Created
March 30, 2022 19:08
-
-
Save mentlerd/d0e58c3e23b95d5f4dafc7130005854a to your computer and use it in GitHub Desktop.
ImHex pattern to extract DTrace SDT probes from Apple XNU
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Powered by https://github.com/WerWolv/ImHex | |
| # | |
| # /System/Library/Kernels/kernel | |
| # uname -a -> xnu-8020.101.4 | |
| struct nullstr { | |
| char data[while(std::mem::read_unsigned($, 1) != 0x00)]; | |
| }; | |
| struct sdt_entry { | |
| u64 addr; | |
| u64 provider_addr [[hidden]]; | |
| u64 name_addr [[hidden]]; | |
| u8 anchor [[hidden]]; | |
| $ = provider_addr - 0xffffff8000c8df98 + 11067288; | |
| nullstr provider; | |
| $ = name_addr - 0xffffff8000c8df98 + 11067288; | |
| nullstr name; | |
| $ = addressof(anchor); | |
| } [[format("sdt_format")]]; | |
| fn sdt_format(sdt_entry e) { | |
| return e.provider.data + " " + e.name.data; | |
| }; | |
| sdt_entry probes[100] @ 11092120; |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment