Code injection...

Vent out liberIOS stuff here.
Requests for ETAs or 11.2+ support will be removed without warning!

Code injection...

Postby limneos » Sat Dec 30, 2017 1:39 am

I'm not sure if it's mentioned somewhere, or if it's obvious from any code sample or reference and yet I've missed it...
But after seeing a tweet of Morpheus saying that "code injection is already supported",
I'm posting these questions here as Morpheus suggested, so that others can learn from it as well when answered:

To make these questions more clear, I'm numbering them:

1) How is code injection supported for native binaries? (wouldn't be much fun to inject our own binaries :p )
2) Do we need to alter the native binaries in order to do this? (hopefully not)
3) Do we need to use our own injection methods or is there a designated/preferred one? If so, what are the guidelines?
I have seen the guidelines about entitling our own processes with "platform-application" but,
4) what are the requirements for libraries?

(Note: I've already tried the call_remote approach, with which I made a simple "./injector <pid> <path_to_library>" tool, which worked on other forks, but doesn't seem to work here)

I see some possibly related functions in QiLin header, but I'm not sure which to use for injection (and I can't go too far with guesses/tests because I'm left with only one device on 11.1.2 atm and I'm trying to keep it safe)
But even then,

5) If we need to use QiLin for injection, does it mean we have to get tfp0 every time we call our injection method? (since it's required to call initQiLin first)
6) Could we possibly have a code sample (with any entitlements required etc) of a simple dynamic library being injected in, say, SpringBoard? (the most-targeted process of all times)
7) Can we use this in a daemon and apply on every process re-launch ? (aka respring for SpringBoard)
8) Since none of the above are documented anywhere but yet, code injection *is* supported, can we/should we contact you in private about this?
9) Am I just being too hasty and all this is being processed and is going to be documented soon?

(Although they may seem a lot, number 6 alone would probably solve all the mystery.)

Thank you in advance,

Limneos
limneos
 
Posts: 2
Joined: Wed Dec 27, 2017 8:03 am

Re: Code injection...

Postby eni9889 » Mon Jan 01, 2018 10:05 pm

I have been looking into the same thing. This might be a good starting point: http://newosxbook.com/src.jl?tree=listi ... e=inject.c
eni9889
 
Posts: 3
Joined: Fri Dec 29, 2017 6:26 pm

code injection causes to amfidebilitate crash

Postby eni9889 » Mon Jan 01, 2018 10:25 pm

I'm trying to use http://newosxbook.com/src.jl?tree=listi ... e=inject.c to inject the included test.dylib and it's causing amfidebilitate and amfid to crash. I'm wondering if I'm using the library incorrectly or if the inject code is not compatible with the latest iOS. I've attached the crash reports below. Thanks for all the hard work.

https://ghostbin.com/paste/7uej7 -- amfid
https://ghostbin.com/paste/xjbhu -- amfidebilitate
eni9889
 
Posts: 3
Joined: Fri Dec 29, 2017 6:26 pm

Re: Code injection...

Postby Wingzero » Tue Jan 02, 2018 3:42 am

I posted about debugserver not working; I suspect the entitlement thing is not working properly.
Any idea?
Wingzero
 
Posts: 54
Joined: Thu Jul 27, 2017 2:35 am

Re: code injection causes to amfidebilitate crash

Postby BrunoNFL » Tue Jan 02, 2018 1:52 pm

I wonder if Morpheus has at least an example in achieving that in LiberiOS.
In my case when I tried injecting into a process, I got a message saying it couldn't get task_for_pid in said process...

Am I doing this wrong?
BrunoNFL
 
Posts: 11
Joined: Thu Dec 28, 2017 12:14 pm

Re: code injection causes to amfidebilitate crash

Postby boudarbalat » Tue Jan 02, 2018 5:18 pm

I've compiled inject.c and when I run it to inject test.dylib into one of my apps I get the output below and then immediately my app closes.

Code:
-bash-3.2# ./inject 395 /usr/local/lib/test.dylib
Allocated remote stack @0x10168c000
Allocated remote stack @0x10168c000
Pthread exit  @18680bbe0, 18680bbe0
Pthread set self @18680b804
Pthread exit  @18680bbe0, 18680bbe0
DLOpen @1865cb460
Remote Stack 64  0x101694000, Remote code is 0x1010ec000


Btw when I try to inject into a stock app like MobileSafari, it fails promptly:

Code:
-bash-3.2# ./inject 368 /usr/local/lib/test.dylib
Unable to allocate memory for remote stack in thread: Error (os/kern) invalid argument
Unable to allocate memory for remote stack in thread: Error (os/kern) invalid argument


I too am wondering if I'm doing anything wrong.
Any help here would be much appreciated.
Thank you
boudarbalat
 
Posts: 3
Joined: Tue Jan 02, 2018 5:06 pm

Re: code injection causes to amfidebilitate crash

Postby BrunoNFL » Tue Jan 02, 2018 5:35 pm

At least you got further than I did!
I'll try again when I get home from work today. Last time I tried it was 1am haha
BrunoNFL
 
Posts: 11
Joined: Thu Dec 28, 2017 12:14 pm

Re: code injection causes to amfidebilitate crash

Postby boudarbalat » Tue Jan 02, 2018 5:42 pm

BrunoNFL wrote: At least you got further than I did!
I'll try again when I get home from work today. Last time I tried it was 1am haha


Well, if you need help with what I did, let me know.
boudarbalat
 
Posts: 3
Joined: Tue Jan 02, 2018 5:06 pm

Re: code injection causes to amfidebilitate crash

Postby BrunoNFL » Tue Jan 02, 2018 11:02 pm

I'd actually like to get some help with that.
Every time I run it, it seems to throw back an error like this:
Code:
Unable to call task_for_pid on pid 1000: (os/kern) failure. Cannot continue!

I've signed it with jtool and have used the entitlements below:
Code:
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>platform-application</key>
        <true/>
        <key>com.apple.springboard.debugapplications</key>
        <true/>
        <key>get-task-allow</key>
        <true/>
        <key>task_for_pid-allow</key>
        <true/>
</dict>
</plist>


Do you have any insights?
BrunoNFL
 
Posts: 11
Joined: Thu Dec 28, 2017 12:14 pm

Re: code injection causes to amfidebilitate crash

Postby boudarbalat » Wed Jan 03, 2018 3:48 pm

Which process are you injecting? Is it your own app or is it a stock app?
boudarbalat
 
Posts: 3
Joined: Tue Jan 02, 2018 5:06 pm
