consider doing a DBI approach

[kallsyms]

instead of trying to glue together an increasing number of subsystems, maybe statically finding syscall/mach trap instructions and patching them is actually the way to go. See NOTES.

potential issues:

• using breakpoints takes us back to the issue of thread scheduling. that is, when a non-leader thread is scheduled and hits a breakpoint, we don't receive the signal for it because the leader (which handles the signal) is suspended.
  • is there an API to denote another thread as the signal handler? we could forcefully add a new thread in the child which then takes this role.

see also https://arxiv.org/pdf/2105.12819.pdf ("Implementation of Live Reverse Debugging in LLDB")

[pmarkowsky]

Another thought would be could we just patch out the system call with jumps, may also want to look at code caves to jump to.

[pmarkowsky]

The REPT Paper also has some interesting approaches but also leverages Intel PT.