WriteProcessMemory equivalent on OS X

Question

I am using method hooking/detour in my library.

What would be the solution for method hooking/detour on OS X since WriteProcessMemory/ReadProcessMemory are Windows API functions?

Edit:

Ok, let me put a bit more information here so it gets clearer why I am asking that question:

In an upcoming feature in my DSharp library I have this code:

procedure FreeInstance(Self: TObject);
begin
  ...

  Self.CleanupInstance;
  FreeMem(Pointer(Self));
end;

var
  FreeInstanceBackup: TXRedirCode;

initialization
  ...
  HookCode(@TObject.FreeInstance, @FreeInstance, FreeInstanceBackup);

finalization
  UnhookCode(@TObject.FreeInstance, FreeInstanceBackup);
  ...

end.

Fact is, I need to hook into the TObject.FreeInstance method to be notified of every object destruction (yes I know, it might not be called if someone decides to override it and does not call inherited).

Another unit that uses the WriteProcessMemory is ReturnTypePatch.pas which fixes QC #98687 which is nessecary for Mocking libraries like mine and Delphi Mocks from Vincent Parrett (he basically had a user reporting that problem before we both were aware of that problem).

Yet another use of WriteProcessMemory is in the AOP part of DSharp where I basically replace the VMT of a class with the proxy class VMT that is created from the TVirtualMethodInterceptor class from the RTTI. With TVirtualMethodInterceptor you can only proxify an existing object - my implementation does that for the whole class (so all existing and future objects, even if inherited).

In all cases the memory cannot be written by using Move because they are protected (getting AV when replacing WriteProcessMemory with a call to CopyMemory).

Hope that was enough information on what I am doing with these functions - and someone can point me to a solution that will work on OS X (unfortunately I don't have one so I cannot test anything).

Answer 1

The most direct equivalent to WriteProcessMemory/ReadProcessMemory are the Mach calls vm_write/vm_read. Instead of an HPROCESS you need a Mach task (which you can get via task_for_pid), and of course there are lots of little differences.

Since Apple has helpfully removed the manpages for these functions, and not documented them in any of the Xcode docsets, you have to deal with the slightly-out-of-date non-Apple Mach/MK/Gnu-Mach documentation, the header file comments (which are pretty good), and/or third-party articles like http://www.uninformed.org/?v=4&a=3 and http://www.phrack.org/issues.html?issue=66&id=16 (you can probably guess just from the URLs who their target audience is). But it's pretty easy. Porting a "memory cheat tool" from Windows to Mac, you'd spend a lot more time rewriting the GUI than implementing the low-level stuff.

But this may not be the best way to do method hooking. Especially if you're hooking ObjC methods, but even for C APIs. Describe what you want to do in more detail, and I can provide better alternatives.