dealing with mach_absolute_time

[kallsyms]

• The mach_absolute_time trap is handled separately https://github.com/apple-oss-distributions/xnu/blob/5c2921b07a2480ab43ec66f5b9e41cb872bc554f/osfmk/arm64/sleh.c#L1659 will probably need to do dylib injection and cross our fingers
  • Actually, dtrace to the rescue again
  • Hook the function in libsystem_kernel.dylib
  • Issue: dylib isn't loaded when we're paused at the first instruction
    • dtrace deals with this in a... complex way
      • Basically a few threads which listen to coresymbolication for dyld events (https://github.com/apple-oss-distributions/dtrace/blob/05b1f5b12ead47eb14e4712e24a1b1a981498020/lib/libproc/libproc.c#L144), kick an activity over to the control thread (https://github.com/apple-oss-distributions/dtrace/blob/05b1f5b12ead47eb14e4712e24a1b1a981498020/lib/libproc/libproc.c#L1187 -> https://github.com/apple-oss-distributions/dtrace/blob/05b1f5b12ead47eb14e4712e24a1b1a981498020/lib/libproc/libproc.c#L1240), uses a mock breakpoint (https://github.com/apple-oss-distributions/dtrace/blob/05b1f5b12ead47eb14e4712e24a1b1a981498020/lib/libproc/libproc.c#L1292) to eventually update symbols and create pid probes for the new symbols (https://github.com/apple-oss-distributions/dtrace/blob/05b1f5b12ead47eb14e4712e24a1b1a981498020/lib/libdtrace/common/dt_pid.c#L804)
    • Idea: dyld has a "magic" function (lldb_image_notifier) which LLDB uses to get notified when new images are loaded (by setting a bp on the func). can we retry pid{}:... probes whenever we hit this BP?
      • NOTE: that func name is not guaranteed to be stable as far as i can tell; a pointer to the func is set in the image info struct which is then read out by lldb.
        • BP set: https://github.com/llvm-mirror/lldb/blob/d01083a850f577b85501a0902b52fd0930de72c7/source/Plugins/DynamicLoader/MacOSX-DYLD/DynamicLoaderMacOSXDYLD.cpp#L999
        • load: https://github.com/llvm-mirror/lldb/blob/d01083a850f577b85501a0902b52fd0930de72c7/source/Plugins/DynamicLoader/MacOSX-DYLD/DynamicLoaderMacOSXDYLD.cpp#L481

ideally we could use an actual breakpoint to hook lldb_image_notifier, however 1) that's very tangential to the rest of the project and 2) i think dyld can relocate itself which complicates things. for now just ~ab~use dtrace even more and let it manage symbol resolution. pid{}:dyld:lldb_image_notifier:entry {} seems to work even on a fresh process.

[pmarkowsky]

Interposing on libsystem_kernel.dylib seems like the easiest thing here. It's exposed there as libc is the main contract for API stability vs. the kernel.