5

I would like to find out if there's a sys call that gets remote process id and return it's command line in Mac OS X (the equivalent in linux is /proc/PID/cmdline.

I could use the following way of reading output of 'px ax PID' from file, but I believe there's a cleaner way.

enter code here
char sys_cmd[PATH_MAX];
snprintf(sys_cmd, PATH_MAX, "ps ax %d", pid);

fp = popen(sys_cmd, "r");
while (fgets(res, sizeof(res)-1, fp) != NULL) {
    printf("%s", res);
}
pclose(fp);
Nakilon
  • 34,866
  • 14
  • 107
  • 142
Zohar81
  • 4,554
  • 5
  • 29
  • 82

2 Answers2

4

Depending on exactly what you want to do, you could do something like the following with proc_pidinfo() (source code for the kernel implementation is here and header file with struct definitions is here):

$ cat procname.c 
#include <stdio.h>
#include <stdlib.h>
#include <sys/proc_info.h>

extern int proc_pidinfo(int pid, int flavor, uint64_t arg, user_addr_t buffer,
    uint32_t  buffersize);
#define SHOW_ZOMBIES 0

int main(int argc, char **argv) {
    if(argc != 2) {
        puts("Usage: procname <pid>");
        return 1;
    }

    struct proc_taskallinfo info;

    int ret = proc_pidinfo(atoi(argv[1]), PROC_PIDTASKALLINFO, SHOW_ZOMBIES,
        (user_addr_t) &info, sizeof(struct proc_taskallinfo));
    printf("ret=%d, result=%s\n", ret, (char *) info.pbsd.pbi_comm);

    return 0;
}
$ clang procname.c -o procname 2>/dev/null
$ sudo ./procname 29079
ret=232, result=Google Chrome

I would have used dtruss on ps -p ... -o args to get an exact syscall you could use to get the right information, but unfortunately on El Capitan dtruss doesn't seem to work with some binaries (including ps) because of the following error:

$ sudo dtruss ps -p 29079 -o args

dtrace: failed to execute ps: dtrace cannot control executables signed with restricted entitlements

Instead what I did was run sudo nm $(which ps) to see what library calls were happening from ps, then I looked through those to see what looked like the most likely candidates and Googled for their implementations in the xnu (Mac OS X kernel) source code.

KeksArmee
  • 1,349
  • 14
  • 21
Dan
  • 7,155
  • 2
  • 29
  • 54
  • 1
    Hmm, this doesn't give me the cmdline it just gives me the name of the process....anyone know how to get the actual cmdline? or at least the arguments passed to exec for the process? – horseyguy Sep 12 '19 at 13:55
  • @horseyguy https://github.com/wrp/examples/blob/master/c/procname.c To get the arguments. There's got to be a better way.... – William Pursell Jul 30 '20 at 19:33
0

The correct API to do this is the KERN_PROCARGS2 sysctl, however it is very hard to use correctly (I've checked every use of this API in public code and they're all wrong), so I wrote a library to wrap its use: https://getargv.narzt.cam

Camden Narzt
  • 2,271
  • 1
  • 23
  • 42