Mac OS X Hacking Tools
What is Mac OS X?
Mac OS X Hacking Tools
The Jargon File is a popular lexicographic resource amongst hackers (and non-hackers too). Although it might have some subjective definitions I may not agree with, I have conveniently quoted verbatim the definitions of the terms "hacker" and "tool" as a preface to the contents of this page.
It is eminently debatable whether one (that means me, you or whosoever else) is a "hacker", but such a debate would probably be fruitless anyway, even meaningless. I do enjoy exploring the details of all sorts of things, including operating systems. This page is a compendium of some programs you might come across while tinkering with Mac OS X. Documentation for most of these tools exists, therefore my aim is not to reproduce documentation, but simply to maintain a cache of relevant information. I believe this would be useful to those who are new to Mac OS X, but are interested in exploring the system at a low(er) level. Note that many of the tools listed here are ones that are either new to Mac OS X (as compared to Unix style systems), or are different from their Unix counterparts. In other words, I have avoided listing "standard" Unix/BSD tools. Moreover, do realize that some (like
dynamic_pager and various daemons) are not really tools.
The following list has not been fully updated for Panther (10.3.x).
/usr/sbin/KernelEventAgent handles one of the core system services (events such as file systems being mounted and unmounted, low disk space, network connections going down, etc.)
/sbin/SystemStarter is run during system initialization to handle "startup items". See "Mac OS X System Startup" for details.
/usr/sbin/aexml forwards XMLRPC and SOAP requests to the AppleEvent manager for further dispatching. More documentation is available on the Apple Developer Web Site.
/usr/bin/appleping exercises the AppleTalk network by sending packets to a named host.
/usr/sbin/ardbgd is the daemon for the Apple Remote Debugging Service.
/usr/sbin/asr (Apple Software Restore) efficiently copies disk images and volumes, and can also accurately clone volumes.
/usr/sbin/bless is used to set volume bootability characteristics for Macintoshes. The command can be used to select a folder on a mounted volume to act as the blessed system folder, and optionally update Open Firmware to boot from that volume. It can also be used to format and setup a volume for the first time. Finally, it can be used to query the folder(s) that are blessed on a volume. Try the following (non-destructive) commands:
% sudo bless -verbose -info / ... % sudo bless -verbose -plist -info /
/usr/sbin/blued is the Bluetooth daemon.
/usr/sbin/cac_* are scripts related to CAC (Common Access Card) support. A CAC can be thought of as a SmartCard that combines multiple cards (functions) into one. A CAC can enable physical access to buildings and controlled places, enable computer network and system access and serve as the primary platform for the PKI token.
/usr/bin/cmpdylib compares two dynamic shared libraries for compatibility.
/usr/sbin/createhomedir creates and populates local home directories.
ddb is a debugging mechanism that can be compiled into Mac OS X, similar to BSD's
gdb can be used over Ethernet (through a kernel stub),
ddb is compiled into the kernel and is used over a serial line. Most importantly,
ddb requires an actual built-in hardware serial line on the debug target. Fortunately,
gdb should suffice for almost all debugging needs unless one is trying to debug an Ethernet driver itself, say.
ddb is not present by default on Mac OS X. It must be compiled from source (
xnu/osfmk/ddb in the CVS tree).
/usr/bin/defaults is used to access (read, write and delete) Mac OS X user defaults from the command line. For example, the following will print out Desktop background settings (including the pathname for the desktop background image, if any):
% defaults read com.apple.desktop Background
/usr/sbin/dev_mkdb creates a hash access method database (based on Berkeley DB) in
/var/run/dev.db. This database contains the name of all devices under
/usr/sbin/diskarbitrationd is a daemon that listens for connections from clients, notifies clients of the appearance of disks and filesystems, and governs the mounting of filesystems and claiming of disks amongst clients.
/usr/sbin/disktool is a command line utility for disk arbitration. It can be used to rename, eject, mount or unmount disks and volumes.
/usr/sbin/diskutil is a utility for managing disks and volumes. It can be used to perform operations such as enabling/disabling HFS+ journaling, verifying and repairing permissions, erasing disks (including optical media), partitioning, creating and managing RAID sets etc. You typically need root access to use this utility.
/usr/bin/ditto copies files and directories to a destination directory.
ditto can be used to "thin" "fat" (multiple-architecture) exectuables. It can also copy files selectively based on the contents of a BOM ("Bill of Materials"). One of the most useful features of
ditto is that it can preserve resource fork and HFS meta-data information when copying files.
/usr/bin/drutil is a command line tool that uses the DiscRecording framework to interact with attached CD/DVD burning devices.
/usr/bin/dscl is the Directory Service command line utility.
/usr/bin/dsperfmonitor is a directory tool for testing plugin performance in Directory Services.
/sbin/dynamic_pager is started during system initialization to manage swap files. See Mac OS X System Startup for details.
/usr/sbin/fdisk displays or changes the DOS partition table found in the bootsector of x86 bootable disks.
/usr/bin/fixPrecomp is a tool for "fixing" precompiled header warnings that occur when headers get out-of-sync with their precompiled versions - after a system update, say.
/usr/bin/fixproc is a Perl script that "fixes" a named process by performing the specified action (which can be check, kill, restart, exist or fix).
/usr/bin/fs_usage presents an ongoing display of system call usage information pertaining to file system activity. By default this includes all system processes except the running
/usr/bin/fstat identifies open files (including sockets).
/usr/bin/heap lists all the malloc-allocated buffers in the specified process's heap.
/usr/bin/hdiutil uses the
DiskImages framework to manipulate disk image files.
/usr/sbin/hlfsd is the home-link file system daemon. It implements a file system containing a symbolic link to a subdirectory within a user's home directory, depending on the user which accessed that link.
/usr/sbin/installer is the Mac OS X system software and package installer tool.
/usr/bin/install_name_tool changes the dynamic shared library install names recorded in a Mach-O binary.
/usr/sbin/ioalloccount displays some accounting of memory allocated by
IOKit allocators, including object instances, in the kernel. This is useful for tracking memory leaks.
/usr/sbin/ioclasscount displays the instance count, offset by the number of direct subclasses that have at least one instance allocated, for the classes specified. This is useful for tracking leaks.
/usr/sbin/ioreg displays the
IOKit registry. Try
ioreg -l, for example, and you can see detailed registry information (including object properties) - such as details of various temperature sensors in the system (on the I2C bus).
/usr/sbin/iostat displays kernel I/O statistics on terminal, disk and cpu operations.
/usr/sbin/ipconfig can be used to get the number of network interfaces active (the
ifcount argument), and also to retrieve various options associated with these interfaces. For example, "
ipconfig getoption en1 lease_time" prints the DHCP lease time of
en1 if applicable. Finally,
ipconfig can also be used to set an interface for
/usr/bin/kdump displays the kernel trace files produced with
ktrace in human readable format.
/usr/sbin/kextcache creates or updates
kext caches, which are used to speed up kernel extension loading operations and to prepare
kexts for inclusion in such media as device ROM.
/sbin/kextload can be used to explicitly load kernel extensions, validate them to see that they can be loaded by other mechanisms, such as
kextd, and to generate symbol files for debugging the
kext in a running kernel.
/usr/sbin/kextstat displays the status of any kernel extensions currently loaded in the kernel.
/sbin/kextunload is used to terminate and unregister
IOKit objects associated with a kernel extension and to unload the code and personalities for that
/usr/sbin/kgmon generates a dump of the operating system's profile buffers for later analysis by
/usr/bin/ktrace enables kernel trace logging for the specified processes, causing trace data to be logged to a file. Traced kernel operations include system calls, namei translations, signal processing and I/O.
/usr/bin/latency is used for monitoring scheduling and interrupt latency. The tool can also be used to set real time or timeshare scheduling policies.
/usr/bin/ld is the (Mach) object file link editor.
/usr/bin/leaks examines a specified process for malloc-allocated buffers which are not referenced by the program.
/usr/bin/lipo creates or operates on multi-architecture ("fat") files. It can list the architecture types in a fat file, create a single fat file from one or more input files, thin out a single fat file to a specified architecture type, and extract, replace and/or remove architecture types from the input file.
/usr/bin/lockfile can be used to create one or more (conditional) semaphore files, with the provision of waiting for a specified number of seconds and a specified number of retries.
/usr/bin/lsbom interprets the contents of binary
bom (bill-of-materials) files.
bom is a file system used by the Mac OS X installer to determine which files to install, remove, or upgrade.
/usr/sbin/lsof lists information about files opened by processes.
/usr/bin/lsvfs lists known (currently loaded) virtual file systems.
/usr/sbin/mDNSResponder (Multicast DNS Responder) listens for and responds to DNS-format query packets sent via Multicast to UDP port 5353.
/sbin/mach_init is a daemon that maintains various mappings between service names and the Mach ports that provide access to those services.
/usr/bin/malloc_history inspects a given process and lists the malloc allocations performed by it. It relies on information provided by the standard malloc library when debugging options have been turned on.
/usr/bin/mig (Mach Interface Generator) is used to compile procedural interfaces to Mach's message-based APIs, based on descriptions of those APIs.
/usr/bin/mkbom creates a
bom (bill-of-materials) given a directory.
/usr/sbin/mkextunpack extracts the contents of a multikext (mkext) archive.
/usr/sbin/netstat symbolically displays the contents of various network-related data structures.
/usr/sbin/nibindd is a daemon that is responsible for finding, creating and destroying
/usr/bin/nibtool is used for printing, verifying and updating
/usr/bin/nicl is a general-purpose utility for operating on
NetInfo databases. Its commands allow one to create, read and manage
/usr/sbin/nidomain is an interface to
nibindd to which it sends all of its requests about the domains served on a given machine. It can also be used to create and destroy
/usr/bin/nifind finds a directory in the
/usr/bin/nigrep searches for a regular expression in the
/usr/bin/niload loads information from standard input into the given
/usr/bin/nireport prints tables from the
/usr/bin/niutil is used to do arbitrary reads and writes on the given
/usr/bin/nmedit is used to change global symbols to local symbols. It differs from
strip in that it also changes the symbolic debugging information for the global symbols it changes to static symbols so that the resulting object can still be used with a debugger.
/usr/sbin/notifyd is a daemon that facilitates processes to exchange stateless notification events.
/usr/sbin/nvram allows manipulation of Open Firmware non-volatile RAM variables.
objcopy is part of
binutils that you can download, compile and install. This utility copies the contents of an object file to another, using the GNU BFD (Binary File Descriptor) library to access the object files.
objdump is part of
binutils. It displays information (including disassembly, if required) about one or more object files.
/usr/bin/open is a command line utility to open a file (or a directory or URL), just as if you had double-clicked the file's icon.
/usr/bin/open-x11 is a wrapper shell script that provides
open functionality for X11 applications.
/usr/bin/orbd is the Object Request Broker Daemon. It is a tool to enable clients to transparently locate and invoke persistent objects on servers in the CORBA environment.
/usr/bin/osacompile compiles the given files, or standard input if non are listed, into a single output script.
/usr/bin/osalang prints information about installed OSA (Open Script Architecture) languages.
/usr/bin/osascript executes the given script file, or standard input if none is given. Scripts may be plain text or compiled scripts.
/usr/bin/otool displays specified parts of object files or libraries (similar to
ldd on Linux).
/usr/bin/pagestuff displays information about the specified logical pages of a file conforming to the Mach-O executable format.
/bin/pax is a tool for reading, writing, and listing members of an archive file. It is also used to copy directory hierarchies.
pax supports various archive formats such as
/usr/bin/pbcopy is used to copy standard input to the pasteboard buffer.
/usr/bin/pbpaste prints the contents of the pasteboard buffer.
/usr/sbin/pcscd is a daemon used to dynamically allocate/deallocate Smart Card reader drivers at runtime and manage connections to the readers. Related utilities include
/usr/bin/pcsctool. These tools are taken from the MUSCLE (Movement for the Use of Smart Cards in a Linux Environment) project, a project to coordinate the development of smart cards and applications under Linux.
/usr/sbin/pdisk is a menu driven program which partitions disks using the standard Apple disk partitioning scheme.
/usr/bin/plutil can be used to check the syntax of property list files, or convert a plist file from one format to another.
/usr/bin/pmset changes and reads power management settings such as idle sleep timing, wake on administrative access, automatic restart on power loss, etc.
/usr/sbin/pstat displays open file entry, swap space utilization, terminal state, and vnode data structures.
/usr/bin/redo_prebinding is used to redo the prebinding of an executable or dynamic library when one of the dependent dynamic library changes. The input file, executable or dynamic library, must have initially been prebound for this program to redo the prebinding.
/usr/bin/say uses the Speech Synthesis manager to convert input text to audible speech and either play it through the sound output device chosen in System Preferences or save it to an AIFF file.
/usr/sbin/screencapture captures the screen (a window selection or a mouse selection) to the clipboard or a file (as PDF).
/usr/sbin/scselect is used to change current network location, or to list defined locations.
/usr/bin/sc_usage displays an ongoing sample of system call and page fault usage statistics for a given process.
/usr/sbin/scutil is a tool to communicate with
configd, read and write from/to the configuration data store etc.
/usr/bin/security provides a command line interface to administer Keychains, manipulate keys and certificates, and do most things the Security framework is capable of.
/usr/bin/segedit extracts and/or replaces the named sections from the specified input file and creates an output.
/usr/bin/setregion is the command line utility for setting the DVD drive's "region".
/usr/bin/sips is a command line interface to the Scriptable Image Processing Server. The graphical abilities of Mac OS X are exposed through this image processing service. The SIPS architecture contains tools for performing basic image alterations and support various image formats. The goal is to provide quick, convenient, desktop automation of common image processing operations.
/usr/sbin/slpd is the Service Location Protocol daemon that advertises local services to the network.
/usr/sbin/slp_reg is a tool to register URLs via the Service Location Protocol in order for remote machines to discover locally registered services.
/usr/sbin/softwareupdate is a command line utility to perform software updates under Mac OS X.
/usr/bin/srm securely (by overwriting, renaming, and truncating before unlinking) removes files or directories.
/usr/bin/sw_vers prints the product name (such as Mac OS X), version and build number.
/usr/sbin/sysctl retrieves kernel state and allows processes with appropriate privilege to set kernel state.
/usr/sbin/system_profiler is the command line system profiling utility.
/usr/sbin/tcpdump dumps traffic on a network.
/usr/bin/top displays an ongoing sample of system usage statistics (such as cpu utilization, memory usage etc. for each process).
/usr/sbin/trpt interrogates the buffer of TCP trace records created when a socket is marked for debugging (via
setsockopt()) and prints a readable description of these records.
/usr/bin/update_prebinding tries to synchronize prebinding information for libraries and executables when new files are added to a system. Prebinding information is pre-calculated address information for libraries used by a given executable or library. By pre-determining where a function in another library is destined to be placed, the dynamic linker does not have to resolve symbols at application startup time.
/usr/bin/vm_stat displays Mach virtual memory statistics.
/usr/bin/vmmap displays the virtual memory regions allocated in a specified process, indicating how memory is being used, and what the purposes of memory at a given address might be.
/usr/sbin/vpnd is the Mac OS X VPN service daemon.
/usr/bin/xcode* are Xcode related commands.
/usr/bin/xxd creates a hex dump of a given file or standard input. It can also convert a hex dump back to its original binary form.