ProcInfo - Process info/monitoring library for macOS



Proc Info is an open-source, user-mode library for macOS. It provides a simple interface to retrieve detailed information about running processes, and lets you asynchronously monitor process creation and exit events.
To use the Proc Info library:
  1. add the Proc Info library (lib/libprocInfo.a) and Apple's OpenBSM library (libbsm.tbd) to your Xcode project
  2. import the Proc Info library header file (procInfo.h)
  3. instantiate a Proc Info object
  4. a) to retrieve information about a running process, invoke the Process class's init: method with its pid
     b) to enumerate existing processes, invoke the currentProcesses method
     c) to monitor process events, declare a callback block and invoke the start: method
...or just download the demo project to take it for a spin!
#import "procInfo.h"

//init proc info object
ProcInfo* procInfo = [[ProcInfo alloc] init];

//dump process info for process 1337
// ->Process's init: takes the pid of the process to query
NSLog(@"process: %@", [[Process alloc] init:1337]);

//dump process info for all currently running processes
for(Process* process in [procInfo currentProcesses])
    NSLog(@"process: %@", process);

//block for process events
// ->process.type tells start events apart from exit events
ProcessCallbackBlock block = ^(Process* process)
{
    if(process.type != EVENT_EXIT)
       NSLog(@"process start: %@\n", process);

    else
      NSLog(@"process exit: %d\n", process.pid);
};

//start monitoring
// ->block will be invoked (asynchronously) upon process events!
[procInfo start:block];
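Because start: delivers events asynchronously, any state the callback touches has to be serialized. The following is an added example, not code from the ProcInfo project, that uses only the interface shown above (init, currentProcesses, start:, pid, type, EVENT_EXIT) to record how long each process lived and flag those that exit within a second, which a periodic ps-style poll would never see; the one-second threshold and the queue name are arbitrary choices.

```objective-c
#import <Foundation/Foundation.h>
#import "procInfo.h"

// pid -> time the start event (or the initial snapshot) was seen
static NSMutableDictionary<NSNumber *, NSDate *> *startTimes;
// callbacks arrive asynchronously, so all table access goes through one serial queue
static dispatch_queue_t stateQueue;
// assumption: anything that lives less than this is reported as short-lived
static const NSTimeInterval kShortLived = 1.0;

int main(int argc, const char *argv[])
{
    @autoreleasepool
    {
        startTimes = [NSMutableDictionary dictionary];
        stateQueue = dispatch_queue_create("procinfo.example.state", DISPATCH_QUEUE_SERIAL);
        ProcInfo *procInfo = [[ProcInfo alloc] init];

        // seed the table with what is already running so their exits can be matched;
        // their true start time is unknown, so the snapshot time is used instead
        NSDate *snapshot = [NSDate date];
        for(Process *process in [procInfo currentProcesses])
            startTimes[@(process.pid)] = snapshot;

        ProcessCallbackBlock block = ^(Process *process)
        {
            NSNumber *key = @(process.pid);
            dispatch_async(stateQueue, ^{
                if(process.type != EVENT_EXIT)
                {
                    // a start for a pid already in the table (pid reused, or its
                    // exit was missed) simply overwrites the old entry
                    startTimes[key] = [NSDate date];
                    NSLog(@"start: %@", process);
                    return;
                }
                NSDate *started = startTimes[key];
                [startTimes removeObjectForKey:key];
                if(started == nil) return; // exit with no matching start seen
                NSTimeInterval lifetime = -[started timeIntervalSinceNow];
                if(lifetime < kShortLived)
                    NSLog(@"short-lived process: pid %d lived %.3fs", process.pid, lifetime);
                else
                    NSLog(@"exit: pid %d after %.1fs", process.pid, lifetime);
            });
        };
        [procInfo start:block];
        dispatch_main(); // monitoring is asynchronous; keep the tool alive
    }
    return 0;
}
```

Build it against lib/libprocInfo.a and libbsm.tbd as in step 1; the tool runs until killed, logging every start and exit it observes.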
Details
The Proc Info library provides an interface to:
  • retrieve information about arbitrary processes (by pid)
  • retrieve information about all running processes
  • monitor for process start & exit events
The library is already used in various Objective-See tools that:
  • need to track process creation events (e.g. RansomWhere?, BlockBlock, etc.)
  • classify running processes (based on their cryptographic signatures)
Moreover, it is an important component of tools designed to facilitate Mac malware analysis (e.g. of OSX/FruitFly) and vulnerability hunting (e.g. in installers/updaters).