
I have a closed-source 3rd party program, and I want to be able to

  • Know what memory is allocated to the program
  • Access that memory (read only is fine)

Utilities like vmmap(1), heap(1), and leaks(1) seem to have similar functionality to what I need, but I can't find their source anywhere (the OS X versions) and can't figure out how they work. Preferably, this would all be done in user-space, possibly running as root, I don't want to write kernel code for the purpose of bypassing memory protection if I can avoid it.

I tried using shared memory, passing the address of what I want to read as the 2nd argument to shmat(2), but this was ultimately unsuccessful (and probably not its intended usage and/or bad practice) and still left me without a way to determine what memory I'm looking for anyway (the program that owned the memory had to report its address to me).

Is there a way to just disable memory protection for a certain program so that it won't segfault when it tries to read/write memory that is allocated to a different process? Is there a better way that wouldn't enable bugs to seriously corrupt my entire system?

How is this achieved?

user992364
  • Have you tried tracing the system calls of such utilities? – icktoofay Jun 11 '12 at 03:39
  • @icktoofay Good idea. Never done that before. I just tried it using shark.app (unstable gui crap, just the first suggestion google found me) but there are a few problems 1) symbol names are missing 2) shark keeps crashing (I'm going to try to see if I can do this with GDB or something), and 3) I can't find documentation for the syscalls which look like they might be relevant (io_connect_method, io_connect_(un)map_memory, some mach_* stuff). 4) It'll take me forever to dig through the dump and figure out how to properly use these calls. There must be documentation somewhere... – user992364 Jun 11 '12 at 04:17

2 Answers

Basically, this guy is right.

Go download the source code that accompanies this book and see vm_rw_master.c of example 8-16 for a working implementation.

See http://web.mit.edu/darwin/src/modules/xnu/osfmk/man/ for documentation, it's slightly outdated, and questionably correct, but it's the best available.

EDIT: Also, see http://lightbulbone.com/2011/05/dumping-process-memory-on-mac-os-x/ (note that the task that owns the memory you are trying to read does NOT need to be a child of the process doing the reading; you just need to have the proper authorization.)

EDIT: Also, see http://os-tres.net/blog/2010/02/17/mac-os-x-and-task-for-pid-mach-call/ for a good example of authorization.

Glorfindel
user992364

I don't have access to an OS X machine, but this looks very similar to what you're trying to do:

Reading Other Process' Memory in OS X?

Here's an archive of the link that doesn't work:

http://web.archive.org/web/20090627062246/http://www.matasano.com/log/1100/what-ive-been-doing-on-my-summer-vacation-or-it-has-to-work-otherwise-gdb-wouldnt/

Alex W
  • That article seems to boil down to "ptrace won't work, use vm_read and vm_write", neither of which has a manpage, and the only syscall in the dump that looks similar is vm_deallocate... :( – user992364 Jun 11 '12 at 04:51
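Both answers point at the same Mach VM calls (task_for_pid, vm_read and friends) without showing them together, so here is an added, self-contained C example that is not from either answer or from the linked articles. It does what vmmap(1) does for the region list (mach_vm_region walk) and what the comment above calls vm_read (mach_vm_read_overwrite is the 64-bit-clean spelling of the same call). The Mach functions and constants are real macOS APIs; the function names walk_regions, read_task_memory, prot_to_string and the marker string are my own constructions. It runs against the current task by default, which needs no authorization; pass a pid on the command line and it uses task_for_pid, which fails with KERN_FAILURE unless the caller is root or otherwise approved, exactly the authorization the second link in the first answer explains. The Mach-specific part is guarded by `#ifdef __APPLE__` so the file still compiles elsewhere; the protection formatter is portable and can be checked on any platform.

```c
/* Added example (not from the original answers): enumerate a task's VM regions
   and read memory out of it with the Mach VM API, as vmmap(1)/heap(1) do. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Render Mach protection bits (VM_PROT_READ=1, WRITE=2, EXECUTE=4) as "rwx",
   the way vmmap(1) prints them. Portable, so it is testable on any platform. */
void prot_to_string(int prot, char out[4]) {
    out[0] = (prot & 1) ? 'r' : '-';
    out[1] = (prot & 2) ? 'w' : '-';
    out[2] = (prot & 4) ? 'x' : '-';
    out[3] = '\0';
}

#ifdef __APPLE__
#include <mach/mach.h>
#include <mach/mach_vm.h>

/* Walk every mapped region of `task`, printing range and cur/max protection.
   Returns the number of regions seen, or -1 on a Mach error. */
long walk_regions(mach_port_t task) {
    mach_vm_address_t addr = 0;
    long count = 0;
    for (;;) {
        mach_vm_size_t size = 0;
        vm_region_basic_info_data_64_t info;
        mach_msg_type_number_t info_count = VM_REGION_BASIC_INFO_COUNT_64;
        mach_port_t object_name = MACH_PORT_NULL; /* unused, but required */
        kern_return_t kr = mach_vm_region(task, &addr, &size, VM_REGION_BASIC_INFO_64,
                                          (vm_region_info_t)&info, &info_count, &object_name);
        if (kr == KERN_INVALID_ADDRESS) break;   /* no region at or above addr: done */
        if (kr != KERN_SUCCESS) return -1;
        char cur[4], max[4];
        prot_to_string(info.protection, cur);
        prot_to_string(info.max_protection, max);
        printf("%016llx-%016llx %s/%s\n", (unsigned long long)addr,
               (unsigned long long)(addr + size), cur, max);
        count++;
        addr += size;                            /* continue after this region */
    }
    return count;
}

/* Copy `len` bytes at `addr` in `task` into `buf`; 0 on success, -1 otherwise.
   Reading only, so a read-only region is enough, as the question wants. */
int read_task_memory(mach_port_t task, mach_vm_address_t addr, void *buf, size_t len) {
    mach_vm_size_t got = 0;
    kern_return_t kr = mach_vm_read_overwrite(task, addr, (mach_vm_size_t)len,
                                              (mach_vm_address_t)buf, &got);
    return (kr == KERN_SUCCESS && got == len) ? 0 : -1;
}

/* Round trip: read a constructed marker string out of our own task. */
int self_read_roundtrip(void) {
    static const char marker[] = "constructed marker";   /* constructed sample data */
    char copy[sizeof marker];
    if (read_task_memory(mach_task_self(), (mach_vm_address_t)marker, copy, sizeof marker) != 0)
        return -1;
    return strcmp(copy, marker) == 0 ? 0 : -1;
}

int main(int argc, char **argv) {
    mach_port_t task = mach_task_self();
    if (argc > 1) {
        /* Another process: task_for_pid is where the authorization check happens. */
        kern_return_t kr = task_for_pid(mach_task_self(), atoi(argv[1]), &task);
        if (kr != KERN_SUCCESS) {
            fprintf(stderr, "task_for_pid: %s\n", mach_error_string(kr));
            return 1;
        }
    }
    long n = walk_regions(task);
    printf("%ld regions\n", n);
    return self_read_roundtrip() == 0 ? 0 : 1;
}
#endif
```

Build on macOS with `cc -o regions regions.c` and run it with no arguments to list your own regions, or `sudo ./regions <pid>` for another process. Note that mach_vm_region returns KERN_INVALID_ADDRESS once it has run past the last mapping, so that return code is the loop terminator, not an error.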