Mach trap #-45 · Introduced in macOS 10.0 Cheetah

svc · mach trap -45

task_for_pid

Returns a Mach task port for the process with the given PID — the keystone primitive for cross-process memory access on macOS.

Prototype

kern_return_t task_for_pid(mach_port_name_t target_tport, int pid, mach_port_name_t *t);

Returns: kern_return_t — KERN_SUCCESS, or KERN_FAILURE / KERN_INVALID_ARGUMENT on denial

Arguments

| Name | Type | Dir | Description |
|---|---|---|---|
| target_tport | mach_port_name_t | in | Caller's own task port (mach_task_self()). |
| pid | int | in | Target process identifier. |
| t | mach_port_name_t * | out | Receives the task port name (send right) on success. |

Version history

Not present in any released XNU version.

User-space stub

arm64

; libsystem_kernel.dylib: _task_for_pid
mov     x16, #-45
svc     #0x80
ret

x86_64

mov     eax, 0x100002D  ; SYSCALL_CLASS_MACH | 45
syscall
ret

Examples

C — get task port for the active PID

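#include <stdio.h>
#include <mach/mach.h>
#include <mach/mach_error.h>
/* Returns 0 and stores the task port name in *target; returns 1 on denial. */
int get_task_port(int pid, mach_port_name_t *target) {
    kern_return_t kr = task_for_pid(mach_task_self(), pid, target);
    if (kr != KERN_SUCCESS) {
        fprintf(stderr, "task_for_pid: %s\n", mach_error_string(kr));
        return 1;
    }
    return 0;
}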

Notes

task_for_pid is gated by the taskgated launchd job, AMFI, and SIP. The caller must either be root, have the com.apple.security.cs.debugger entitlement, hold the get-task-allow entitlement on the target, or have been granted Developer Tools privileges via System Settings → Privacy & Security. With a task port the holder can call vm_read / vm_write / thread_create / thread_set_state on the target — i.e. arbitrary code execution.

Detection

Endpoint Security exposes ES_EVENT_TYPE_NOTIFY_GET_TASK and ES_EVENT_TYPE_AUTH_GET_TASK on macOS 11+. Older systems can hook taskgated via MACF policies. Denied calls show up in /var/log/system.log under 'Security policy would not allow process'.

Malware usage

task_for_pid is the entry point for nearly every macOS code-injection toolkit (osascript-injection, dylib-injection via mach_vm_allocate + thread_create_running). State-sponsored implants — DazzleSpy, ChromeLoader-mac, JokerSpy — all chain task_for_pid + mach_vm_write + thread_create_running. A successful call on a non-self target with a non-debug entitlement is almost always suspicious.
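The heuristic in the last sentence above, combined with the gating conditions from the Notes section, can be written as a triage rule over get-task telemetry. This is an added example, not code from this page or from Apple: the GetTaskEvent record is a hypothetical, simplified shape for what an Endpoint Security client might collect, the sample events are constructed, and treating get-task-allow as an entitlement carried by the target is an assumption.

```python
from dataclasses import dataclass

# Entitlement names as given in the Notes section of this page.
DEBUGGER_ENT = "com.apple.security.cs.debugger"
GET_TASK_ALLOW = "get-task-allow"

@dataclass(frozen=True)
class GetTaskEvent:
    # Hypothetical, simplified record. A real Endpoint Security client would
    # build it from a GET_TASK message plus its own code-signing lookups.
    caller_pid: int
    caller_path: str
    target_pid: int
    target_path: str
    caller_euid: int = 501
    caller_entitlements: frozenset = frozenset()
    target_entitlements: frozenset = frozenset()

def classify(ev):
    """Return (verdict, reason) for one successful task_for_pid call."""
    if ev.caller_pid == ev.target_pid:
        return "ignore", "self target"
    if DEBUGGER_ENT in ev.caller_entitlements:
        return "expected", "caller holds the debugger entitlement"
    if GET_TASK_ALLOW in ev.target_entitlements:
        return "expected", "target carries get-task-allow"
    # Being root satisfies the gate but is not a debug entitlement, so it
    # still alerts. Developer Tools privileges are not modelled here.
    who = "root" if ev.caller_euid == 0 else "unentitled"
    return "alert", f"{who} caller {ev.caller_path} got task port of {ev.target_path}"

def alerts(events):
    """Keep only the events the heuristic flags, with their reasons."""
    out = []
    for ev in events:
        verdict, reason = classify(ev)
        if verdict == "alert":
            out.append((ev.caller_pid, reason))
    return out

SAMPLE_EVENTS = [  # constructed for illustration, not captured telemetry
    GetTaskEvent(410, "/example/debugger", 733, "/example/Demo.app",
                 caller_entitlements=frozenset({DEBUGGER_ENT})),
    GetTaskEvent(733, "/example/Demo.app", 733, "/example/Demo.app"),
    GetTaskEvent(812, "/example/ide-helper", 900, "/example/DevBuild.app",
                 target_entitlements=frozenset({GET_TASK_ALLOW})),
    GetTaskEvent(951, "/tmp/example-updater", 733, "/example/Demo.app", caller_euid=0),
]
```

Only the last sample event is flagged: a root caller passes the kernel gate, yet it holds no debug entitlement, which is the case the heuristic singles out.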

Related APIs

  • task_name_for_pid
  • processor_set_tasks
  • task_get_special_port
  • mach_vm_read
  • mach_vm_write
  • thread_create_running

MITRE ATT&CK

Malware references

  • DazzleSpy
  • JokerSpy
  • ChromeLoader (macOS variant)

Last verified: 2026-05-25