mach_vm_region_recurse, mapping memory and shared libraries on osx
I'm using vm_region_recurse_64 to map out the memory for a given process, vmmap style.

Trying to get a complete list of shared libraries loaded by the application by examining each library's Mach-O header in memory, however, vm_region_recurse seems to disagree with the vmmap command line tool about specifically where some of the specific memory sections begin and end.

This becomes especially true in the 90000000-a0000000 system submap where most of the os shared libraries are loaded.

And now I'm kind of stumped. I can list memory segments, tell generally what type they are, and read from them with vm_read. But listing them and getting correct and specific region info is proving difficult.

How does vmmap get listings of the specific locations at which libraries are loaded? My method seems to be ineffective.

Edit: here's the basic code I'm using. It returns a memory map similar to but not identical to vmmap's. Doesn't have memory regions of specific libraries.

kern_return_t krc = KERN_SUCCESS;
vm_address_t address = 0;
vm_size_t size = 0;
uint32_t depth = 1;
// port is the task port of the target process, obtained elsewhere
while (1) {
    struct vm_region_submap_info_64 info;
    mach_msg_type_number_t count = VM_REGION_SUBMAP_INFO_COUNT_64;
    krc = vm_region_recurse_64(port, &address, &size, &depth, (vm_region_info_64_t)&info, &count);
    if (krc != KERN_SUCCESS) {
        // KERN_INVALID_ADDRESS marks the end of the address space; stop on any other error too
        break;
    }
    if (info.is_submap) {
        // retry the same address one level deeper to descend into the submap
        depth++;
    }
    else {
        //do stuff
        printf("Found region: %08x to %08x\n", (uint32_t)address, (uint32_t)(address + size));
        address += size;
    }
}
Bukharin answered 5/8, 2011 at 23:27 Comment(0)

vmmap calls mach_vm_region_recurse() to list the memory regions.

In order to see the contents of submaps like the dyld shared cache at 0x90000000..0xa0000000, you'll need to look for regions with is_submap set, and then call mach_vm_region_recurse() again with the same address and a deeper nesting_depth.

Transudate answered 5/8, 2011 at 23:47 Comment(3)
On the right track... but I've discovered this. Okay, time for a snippet. I'll edit my original post. - Bukharin
I think this is correct. For whatever reason, the entire dyld shared cache is appearing as one memory object and not separate regions, but this method is letting me penetrate the submap and access the memory object. I'll have to look more into how to read which libs are loaded within the dyld shared cache. - Bukharin
Did you ever figure this out? I'm in the same boat where I get filenames that point to the dyld_shared_cache and I'd like to get the real dylib being requested. - Foremost

vmmap(1) actually gets a listing of the Mach-O images loaded in the process, by inspecting DYLD tables left in the target address space.

Tyrelltyrian answered 30/3, 2013 at 1:53 Comment(0)
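
The question's approach of examining each library's Mach-O header in memory, as an added example (not code from any post above and not vmmap's own): a portable C parser that takes bytes already copied out of a region, for instance with vm_read, and returns the LC_ID_DYLIB install name with every offset bounds-checked. It assumes a 64-bit image whose byte order matches the host; macho_install_name, sample_image and the sample path are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Values from <mach-o/loader.h>, redefined so the parser builds off macOS. */
#define MH_MAGIC_64 0xfeedfacfu
#define LC_ID_DYLIB 0xdu
#define HDR64_SIZE  32u /* sizeof(struct mach_header_64) */

/* Host-endian read; assumes host and image agree (little-endian on x86_64/arm64). */
static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }

/* Hypothetical helper: returns the LC_ID_DYLIB install name found in buf, or
 * NULL if buf is not a 64-bit Mach-O image or a field points outside it. */
const char *macho_install_name(const uint8_t *buf, size_t len)
{
    if (len < HDR64_SIZE || rd32(buf) != MH_MAGIC_64) return NULL;
    uint32_t ncmds = rd32(buf + 16), sizeofcmds = rd32(buf + 20);
    if (sizeofcmds > len - HDR64_SIZE) return NULL;   /* commands run past buf */
    size_t off = HDR64_SIZE, end = HDR64_SIZE + (size_t)sizeofcmds;
    for (uint32_t i = 0; i < ncmds; i++) {
        if (end - off < 8) return NULL;               /* no room for a load_command */
        uint32_t cmd = rd32(buf + off), cmdsize = rd32(buf + off + 4);
        if (cmdsize < 8 || cmdsize > end - off) return NULL;
        if (cmd == LC_ID_DYLIB) {
            /* dylib_command is 24 bytes; the name offset is its third field. */
            uint32_t name_off = cmdsize >= 24 ? rd32(buf + off + 8) : 0;
            if (name_off < 24 || name_off >= cmdsize) return NULL;
            const char *name = (const char *)buf + off + name_off;
            /* Reject a name that is not NUL-terminated inside the command. */
            return memchr(name, 0, cmdsize - name_off) ? name : NULL;
        }
        off += cmdsize;
    }
    return NULL;
}

/* Constructed sample: header, LC_UUID (24 bytes), LC_ID_DYLIB (56 bytes). */
const uint8_t *sample_image(void)
{
    static uint8_t img[112];
    static const uint32_t hdr[8] = { MH_MAGIC_64, 0x01000007, 3, 6, 2, 80, 0, 0 };
    static const uint32_t uuid[2] = { 0x1b, 24 }, id[3] = { LC_ID_DYLIB, 56, 24 };
    memcpy(img, hdr, sizeof hdr);
    memcpy(img + 32, uuid, sizeof uuid);
    memcpy(img + 56, id, sizeof id);
    strcpy((char *)img + 80, "/usr/lib/libexample.dylib");
    return img;
}
```

A NULL result covers both "not a Mach-O header" and "header present but malformed or truncated", so a caller scanning regions can skip the region in either case.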
