6

I'd like to figure out how does VMMAP process operates.

After running this executable with dtrace, it seems that the method proc_regionfilename that extract the address space of each section in the virtual memory.

So, I dug a little deeper, and found its implementation in xnu under the file
libsyscall/wrappers/libproc/libproc.c

In function body i see that the main call is to proc_pidinfo : 

retval = proc_pidinfo(pid, PROC_PIDREGIONPATHINFO, (uint64_t)address, &reginfo, sizeof(struct proc_regionwithpathinfo));

And proc_pidinfo which calls in its turn to __proc_info symbol : 

int __proc_info(int callnum, int pid, int flavor, uint64_t arg, void * buffer, int buffersize);

However, this symbol cannot be found in the code, and i wonder how it's created during pre-compile, compile, link or real time.

Any idea where can i find it, or how does it being created (I haven't tried to compile the kernel yet).

thanks

Zohar81
  • 4,554
  • 5
  • 29
  • 82

1 Answers1

3

proc_info is a syscall, so it's implementation is in the kernel. Source code for the version found in 10.11.2 can be found here:

http://opensource.apple.com/source/xnu/xnu-3248.20.55/bsd/kern/proc_info.c

pmdj
  • 22,018
  • 3
  • 52
  • 103
  • 1
    Thanks, but why does it declaration in libproc.c is made in the mangled form (__proc_info instead of proc_info) ? – Zohar81 Feb 22 '16 at 10:57
  • I think `__proc_info` is the syscall shim that turns regular function calling convention into syscall convention and actually causes the trap to kernel space. Those are autogenerated from the kernel's syscall table, so you won't find any direct source code for them. Not 100% sure though. – pmdj Feb 22 '16 at 11:21