How can I obtain another process' ASLR slide on OS X?

Is it possible to obtain a running process' ASLR slide on OS X?

I don't want to somehow disable ASLR (e.g. like gdb), but rather get the offset.


    $ cat > test.c
    #include <stdio.h>

    int test(void) {
        return 42;
    }

    int main(void) {
        /* Print the runtime address of test(); it moves with the ASLR slide. */
        printf("%p: %d\n", (void *)test, test());
        return 0;
    }
    $ gcc test.c -o test

Running test multiple times will confirm that indeed test() has a different address at each run:

    $ ./test
    0x104493e50: 42
    $ ./test
    0x106fe8e80: 42

Note: the method to find the slide shouldn't search the memory of the process or otherwise inspect it, as I need a portable solution working for all executables.


  • Using the functions find_main_binary and get_image_size from the source code of MachOView, you can get the ASLR slide of the process if you have the process' pid and you have root privileges, like so:

    pid_t pid = ...;
    mach_vm_address_t main_address;
    /* Locate the Mach-O header of the main binary in the target process. */
    if(find_main_binary(pid, &main_address) != KERN_SUCCESS) {
        printf("Failed to find address of header!\n");
        return 1;
    }
    uint64_t aslr_slide;
    /* The third argument receives the slide. */
    if(get_image_size(main_address, pid, &aslr_slide) == -1) {
        printf("Failed to find ASLR slide!\n");
        return 1;
    }
    printf("ASLR slide: 0x%llx\n", aslr_slide);

    I have made this into a small utility called get_aslr.
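
The slide is the address at which the main image's Mach-O header is loaded minus the `__TEXT` segment's link-time `vmaddr`. The block below is an added example, not code from the answer, MachOView or get_aslr: it does that arithmetic on header bytes already copied out of the target. The name `macho_slide`, the sample header and the load address 0x104493000 are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MH_MAGIC_64   0xfeedfacfu   /* 64-bit Mach-O magic */
#define LC_SEGMENT_64 0x19u         /* 64-bit segment load command */
/* Layouts as in <mach-o/loader.h>, redeclared to build off macOS (little-endian host). */
struct mh64  { uint32_t magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags, reserved; };
struct seg64 { uint32_t cmd, cmdsize; char segname[16];
               uint64_t vmaddr, vmsize, fileoff, filesize;
               uint32_t maxprot, initprot, nsects, flags; };

/* buf/len: header bytes copied out of the target; load_addr: where they were mapped.
 * Stores load_addr - __TEXT.vmaddr in *slide; returns -1 on malformed input. */
int macho_slide(const uint8_t *buf, size_t len, uint64_t load_addr, uint64_t *slide) {
    struct mh64 mh; struct seg64 sg;
    if (len < sizeof mh) return -1;
    memcpy(&mh, buf, sizeof mh);
    if (mh.magic != MH_MAGIC_64 || mh.sizeofcmds > len - sizeof mh) return -1;
    size_t off = sizeof mh, end = sizeof mh + mh.sizeofcmds;
    for (uint32_t i = 0; i < mh.ncmds; i++) {
        uint32_t lc[2];                           /* cmd, cmdsize */
        if (end - off < sizeof lc) return -1;
        memcpy(lc, buf + off, sizeof lc);
        if (lc[1] < sizeof lc || lc[1] > end - off) return -1;
        if (lc[0] == LC_SEGMENT_64 && lc[1] >= sizeof sg) {
            memcpy(&sg, buf + off, sizeof sg);
            if (strncmp(sg.segname, "__TEXT", 16) == 0) {
                *slide = load_addr - sg.vmaddr;   /* runtime base minus link-time base */
                return 0;
            }
        }
        off += lc[1];
    }
    return -1;                                    /* no __TEXT segment */
}

/* Constructed sample header: __PAGEZERO, then __TEXT linked at 0x100000000. */
static const struct { struct mh64 mh; struct seg64 seg[2]; } SAMPLE = {
    { MH_MAGIC_64, 0, 0, 2, 2, 2 * sizeof(struct seg64), 0, 0 },
    { { LC_SEGMENT_64, sizeof(struct seg64), "__PAGEZERO", 0, 0x100000000ull },
      { LC_SEGMENT_64, sizeof(struct seg64), "__TEXT", 0x100000000ull, 0x1000 } } };

int main(void) {
    uint64_t slide = 0;                           /* load address below is constructed */
    int rc = macho_slide((const uint8_t *)&SAMPLE, sizeof SAMPLE, 0x104493000ull, &slide);
    printf("rc=%d slide=0x%llx\n", rc, (unsigned long long)slide);
    return rc != 0;
}
```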