├── LICENSE ├── syscalls_names.txt └── PacmanFinder.py /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2022 Joseph Ravichandran, Weon Taek Na, Jay Lang, Mengjia Yan 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 
22 | -------------------------------------------------------------------------------- /syscalls_names.txt: -------------------------------------------------------------------------------- 1 | nosys 2 | exit 3 | fork 4 | read 5 | write 6 | open 7 | sys_close 8 | wait4 9 | enosys 10 | link 11 | unlink 12 | enosys 13 | chdir 14 | fchdir 15 | mknod 16 | chmod 17 | chown 18 | enosys 19 | getfsstat 20 | enosys 21 | getpid 22 | enosys 23 | enosys 24 | setuid 25 | getuid 26 | geteuid 27 | ptrace 28 | recvmsg 29 | sendmsg 30 | recvfrom 31 | accept 32 | getpeername 33 | getsockname 34 | nosys 35 | nosys 36 | nosys 37 | nosys 38 | nosys 39 | nosys 40 | access 41 | chflags 42 | fchflags 43 | sync 44 | kill 45 | nosys 46 | getppid 47 | nosys 48 | sys_dup 49 | pipe 50 | getegid 51 | nosys 52 | nosys 53 | sigaction 54 | getgid 55 | sigprocmask 56 | getlogin 57 | setlogin 58 | acct 59 | sigpending 60 | sigaltstack 61 | ioctl 62 | reboot 63 | revoke 64 | symlink 65 | readlink 66 | execve 67 | umask 68 | chroot 69 | nosys 70 | nosys 71 | nosys 72 | msync 73 | vfork 74 | nosys 75 | nosys 76 | nosys 77 | nosys 78 | nosys 79 | nosys 80 | munmap 81 | mprotect 82 | madvise 83 | nosys 84 | nosys 85 | mincore 86 | getgroups 87 | setgroups 88 | getpgrp 89 | setpgid 90 | setitimer 91 | nosys 92 | swapon 93 | getitimer 94 | nosys 95 | nosys 96 | sys_getdtablesize 97 | sys_dup2 98 | nosys 99 | sys_fcntl 100 | select 101 | nosys 102 | fsync 103 | setpriority 104 | socket 105 | connect 106 | nosys 107 | nosys 108 | nosys 109 | getpriority 110 | nosys 111 | nosys 112 | nosys 113 | bind 114 | setsockopt 115 | listen 116 | nosys 117 | nosys 118 | nosys 119 | nosys 120 | nosys 121 | nosys 122 | nosys 123 | sigsuspend 124 | nosys 125 | nosys 126 | nosys 127 | nosys 128 | nosys 129 | nosys 130 | gettimeofday 131 | getrusage 132 | getsockopt 133 | nosys 134 | nosys 135 | readv 136 | writev 137 | settimeofday 138 | fchown 139 | fchmod 140 | nosys 141 | setreuid 142 | setregid 143 | rename 144 | nosys 
145 | nosys 146 | sys_flock 147 | mkfifo 148 | sendto 149 | shutdown 150 | socketpair 151 | nosys 152 | nosys 153 | nosys 154 | mkdir 155 | rmdir 156 | utimes 157 | futimes 158 | adjtime 159 | nosys 160 | gethostuuid 161 | nosys 162 | nosys 163 | nosys 164 | nosys 165 | setsid 166 | nosys 167 | nosys 168 | nosys 169 | getpgid 170 | setprivexec 171 | pread 172 | pwrite 173 | nfssvc 174 | nosys 175 | statfs 176 | fstatfs 177 | unmount 178 | nosys 179 | getfh 180 | nosys 181 | nosys 182 | nosys 183 | quotactl 184 | nosys 185 | mount 186 | nosys 187 | csops 188 | csops_audittoken 189 | nosys 190 | nosys 191 | waitid 192 | nosys 193 | nosys 194 | nosys 195 | kdebug_typefilter 196 | kdebug_trace_string 197 | kdebug_trace64 198 | kdebug_trace 199 | setgid 200 | setegid 201 | seteuid 202 | sigreturn 203 | enosys 204 | thread_selfcounts 205 | fdatasync 206 | stat 207 | sys_fstat 208 | lstat 209 | pathconf 210 | sys_fpathconf 211 | nosys 212 | getrlimit 213 | setrlimit 214 | getdirentries 215 | mmap 216 | nosys 217 | lseek 218 | truncate 219 | ftruncate 220 | sysctl 221 | mlock 222 | munlock 223 | undelete 224 | nosys 225 | nosys 226 | nosys 227 | nosys 228 | nosys 229 | nosys 230 | nosys 231 | nosys 232 | nosys 233 | nosys 234 | open_dprotected_np 235 | fsgetpath_ext 236 | nosys 237 | nosys 238 | getattrlist 239 | setattrlist 240 | getdirentriesattr 241 | exchangedata 242 | nosys 243 | searchfs 244 | delete 245 | copyfile 246 | fgetattrlist 247 | fsetattrlist 248 | poll 249 | nosys 250 | nosys 251 | nosys 252 | getxattr 253 | fgetxattr 254 | setxattr 255 | fsetxattr 256 | removexattr 257 | fremovexattr 258 | listxattr 259 | flistxattr 260 | fsctl 261 | initgroups 262 | posix_spawn 263 | ffsctl 264 | nosys 265 | nfsclnt 266 | fhopen 267 | nosys 268 | minherit 269 | semsys 270 | msgsys 271 | shmsys 272 | semctl 273 | semget 274 | semop 275 | nosys 276 | msgctl 277 | msgget 278 | msgsnd 279 | msgrcv 280 | shmat 281 | shmctl 282 | shmdt 283 | shmget 284 | shm_open 285 | 
shm_unlink 286 | sem_open 287 | sem_close 288 | sem_unlink 289 | sem_wait 290 | sem_trywait 291 | sem_post 292 | sys_sysctlbyname 293 | enosys 294 | enosys 295 | open_extended 296 | umask_extended 297 | stat_extended 298 | lstat_extended 299 | sys_fstat_extended 300 | chmod_extended 301 | fchmod_extended 302 | access_extended 303 | settid 304 | gettid 305 | setsgroups 306 | getsgroups 307 | setwgroups 308 | getwgroups 309 | mkfifo_extended 310 | mkdir_extended 311 | identitysvc 312 | shared_region_check_np 313 | nosys 314 | vm_pressure_monitor 315 | psynch_rw_longrdlock 316 | psynch_rw_yieldwrlock 317 | psynch_rw_downgrade 318 | psynch_rw_upgrade 319 | psynch_mutexwait 320 | psynch_mutexdrop 321 | psynch_cvbroad 322 | psynch_cvsignal 323 | psynch_cvwait 324 | psynch_rw_rdlock 325 | psynch_rw_wrlock 326 | psynch_rw_unlock 327 | psynch_rw_unlock2 328 | getsid 329 | settid_with_pid 330 | psynch_cvclrprepost 331 | aio_fsync 332 | aio_return 333 | aio_suspend 334 | aio_cancel 335 | aio_error 336 | aio_read 337 | aio_write 338 | lio_listio 339 | nosys 340 | iopolicysys 341 | process_policy 342 | mlockall 343 | munlockall 344 | nosys 345 | issetugid 346 | __pthread_kill 347 | __pthread_sigmask 348 | __sigwait 349 | __disable_threadsignal 350 | __pthread_markcancel 351 | __pthread_canceled 352 | nosys 353 | proc_info 354 | sendfile 355 | stat64 356 | sys_fstat64 357 | lstat64 358 | stat64_extended 359 | lstat64_extended 360 | sys_fstat64_extended 361 | getdirentries64 362 | statfs64 363 | fstatfs64 364 | getfsstat64 365 | __pthread_chdir 366 | __pthread_fchdir 367 | audit 368 | auditon 369 | nosys 370 | getauid 371 | setauid 372 | nosys 373 | nosys 374 | getaudit_addr 375 | setaudit_addr 376 | auditctl 377 | bsdthread_create 378 | bsdthread_terminate 379 | nosys 380 | nosys 381 | kqueue 382 | kevent 383 | lchown 384 | nosys 385 | bsdthread_register 386 | workq_open 387 | workq_kernreturn 388 | nosys 389 | nosys 390 | nosys 391 | kevent64 392 | __old_semwait_signal 393 | 
__old_semwait_signal_nocancel 394 | nosys 395 | nosys 396 | thread_selfid 397 | ledger 398 | kevent_qos 399 | kevent_id 400 | nosys 401 | nosys 402 | nosys 403 | nosys 404 | __mac_execve 405 | __mac_syscall 406 | __mac_get_file 407 | __mac_set_file 408 | __mac_get_link 409 | __mac_set_link 410 | __mac_get_proc 411 | __mac_set_proc 412 | __mac_get_fd 413 | __mac_set_fd 414 | __mac_get_pid 415 | enosys 416 | nosys 417 | nosys 418 | nosys 419 | nosys 420 | nosys 421 | nosys 422 | nosys 423 | nosys 424 | nosys 425 | enosys 426 | enosys 427 | enosys 428 | pselect 429 | pselect_nocancel 430 | read_nocancel 431 | write_nocancel 432 | open_nocancel 433 | sys_close_nocancel 434 | wait4_nocancel 435 | recvmsg_nocancel 436 | sendmsg_nocancel 437 | recvfrom_nocancel 438 | accept_nocancel 439 | nosys 440 | nosys 441 | nosys 442 | nosys 443 | msync_nocancel 444 | sys_fcntl_nocancel 445 | select_nocancel 446 | fsync_nocancel 447 | connect_nocancel 448 | nosys 449 | sigsuspend_nocancel 450 | readv_nocancel 451 | writev_nocancel 452 | sendto_nocancel 453 | nosys 454 | pread_nocancel 455 | pwrite_nocancel 456 | waitid_nocancel 457 | poll_nocancel 458 | msgsnd_nocancel 459 | msgrcv_nocancel 460 | nosys 461 | nosys 462 | sem_wait_nocancel 463 | aio_suspend_nocancel 464 | __sigwait_nocancel 465 | nosys 466 | __semwait_signal_nocancel 467 | __mac_mount 468 | __mac_get_mount 469 | nosys 470 | __mac_getfsstat 471 | fsgetpath 472 | audit_session_self 473 | audit_session_join 474 | sys_fileport_makeport 475 | sys_fileport_makefd 476 | audit_session_port 477 | pid_suspend 478 | pid_resume 479 | pid_hibernate 480 | nosys 481 | pid_shutdown_sockets 482 | nosys 483 | nosys 484 | shared_region_map_and_slide_np 485 | kas_info 486 | memorystatus_control 487 | nosys 488 | guarded_open_np 489 | guarded_close_np 490 | guarded_kqueue_np 491 | change_fdguard_np 492 | usrctl 493 | proc_rlimit_control 494 | connectx 495 | disconnectx 496 | peeloff 497 | socket_delegate 498 | nosys 499 | nosys 500 | nosys 
501 | nosys 502 | telemetry 503 | proc_uuid_policy 504 | nosys 505 | memorystatus_get_level 506 | nosys 507 | system_override 508 | vfs_purge 509 | sfi_ctl 510 | sfi_pidctl 511 | coalition 512 | coalition_info 513 | enosys 514 | enosys 515 | necp_match_policy 516 | nosys 517 | getattrlistbulk 518 | clonefileat 519 | openat 520 | openat_nocancel 521 | renameat 522 | faccessat 523 | fchmodat 524 | fchownat 525 | fstatat 526 | fstatat64 527 | linkat 528 | unlinkat 529 | readlinkat 530 | symlinkat 531 | mkdirat 532 | getattrlistat 533 | proc_trace_log 534 | bsdthread_ctl 535 | openbyid_np 536 | recvmsg_x 537 | sendmsg_x 538 | nosys 539 | nosys 540 | thread_selfusage 541 | csrctl 542 | enosys 543 | guarded_open_dprotected_np 544 | guarded_write_np 545 | guarded_pwrite_np 546 | guarded_writev_np 547 | renameatx_np 548 | mremap_encrypted 549 | enosys 550 | netagent_trigger 551 | nosys 552 | stack_snapshot_with_config 553 | microstackshot 554 | enosys 555 | grab_pgo_data 556 | enosys 557 | persona 558 | enosys 559 | enosys 560 | mach_eventlink_signal 561 | mach_eventlink_wait_until 562 | mach_eventlink_signal_wait_until 563 | work_interval_ctl 564 | getentropy 565 | necp_open 566 | necp_client_action 567 | enosys 568 | enosys 569 | enosys 570 | enosys 571 | enosys 572 | enosys 573 | enosys 574 | enosys 575 | enosys 576 | enosys 577 | enosys 578 | enosys 579 | enosys 580 | enosys 581 | ulock_wait 582 | ulock_wake 583 | fclonefileat 584 | fs_snapshot 585 | enosys 586 | terminate_with_payload 587 | abort_with_payload 588 | necp_session_open 589 | necp_session_action 590 | enosys 591 | enosys 592 | setattrlistat 593 | net_qos_guideline 594 | fmount 595 | ntp_adjtime 596 | ntp_gettime 597 | os_fault_with_payload 598 | kqueue_workloop_ctl 599 | enosys 600 | __mach_bridge_remote_time 601 | coalition_ledger 602 | enosys 603 | log_data 604 | memorystatus_available_memory 605 | enosys 606 | shared_region_map_and_slide_2_np 607 | pivot_root 608 | task_inspect_for_pid 609 | 
task_read_for_pid 610 | sys_preadv 611 | sys_pwritev 612 | sys_preadv_nocancel 613 | sys_pwritev_nocancel 614 | ulock_wait2 615 | proc_info_extended_id 616 | -------------------------------------------------------------------------------- /PacmanFinder.py: -------------------------------------------------------------------------------- 1 | # Return all branches that lead to gadgets within a given function 2 | # @category pacman 3 | # @author Joseph Ravichandran 4 | 5 | from ghidra.util.task import ConsoleTaskMonitor 6 | from ghidra.program.util import SymbolicPropogator 7 | 8 | # How many instructions deep should we scan? 9 | SIMULATED_ROB_DEPTH=32 10 | 11 | # Instructions that authenticate a PAC'd pointer 12 | PAC_INSN_NAMES = [ 13 | 'aut', 14 | ] 15 | 16 | # Instructions that are instant gadgets (auth and use) 17 | # Comment out any of these to ignore them (eg. to ignore BLRAA's) 18 | # Recall BLRAA will speculatively load incorrect PACs roughly 50% of the time due to a 19 | # race condition between the auth and load. Refer to the DEF CON 30 PACMAN talk for more info. 20 | PAC_AUTH_AND_USE_GADGET_NAMES = [ 21 | # 'retaa', 22 | # 'retab', 23 | 'blraa', 24 | 'blrab', 25 | 'blraaz', 26 | 'blrabz', 27 | ] 28 | 29 | # Collect metrics on the gadgets we found 30 | # average distance = TOTAL_DISTANCE / TOTAL_GADGETS 31 | TOTAL_GADGETS=0 32 | TOTAL_DISTANCE=0 33 | TOTAL_DATA_GADGETS=0 34 | TOTAL_INSN_GADGETS=0 35 | 36 | # Should we write to the output file? 37 | SHOULD_WRITE=True 38 | 39 | # Should we only limit the exploration to defined BSD syscalls? (AKA symbols returned by get_all_syscalls) 40 | LIMIT_TO_SYSCALLS=False 41 | 42 | # Where do we write our logs? 
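OUTPUT_PATH="/tmp/setme"  # placeholder: main() refuses to run until this is changed
# NOTE(review): main() opens this path with mode "w", which truncates an existing
# file and follows symlinks. Point it at a directory only you can write to rather
# than a fixed name in a shared /tmp.


def _record_taint_kinds(inst_name, taint_kinds):
    """Append the kind markers implied by the mnemonic `inst_name` to `taint_kinds`.

    A 'd' anywhere in the mnemonic records 'd' (data key) and an 'i' records 'i'
    (instruction key); each marker is followed by the mnemonic itself.
    """
    if 'd' in inst_name:
        taint_kinds.append('d')
        taint_kinds.append(inst_name)
    if 'i' in inst_name:
        taint_kinds.append('i')
        taint_kinds.append(inst_name)


# Report all gadgets in the symbol `fn_in` (writing outputs to the file `file_to_write`)
def find_gadgets_in(fn_in, file_to_write):
    """Scan one function for PAC authenticate-then-use sequences that follow a branch.

    Pass 1 walks the function and, for every flow-changing instruction other than
    'b', 'bl' and the PAC mnemonics, remembers both successors (fall-through and
    first flow target) as scan start points.  Pass 2 walks at most
    SIMULATED_ROB_DEPTH instructions from each start point and records a finding
    when a load reads a register that an authenticate instruction wrote earlier in
    the window, or when an authenticate-and-branch instruction is met.

    The matching is textual (mnemonic substrings, register names starting with
    'x'), so the output is a heuristic audit aid and can both miss and over-report.

    Args:
        fn_in: Ghidra function object to scan.
        file_to_write: open text file; one summary line is written per function
            with findings when SHOULD_WRITE is set.

    Side effects:
        Updates TOTAL_GADGETS, TOTAL_DISTANCE, TOTAL_DATA_GADGETS and
        TOTAL_INSN_GADGETS.
    """
    global TOTAL_GADGETS, TOTAL_DISTANCE, TOTAL_DATA_GADGETS, TOTAL_INSN_GADGETS

    # Pass 1: collect the addresses reached right after each qualifying branch.
    search_addrs = []
    cur_inst = getInstructionAt(fn_in.getBody().getMinAddress())
    while cur_inst is not None and getFunctionContaining(cur_inst.getAddress()) == fn_in:
        next_inst = getInstructionAfter(cur_inst)
        flows = cur_inst.getFlows()
        if len(flows) != 0:
            inst_name = cur_inst.getMnemonicString()
            is_plain_jump = inst_name == 'b' or inst_name == 'bl'
            is_pac = inst_name in PAC_INSN_NAMES or inst_name in PAC_AUTH_AND_USE_GADGET_NAMES
            if not is_plain_jump and not is_pac:
                # A branch can be the last instruction Ghidra knows about; in that
                # case there is no fall-through address to scan from.
                if next_inst is not None:
                    search_addrs.append(next_inst.getAddress())
                search_addrs.append(flows[0])
        cur_inst = next_inst

    # Pass 2: bounded forward scan from every start point.
    gadgets_found = []
    for search_start in search_addrs:
        cur_inst = getInstructionAt(search_start)

        # Registers written by PAC authenticate instructions inside this window,
        # and the key kinds ('d'/'i') seen so far.
        # TODO: Use the SymbolicPropogation engine here instead
        speculative_taint = []
        taint_kinds = []

        for i in range(SIMULATED_ROB_DEPTH):
            if cur_inst is None:
                break

            inst_name = cur_inst.getMnemonicString()
            is_pac = inst_name in PAC_INSN_NAMES or inst_name in PAC_AUTH_AND_USE_GADGET_NAMES
            if len(cur_inst.getFlows()) != 0 and not is_pac:
                # Found a second branch- stopping here
                break

            if 'ld' in inst_name:
                for input_reg in cur_inst.getInputObjects():
                    reg_name = str(input_reg)
                    # Only x-registers are considered; startswith() also copes
                    # with an empty string where indexing [0] would raise.
                    if not reg_name.startswith('x'):
                        continue
                    if reg_name not in speculative_taint:
                        continue

                    TOTAL_DISTANCE += i
                    gadget_kind = '?'
                    if 'i' in taint_kinds:
                        TOTAL_INSN_GADGETS += 1
                        gadget_kind = 'i'
                    if 'd' in taint_kinds:
                        TOTAL_DATA_GADGETS += 1
                        gadget_kind = 'd'
                    if 'i' in taint_kinds and 'd' in taint_kinds:
                        # Both key kinds were seen in one window; flag it for a
                        # manual look.
                        gadget_kind = 'x'
                        print(taint_kinds)
                        print("DOUBLE TROUBLE")
                    gadgets_found.append((gadget_kind, search_start))

            # No need to even do taint tracking, these instructions are instant gadgets
            # They also leave the function so we leave with them
            # NOTE(review): this break only leaves the loop over gadget names; the
            # scan itself carries on with the following instruction - confirm that
            # is intended.
            for instant_gadget_name in PAC_AUTH_AND_USE_GADGET_NAMES:
                if inst_name.startswith(instant_gadget_name):
                    TOTAL_DISTANCE += i
                    gadgets_found.append(('i', search_start))
                    TOTAL_INSN_GADGETS += 1
                    break

            for pac_name in PAC_INSN_NAMES:
                if not inst_name.startswith(pac_name):
                    continue

                # NOTE(review): the objects returned by getResultObjects() are
                # stored as-is, while the load check above compares str(input_reg);
                # whether the two ever compare equal depends on the Ghidra object -
                # confirm.
                for result in cur_inst.getResultObjects():
                    _record_taint_kinds(inst_name, taint_kinds)
                    speculative_taint.append(result)

                if 'sp' in inst_name:
                    tainted = 'sp'
                else:
                    # First operand as printed in the listing, e.g. "autia x8, x9"
                    # yields "x8".
                    tainted = str(cur_inst).split(',')[0].split(" ")[1]
                speculative_taint.append(tainted)
                _record_taint_kinds(inst_name, taint_kinds)

            if 'ret' in inst_name and inst_name not in PAC_AUTH_AND_USE_GADGET_NAMES:
                # Found a return- stop analysis here
                break

            cur_inst = getInstructionAfter(cur_inst)

    if gadgets_found:
        if SHOULD_WRITE:
            file_to_write.write("I found " + str(len(gadgets_found)) + " gadgets in " + str(fn_in) + " at " + str(gadgets_found) + "\n")
        TOTAL_GADGETS += len(gadgets_found)


def main():
    """Run the scan over the current program and print summary counters.

    Nothing is scanned while OUTPUT_PATH still holds its placeholder value.  With
    LIMIT_TO_SYSCALLS set, only the symbols named by get_all_syscalls() (with a
    leading underscore) are scanned, in sorted order so that repeated runs give
    reports that can be compared line by line; otherwise every function is scanned.
    """
    if OUTPUT_PATH == "/tmp/setme":
        print("You need to set the output path!")
        return

    with open(OUTPUT_PATH, "w") as file_w:
        if not LIMIT_TO_SYSCALLS:
            # Look at everything
            for fn in currentProgram.getFunctionManager().getFunctions(True):
                find_gadgets_in(fn, file_w)
        else:
            for item in sorted(get_all_syscalls()):
                potentialTargets = getGlobalFunctions("_" + item)
                if len(potentialTargets) == 0:
                    print("The target method wasn't found")
                    continue
                elif len(potentialTargets) > 1:
                    print("Multiple targets found! Picking just one")
                find_gadgets_in(potentialTargets[0], file_w)

    print("In total there are", TOTAL_GADGETS, "gadgets in this program")
    if TOTAL_GADGETS != 0:
        print("On average there are", float(TOTAL_DISTANCE) / float(TOTAL_GADGETS), "instructions between a branch and the resulting gadget in this program")
    else:
        # Without this guard a run with no findings ends in ZeroDivisionError
        # instead of a report.
        print("No gadgets were found, so there is no average distance to report")
    print("There are", TOTAL_INSN_GADGETS, "instruction gadgets")
    print("There are", TOTAL_DATA_GADGETS, "data gadgets")


# Returns a list of all BSD system calls for exploration
# You can put whatever symbols you want here and if LIMIT_TO_SYSCALLS is set, the analysis will be limited to just those
def get_all_syscalls():
    """Return the set of symbol names that main() scans when LIMIT_TO_SYSCALLS is set.

    The table is kept with ten names per row.  Repeated placeholders such as
    "nosys" and "enosys" collapse because the result is a set.
    """
    return set([
        "nosys", "exit", "fork", "read", "write", "open", "sys_close", "wait4", "enosys", "link",
        "unlink", "enosys", "chdir", "fchdir", "mknod", "chmod", "chown", "enosys", "getfsstat", "enosys",
        "getpid", "enosys", "enosys", "setuid", "getuid", "geteuid", "ptrace", "recvmsg", "sendmsg", "recvfrom",
        "accept", "getpeername", "getsockname", "nosys", "nosys", "nosys", "nosys", "nosys", "nosys", "access",
        "chflags", "fchflags", "sync", "kill", "nosys", "getppid", "nosys", "sys_dup", "pipe", "getegid",
        "nosys", "nosys", "sigaction", "getgid", "sigprocmask", "getlogin", "setlogin", "acct", "sigpending", "sigaltstack",
        "ioctl", "reboot", "revoke", "symlink", "readlink", "execve", "umask", "chroot", "nosys", "nosys",
        "nosys", "msync", "vfork", "nosys", "nosys", "nosys", "nosys", "nosys", "nosys", "munmap",
        "mprotect", "madvise", "nosys", "nosys", "mincore", "getgroups", "setgroups", "getpgrp", "setpgid", "setitimer",
        "nosys", "swapon", "getitimer", "nosys", "nosys", "sys_getdtablesize", "sys_dup2", "nosys", "sys_fcntl", "select",
        "nosys", "fsync", "setpriority", "socket", "connect", "nosys", "nosys", "nosys", "getpriority", "nosys",
        "nosys", "nosys", "bind", "setsockopt", "listen", "nosys", "nosys", "nosys", "nosys", "nosys",
        "nosys", "nosys", "sigsuspend", "nosys", "nosys", "nosys", "nosys", "nosys", "nosys", "gettimeofday",
        "getrusage", "getsockopt", "nosys", "nosys", "readv", "writev", "settimeofday", "fchown", "fchmod", "nosys",
        "setreuid", "setregid", "rename", "nosys", "nosys", "sys_flock", "mkfifo", "sendto", "shutdown", "socketpair",
        "nosys", "nosys", "nosys", "mkdir", "rmdir", "utimes", "futimes", "adjtime", "nosys", "gethostuuid",
        "nosys", "nosys", "nosys", "nosys", "setsid", "nosys", "nosys", "nosys", "getpgid", "setprivexec",
        "pread", "pwrite", "nfssvc", "nosys", "statfs", "fstatfs", "unmount", "nosys", "getfh", "nosys",
        "nosys", "nosys", "quotactl", "nosys", "mount", "nosys", "csops", "csops_audittoken", "nosys", "nosys",
        "waitid", "nosys", "nosys", "nosys", "kdebug_typefilter", "kdebug_trace_string", "kdebug_trace64", "kdebug_trace", "setgid", "setegid",
        "seteuid", "sigreturn", "enosys", "thread_selfcounts", "fdatasync", "stat", "sys_fstat", "lstat", "pathconf", "sys_fpathconf",
        "nosys", "getrlimit", "setrlimit", "getdirentries", "mmap", "nosys", "lseek", "truncate", "ftruncate", "sysctl",
        "mlock", "munlock", "undelete", "nosys", "nosys", "nosys", "nosys", "nosys", "nosys", "nosys",
        "nosys", "nosys", "nosys", "open_dprotected_np", "fsgetpath_ext", "nosys", "nosys", "getattrlist", "setattrlist", "getdirentriesattr",
        "exchangedata", "nosys", "searchfs", "delete", "copyfile", "fgetattrlist", "fsetattrlist", "poll", "nosys", "nosys",
        "nosys", "getxattr", "fgetxattr", "setxattr", "fsetxattr", "removexattr", "fremovexattr", "listxattr", "flistxattr", "fsctl",
        "initgroups", "posix_spawn", "ffsctl", "nosys", "nfsclnt", "fhopen", "nosys", "minherit", "semsys", "msgsys",
        "shmsys", "semctl", "semget", "semop", "nosys", "msgctl", "msgget", "msgsnd", "msgrcv", "shmat",
        "shmctl", "shmdt", "shmget", "shm_open", "shm_unlink", "sem_open", "sem_close", "sem_unlink", "sem_wait", "sem_trywait",
        "sem_post", "sys_sysctlbyname", "enosys", "enosys", "open_extended", "umask_extended", "stat_extended", "lstat_extended", "sys_fstat_extended", "chmod_extended",
        "fchmod_extended", "access_extended", "settid", "gettid", "setsgroups", "getsgroups", "setwgroups", "getwgroups", "mkfifo_extended", "mkdir_extended",
        "identitysvc", "shared_region_check_np", "nosys", "vm_pressure_monitor", "psynch_rw_longrdlock", "psynch_rw_yieldwrlock", "psynch_rw_downgrade", "psynch_rw_upgrade", "psynch_mutexwait", "psynch_mutexdrop",
        "psynch_cvbroad", "psynch_cvsignal", "psynch_cvwait", "psynch_rw_rdlock", "psynch_rw_wrlock", "psynch_rw_unlock", "psynch_rw_unlock2", "getsid", "settid_with_pid", "psynch_cvclrprepost",
        "aio_fsync", "aio_return", "aio_suspend", "aio_cancel", "aio_error", "aio_read", "aio_write", "lio_listio", "nosys", "iopolicysys",
        "process_policy", "mlockall", "munlockall", "nosys", "issetugid", "__pthread_kill", "__pthread_sigmask", "__sigwait", "__disable_threadsignal", "__pthread_markcancel",
        "__pthread_canceled", "nosys", "proc_info", "sendfile", "stat64", "sys_fstat64", "lstat64", "stat64_extended", "lstat64_extended", "sys_fstat64_extended",
        "getdirentries64", "statfs64", "fstatfs64", "getfsstat64", "__pthread_chdir", "__pthread_fchdir", "audit", "auditon", "nosys", "getauid",
        "setauid", "nosys", "nosys", "getaudit_addr", "setaudit_addr", "auditctl", "bsdthread_create", "bsdthread_terminate", "nosys", "nosys",
        "kqueue", "kevent", "lchown", "nosys", "bsdthread_register", "workq_open", "workq_kernreturn", "nosys", "nosys", "nosys",
        "kevent64", "__old_semwait_signal", "__old_semwait_signal_nocancel", "nosys", "nosys", "thread_selfid", "ledger", "kevent_qos", "kevent_id", "nosys",
        "nosys", "nosys", "nosys", "__mac_execve", "__mac_syscall", "__mac_get_file", "__mac_set_file", "__mac_get_link", "__mac_set_link", "__mac_get_proc",
        "__mac_set_proc", "__mac_get_fd", "__mac_set_fd", "__mac_get_pid", "enosys", "nosys", "nosys", "nosys", "nosys", "nosys",
        "nosys", "nosys", "nosys", "nosys", "enosys", "enosys", "enosys", "pselect", "pselect_nocancel", "read_nocancel",
        "write_nocancel", "open_nocancel", "sys_close_nocancel", "wait4_nocancel", "recvmsg_nocancel", "sendmsg_nocancel", "recvfrom_nocancel", "accept_nocancel", "nosys", "nosys",
        "nosys", "nosys", "msync_nocancel", "sys_fcntl_nocancel", "select_nocancel", "fsync_nocancel", "connect_nocancel", "nosys", "sigsuspend_nocancel", "readv_nocancel",
        "writev_nocancel", "sendto_nocancel", "nosys", "pread_nocancel", "pwrite_nocancel", "waitid_nocancel", "poll_nocancel", "msgsnd_nocancel", "msgrcv_nocancel", "nosys",
        "nosys", "sem_wait_nocancel", "aio_suspend_nocancel", "__sigwait_nocancel", "nosys", "__semwait_signal_nocancel", "__mac_mount", "__mac_get_mount", "nosys", "__mac_getfsstat",
        "fsgetpath", "audit_session_self", "audit_session_join", "sys_fileport_makeport", "sys_fileport_makefd", "audit_session_port", "pid_suspend", "pid_resume", "pid_hibernate", "nosys",
        "pid_shutdown_sockets", "nosys", "nosys", "shared_region_map_and_slide_np", "kas_info", "memorystatus_control", "nosys", "guarded_open_np", "guarded_close_np", "guarded_kqueue_np",
        "change_fdguard_np", "usrctl", "proc_rlimit_control", "connectx", "disconnectx", "peeloff", "socket_delegate", "nosys", "nosys", "nosys",
        "nosys", "telemetry", "proc_uuid_policy", "nosys", "memorystatus_get_level", "nosys", "system_override", "vfs_purge", "sfi_ctl", "sfi_pidctl",
        "coalition", "coalition_info", "enosys", "enosys", "necp_match_policy", "nosys", "getattrlistbulk", "clonefileat", "openat", "openat_nocancel",
        "renameat", "faccessat", "fchmodat", "fchownat", "fstatat", "fstatat64", "linkat", "unlinkat", "readlinkat", "symlinkat",
        "mkdirat", "getattrlistat", "proc_trace_log", "bsdthread_ctl", "openbyid_np", "recvmsg_x", "sendmsg_x", "nosys", "nosys", "thread_selfusage",
        "csrctl", "enosys", "guarded_open_dprotected_np", "guarded_write_np", "guarded_pwrite_np", "guarded_writev_np", "renameatx_np", "mremap_encrypted", "enosys", "netagent_trigger",
        "nosys", "stack_snapshot_with_config", "microstackshot", "enosys", "grab_pgo_data", "enosys", "persona", "enosys", "enosys", "mach_eventlink_signal",
        "mach_eventlink_wait_until", "mach_eventlink_signal_wait_until", "work_interval_ctl", "getentropy", "necp_open", "necp_client_action", "enosys", "enosys", "enosys", "enosys",
        "enosys", "enosys", "enosys", "enosys", "enosys", "enosys", "enosys", "enosys", "enosys", "enosys",
        "ulock_wait", "ulock_wake", "fclonefileat", "fs_snapshot", "enosys", "terminate_with_payload", "abort_with_payload", "necp_session_open", "necp_session_action", "enosys",
        "enosys", "setattrlistat", "net_qos_guideline", "fmount", "ntp_adjtime", "ntp_gettime", "os_fault_with_payload", "kqueue_workloop_ctl", "enosys", "__mach_bridge_remote_time",
        "coalition_ledger", "enosys", "log_data", "memorystatus_available_memory", "enosys", "shared_region_map_and_slide_2_np", "pivot_root", "task_inspect_for_pid", "task_read_for_pid", "sys_preadv",
        "sys_pwritev", "sys_preadv_nocancel", "sys_pwritev_nocancel", "ulock_wait2", "proc_info_extended_id",
    ])


if __name__ == "__main__":
    main()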