the Proc Info library:
- add the Proc Info library (lib/libprocInfo.a) and Apple's OpenBSM library (libbsm.tbd) to your Xcode project
- import the Proc Info library header file (procInfo.h)
- instantiate a ProcInfo object
- a) to retrieve information about a running process, instantiate a Process object via its init: method, passing the pid
- b) to enumerate existing processes, invoke the currentProcesses method
- c) to monitor process events, declare a callback block and invoke the start: method
...or just download the demo project, to take it for a spin!
#import "procInfo.h"
//init proc info object
ProcInfo* procInfo = [[ProcInfo alloc] init];
//dump process info for process 1337
// ->Process's init: takes the pid of the process to inspect
NSLog(@"process: %@", [[Process alloc] init:1337]);
//dump process info for all (currently running) processes
for(Process* process in [procInfo currentProcesses])
    NSLog(@"process: %@", process);
//block for process events
// ->a start event carries the full process object; an exit event carries the pid
ProcessCallbackBlock block = ^(Process* process)
{
    if(process.type != EVENT_EXIT)
        NSLog(@"process start: %@\n", process);
    else
        NSLog(@"process exit: %d\n", process.pid);
};
//start monitoring
// ->block will be invoked upon process events!
[procInfo start:block];
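The snippet above logs events but exits immediately, since start: returns and the callback fires asynchronously. The following is an added example (not code from the ProcInfo project) of a small command-line monitor built on the API shown on this page: it uses only the ProcInfo, Process, ProcessCallbackBlock, EVENT_EXIT, pid and type names from the snippet above, keeps a pid table so exit events can be matched to the start that was observed, and keeps the main run loop alive. Everything else is an assumption of this example: executable paths are resolved with the standard macOS libproc call proc_pidpath() rather than a ProcInfo property, the build line is a guess at the link flags, and monitoring is assumed to need root because the OpenBSM audit pipe is normally root-only.

```objc
// Added example, not part of the ProcInfo project.
// Assumed build line:  clang -framework Foundation -I. monitor.m lib/libprocInfo.a -lbsm -o monitor
// Assumed to require root (OpenBSM audit pipe access).
#import <Foundation/Foundation.h>
#import <libproc.h>
#import "procInfo.h"

int main(int argc, const char* argv[])
{
    @autoreleasepool
    {
        ProcInfo* procInfo = [[ProcInfo alloc] init];

        // pid -> time the start event was seen. Pids are recycled by the
        // kernel, so an entry is keyed by the pid we saw start and removed
        // again on exit; never assume a pid still refers to the same image.
        NSMutableDictionary<NSNumber*, NSDate*>* live = [NSMutableDictionary dictionary];

        // seed the table with processes that already exist, so their exits
        // are distinguishable from exits of processes we never saw start
        for(Process* process in [procInfo currentProcesses])
            live[@(process.pid)] = [NSDate distantPast];

        ProcessCallbackBlock block = ^(Process* process)
        {
            NSNumber* key = @(process.pid);

            if(process.type != EVENT_EXIT)
            {
                // resolve the path from the kernel at start time; at exit the
                // process is gone and proc_pidpath() would fail (libproc API,
                // assumed here, not a ProcInfo property)
                char path[PROC_PIDPATHINFO_MAXSIZE] = {0};
                if(proc_pidpath(process.pid, path, sizeof(path)) <= 0)
                    strlcpy(path, "<unresolved>", sizeof(path));

                live[key] = [NSDate date];
                NSLog(@"start pid %d path %s", process.pid, path);
            }
            else
            {
                NSDate* started = live[key];
                if(nil == started)
                    NSLog(@"exit pid %d (start not observed)", process.pid);
                else if([started isEqualToDate:[NSDate distantPast]])
                    NSLog(@"exit pid %d (was running before monitoring began)", process.pid);
                else
                    NSLog(@"exit pid %d after %.2fs", process.pid,
                          [[NSDate date] timeIntervalSinceDate:started]);

                [live removeObjectForKey:key];
            }
        };

        // start: returns immediately and the block is invoked asynchronously,
        // so the main thread must keep a run loop alive or the tool exits
        [procInfo start:block];
        [[NSRunLoop mainRunLoop] run];
    }
    return 0;
}
```

Two practical caveats this illustrates: anything you want to know about a process (its path, its signature) must be collected on the start event, because by the time the exit event arrives the process no longer exists; and a short-lived process may start and exit before the callback runs for the start, so an exit with no matching start is an expected case, not an error.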
Details
The Proc Info library provides an interface to:
- retrieve information about arbitrary processes (by pid)
- retrieve information about all running processes
- monitor for process start & exit events
The library is already used in various Objective-See tools that:
- need to track process creation events (e.g. RansomWhere?, BlockBlock)
- classify running processes (based on their cryptographic signatures)
Moreover, it is an important component of tools designed to facilitate Mac malware analysis (e.g. OSX/FruitFly) and vulnerability hunting (e.g. installers/updaters).