Retrieve Process Run-time Architecture on Apple Silicon Macs On The Command Line with `archinfo` - Security Boulevard


Apple M1/Apple Silicon/arm64 macOS can run x86_64 programs via Rosetta, and most M1 systems currently (~March 2021) very likely run a mix of x86_64 and arm64 processes.

Activity Monitor can show the architecture, but command line tools such as `ps` and `top` do not, because Apple hides the details of the proper `sysctl()` incantations necessary to get this info.

Patrick Wardle reverse engineered Activity Monitor — https://www.patreon.com/posts/45121749 — and I slapped that hack together with some code from Sydney San Martin — https://gist.github.com/s4y/1173880/9ea0ed9b8a55c23f10ecb67ce288e09f08d9d1e5 — into a nascent, bare-bones command line utility: archinfo.

It will do slightly more, soon, but for now, it just returns a big JSON blob (that will work fine with jq, et al) of running processes and their respective architectures.

Build from source or grab from the releases via my git (https://git.rud.is/hrbrmstr/archinfo) or GH (https://github.com/hrbrmstr/archinfo).

```r
library(tidyverse)

arch <- jsonlite::fromJSON(system("/usr/local/bin/archinfo", intern=TRUE))

arch %>%
  as_tibble() %>%
  mutate(
    executable = basename(executable)
  ) %>%
  select(
    executable, arch
  )
## # A tibble: 448 x 2
##    executable                                          arch
##    <chr>                                               <chr>
## …
## 50 com.apple.WebKit.WebContent                         arm64
## 51 com.apple.WebKit.Networking                         arm64
## 52 com.apple.WebKit.WebContent                         arm64
## 53 RStudio — tycho                                     x86_64
## 54 QtWebEngineProcess                                  x86_64
## 55 VTEncoderXPCService                                 arm64
## 56 rsession-arm64                                      arm64
## 57 RStudio                                             x86_64
## 58 MTLCompilerService                                  arm64
## 59 MTLCompilerService                                  arm64
## 60 coreautha                                           arm64
## –

table(arch[["arch"]])
##
##  arm64 x86_64
##    419     29
```
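
For readers who want to see what such a `sysctl()` query can look like, here is a C sketch added to this post (not archinfo's source and not Patrick Wardle's code) that reads a PID's CPU type through the `sysctl.proc_cputype` OID and checks the `P_TRANSLATED` process flag for Rosetta. The helper names `classify_arch` and `arch_for_pid` are hypothetical, and the constants in the `#else` branch are copied from the macOS SDK headers only so the decision logic compiles on other systems.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef __APPLE__
#include <unistd.h>
#include <sys/sysctl.h>
#include <sys/proc.h>      /* P_TRANSLATED */
#include <mach/machine.h>  /* CPU_TYPE_X86_64, CPU_TYPE_ARM64 */
#else  /* values copied from the macOS SDK so the decision logic builds elsewhere */
#define CPU_TYPE_X86_64 0x01000007
#define CPU_TYPE_ARM64  0x0100000C
#define P_TRANSLATED    0x00020000
#endif

/* Hypothetical helper: turn the kernel's CPU type and process flags into a label. */
const char *classify_arch(int cpu_type, int p_flag) {
    if (cpu_type == CPU_TYPE_X86_64) return "x86_64";
    if (cpu_type == CPU_TYPE_ARM64)  /* translated by Rosetta => report Intel */
        return (p_flag & P_TRANSLATED) ? "x86_64" : "arm64";
    return "unknown";
}

#ifdef __APPLE__
/* Hypothetical helper: label for pid, or NULL when either sysctl() call fails. */
const char *arch_for_pid(pid_t pid) {
    int mib[CTL_MAXNAME] = {0};
    size_t len = CTL_MAXNAME - 1;  /* keep one slot free for the pid */
    if (sysctlnametomib("sysctl.proc_cputype", mib, &len) != 0) return NULL;
    mib[len++] = pid;
    cpu_type_t type = 0;
    size_t sz = sizeof(type);
    if (sysctl(mib, (u_int)len, &type, &sz, NULL, 0) != 0) return NULL;
    struct kinfo_proc kp;
    int kmib[4] = {CTL_KERN, KERN_PROC, KERN_PROC_PID, pid};
    sz = sizeof(kp);
    if (sysctl(kmib, 4, &kp, &sz, NULL, 0) != 0 || sz == 0) return NULL;
    return classify_arch(type, kp.kp_proc.p_flag);
}
#endif

int main(int argc, char **argv) {
#ifdef __APPLE__
    pid_t pid = (argc > 1) ? (pid_t)atoi(argv[1]) : getpid();
    const char *arch = arch_for_pid(pid);
    printf("%d %s\n", (int)pid, arch ? arch : "lookup failed");
#else
    (void)argc; (void)argv;
    printf("constructed arm64+P_TRANSLATED -> %s\n", classify_arch(CPU_TYPE_ARM64, P_TRANSLATED));
#endif
    return 0;
}
```

Built with `cc` on an Apple Silicon Mac, the program takes a PID as its only argument and reports on itself when none is given.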

*** This is a Security Bloggers Network syndicated blog from rud.is authored by hrbrmstr. Read the original post at: https://rud.is/b/2021/03/13/retrieve-process-run-time-architecture-on-apple-silicon-macs-on-the-command-line-with-archinfo/