Catching Mach system calls using dtruss


I ran dtruss on vmmap, which is a process that reads the virtual memory of another remote process.

I would expect some of the mach_port system calls to appear in the output of my command, but couldn't trace any (i.e. mach_vm_read, task_for_pid, etc.).

The exact command I ran (note that dtruss is a wrapper script around dtrace on OS X):

sudo dtruss vmmap <pid_of_sample_process>  

The input argument for vmmap is just the pid of any running process, and the OS version I use is 10.10 (in 10.11 there's an entitlement issue when running dtruss on Apple products such as vmmap).

Perhaps someone can tell me how to identify the system call I'm looking for. Should I look for the explicit name in the dtruss output, or just the general call number of my desired syscall (sadly, I haven't found any of them):

./bsd/kern/trace.codes:0xff004b10       MSG_mach_vm_read

There is 1 answer

Ken Thomases (best answer)

It looks to me like it's not using Mach APIs. It's using the libproc interface. I'm seeing many proc_info() syscalls, which is what's behind library calls like proc_pidinfo().

I used:

sudo dtrace -n 'pid$target::proc_*:entry {}' -c 'vmmap <some PID>'

to trace the various libproc functions being called. I see calls to proc_name(), proc_pidpath(), and proc_pidinfo() to get information about the target process and then calls to proc_regionfilename() to get information about the VM regions.

By the way, vmmap doesn't read the memory of the other process, it just reports information about the VM regions, not their contents. So, I wouldn't expect to see mach_vm_read() or the like.
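The answer's one-liner only watches the libproc entry points. The DTrace script below, an added example that is not code from the question or the answer, widens that to show in one run why dtruss came up empty: dtruss is built on the syscall provider, which only sees BSD system calls such as proc_info, while Mach traps (task_for_pid, mach_msg_trap) live under the separate mach_trap provider, and mach_vm_read is not a trap at all but a MIG routine carried inside mach_msg_trap, so the only place it can be matched by name is its user-space stub via the pid provider. The script assumes a macOS system where dtrace can attach to the traced binary (on 10.11 and later, SIP blocks this for Apple-signed tools like vmmap unless it is disabled); the file name trace_vmmap.d and the use of an empty module field in the pid probes are choices made for this example.

```d
#!/usr/sbin/dtrace -s
/*
 * trace_vmmap.d (added example, not from the original post). Run as:
 *   sudo dtrace -s trace_vmmap.d -c 'vmmap <pid>'
 * With -c, $target is the pid of the vmmap process dtrace launches, and the
 * END clause fires when that process exits.
 */
#pragma D option quiet

/* BSD syscalls: this is the provider dtruss wraps, so these are the only
 * calls dtruss could ever have shown. proc_info is what proc_pidinfo(),
 * proc_name(), proc_pidpath() and proc_regionfilename() are built on. */
syscall:::entry
/pid == $target/
{
    @bsd[probefunc] = count();
}

/* Mach traps are a different provider that dtruss never consults.
 * task_for_pid is a real trap; mach_vm_read is not, it is a MIG message
 * sent through mach_msg_trap, so it can only appear here as mach_msg_trap. */
mach_trap:::entry
/pid == $target/
{
    @mach[probefunc] = count();
}

/* The user-space stubs in the target are the only place the MIG routine
 * name exists. If vmmap never calls mach_vm_read, this prints nothing,
 * which is the answer's point. Module field left empty to match any dylib. */
pid$target::mach_vm_read:entry,
pid$target::task_for_pid:entry
{
    printf("Mach API stub called: %s\n", probefunc);
}

/* The libproc calls the answer identified, with their first argument
 * (the pid being queried) so you can see they all target the same process. */
pid$target::proc_name:entry,
pid$target::proc_pidpath:entry,
pid$target::proc_pidinfo:entry,
pid$target::proc_regionfilename:entry
{
    printf("libproc: %s(pid=%d)\n", probefunc, arg0);
}

END
{
    printf("\nBSD syscalls (what dtruss is able to show):\n");
    printa("  %-28s %@d\n", @bsd);
    printf("\nMach traps (invisible to dtruss):\n");
    printa("  %-28s %@d\n", @mach);
}
```

Reading the two summaries side by side answers the question asked at the top: the proc_info count lands in the BSD table, the Mach table holds only mach_msg_trap traffic for ordinary runtime messaging, and no mach_vm_read stub entry is printed. If you do need to catch a program that genuinely reads another task's memory, the pid$target::mach_vm_read:entry probe (or mach_trap::task_for_pid:entry for the capability acquisition) is the probe to keep; grepping dtruss output for the trace.codes number from bsd/kern/trace.codes will not find it, since those codes belong to kdebug (ktrace) rather than to DTrace.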