I was trying to print all the memory regions of a process using the mach_vm_region and it seemed to work fine but when I compared it to the vmmap command vmmap -v -interleaved <PID>, I realized that I was still missing many memory regions.
For instance, after my program and vmmap were giving the same memory regions for about 50 regions straight, , in a certain region my program got this:
180000000 to 1f8000000
1f8000000 to 1f869c000
1f869c000 to 1f86bc000
1f86bc000 to 1f86c0000
1f86c0000 to 1fa000000
1fa000000 to 1faeac000
1faeac000 to 1fc5a0000
1fc5a0000 to 1ff928000
1ff928000 to 200000000
while in the same space, vmmap got this:
Submap 180000000-1f8000000 [ 1.9G 0K 0K 0K] r--/r-- SM=SHM machine-wide VM submap
unused shlib __TEXT 1a2174000-1a21c5000 [ 324K 324K 0K 0K] r-x/r-x SM=COW system shared lib __TEXT not used by this process
__TEXT 1a21c5000-1a21c7000 [ 8K 8K 0K 0K] r-x/r-x SM=COW /usr/lib/system/libsystem_blocks.dylib
__TEXT 1a21c7000-1a2209000 [ 264K 264K 0K 0K] r-x/r-x SM=COW /usr/lib/system/libxpc.dylib
__TEXT 1a2209000-1a2223000 [ 104K 104K 0K 0K] r-x/r-x SM=COW /usr/lib/system/libsystem_trace.dylib
__TEXT 1a2223000-1a22ad000 [ 552K 536K 0K 0K] r-x/r-x SM=COW /usr/lib/system/libcorecrypto.dylib
__TEXT 1a22ad000-1a22d8000 [ 172K 172K 0K 0K] r-x/r-x SM=COW /usr/lib/system/libsystem_malloc.dylib
__TEXT 1a22d8000-1a231f000 [ 284K 284K 0K 0K] r-x/r-x SM=COW /usr/lib/system/libdispatch.dylib
__TEXT 1a231f000-1a235d000 [ 248K 248K 0K 0K] r-x/r-x SM=COW /usr/lib/libobjc.A.dylib
__TEXT 1a235d000-1a2360000 [ 12K 12K 0K 0K] r-x/r-x SM=COW /usr/lib/system/libsystem_featureflags.dylib
__TEXT 1a2360000-1a23e2000 [ 520K 488K 0K 0K] r-x/r-x SM=COW /usr/lib/system/libsystem_c.dylib
__TEXT 1a23e2000-1a2449000 [ 412K 396K 0K 0K] r-x/r-x SM=COW /usr/lib/libc++.1.dylib
__TEXT 1a2449000-1a2461000 [ 96K 96K 0K 0K] r-x/r-x SM=COW /usr/lib/libc++abi.dylib
__TEXT 1a2461000-1a2499000 [ 224K 224K 0K 0K] r-x/r-x SM=COW /usr/lib/system/libsystem_kernel.dylib
__TEXT 1a2499000-1a24a6000 [ 52K 52K 0K 0K] r-x/r-x SM=COW /usr/lib/system/libsystem_pthread.dylib
__TEXT 1a24a6000-1a24b3000 [ 52K 52K 0K 0K] r-x/r-x SM=COW /usr/lib/system/libdyld.dylib
__TEXT 1a24b3000-1a24bb000 [ 32K 32K 0K 0K] r-x/r-x SM=COW /usr/lib/system/libsystem_platform.dylib
__TEXT 1a24bb000-1a24e8000 [ 180K 164K 0K 0K] r-x/r-x SM=COW /usr/lib/system/libsystem_info.dylib
__TEXT 1a24e8000-1a2a2f000 [ 5404K 4092K 0K 0K] r-x/r-x SM=COW /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation
unused shlib __TEXT 1a2a2f000-1a4921000 [ 30.9M 17.4M 0K 0K] r-x/r-x SM=COW system shared lib __TEXT not used by this process
__TEXT 1a4921000-1a4bd7000 [ 2776K 2568K 0K 0K] r-x/r-x SM=COW /usr/lib/libicucore.A.dylib
...
__DATA_DIRTY 1fb3fe3e8-1fb3fe3f0 [ 8 8 8 0K] rw-/rw- SM=COW /usr/lib/system/libsystem_notify.dylib
__DATA_DIRTY 1fb3fe3f0-1fb3fe404 [ 20 20 20 0K] rw-/rw- SM=COW /usr/lib/system/libsystem_platform.dylib
unused shlib __DATA 1fb3fe404-1fb400000 [ 7K 7K 7K 0K] rw-/rw- SM=COW unused system shared lib __DATA, on dirty page
__DATA_DIRTY 1fb400000-1fb405838 [ 22K 22K 22K 0K] rw-/rw- SM=COW /usr/lib/system/libsystem_pthread.dylib
__DATA_DIRTY 1fb405838-1fb405848 [ 16 16 16 0K] rw-/rw- SM=COW /usr/lib/system/libsystem_symptoms.dylib
__DATA_DIRTY 1fb405848-1fb405cb8 [ 1136 1136 1136 0K] rw-/rw- SM=COW /usr/lib/system/libsystem_trace.dylib
__DATA_DIRTY 1fb405cb8-1fb406708 [ 2640 2640 2640 0K] rw-/rw- SM=COW /usr/lib/system/libxpc.dylib
unused shlib __DATA 1fb406708-1fb408000 [ 6K 6K 6K 0K] rw-/rw- SM=COW unused system shared lib __DATA, on dirty page
__AUTH 1fb408000-1fb4081b8 [ 440 440 0K 0K] rw-/rw- SM=COW /usr/lib/system/libsystem_trace.dylib
__AUTH 1fb4081b8-1fb408218 [ 96 96 0K 0K] rw-/rw- SM=COW /usr/lib/system/libcorecrypto.dylib
unused shlib __DATA 1fb408218-1fb40c000 [ 15K 15K 0K 0K] rw-/rw- SM=COW system shared lib __DATA not used by this process
__AUTH 1fb40c000-1fb414000 [ 32K 32K 0K 0K] rw-/rw- SM=COW /usr/lib/system/libsystem_malloc.dylib
__DATA 1fb414000-1fb415400 [ 5K 5K 0K 0K] rw-/rw- SM=COW /usr/lib/system/libdispatch.dylib
__AUTH 1fb415400-1fb415478 [ 120 120 0K 0K] rw-/rw- SM=COW /usr/lib/libobjc.A.dylib
__AUTH 1fb415478-1fb416190 [ 3352 3352 0K 0K] rw-/rw- SM=COW /usr/lib/system/libsystem_c.dylib
__AUTH 1fb416190-1fb418628 [ 9K 9K 1576 0K] rw-/rw- SM=COW /usr/lib/libc++.1.dylib
__AUTH 1fb418628-1fb418670 [ 72 72 72 0K] rw-/rw- SM=COW /usr/lib/libc++abi.dylib
__AUTH 1fb418670-1fb4186b0 [ 64 64 64 0K] rw-/rw- SM=COW /usr/lib/system/libdyld.dylib
__AUTH 1fb4186b0-1fb418880 [ 464 464 464 0K] rw-/rw- SM=COW /usr/lib/system/libsystem_info.dylib
__AUTH 1fb418880-1fb41a740 [ 8K 8K 8K 0K] rw-/rw- SM=COW /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation
unused shlib __DATA 1fb41a740-1fb41c000 [ 6K 6K 6K 0K] rw-/rw- SM=COW unused system shared lib __DATA, on dirty page
unused shlib __DATA 1fb41c000-1fb4a2640 [ 538K 506K 0K 0K] rw-/rw- SM=COW system shared lib __DATA not used by this process
__AUTH 1fb4a2640-1fb4a2660 [ 32 32 0K 0K] rw-/rw- SM=COW /usr/lib/system/libcommonCrypto.dylib
__AUTH 1fb4a2660-1fb4a2668 [ 8 8 0K 0K] rw-/rw- SM=COW /usr/lib/libSystem.B.dylib
unused shlib __DATA 1fb4a2668-1fbb2c000 [ 6694K 982K 0K 0K] rw-/rw- SM=COW system shared lib __DATA not used by this process
__AUTH_CONST 1fbb2c000-1fbc08e80 [ 884K 884K 0K 0K] rw-/rw- SM=COW /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation
__OBJC_CONST 1fbc08e80-1fbc0f9f0 [ 27K 27K 0K 0K] rw-/rw- SM=COW /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation
unused shlib __DATA 1fbc0f9f0-1fc288000 [ 6626K 1250K 0K 0K] rw-/rw- SM=COW system shared lib __DATA not used by this process
__OBJC_RW 1fc288000-1fc5a0000 [ 3168K 1616K 16K 0K] rw-/rw- SM=COW /usr/lib/libobjc.A.dylib
__AUTH_CONST 1fc5a0000-1fc5a0030 [ 48 48 0K 0K] r--/rw- SM=COW /usr/lib/system/libsystem_blocks.dylib
__OBJC_CONST 1fc5a0030-1fc5a0390 [ 864 864 0K 0K] r--/rw- SM=COW /usr/lib/system/libsystem_blocks.dylib
__DATA_CONST 1fc5a0390-1fc5a4e20 [ 19K 19K 0K 0K] r--/rw- SM=COW /usr/lib/system/libxpc.dylib
__OBJC_CONST 1fc5a4e20-1fc5a5f90 [ 4K 4K 0K 0K] r--/rw- SM=COW /usr/lib/system/libxpc.dylib
__AUTH_CONST 1fc5a5f90-1fc5a6c90 [ 3328 3328 0K 0K] r--/rw- SM=COW /usr/lib/system/libsystem_trace.dylib
__OBJC_CONST 1fc5a6c90-1fc5a6e40 [ 432 432 0K 0K] r--/rw- SM=COW /usr/lib/system/libsystem_trace.dylib
__AUTH_CONST 1fc5a6e40-1fc5a7f10 [ 4K 4K 0K 0K] r--/rw- SM=COW /usr/lib/system/libcorecrypto.dylib
__AUTH_CONST 1fc5a7f10-1fc5a84e8 [ 1496 1496 0K 0K] r--/rw- SM=COW /usr/lib/system/libsystem_malloc.dylib
unused shlib __TEXT 1fc5a84e8-1fc5a8500 [ 24 24 0K 0K] r--/rw- SM=COW system shared lib __TEXT not used by this process
__DATA_CONST 1fc5a8500-1fc5bb8e8 [ 77K 29K 0K 0K] r--/rw- SM=COW /usr/lib/system/libdispatch.dylib
__OBJC_CONST 1fc5bb8e8-1fc5bc938 [ 4K 4K 0K 0K] r--/rw- SM=COW /usr/lib/system/libdispatch.dylib
unused shlib __TEXT 1fc5bc938-1fc5bc940 [ 8 8 0K 0K] r--/rw- SM=COW system shared lib __TEXT not used by this process
__AUTH_CONST 1fc5bc940-1fc5bd3c8 [ 2696 2696 0K 0K] r--/rw- SM=COW /usr/lib/libobjc.A.dylib
__OBJC_CONST 1fc5bd3c8-1fc5bd698 [ 720 720 0K 0K] r--/rw- SM=COW /usr/lib/libobjc.A.dylib
__AUTH_CONST 1fc5bd698-1fc5bd808 [ 368 368 0K 0K] r--/rw- SM=COW /usr/lib/system/libsystem_featureflags.dylib
__AUTH_CONST 1fc5bd808-1fc5be168 [ 2400 2400 0K 0K] r--/rw- SM=COW /usr/lib/system/libsystem_c.dylib
__AUTH_CONST 1fc5be168-1fc5c02a8 [ 8K 8K 0K 0K] r--/rw- SM=COW /usr/lib/libc++.1.dylib
__AUTH_CONST 1fc5c02a8-1fc5c34b8 [ 13K 13K 0K 0K] r--/rw- SM=COW /usr/lib/libc++abi.dylib
__AUTH_CONST 1fc5c34b8-1fc5c35e0 [ 296 296 0K 0K] r--/rw- SM=COW /usr/lib/system/libsystem_kernel.dylib
__AUTH_CONST 1fc5c35e0-1fc5c3810 [ 560 560 0K 0K] r--/rw- SM=COW /usr/lib/system/libsystem_pthread.dylib
__AUTH_CONST 1fc5c3810-1fc5c3fc8 [ 1976 1976 0K 0K] r--/rw- SM=COW /usr/lib/system/libdyld.dylib
__AUTH_CONST 1fc5c3fc8-1fc5c4250 [ 648 648 0K 0K] r--/rw- SM=COW /usr/lib/system/libsystem_platform.dylib
__AUTH_CONST 1fc5c4250-1fc5c53f0 [ 4K 4K 0K 0K] r--/rw- SM=COW /usr/lib/system/libsystem_info.dylib
unused shlib __TEXT 1fc5c53f0-1fc6e1e10 [ 1139K 947K 0K 0K] r--/rw- SM=COW system shared lib __TEXT not used by this process
__AUTH_CONST 1fc6e1e10-1fc6f3d48 [ 72K 72K 0K 0K] r--/rw- SM=COW /usr/lib/libicucore.A.dylib
__AUTH_CONST 1fc6f3d48-1fc6f41c8 [ 1152 1152 0K 0K] r--/rw- SM=COW /usr/lib/system/libsystem_darwin.dylib
unused shlib __TEXT 1fc6f41c8-1fc70fa80 [ 110K 110K 0K 0K] r--/rw- SM=COW system shared lib __TEXT not used by this process
__AUTH_CONST 1fc70fa80-1fc70fe00 [ 896 896 0K 0K] r--/rw- SM=COW /usr/lib/system/libsystem_notify.dylib
unused shlib __TEXT 1fc70fe00-1fc896a40 [ 1563K 1451K 0K 0K] r--/rw- SM=COW system shared lib __TEXT not used by this process
__AUTH_CONST 1fc896a40-1fc897608 [ 3016 3016 0K 0K] r--/rw- SM=COW /usr/lib/system/libsystem_networkextension.dylib
unused shlib __TEXT 1fc897608-1fc8e5718 [ 312K 136K 0K 0K] r--/rw- SM=COW system shared lib __TEXT not used by this process
__AUTH_CONST 1fc8e5718-1fc8e6160 [ 2632 2632 0K 0K] r--/rw- SM=COW /usr/lib/system/libsystem_asl.dylib
unused shlib __TEXT 1fc8e6160-1fc9af288 [ 804K 724K 0K 0K] r--/rw- SM=COW system shared lib __TEXT not used by this process
__AUTH_CONST 1fc9af288-1fc9af560 [ 728 728 0K 0K] r--/rw- SM=COW /usr/lib/system/libsystem_symptoms.dylib
unused shlib __TEXT 1fc9af560-1fcae6480 [ 1244K 892K 0K 0K] r--/rw- SM=COW system shared lib __TEXT not used by this process
__AUTH_CONST 1fcae6480-1fcae78c0 [ 5K 5K 0K 0K] r--/rw- SM=COW /usr/lib/system/libsystem_containermanager.dylib
unused shlib __TEXT 1fcae78c0-1fcbf6250 [ 1082K 842K 0K 0K] r--/rw- SM=COW system shared lib __TEXT not used by this process
__AUTH_CONST 1fcbf6250-1fcbf6560 [ 784 784 0K 0K] r--/rw- SM=COW /usr/lib/system/libsystem_configuration.dylib
__AUTH_CONST 1fcbf6560-1fcbf6768 [ 520 520 0K 0K] r--/rw- SM=COW /usr/lib/system/libsystem_sandbox.dylib
unused shlib __TEXT 1fcbf6768-1fcc3f8b8 [ 292K 212K 0K 0K] r--/rw- SM=COW system shared lib __TEXT not used by this process
__AUTH_CONST 1fcc3f8b8-1fcc3f9c0 [ 264 264 0K 0K] r--/rw- SM=COW /usr/lib/system/libquarantine.dylib
unused shlib __TEXT 1fcc3f9c0-1fccc6ac0 [ 540K 268K 0K 0K] r--/rw- SM=COW system shared lib __TEXT not used by this process
__AUTH_CONST 1fccc6ac0-1fccc6d50 [ 656 656 0K 0K] r--/rw- SM=COW /usr/lib/system/libsystem_coreservices.dylib
unused shlib __TEXT 1fccc6d50-1fccf2d88 [ 176K 144K 0K 0K] r--/rw- SM=COW system shared lib __TEXT not used by this process
__AUTH_CONST 1fccf2d88-1fccf2da8 [ 32 32 0K 0K] r--/rw- SM=COW /usr/lib/system/libsystem_m.dylib
unused shlib __TEXT 1fccf2da8-1fccf2e28 [ 128 128 0K 0K] r--/rw- SM=COW system shared lib __TEXT not used by this process
__AUTH_CONST 1fccf2e28-1fccf2e98 [ 112 112 0K 0K] r--/rw- SM=COW /usr/lib/system/libmacho.dylib
unused shlib __TEXT 1fccf2e98-1fccf2fb0 [ 280 280 0K 0K] r--/rw- SM=COW system shared lib __TEXT not used by this process
__AUTH_CONST 1fccf2fb0-1fccf3d80 [ 3536 3536 0K 0K] r--/rw- SM=COW /usr/lib/system/libcommonCrypto.dylib
__AUTH_CONST 1fccf3d80-1fccf3e98 [ 280 280 0K 0K] r--/rw- SM=COW /usr/lib/system/libunwind.dylib
__AUTH_CONST 1fccf3e98-1fccf4168 [ 720 720 0K 0K] r--/rw- SM=COW /usr/lib/liboah.dylib
__AUTH_CONST 1fccf4168-1fccf45a0 [ 1080 1080 0K 0K] r--/rw- SM=COW /usr/lib/system/libcopyfile.dylib
__AUTH_CONST 1fccf45a0-1fccf4600 [ 96 96 0K 0K] r--/rw- SM=COW /usr/lib/system/libcompiler_rt.dylib
__AUTH_CONST 1fccf4600-1fccf4750 [ 336 336 0K 0K] r--/rw- SM=COW /usr/lib/system/libsystem_collections.dylib
__AUTH_CONST 1fccf4750-1fccf4a18 [ 712 712 0K 0K] r--/rw- SM=COW /usr/lib/system/libsystem_secinit.dylib
__AUTH_CONST 1fccf4a18-1fccf4b78 [ 352 352 0K 0K] r--/rw- SM=COW /usr/lib/system/libremovefile.dylib
__AUTH_CONST 1fccf4b78-1fccf4bf8 [ 128 128 0K 0K] r--/rw- SM=COW /usr/lib/system/libkeymgr.dylib
__AUTH_CONST 1fccf4bf8-1fccf4db0 [ 440 440 0K 0K] r--/rw- SM=COW /usr/lib/system/libsystem_dnssd.dylib
__AUTH_CONST 1fccf4db0-1fccf4e70 [ 192 192 0K 0K] r--/rw- SM=COW /usr/lib/system/libcache.dylib
__AUTH_CONST 1fccf4e70-1fccf5120 [ 688 688 0K 0K] r--/rw- SM=COW /usr/lib/libSystem.B.dylib
__AUTH_CONST 1fccf5120-1fccf5208 [ 232 232 0K 0K] r--/rw- SM=COW /usr/lib/libfakelink.dylib
__AUTH_CONST 1fccf5208-1fccf5260 [ 88 88 0K 0K] r--/rw- SM=COW /System/Library/PrivateFrameworks/SoftLinking.framework/Versions/A/SoftLinking
unused shlib __TEXT 1fccf5260-1ff928000 [ 44.2M 6603K 0K 0K] r--/rw- SM=COW system shared lib __TEXT not used by this process
Submap 1ff928000-200000000 [ 7008K 0K 0K 0K] r--/r-- SM=PRV process-only VM submap
Now I understand submaps and that all of these mini regions only happened after vmmap specified that the REGION TYPE (first column) was of type Submap and I did try along using mach_vm_region_recurse with depth greater than 0 however that only gave this:
1a2174000 to 1f1b30000
1f3b30000 to 1f669c000
1f869c000 to 1f86bc000
that was extra information - nothing even close to vmmap. I did try looking around and the closest thing I could try to find to fix this problem was the segment_command_64 struct defined as :
struct segment_command_64 { /* for 64-bit architectures */
uint32_t cmd; /* LC_SEGMENT_64 */
uint32_t cmdsize; /* includes sizeof section_64 structs */
char segname[16]; /* segment name */
uint64_t vmaddr; /* memory address of this segment */
uint64_t vmsize; /* memory size of this segment */
uint64_t fileoff; /* file offset of this segment */
uint64_t filesize; /* amount to map from the file */
vm_prot_t maxprot; /* maximum VM protection */
vm_prot_t initprot; /* initial VM protection */
uint32_t nsects; /* number of sections in segment */
uint32_t flags; /* flags */
};
along side the getsectbynamefromheader_64 function but I really couldn't figure anything out as there is 0 documentation for anything.
For parsing Mach-O segments, there is a fair bit of information out on the web about the Mach-O executable file format, which is what you're dealing with here, it's just mapped directly into memory.
Essentially though, each Mach-O segment (
segment_command_64) will contain some number of sections (section_64). The sections are described in an array ofsection_64structs immediately following thesegment_command_64struct. There will bensectsarray entries. You can skip from segment to segment by movingcmdsizebytes ahead in memory. (The number of load commands you will encounter is specified in thencmdsfield of themach_header_64file header. They won't all be segments (cmd == LC_SEGMENT_64) but share theload_commandstruct prefix.The other thing to bear in mind about
vmmapis that it has a whole bunch of special security entitlements which allow it more access to kernel APIs and data structures than most processes:However most of that is for allowing inspection of other processes - I'm not sure if those entitlements enable it to view more information than a regular process can get about itself.