Question

Is it possible to obtain a running process' ASLR slide on OS X?

I don't want to somehow disable ASLR (eg. like gdb), but rather get the offset.

Example:

$ cat > test.c
#include <stdio.h>

int test(void) {
    return 42;
}

int main(void) {
    getchar();   /* block here so the running process can be inspected */
    /* %p expects a void *, so cast the function pointer for a clean build */
    printf("%p: %d\n", (void *)test, test());
    return 0;
}
$ gcc test.c -o test

Running test multiple times will confirm that indeed test() has a different address at each run:

$ ./test
^D
0x104493e50: 42
$ ./test
^D
0x106fe8e80: 42

Note: the method to find the slide shouldn't search the memory of the process or otherwise inspect it, as I need a portable solution working for all executables.

Solution

Using the functions find_main_binary and get_image_size from Attach.mm in the source code of MachOView, you can get the ASLR slide of the process if you have the process' pid and you have root privileges like so:

/* Needs <mach/mach.h> (mach_vm_address_t, KERN_SUCCESS) and the
 * find_main_binary / get_image_size helpers from MachOView's Attach.mm.
 * Requires root so that the target task can be attached to. */
pid_t pid = ...;

/* Locate the Mach-O header of the target's main executable */
mach_vm_address_t main_address;
if(find_main_binary(pid, &main_address) != KERN_SUCCESS) {
    printf("Failed to find address of header!\n");
    return 1;
}

/* Derive the ASLR slide of the image whose header sits at main_address */
uint64_t aslr_slide;
if(get_image_size(main_address, pid, &aslr_slide) == -1) {
    printf("Failed to find ASLR slide!\n");
    return 1;
}

printf("ASLR slide: 0x%llx\n", aslr_slide);

I have made this into a small utility called get_aslr.
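The computation behind the answer above, as an added example that is not part of the original answer, of MachOView or of the get_aslr utility: for a 64-bit Mach-O image the slide is the difference between the address at which the header was actually observed and the preferred address recorded in the image's __TEXT segment (0x100000000 for a typical 64-bit main executable). The struct and constant definitions mirror <mach-o/loader.h> so the parser compiles anywhere; the header bytes are a constructed sample, and the observed address 0x104493000 is an assumption. Obtaining real bytes from another process (task_for_pid on the pid, then reading the header page) is macOS-specific and left out here; because those bytes come from a foreign process, every load-command offset is bounds-checked before use.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Mirrors <mach-o/loader.h>; redefined so this builds on any platform. */
#define MH_MAGIC_64     0xfeedfacfu
#define MH_EXECUTE      0x2u
#define MH_PIE          0x200000u
#define LC_SEGMENT_64   0x19u
#define CPU_TYPE_X86_64 0x01000007

struct mach_header_64 {
    uint32_t magic, cputype, cpusubtype, filetype;
    uint32_t ncmds, sizeofcmds, flags, reserved;
};
struct load_command { uint32_t cmd, cmdsize; };
struct segment_command_64 {
    uint32_t cmd, cmdsize;
    char     segname[16];
    uint64_t vmaddr, vmsize, fileoff, filesize;
    uint32_t maxprot, initprot, nsects, flags;
};

/* slide = observed header address - preferred __TEXT vmaddr.
 * Returns 0 and sets *slide on success, -1 if buf is not a well-formed
 * MH_EXECUTE header with a __TEXT segment inside the first len bytes. */
int compute_slide(const uint8_t *buf, size_t len,
                  uint64_t observed_header_addr, uint64_t *slide)
{
    struct mach_header_64 mh;
    if (len < sizeof mh) return -1;
    memcpy(&mh, buf, sizeof mh);                 /* memcpy: no unaligned reads */
    if (mh.magic != MH_MAGIC_64 || mh.filetype != MH_EXECUTE) return -1;
    if (mh.sizeofcmds > len - sizeof mh) return -1;

    size_t off = sizeof mh, end = off + mh.sizeofcmds;
    for (uint32_t i = 0; i < mh.ncmds; i++) {
        struct load_command lc;
        if (end - off < sizeof lc) return -1;    /* ncmds overruns sizeofcmds */
        memcpy(&lc, buf + off, sizeof lc);
        if (lc.cmdsize < sizeof lc || lc.cmdsize > end - off) return -1;
        if (lc.cmd == LC_SEGMENT_64 && lc.cmdsize >= sizeof(struct segment_command_64)) {
            struct segment_command_64 seg;
            memcpy(&seg, buf + off, sizeof seg);
            if (strncmp(seg.segname, "__TEXT", sizeof seg.segname) == 0) {
                /* the loader only ever adds to the preferred address */
                if (observed_header_addr < seg.vmaddr) return -1;
                *slide = observed_header_addr - seg.vmaddr;
                return 0;
            }
        }
        off += lc.cmdsize;
    }
    return -1;                                   /* no __TEXT segment found */
}

/* Constructed sample: a PIE main-executable header with __PAGEZERO and
 * __TEXT laid out as the macOS toolchain emits them. Returns bytes written,
 * or 0 if cap is too small. */
size_t build_sample_header(uint8_t *out, size_t cap)
{
    struct mach_header_64 mh = {0};
    struct segment_command_64 pagezero = {0}, text = {0};
    size_t total = sizeof mh + sizeof pagezero + sizeof text;
    if (cap < total) return 0;

    pagezero.cmd = LC_SEGMENT_64;  pagezero.cmdsize = sizeof pagezero;
    memcpy(pagezero.segname, "__PAGEZERO", 10);
    pagezero.vmaddr = 0;           pagezero.vmsize = 0x100000000ULL;

    text.cmd = LC_SEGMENT_64;      text.cmdsize = sizeof text;
    memcpy(text.segname, "__TEXT", 6);
    text.vmaddr = 0x100000000ULL;  text.vmsize = 0x1000;
    text.maxprot = text.initprot = 5;            /* VM_PROT_READ | VM_PROT_EXECUTE */

    mh.magic = MH_MAGIC_64;        mh.cputype = CPU_TYPE_X86_64;
    mh.filetype = MH_EXECUTE;      mh.ncmds = 2;
    mh.sizeofcmds = (uint32_t)(sizeof pagezero + sizeof text);
    mh.flags = MH_PIE;

    memcpy(out, &mh, sizeof mh);
    memcpy(out + sizeof mh, &pagezero, sizeof pagezero);
    memcpy(out + sizeof mh + sizeof pagezero, &text, sizeof text);
    return total;
}

/* Slide of the sample image if its header was observed at `observed`,
 * or UINT64_MAX when validation fails. */
uint64_t sample_slide_for(uint64_t observed)
{
    uint8_t buf[256];
    uint64_t slide;
    size_t n = build_sample_header(buf, sizeof buf);
    if (n == 0 || compute_slide(buf, n, observed, &slide) != 0) return UINT64_MAX;
    return slide;
}

int main(void)
{
    /* Assumed observation: the header of ./test from the question landed at
     * 0x104493000, the page containing the 0x104493e50 printed for test(). */
    uint64_t observed = 0x104493000ULL;
    printf("ASLR slide: 0x%llx\n", (unsigned long long)sample_slide_for(observed));
    return 0;
}
```

With the assumed observation the slide comes out as 0x4493000; feeding compute_slide a header page read from a live task gives the same number the answer's helpers report, and a truncated or non-executable header is rejected instead of being read past its end.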

OTHER TIPS

No, that would defeat the purpose of ASLR.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow