I wanted to use the `/proc/<pid>/map` directory in order to get info about the virtual memory of a process (especially about its shared libraries). Since macOS doesn't have one, I'm trying to find other ways. One of them seems to be the `sysctl` call, but I don't quite understand how to use it for such a purpose. Are there any examples? I know it can also be done via some `mach_vm` interface calls, but the documentation is quite poor. Maybe you know any other ways of reading process memory? My macOS version is Darwin, by the way.

Note: the purpose is to do this without using any utilities or `fork`/`exec` calls. I also don't want any `pseudofs` to be mounted.
Viewed 1,599 times
2

Artyom
1 Answer
2
macOS' virtual memory subsystem is in the Mach-inherited part of the kernel, so those APIs are definitely the ones to use. For inspecting regions, look at `mach_vm_region()` (called `vm_region` in the original Mach - you will find more documentation for that), for reading memory, use `mach_vm_read()`.

You may also find the `vmmap` command line utility to come in useful for exploration.

pmdj
- The problem really is that `mach_vm_region` can only tell that the region is shared but has no option to find which region stands for which shared library. I want the functionality similar to `vmmap -allStliptLibs`. Is it possible to get such without accessing the linker? – Artyom Jul 25 '17 at 13:29
- I'm not aware of a way to do that. Even vmmap itself links against Symbolication.framework. The kernel holds a reference to the `vnode_t` somewhere internally, but as far as I'm aware there isn't even a public KPI for accessing that from a kext. – pmdj Jul 25 '17 at 13:57
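
The region walk the answer describes, as an added example that is not code from the question or the answer: it calls `mach_vm_region()` and `mach_vm_read()` on the calling process's own task (`mach_task_self()`), printing each region's range, protection and shared flag. The names `prot_str` and `dump_own_regions` are this example's own; the Mach calls compile only on macOS, and the walker returns -1 elsewhere.

```c
#include <stdio.h>
#ifdef __APPLE__
#include <mach/mach.h>
#include <mach/mach_vm.h>
#endif

/* Render Mach protection bits as "rwx" (VM_PROT_READ=1, WRITE=2, EXECUTE=4). */
const char *prot_str(int prot, char out[4]) {
    out[0] = (prot & 1) ? 'r' : '-';
    out[1] = (prot & 2) ? 'w' : '-';
    out[2] = (prot & 4) ? 'x' : '-';
    out[3] = '\0';
    return out;
}

/* Walk this process's own address space. Returns the number of regions,
 * or -1 when built on a platform without the Mach VM interface. */
int dump_own_regions(void) {
#ifdef __APPLE__
    task_t task = mach_task_self();
    mach_vm_address_t addr = 0;
    int n = 0;
    for (;;) {
        mach_vm_size_t size = 0;
        vm_region_basic_info_data_64_t info;
        mach_msg_type_number_t cnt = VM_REGION_BASIC_INFO_COUNT_64;
        mach_port_t obj = MACH_PORT_NULL;
        /* Finds the first region at or above addr; updates addr and size. */
        if (mach_vm_region(task, &addr, &size, VM_REGION_BASIC_INFO_64,
                           (vm_region_info_t)&info, &cnt, &obj) != KERN_SUCCESS)
            break; /* nothing mapped above addr: end of the map */
        char p[4];
        printf("%016llx-%016llx %s shared=%d", (unsigned long long)addr,
               (unsigned long long)(addr + size),
               prot_str(info.protection, p), (int)info.shared);
        vm_offset_t data = 0;
        mach_msg_type_number_t got = 0;
        /* mach_vm_read() returns a kernel-allocated copy that must be freed. */
        if ((info.protection & VM_PROT_READ) &&
            mach_vm_read(task, addr, 4, &data, &got) == KERN_SUCCESS) {
            printf(" first=%02x", *(const unsigned char *)data);
            mach_vm_deallocate(task, data, got);
        }
        putchar('\n');
        addr += size; n++;
    }
    return n;
#else
    return -1;
#endif
}
int main(void) { return dump_own_regions() < 0; }
```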