找出在选择Mac上下文菜单操作时正在调用什么系统调用或函数？

Question

我最近发现，如果您按Shift + Option并单击macOS右上方的Bluetooth图标，您将获得一个附加的调试菜单。在此调试菜单中，有一个“重置蓝牙模块”选项。

我希望能够从终端调用它。当用户单击该图标时，是否可以跟踪正在执行的系统调用？还是正在调用什么私有API，然后通过Swift或bash甚至通过原始syscall自己调用它？

Answer 1

我在这里。

在活动监视器I Sample过程中，bluetoothd守护程序过程。 这给我很好：

Analysis of sampling bluetoothd (pid 7781) every 1 millisecond
Process:         bluetoothd [7781]
Path:            /usr/sbin/bluetoothd
Load Address:    0x10020b000
Identifier:      bluetoothd
Version:         6014.1.3
Code Type:       X86-64
Parent Process:  debugserver [7821]

MacOS 64位可执行二进制文件通常具有基本地址0x10000000。因此，我们可以得出结论，ASLR偏移恰好是0x20b000。我使用反汇编程序来挑选一些候选对象来设置断点。反汇编程序报告的地址需要移动0x20b000。 由于这是根用户拥有的在终端中对其进行调试的进程，因此我们需要触发

sudo lldb
attach 7781
br s -a <address>

经过反复试验，我遇到了断点。我的回溯是：

(lldb) bt
* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 7.1
  * frame #0: 0x00000001004718f0 bluetoothd`___lldb_unnamed_symbol5143$$bluetoothd               -[CBXPCManager hostControllerReset]:
    frame #1: 0x000000010027215d bluetoothd`___lldb_unnamed_symbol941$$bluetoothd + 93           -[DaemonCore hostControllerReset:]:
    frame #2: 0x00007fff44c5cb96 CoreFoundation`__CFNOTIFICATIONCENTER_IS_CALLING_OUT_TO_AN_OBSERVER__ + 12
    frame #3: 0x00007fff44c5cb10 CoreFoundation`___CFXRegistrationPost_block_invoke + 63
    frame #4: 0x00007fff44c5ca7a CoreFoundation`_CFXRegistrationPost + 404
    frame #5: 0x00007fff44c64f28 CoreFoundation`___CFXNotificationPost_block_invoke + 87
    frame #6: 0x00007fff44bcd8b4 CoreFoundation`-[_CFXNotificationRegistrar find:object:observer:enumerator:] + 1642
    frame #7: 0x00007fff44bccc67 CoreFoundation`_CFXNotificationPost + 732
    frame #8: 0x00007fff46e52f5b Foundation`-[NSNotificationCenter postNotificationName:object:userInfo:] + 66
    frame #9: 0x00007fff4739b533 IOBluetooth`BluetoothHCIControllerGeneralInterestNotification + 275
    frame #10: 0x00007fff4750077a IOKit`IODispatchCalloutFromCFMessage + 323
    frame #11: 0x00007fff4750062d IOKit`_IODispatchCalloutWithDispatch + 33
    frame #12: 0x00007fff70b18bde libdispatch.dylib`dispatch_mig_server + 357
    frame #13: 0x00007fff70b0263d libdispatch.dylib`_dispatch_client_callout + 8
    frame #14: 0x00007fff70b04de6 libdispatch.dylib`_dispatch_continuation_pop + 414
    frame #15: 0x00007fff70b13f42 libdispatch.dylib`_dispatch_source_invoke + 2056
    frame #16: 0x00007fff70b0d54b libdispatch.dylib`_dispatch_main_queue_callback_4CF + 813
    frame #17: 0x00007fff44bfa2d7 CoreFoundation`__CFRUNLOOP_IS_SERVICING_THE_MAIN_DISPATCH_QUEUE__ + 9
    frame #18: 0x00007fff44bf9a01 CoreFoundation`__CFRunLoopRun + 2289
    frame #19: 0x00007fff44bf8ebe CoreFoundation`CFRunLoopRunSpecific + 455
    frame #20: 0x00007fff46e5d7df Foundation`-[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 280
    frame #21: 0x00007fff46e5d6b4 Foundation`-[NSRunLoop(NSRunLoop) run] + 76
    frame #22: 0x0000000100306827 bluetoothd`___lldb_unnamed_symbol2266$$bluetoothd + 2295            EntryPoint: /mainLoop?
    frame #23: 0x00007fff70b4f3d5 libdyld.dylib`start + 1

bluetoothd中发生的相关事件似乎是：

NSNotification @"IOBluetoothHostControllerDidResetNotification" object:nil userInfo:nil
-[DaemonCore hostControllerReset: notificationArg]: //NSConcreteNotification 0x7ffb656315d0 {name = IOBluetoothHostControllerDidResetNotification}
-[CBXPCManager hostControllerReset]: