Diagnostic Tools

Mac OS X includes a solid collection of development and diagnostic tools, many of which are invaluable for shellcode and exploit development. The list below describes some of the most commonly used tools and how they relate to shellcode development.

• Xcode: This package includes 'gdb', 'gcc', and 'as'. Sadly, objdump is not included and most disassembly needs to be done with 'gdb' or 'otool'.
• ktrace: The ktrace and kdump tools are equivalent to strace on Linux and truss on Solaris. There is no better tool for quickly diagnosing shellcode bugs.
• vmmap: If you were looking for the equivalent of /proc/pid/maps, you found it. Use vmmap to figure out where the heaps, libraries, and stacks are mapped.
• crashreporterd: This daemon runs by default and creates very nice crash dumps when a system service dies. Invaluable for finding 0-day in Mac OS X services. The crashdump logs can be found in /Library/Logs/CrashReporter.
• heap: Quickly list all active heaps in a process. This can be handy when the instruction cache prevents a direct return and you need to find an alternate shellcode location.
• otool: List all libraries linked to a given binary, disassemble mach-o binaries, and display the contents of any section of an executable or library. This is the equivalent of 'ldd' and 'objdump' rolled into a single utility.