
How is my binary able to write to the stdout without a system call recorded by dtruss?


I am entirely new to dtruss, but familiar with strace.

Consider the following Hello World program:

#include <stdio.h>

int main(){
  printf("hello world\n");
}

When I compile and run this on Linux with strace, I get several lines of output, including the following system call:

strace ./HelloWorld
...
write(1, "hello world\n", 12hello world
)           = 12

When I compile and run this on macOS with dtruss, I do not get any system calls.

sudo dtruss -f   ./Hello
Password:
dtrace: system integrity protection is on, some features will not be available

        PID/THRD  SYSCALL(args)                  = return
hello world

Why do I not see a write system call? How can I change my dtruss invocation to show me the system calls?

My understanding is that system integrity protection only applies to system binaries, but I'm happy to learn evidence to the contrary.


Solution

  • AFAIK, you need to disable SIP in order to use DTrace on macOS in any meaningful way. It does not matter if you are tracing system binaries or not. SIP seems to still limit DTrace.

    If you take a look at the output of dtrace -l, then you'll see that there are no probes related to system calls listed. At the same time, if you look at the output of grep 'syscall:.*:.*:.*' /usr/bin/dtruss, then you'll see that dtruss is using the syscall DTrace provider to attach to the system calls.
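
The two checks described in the answer (SIP state and whether `dtrace -l` lists any syscall provider probes) can be combined into one preflight script. This is an added example, not part of the original answer: the function names are hypothetical, the sample inputs are constructed, and it assumes `csrutil status` prints a "System Integrity Protection status:" line.

```shell
#!/bin/sh
# Added example: preflight for dtruss on macOS. Function names are hypothetical.

# Reads `csrutil status` output on stdin; prints enabled, disabled or unknown.
sip_state() {
    awk -F': *' '/^System Integrity Protection status:/ {
        s = tolower($2); found = 1
        if (s ~ /^enabled/) print "enabled"
        else if (s ~ /^disabled/) print "disabled"
        else print "unknown"
        exit
    } END { if (!found) print "unknown" }'
}

# Reads `dtrace -l` output on stdin; counts rows whose PROVIDER column is syscall.
syscall_probe_count() {
    awk '$2 == "syscall" { n++ } END { print n + 0 }'
}

# $1 = SIP state, $2 = syscall probe count; prints a verdict for dtruss.
dtruss_verdict() {
    if [ "$2" -gt 0 ]; then echo "ok"
    elif [ "$1" = "enabled" ]; then echo "likely-sip"
    else echo "no-syscall-probes"
    fi
}

# Constructed samples (not captured from a real machine), used off macOS.
SAMPLE_CSRUTIL='System Integrity Protection status: enabled.'
SAMPLE_DTRACE_L='   ID   PROVIDER            MODULE                          FUNCTION NAME
    1     dtrace                                                     BEGIN
    2     dtrace                                                     END
    3     dtrace                                                     ERROR'

if command -v csrutil >/dev/null 2>&1 && command -v dtrace >/dev/null 2>&1 \
   && [ "$(id -u)" -eq 0 ]; then
    state=$(csrutil status | sip_state)          # live check, run as root
    probes=$(dtrace -l 2>/dev/null | syscall_probe_count)
else
    state=$(printf '%s\n' "$SAMPLE_CSRUTIL" | sip_state)
    probes=$(printf '%s\n' "$SAMPLE_DTRACE_L" | syscall_probe_count)
fi
echo "SIP: $state; syscall probes: $probes; dtruss: $(dtruss_verdict "$state" "$probes")"
```

A verdict of `likely-sip` corresponds to the situation in the question: dtruss starts, prints its header, and records nothing because the syscall probes it attaches to are not available.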