Home/ Questions/Q 7864743
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-02T23:52:40+00:00

I’m trying to read the memory of a process using task_for_pid / vm_read .

  • 0

I’m trying to read the memory of a process using task_for_pid / vm_read. 

uint32_t sz;
pointer_t buf;
task_t task;
pid_t pid = 9484;
kern_return_t error = task_for_pid(current_task(), pid, &task);
vm_read(task, 0x10e448000, 2048, &buf, &sz);

In this case I read the first 2048 bytes.

This works when I know the base address of the process (which I can find out using gdb “info shared” – in this case 0x10e448000), but how do I find out the base address at runtime (without looking at it with gdb)?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Answering my own question. I was able to get the base address using mach_vm_region_recurse like below. The offset lands in vmoffset. If there is another way that is more “right” – don’t hesitate to comment!

    #include <stdio.h>
#include <mach/mach_init.h>
#include <sys/sysctl.h>
#include <mach/mach_vm.h>

 ...

    mach_port_name_t task;
    vm_map_offset_t vmoffset;
    vm_map_size_t vmsize;
    uint32_t nesting_depth = 0;
    struct vm_region_submap_info_64 vbr;
    mach_msg_type_number_t vbrcount = 16;
    kern_return_t kr;

    if ((kr = mach_vm_region_recurse(task, &vmoffset, &vmsize,
                 &nesting_depth,
                 (vm_region_recurse_info_t)&vbr,
                 &vbrcount)) != KERN_SUCCESS) 
    {
        printf("FAIL");
    }
    • 0