Skip to content
macsyscalls

task_for_pid: macOS's most dangerous Mach trap

How task_for_pid works, why Apple gates it the way it does, and what its entitlement model means for security tooling on macOS.

Published on 5 min read
machtask_for_pidsecuritycode-injectionentitlements

If you wanted to summarize macOS's security model in a single syscall, you'd pick task_for_pid. It's the keystone primitive that, in three calls, gives a process the ability to read, write, and execute code inside any other process on the system. Every code-injection toolkit, every macOS debugger, every memory-scanning EDR — they all start here.

Apple knows this, which is why task_for_pid is one of the most aggressively gated syscalls in the kernel. This post walks through how the trap actually works, why the gates exist, and what changes the answer for offensive and defensive tools alike.

The trap, mechanically

The prototype is small:

kern_return_t task_for_pid(
    mach_port_name_t  target_tport,   // mach_task_self()
    int               pid,            // target process
    mach_port_name_t *t               // out: send right to target's task port
);

You hand the kernel your own task port and a target PID. On success, you get a Mach send right to the target's task port. With that send right in hand, you can call:

  • mach_vm_read — read arbitrary memory from the target.
  • mach_vm_write — write arbitrary memory into the target.
  • mach_vm_allocate + mach_vm_protect — make new RX memory in the target.
  • thread_create_running — start a new thread in the target at any RIP / PC you want.

That's the entire injection toolkit. Everything that calls itself a macOS process-injection technique — osascript-injection, dylib-injection, dyld-cache patching done remotely — uses some variation of these four calls after task_for_pid succeeds.

How the gate actually works

In XNU, task_for_pid() ends up at task_for_pid_posix_check() in bsd/vm/vm_unix.c. The checks, in the order they fire, are roughly:

  1. Self? If pid == getpid(), the call always succeeds — you already own your own task port.
  2. Root + same audit session? A root caller in the same audit session as the target succeeds unconditionally.
  3. AMFI policy hook. AppleMobileFileIntegrity (which, despite the name, has a desktop side) gets to vote. If the caller has the com.apple.system-task-ports entitlement (Apple-only), it succeeds.
  4. Debugger entitlement? If the caller has com.apple.security.cs.debugger and the target has get-task-allow in its entitlements, succeeds. This is the path Xcode takes for debugging.
  5. MACF policy. The MACF framework (where TCC and Endpoint Security plug in) gets the final veto.
  6. Otherwise: KERN_FAILURE. Logged to /var/log/system.log under "Security policy would not allow process".

The takeaway: a non-root caller without entitlements can only get a task port for its own process or for a debug-allowed child it spawned itself. Everything else fails by design.

The Developer Tools shortcut

System Settings → Privacy & Security → Developer Tools is the user-facing path to relaxing the gate. When a user adds a process there, TCC records a per-process exception that satisfies the MACF check at step 5. This is how Charles Proxy, Wireshark, and most performance-profiling tools convince the kernel to hand them task ports for unrelated processes.

For automation, the equivalent is the taskgated-helper plist and the system.privilege.taskport authorization right. Both are well-trodden ground for build-time pipelines.

Why task_name_for_pid is the "safe" cousin

There's a sibling syscall, task_name_for_pid, with a deceptively similar name and a vastly weaker capability. It returns a name-only task port — you can read certain bookkeeping (PID, audit token, basic state) but you cannot read memory, write memory, or change thread state. Apple introduced task_name_for_pid precisely so monitoring tools could enumerate processes without triggering the heavy task_for_pid gate.

Two newer cousins introduced in macOS 11+ went further:

  • task_read_for_pid — a read-only task port. Can mach_vm_read but not mach_vm_write. Used by sample, vmmap, and the Time Profiler.
  • task_inspect_for_pid — even narrower; reads task statistics only.

If you're writing a tool that needs to introspect another process but doesn't need write access, prefer these. They survive sandbox tightening better and trigger fewer security alerts.

What attackers actually do

Public malware reports show two common patterns in 2024–2026:

  1. Live task_for_pid against unrelated PIDs. This is the classic. DazzleSpy, JokerSpy, ChromeLoader-mac, NotLockBit-mac — all chain task_for_pid + mach_vm_write + thread_create_running. It works when the malware is running as root (often via a malicious LaunchDaemon) or when the user has been social-engineered into adding the helper to Developer Tools.

  2. Entitlement abuse via signed-but-shipped binaries. Find an Apple-signed binary that has com.apple.system-task-ports and ship it as a "helper." The 2023 work on Find Any File and the older work on Tunnelblick's suid helper are public examples of this pattern. Apple revokes signatures as these get noticed.

  3. debug_control_port_for_pid (newer). Introduced in macOS 12, this Mach trap returns a task_control_port to entitled debuggers, distinct from the legacy task_for_pid. It's now the path Xcode uses on Apple Silicon. Malware that wants to look like a debugger will reach for this if it can earn the entitlement.

What defenders should watch

Endpoint Security exposes the key events:

  • ES_EVENT_TYPE_AUTH_GET_TASK — fires before the gate decides; you can deny.
  • ES_EVENT_TYPE_NOTIFY_GET_TASK — fires after success; you can record but not block.
  • ES_EVENT_TYPE_AUTH_GET_TASK_NAME and _NOTIFY_GET_TASK_NAME — for the lighter cousins.

A practical detection rule: any NOTIFY_GET_TASK where the caller is not the system debugger (lldb-rpc-server, Xcode.app/Contents/MacOS/Xcode, Activity Monitor, sample, vmmap) and the target is WindowServer, launchd, loginwindow, or any browser process. The false-positive rate is shockingly low.

If you're building tooling around this, the next post in the series, Detecting syscall abuse with macOS Endpoint Security in 2026, walks through the ES side end-to-end.

Where to go next

Related articles

Detecting syscall abuse with macOS Endpoint Security in 2026
Endpoint Security is the modern, supported path for syscall-level detection on macOS — but its event taxonomy doesn't map 1-to-1 with syscalls. Here's the practical mapping for security work.
endpoint-securitymacosedrsecurity
Mach traps vs BSD syscalls: two kernels in one Mac
XNU is a Mach-3 microkernel with a BSD personality bolted on top. That hybrid is why macOS has two distinct syscall families — here's what each is for, and how they differ in practice.
xnumachbsdkernel