Make -filter argument take a regex

App/ProcessMonitor.xcodeproj/project.pbxproj

@@ -3,7 +3,7 @@
 	archiveVersion = 1;
 	classes = {
 	};
-	objectVersion = 50;
+	objectVersion = 54;
 	objects = {
 
 /* Begin PBXBuildFile section */
@@ -113,7 +113,8 @@
 		CD38A8352358B410004EBB67 /* Project object */ = {
 			isa = PBXProject;
 			attributes = {
-				LastUpgradeCheck = 1220;
+				BuildIndependentTargetsInParallel = YES;
+				LastUpgradeCheck = 1500;
 				ORGANIZATIONNAME = "Patrick Wardle";
 				TargetAttributes = {
 					CD38A83C2358B410004EBB67 = {
@@ -198,9 +199,11 @@
 				CLANG_WARN_UNREACHABLE_CODE = YES;
 				CLANG_WARN__DUPLICATE_METHOD_MATCH = YES;
 				COPY_PHASE_STRIP = NO;
+				DEAD_CODE_STRIPPING = YES;
 				DEBUG_INFORMATION_FORMAT = dwarf;
 				ENABLE_STRICT_OBJC_MSGSEND = YES;
 				ENABLE_TESTABILITY = YES;
+				ENABLE_USER_SCRIPT_SANDBOXING = YES;
 				GCC_C_LANGUAGE_STANDARD = gnu11;
 				GCC_DYNAMIC_NO_PIC = NO;
 				GCC_NO_COMMON_BLOCKS = YES;
@@ -257,9 +260,11 @@
 				CLANG_WARN_UNREACHABLE_CODE = YES;
 				CLANG_WARN__DUPLICATE_METHOD_MATCH = YES;
 				COPY_PHASE_STRIP = NO;
+				DEAD_CODE_STRIPPING = YES;
 				DEBUG_INFORMATION_FORMAT = "dwarf-with-dsym";
 				ENABLE_NS_ASSERTIONS = NO;
 				ENABLE_STRICT_OBJC_MSGSEND = YES;
+				ENABLE_USER_SCRIPT_SANDBOXING = YES;
 				GCC_C_LANGUAGE_STANDARD = gnu11;
 				GCC_NO_COMMON_BLOCKS = YES;
 				GCC_WARN_64_TO_32_BIT_CONVERSION = YES;
@@ -281,11 +286,12 @@
 			buildSettings = {
 				ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon;
 				CODE_SIGN_ENTITLEMENTS = ProcessMonitor/ProcessMonitor.entitlements;
-				CODE_SIGN_IDENTITY = "Developer ID Application";
-				CODE_SIGN_STYLE = Manual;
+				CODE_SIGN_IDENTITY = "Apple Development";
+				CODE_SIGN_STYLE = Automatic;
 				COMBINE_HIDPI_IMAGES = YES;
 				CURRENT_PROJECT_VERSION = 1.5.0;
-				DEVELOPMENT_TEAM = VBG97UB4TA;
+				DEAD_CODE_STRIPPING = YES;
+				DEVELOPMENT_TEAM = ZK96P738ZR;
 				ENABLE_HARDENED_RUNTIME = YES;
 				HEADER_SEARCH_PATHS = ../Library/Release;
 				INFOPLIST_FILE = ProcessMonitor/Info.plist;
@@ -295,9 +301,9 @@
 				);
 				LIBRARY_SEARCH_PATHS = ../Library/Release;
 				MARKETING_VERSION = 1.5.0;
-				PRODUCT_BUNDLE_IDENTIFIER = "com.objective-see.processmonitor";
+				PRODUCT_BUNDLE_IDENTIFIER = "vin.je.com.objective-see.processmonitor";
 				PRODUCT_NAME = "$(TARGET_NAME)";
-				PROVISIONING_PROFILE_SPECIFIER = "Process Monitor";
+				PROVISIONING_PROFILE_SPECIFIER = "";
 			};
 			name = Debug;
 		};
@@ -306,11 +312,12 @@
 			buildSettings = {
 				ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon;
 				CODE_SIGN_ENTITLEMENTS = ProcessMonitor/ProcessMonitor.entitlements;
-				CODE_SIGN_IDENTITY = "Developer ID Application";
-				CODE_SIGN_STYLE = Manual;
+				CODE_SIGN_IDENTITY = "Apple Development";
+				CODE_SIGN_STYLE = Automatic;
 				COMBINE_HIDPI_IMAGES = YES;
 				CURRENT_PROJECT_VERSION = 1.5.0;
-				DEVELOPMENT_TEAM = VBG97UB4TA;
+				DEAD_CODE_STRIPPING = YES;
+				DEVELOPMENT_TEAM = ZK96P738ZR;
 				ENABLE_HARDENED_RUNTIME = YES;
 				HEADER_SEARCH_PATHS = ../Library/Release;
 				INFOPLIST_FILE = ProcessMonitor/Info.plist;
@@ -320,9 +327,9 @@
 				);
 				LIBRARY_SEARCH_PATHS = ../Library/Release;
 				MARKETING_VERSION = 1.5.0;
-				PRODUCT_BUNDLE_IDENTIFIER = "com.objective-see.processmonitor";
+				PRODUCT_BUNDLE_IDENTIFIER = "vin.je.com.objective-see.processmonitor";
 				PRODUCT_NAME = "$(TARGET_NAME)";
-				PROVISIONING_PROFILE_SPECIFIER = "Process Monitor";
+				PROVISIONING_PROFILE_SPECIFIER = "";
 			};
 			name = Release;
 		};

App/ProcessMonitor.xcodeproj/xcshareddata/xcschemes/ProcessMonitor.xcscheme

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <Scheme
-   LastUpgradeVersion = "1220"
+   LastUpgradeVersion = "1500"
    version = "1.3">
    <BuildAction
       parallelizeBuildables = "YES"
@@ -31,7 +31,7 @@
       </Testables>
    </TestAction>
    <LaunchAction
-      buildConfiguration = "Debug"
+      buildConfiguration = "Release"
       selectedDebuggerIdentifier = "Xcode.DebuggerFoundation.Debugger.LLDB"
       selectedLauncherIdentifier = "Xcode.DebuggerFoundation.Launcher.LLDB"
       debugAsWhichUser = "root"

App/ProcessMonitor/main.h

@@ -16,8 +16,8 @@
 //'skipAPple' flag
 BOOL skipApple = NO;
 
-//filter string
-NSString* filterBy = nil;
+//filter regex
+NSRegularExpression *filterByRegex = nil;
 
 //'prettyPrint' flag
 BOOL prettyPrint = NO;

App/ProcessMonitor/main.m

@@ -20,7 +20,7 @@ int main(int argc, const char * argv[]) {
         NSArray* arguments = nil;
 
         //grab args
-        arguments = [[NSProcessInfo processInfo] arguments];
+        arguments = [NSProcessInfo processInfo].arguments;
 
         //run via user (app)?
         // display error popup
@@ -63,7 +63,7 @@ int main(int argc, const char * argv[]) {
 
         //run loop
         // as don't want to exit
-        [[NSRunLoop currentRunLoop] run];
+        [NSRunLoop.currentRunLoop run];
 
     } //pool
 
@@ -98,7 +98,7 @@ BOOL processArgs(NSArray* arguments)
         index++;
 
         //sanity check
-        // make sure name comes after
+        // make sure name regex comes after
         if(index >= arguments.count)
         {
             //invalid
@@ -108,8 +108,17 @@ BOOL processArgs(NSArray* arguments)
             goto bail;
         }
 
-        //grab filter name
-        filterBy = [arguments objectAtIndex:index];
+        //grab filter name regex
+        NSError *regex_error = nil;
+        filterByRegex = [NSRegularExpression regularExpressionWithPattern:arguments[index] options:0 error:&regex_error];
+        if (!filterByRegex || regex_error) {
+            printf("%s", [NSString stringWithFormat:@"Error creating regex: %@\n", regex_error.localizedDescription].UTF8String);
+            //invalid
+            validArgs = NO;
+
+            //bail
+            goto bail;
+        }
     }
 
 bail:
@@ -118,39 +127,33 @@ BOOL processArgs(NSArray* arguments)
 }
 
 //print usage
-void usage()
+void usage(void)
 {
     //name
-    NSString* name = nil;
+    NSString* name = NSBundle.mainBundle.infoDictionary[@"CFBundleName"];
 
     //version
-    NSString* version = nil;
-
-    //extract name
-    name = [[[NSBundle mainBundle] infoDictionary] objectForKey:@"CFBundleName"];
-
-    //extract version
-    version = [[[NSBundle mainBundle] infoDictionary] objectForKey:@"CFBundleVersion"];
+    NSString* version = NSBundle.mainBundle.infoDictionary[@"CFBundleVersion"];
 
     //usage
     printf("\n%s (v%s) usage:\n", name.UTF8String, version.UTF8String);
-    printf(" -h or -help      display this usage info\n");
-    printf(" -pretty          JSON output is 'pretty-printed'\n");
-    printf(" -skipApple       ignore Apple (platform) processes \n");
-    printf(" -parseEnv        parse environment variable information\n");
-    printf(" -filter <name>   show events matching process name\n\n");
+    printf(" -h or -help            display this usage info\n");
+    printf(" -pretty                JSON output is 'pretty-printed'\n");
+    printf(" -skipApple             ignore Apple (platform) processes \n");
+    printf(" -parseEnv              parse environment variable information\n");
+    printf(" -filter <name regex>   show events matching process name\n\n");
 
     return;
 }
 
 //monitor
-BOOL monitor()
+BOOL monitor(void)
 {
     //(process) events of interest
     es_event_type_t events[] = {ES_EVENT_TYPE_NOTIFY_EXEC, ES_EVENT_TYPE_NOTIFY_FORK, ES_EVENT_TYPE_NOTIFY_EXIT};
 
     //init monitor
-    ProcessMonitor* procMon = [[ProcessMonitor alloc] init];
+    ProcessMonitor* procMon = ProcessMonitor.new;
 
     //define block
     // automatically invoked upon process events
@@ -170,10 +173,10 @@ BOOL monitor()
 
         //filter
         // and no match? skip
-        if(0 != filterBy.length)
+        if(nil != filterByRegex)
         {
             //check file paths & process
-            if(YES != [process.path hasSuffix:filterBy])
+            if(0 == [filterByRegex numberOfMatchesInString:process.path options:0 range:NSMakeRange(0, process.path.length)])
             {
                 //ignore
                 return;
@@ -248,7 +251,7 @@ BOOL monitor()
 
     //convert to string
     // note, we manually unescape forward slashes
-    prettyString = [[[NSString alloc] initWithData:prettyData encoding:NSUTF8StringEncoding] stringByReplacingOccurrencesOfString:@"\\/" withString:@"/"];
+    prettyString = [[NSString.alloc initWithData:prettyData encoding:NSUTF8StringEncoding] stringByReplacingOccurrencesOfString:@"\\/" withString:@"/"];
 
 bail:
 

Library/Release/ProcessMonitor.h

@@ -25,7 +25,7 @@ enum csOptions{csNone, csStatic, csDynamic};
 enum Signer{None, Apple, AppStore, DevID, AdHoc};
 
 //architectures
-enum Architectures{ArchUnknown, ArchAppleSilicon, ArchIntel};
+enum Architectures{ArchUnknown, ArchFail1, ArchFail2, ArchFail3, ArchAppleSilicon, ArchIntel};
 
 //cs options
 #define CS_STATIC_CHECK YES
@@ -41,11 +41,11 @@ typedef void (^ProcessCallbackBlock)(Process* _Nonnull);
 @interface ProcessMonitor : NSObject
 
 //start monitoring
-// pass in events of interest, count of said events, flag for codesigning, and callback
--(BOOL)start:(es_event_type_t* _Nonnull)events count:(uint32_t)count csOption:(NSUInteger)csOption callback:(ProcessCallbackBlock _Nonnull)callback;
+// pass in events of interest, count of said events, flag for codesigning, flag for environment variable collection, and callback
+-(BOOL)start:(es_event_type_t* _Nonnull)events count:(uint32_t)count csOption:(NSUInteger)csOption parseEnv:(BOOL)parseEnv callback:(ProcessCallbackBlock _Nonnull)callback;
 
 //stop monitoring
--(BOOL)stop;
+@property (NS_NONATOMIC_IOSONLY, readonly) BOOL stop;
 
 @end
 
@@ -89,6 +89,9 @@ typedef void (^ProcessCallbackBlock)(Process* _Nonnull);
 //args
 @property(nonatomic, retain)NSMutableArray* _Nonnull arguments;
 
+//environment variables
+@property(nonatomic, retain)NSMutableDictionary* _Nullable environment;
+
 //ancestors
 @property(nonatomic, retain)NSMutableArray* _Nonnull ancestors;
 
@@ -118,6 +121,6 @@ typedef void (^ProcessCallbackBlock)(Process* _Nonnull);
 
 //init
 // flag controls code signing options
--(id _Nullable)init:(es_message_t* _Nonnull)message csOption:(NSUInteger)csOption;
+-(instancetype _Nullable)init:(es_message_t* _Nonnull)message csOption:(NSUInteger)csOption parseEnv:(BOOL)parseEnv;
 
 @end