使用 execsnoop -v,我注意到两个进程的 dtrace 错误。 ID3 (ID 630) 和 ID2 (ID 360)。
~ 03:59 am ∆:ps -p 260
PID TTY TIME CMD
260 ?? 0:02.36 /usr/libexec/UserEventAgent (Aqua)
~ 03:59 am ∆:ps -p 630
PID TTY TIME CMD
~ 03:59 am ∆:sudo execsnoop -v
Password:
STRTIME UID PID PPID ARGS
dtrace: error on enabled probe ID 2 (ID 260: syscall::execve:return): invalid >kernel access in action #8 at DIF offset 0
dtrace: error on enabled probe ID 3 (ID 630: syscall::posix_spawn:return): >invalid kernel access in action #8 at DIF offset 0
dtrace: error on enabled probe ID 3 (ID 630: syscall::posix_spawn:return): >invalid kernel access in action #8 at DIF offset 0
dtrace: error on enabled probe ID 3 (ID 630: syscall::posix_spawn:return): >invalid kernel access in action #8 at DIF offset 0
dtrace: error on enabled probe ID 3 (ID 630: syscall::posix_spawn:return): >invalid kernel access in action #8 at DIF offset 0
dtrace: error on enabled probe ID 3 (ID 630: syscall::posix_spawn:return): >invalid kernel access in action #8 at DIF offset 0
dtrace: error on enabled probe ID 3 (ID 630: syscall::posix_spawn:return): >invalid kernel access in action #8 at DIF offset 0
dtrace: error on enabled probe ID 3 (ID 630: syscall::posix_spawn:return): >invalid kernel access in action #8 at DIF offset 0
dtrace: error on enabled probe ID 3 (ID 630: syscall::posix_spawn:return): >invalid kernel access in action #8 at DIF offset 0
dtrace: error on enabled probe ID 3 (ID 630: syscall::posix_spawn:return): >invalid kernel access in action #8 at DIF offset 0
dtrace: error on enabled probe ID 3 (ID 630: syscall::posix_spawn:return): >invalid kernel access in action #8 at DIF offset 0
dtrace: error on enabled probe ID 2 (ID 260: syscall::execve:return): invalid >kernel access in action #8 at DIF offset 0
^C
~ 04:01 am ∆:ps -p 3
PID TTY TIME CMD
~ 04:01 am ∆:ps -p 2
PID TTY TIME CMD
我的理解是,这是由一个进程生成的,该进程持有该进程的 dtrace 活动状态。
我注意到这些进程既没有显示在顶部命令列表中,也没有显示在活动监视器中。这两个进程在完全重新启动后重新出现,因此是一致的,我推测是一些 OSX 进程。只是令人费解的是,他们无法完全被识别。
很想了解这里发生了什么。