You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: src/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-memory-dumping.md
+71Lines changed: 71 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -102,6 +102,28 @@ For more background on obtaining a task port and what can be done with it:
# Inspect memory layout before deciding between a full core and a selective dump
118
+
vmmap <pid>
119
+
```
120
+
121
+
Operationally, this usually means:
122
+
123
+
- A third-party app shipped with **`get-task-allow`** is often directly dumpable with LLDB, and the resulting dump may expose TCC-protected data that the app already accessed.
124
+
- A **hardened** target without `get-task-allow` will commonly reject attaches, even as `root`, unless you control the relevant debugger entitlements / policy path.
125
+
- Unhardened third-party processes are still the easiest place to use `lldb`, `vmmap`, Frida, or custom `task_for_pid`/`vm_read` readers.
126
+
105
127
## Selective dumps with Frida or userland readers
106
128
107
129
When a full core is too noisy, dumping only **interesting readable ranges** is often faster. Frida is especially useful because it works well for **targeted extraction** once you can attach to the process.
@@ -134,6 +156,55 @@ This is useful when you want to avoid giant core files and only collect:
134
156
135
157
Older userland tools such as [`readmem`](https://github.com/gdbinit/readmem) also exist, but they are mainly useful as **source references** for direct `task_for_pid`/`vm_read` style dumping and are not well-maintained for modern Apple Silicon workflows.
136
158
159
+
## Heap / VM snapshots with `.memgraph`
160
+
161
+
If you mainly care about **heap objects**, **allocation provenance**, or a snapshot that can be moved to another machine, a `.memgraph` is often more practical than a giant Mach-O core. The `leaks` tooling can generate one from a live process:
162
+
163
+
```bash
164
+
# Capture a memory graph from a live process
165
+
leaks <pid> -outputGraph /tmp/target.memgraph
166
+
167
+
# Include richer object content when you expect to inspect strings / heap data offline
Then triage it offline with standard Apple tooling:
172
+
173
+
```bash
174
+
vmmap /tmp/target.memgraph
175
+
heap /tmp/target.memgraph
176
+
stringdups /tmp/target-full.memgraph
177
+
malloc_history /tmp/target.memgraph 0xADDR
178
+
```
179
+
180
+
`stringdups` is the main reason to keep a `-fullContent` capture around, because the labels describing memory contents are omitted from a minimal `.memgraph`.
181
+
182
+
This is especially useful when:
183
+
184
+
- You want a **smaller, shareable snapshot** instead of a full core
185
+
-`MallocStackLogging` was enabled and you want **allocation backtraces**
186
+
- You already know an **interesting heap address** and want to pivot with `malloc_history`
187
+
- You need a quick **VM/heap breakdown** before deciding whether a full dump is worth the noise
188
+
189
+
## Swift-heavy targets: `swift-inspect`
190
+
191
+
For applications that keep high-value data inside **Swift runtime objects**, `swift-inspect` can be a good complement to LLDB or Frida. Instead of dumping everything first, you can query specific Swift runtime structures from a live process:
192
+
193
+
```bash
194
+
# Usually available from the Xcode / Swift toolchain
- Metadata allocations that reveal types loaded at runtime
204
+
- Swift concurrency state (`Task`, actor, thread relationships) before doing a more targeted dump
205
+
206
+
For more object-level runtime triage once you can already inspect the process, check [the dedicated page on objects in memory](../macos-apps-inspecting-debugging-and-fuzzing/objects-in-memory.md).
207
+
137
208
## Quick triage notes
138
209
139
210
-`sysctl vm.swapusage` is still a quick way to check **swap usage** and whether swap is **encrypted**.
0 commit comments