truss

UNIX/Linux系统取证之信息采集案例 在UNIX/Linux系统取证中，及时收集硬盘的信息至关重要，《Unix/Linux网络日志分析与流量监控》一书中，将详细讨论各种常见系统进程系统调用及镜像文件获取方法。下面简单举几个例子。 1.收集正在运行的进程 在UNIX/Linux取证时很多系统和网络信息是短时存在的可谓是转瞬即逝，如何准确的捕捉到哪些蛛丝马迹呢？网络安全人员需要具有敏锐的观察力和丰富的经验下面例举几个常用的方法。 首先，在收集主机上启动一个监听进程： #nc -l -p 10005 >ps_lsof_log 执行完这条命令后回车，系统打开10005端口等待接受，然后在被调查的另一主机上运行相应的ps 调用： #(ps aux; ps-auxeww; lsof)|nc 192.168.150.100 10005 -w 3 几秒钟后回到命令行提示符，需要注意的是这两条命令成对出现,发送完数据后开启的端口接收数据接收完毕即关闭端口，如果你第二次没有开启监听端口，继续发送ps数据就会出现连接访问拒绝。 #(ps aux;ps auxeww;losf) | nc 192.168.150.109 10005 –w 3 (UNKNOWN) [192.168.150.109] 10005 (?) : Conection refused 在上述命令中，有的命令产生长输出结果

I was trying to see which syscall ps uses to get the command line of a process on OS X 10.11 (El Capitan), and ran into the following error: # dtruss ps -p 43520 -o args dtrace: failed to execute ps: dtrace cannot control executables signed with restricted entitlements Googling resulted in the suggestion that making a copy of ps would allow me to bypass this, but that didn't work for me. Why can't I run dtruss on arbitrary binaries anymore, and is there any way for me to restore the old behavior? The issue has to do with the code signature. If you make a copy and then re-sign it with your own