task_info() isn't available from the kernel unless you create an export for it, which is a pain in the butt.
I referred to it only because I thought it could give you some insight on what the kernel can do.
Like I said, there is some code sample that retrieves the list of loaded modules via task_info() and via direct access to the memory. If I can find it again, I'll send the link out.
There is also a library that you could check in the private frameworks: CoreSymbolication.
This is used by vmmap to display the info about any process. This is also user mode stuff but it's quite interesting to open it with IDA pro and do a little RE :)
--Manu
> From: email@hidden
> To: email@hidden
> CC: email@hidden; email@hidden; email@hidden
> CC:
> Subject: Re: accessing argv on exec
> Date: Wed, 12 Nov 2014 10:45:41 -0800
>
>
> On Tue, Nov 11 2014 at 22:52, Manu . wrote:
> > You may also want to look at task_info. While it only gives you the all loaded images list, there is some code that
> > you can find which can use task_info or get the offset of the structure in memory. There is a gContext variable in
> > dyld that contains argv[] so if one can retrieve the loaded modules structure address, it should be possible to get
> > the rest. Kind of wish that the arguments would be kept in the proc_t and made available (like on Windows EPROCESS
> > -> PEB -> command line), alas it's not the case.
>
> Hey Manu,
>
> I'm probably missing something super obvious, but task_info() doesn't
> appear to be resolvable from a kext. Were you suggesting doing this from
> userspace?
>
> > Date: Tue, 11 Nov 2014 16:25:46 -0800
> > Subject: Re: accessing argv on exec
> > From: email@hidden
> > To: email@hidden
> > CC: email@hidden; email@hidden
>
>
> > Hi Peter,Here's some simple code form the days of 10.6. I expect it should still work with minor tweaks (and
> > commenting the printfs).
>
> This is awesome! Thanks, Evan.