方式一：
通过mach_vm_region系统API
参考代码：https://github.com/davidrhodus/misc/blob/master/iOS-internals/vmmap.c

#include <mach/vm_map.h>
#include <stdio.h>#include <mach-o/dyld_images.h>/*** vmmap(1) clone for OS X and iOS* -------------------------------** This is a simple example of using the mach_vm_region_info APIs in order to * obtain a process' (technically, a task's) virtual memory address space, in a* manner akin to /proc/[pid]/maps on Linux.** The process is simple - get the task port, then call mach_vm_region_info until* you've exhausted the address space (in iOS this happens around 0x40000000, * where the commpage is). On iOS 6, for some peculiar reason the task port is* invalidated after each call, so the quick workaround here solves the problem* by regetting the port. The actual mach error code to check for is in the header* files, though the code simply tries regetting.** N.B - For this code to work, you MUST provide the entitlements to allow * task-for-pid to work, else you'll fail with error 5. The entitlements are in * the output in Chapter 3, but for those of you who haven't bought the book, it would be:*
--- Cut here <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict><key>com.apple.springboard.debugapplications</key><true/><key>get-task-allow</key><true/><key>proc_info-allow</key><true/><key>task_for_pid-allow</key><true/><key>run-unsigned-code</key><true/>
</dict>
</plist>--- Ok, enough :-)**  so - copy the above XML to a file, say, "ent.xml", and be sure to run "ldid -Sent.xml vmmap"*  before trying to run this. You can download the binary (already thus signed) if you're lazy*  (and trust me, because you *will* need root on your i-Device for this)**  As the book clearly states, once you have the task port, the world is your oyster. You can*  control the entire virtual memory space, reading and writing it as you please. Stay tuned*  for the corrupt tool (which will be provided soon in binary form)**/int g_pid = 0; // required in iOS 6 (read below)/* 03/08/13 - Added List of Mach-O images: */struct dyld_image_info *g_dii = NULL;
int     g_imageCount;
//读取进程内存数据
unsigned char *
readProcessMemory (int pid, mach_vm_address_t addr, mach_msg_type_number_t *size)
{// Helper function to read process memory (a la Win32 API of same name)// To make it easier for inclusion elsewhere, it takes a pid, and// does the task_for_pid by itself. Given that iOS invalidates task ports// after use, it's actually a good idea, since we'd need to reget anywaytask_t  t;//获取进程中的任务task_for_pid(mach_task_self(),pid, &t);mach_msg_type_number_t  dataCnt = size;vm_offset_t readMem;// Use vm_read, rather than mach_vm_read, since the latter is different// in iOS.//获取内存kern_return_t kr = vm_read(t,        // vm_map_t target_task,  任务addr,     // mach_vm_address_t address, 任务中对应地址*size,     // mach_vm_size_t size&readMem,     //vm_offset_t *data,size);     // mach_msg_type_number_t *dataCntif (kr) {// DANG..fprintf (stderr, "Unable to read target task's memory @%p - kr 0x%x\n" , addr, kr);return NULL;}return ( (unsigned char *) readMem);}kern_return_t mach_vm_read (vm_map_t, mach_vm_address_t, mach_vm_size_t, vm_offset_t *, mach_msg_type_number_t *);
//暴利搜索内存
void
findListOfBinaries(task_t  t, mach_vm_address_t    addr, int size)
{kern_return_t kr;mach_msg_type_number_t  dataCnt = size;// 读取指定内存地址上指定大小的内容unsigned char *readData = readProcessMemory (g_pid, addr, &dataCnt);int machsig = 0xfeedface;// Checking only 0xfeedfa is a simple way to catch both 64-bit (facf) and 32-bit (face) headers// Machine endianness is automatically taken care of, too..// 判断是否是macho头if (readData && memcmp (readData + 1, ((unsigned char *) &machsig) + 1 , 3) == 0){// This is a Mach headerint i = 0;// A MUCH better way would be to iterate through the LC and find the name of dyld// but this would require my machlib.c (closed source) and really get the same result.// This works because on both iOS and OS X dyld is at /usr/lib.for (i = 0; i <dataCnt; i++){   // 循环比较内存内容是否是"lib/dyld"if (memcmp(readData+i, "lib/dyld", 8) == 0){unsigned int dyld_all_image_infos_offset ;int imageCount = 0;// 拷贝导入模块信息memcpy (&dyld_all_image_infos_offset, readData+DYLD_ALL_IMAGE_INFOS_OFFSET_OFFSET, sizeof (unsigned int));struct dyld_all_image_infos *dyldaii ;// Safeguard: should check that dyld_all_image_infos_offset is < size..if (dyld_all_image_infos_offset > size){// This is to be expected, since the dyld_all_image_infos is in a data region//printf ("Offset %x is greater than region size : %x\n", dyld_all_image_infos_offset, size);dataCnt = sizeof(dyld_all_image_infos);readData = readProcessMemory (g_pid, addr + dyld_all_image_infos_offset , &dataCnt);if (!readData) { return;}dyldaii = (struct dyld_all_image_infos *) readData;}else{dyldaii = (struct dyld_all_image_infos *) (readData +dyld_all_image_infos_offset);}printf ("Version: %d, %d images at offset %p\n",dyldaii->version, dyldaii->infoArrayCount, dyldaii->infoArray);// Go to dyldaii->infoArray addressimageCount = dyldaii->infoArrayCount;// 保存导入模块信息dataCnt = imageCount * sizeof(struct dyld_image_info);g_dii = (struct dyld_image_info *) malloc (dataCnt);g_imageCount = imageCount;readData = readProcessMemory(g_pid, dyldaii->infoArray, &dataCnt);if (!readData) { return;}struct dyld_image_info *dii = (struct dyld_image_info *) readData;// We don't need i anymore, anywayfor (i = 0; i < imageCount; i++){dataCnt = 1024;char *imageName = readProcessMemory (g_pid, dii[i].imageFilePath, &dataCnt);if (imageName) g_dii[i].imageFilePath = strdup(imageName);else g_dii[i].imageFilePath = NULL;g_dii[i].imageLoadAddress = dii[i].imageLoadAddress;}break;}}}}/* End 03/08/13 */
char *
behavior_to_text (vm_behavior_t b)
{switch (b){case VM_BEHAVIOR_DEFAULT: return("default");case VM_BEHAVIOR_RANDOM:  return("random");case VM_BEHAVIOR_SEQUENTIAL: return("fwd-seq");case VM_BEHAVIOR_RSEQNTL: return("rev-seq");case VM_BEHAVIOR_WILLNEED: return("will-need");case VM_BEHAVIOR_DONTNEED: return("will-need");case VM_BEHAVIOR_FREE: return("free-nowb");case VM_BEHAVIOR_ZERO_WIRED_PAGES: return("zero-wire");case VM_BEHAVIOR_REUSABLE: return("reusable");case VM_BEHAVIOR_REUSE: return("reuse");case VM_BEHAVIOR_CAN_REUSE: return("canreuse");default: return ("?");}}
//内存属性
char *
protection_bits_to_rwx (vm_prot_t p)
{// previous version of this somehow lost the "p&", always returning rwx..static char returned[4];returned[0] = (p &VM_PROT_READ    ? 'r' : '-');returned[1] = (p &VM_PROT_WRITE   ? 'w' : '-');returned[2] = (p & VM_PROT_EXECUTE ? 'x' : '-');returned[3] = '\0';// memory leak here. No biggyreturn (strdup(returned));}
//当前内存状态
const char *
unparse_inheritance (vm_inherit_t i)
{switch (i){case VM_INHERIT_SHARE:return "share";case VM_INHERIT_COPY:return "copy";case VM_INHERIT_NONE:return "none";default:return "???";}
}macosx_debug_regions (task_t task, mach_vm_address_t address, int max)
{kern_return_t kret;mach_vm_address_t prev_address;/* @TODO: warning - potential overflow here - gotta fix this.. */vm_region_basic_info_data_t prev_info,info;mach_vm_size_t size, prev_size;mach_port_t object_name;mach_msg_type_number_t count;//模块总共读的块数int nsubregions = 0;// 已遍历的模块数int num_printed = 0;count = VM_REGION_BASIC_INFO_COUNT_64;kret = mach_vm_region (task, &address, &size, VM_REGION_BASIC_INFO,(vm_region_info_t) &info, &count, &object_name);if (kret != KERN_SUCCESS){printf ("mach_vm_region: Error %d - %s", kret, mach_error_string(kret));return;}//保存上一次遍历的模块信息memcpy (&prev_info, &info, sizeof (vm_region_basic_info_data_t));prev_address = address;prev_size = size;// 已获取1块nsubregions = 1;for (;;){int print = 0;int done = 0;address = prev_address + prev_size;/* Check to see if address space has wrapped around. */// 遍历模块结束if (address == 0){ print = done = 1;}if (!done){// Even on iOS, we use VM_REGION_BASIC_INFO_COUNT_64. This works.count = VM_REGION_BASIC_INFO_COUNT_64;// 读取从address开始的第一个正确的模块信息，注意这里可能不是一个模块头kret =mach_vm_region (task, &address, &size, VM_REGION_BASIC_INFO,(vm_region_info_t) &info, &count, &object_name);if (kret != KERN_SUCCESS){/* iOS 6 workaround - attempt to reget the task port to avoiD *//* "(ipc/send) invalid destination port" (1000003 or something) */task_for_pid(mach_task_self(),g_pid, &task);// 重新获取一遍kret =mach_vm_region (task, &address, &size, VM_REGION_BASIC_INFO,(vm_region_info_t) &info, &count, &object_name);}if (kret != KERN_SUCCESS){fprintf (stderr,"mach_vm_region failed for address %p - Error: %x\n", address,(kret));size = 0;if (address >= 0x4000000) return;print = done = 1;}}// 如果上一个内存起始地址+内存大小！=当前的地址，说明是新的模块if (address != prev_address + prev_size)print = 1;// 如果内存属性不同，说明是新的模块if ((info.protection != prev_info.protection)|| (info.max_protection != prev_info.max_protection)|| (info.inheritance != prev_info.inheritance)|| (info.shared != prev_info.reserved)|| (info.reserved != prev_info.reserved))print = 1;//如果是新的模块，获取它的其它信息if (print){int   print_size;char *print_size_unit;if (num_printed == 0)printf ("Region ");elseprintf ("   ... ");findListOfBinaries(task, prev_address, prev_size);/* Quick hack to show size of segment, which GDB does not */print_size = prev_size;if (print_size > 1024) { print_size /= 1024; print_size_unit = "K"; }if (print_size > 1024) { print_size /= 1024; print_size_unit = "M"; }if (print_size > 1024) { print_size /= 1024; print_size_unit = "G"; }/* End Quick hack */printf (" %p-%p [%d%s](%s/%s; %s, %s, %s) %s",(prev_address),(prev_address + prev_size),print_size,print_size_unit,protection_bits_to_rwx (prev_info.protection),protection_bits_to_rwx (prev_info.max_protection),unparse_inheritance (prev_info.inheritance),prev_info.shared ? "shared" : "private",prev_info.reserved ? "reserved" : "not-reserved",behavior_to_text (prev_info.behavior));if (nsubregions > 1)printf (" (%d sub-regions)", nsubregions);printf ("\n");// 把此次内存信息保存起来prev_address = address;prev_size = size;memcpy (&prev_info, &info, sizeof (vm_region_basic_info_data_t));nsubregions = 1;num_printed++;}else{//如果不是新的模块，只增加模块大小prev_size += size;nsubregions++;}if ((max > 0) && (num_printed >= max)){printf ("Max %d num_printed %d\n", max, num_printed);done = 1;}if (done)break;}
}void
main(int argc, char **argv)
{struct vm_region_basic_info vmr;kern_return_t   rc;mach_port_t task;mach_vm_size_t  size = 8;vm_region_info_t    info = (vm_region_info_t) malloc(10000);mach_msg_type_number_t  info_count;mach_port_t     object_name;//初始值设为1mach_vm_address_t   addr =1;int pid;//需要提供参数1为目标进程的PIDif (!argv[1]) { printf ("Usage: %s <PID>\n"); exit (1);}//把参数1转换成pidpid = atoi(argv[1]);g_pid = pid; // req for iOS 6// 获取目标进程的taskrc = task_for_pid(mach_task_self(),pid, &task);if (rc) { fprintf (stderr, "task_for_pid() failed with error %d - %s\n", rc, mach_error_string(rc)); exit(1); }printf ("RC %d - Task: %d\n",rc, task);macosx_debug_regions (task, addr, 1000);int i ;for ( i = 0; i < g_imageCount; i++){printf("Image: %s loaded @%p\n",g_dii[i].imageFilePath, g_dii[i].imageLoadAddress);}printf("Done\n");}

方式二：
通过_dyld_getimage*系列API

头文件：dyld.h
函数原型：
//获取当前进程加载的模块数。
uint32_t                    _dyld_image_count(void);
//获取内存中某个模块的头部指针。
const struct mach_header*   _dyld_get_image_header(uint32_t image_index);
//获取内存中某个模块的slide值。
intptr_t                    _dyld_get_image_vmaddr_slide(uint32_t image_index);
// 获取内存中某个模块的名称。
const char*                 _dyld_get_image_name(uint32_t image_index);
实现：
#import
int32_t nModNums= _dyld_image_count();
const char *pszModName = NULL;
intptr_t pModSlide = 0;
const struct mach_header* pModHeader = NULL;for (uint32_t i = 0; i < nModNums; i++)
{
pModSlide  = _dyld_get_image_vmaddr_slide(i);
pszModName = _dyld_get_image_name(i);
pModHeader = _dyld_get_image_header(i);
}