
Task operations fail?

Posted: Wed Feb 20, 2019 10:20 pm

I'm trying to use QiLin to modify SpringBoard's data. After Platformizing, ShaiHuluding and borrowing entitlements from sysdiagnose I can successfully get task_for_pid for SpringBoard, and I get a seemingly valid-looking task port. However, every following task_*/mach_vm_* call on that task port, including trivial calls like task_terminate, fails with KERN_INVALID_ARGUMENT (4). What am I doing wrong?

On a similar topic, I also tried to use setCSFlagsForPid on SpringBoard to give it the CS_GET_TASK_ALLOW flag, which should effectively give it get-task-allow, but it didn't seem to work for either my process (before borrowing entitlements from sysdiagnose) or for (the original, unmodified) debugserver. Is it possible to use QiLin to make processes debuggable using the unmodified debugserver?


Re: Task operations fail?

Posted: Wed Feb 20, 2019 10:56 pm
by darkknight

Re: Task operations fail?

Posted: Wed Feb 20, 2019 11:29 pm
I'm doing something pretty much equivalent (promoting my own process instead of debugserver):
Code:
    #include <mach/mach.h>   /* task_for_pid, mach_task_self, mach_port_t */
    /* borrowEntitlementsFromDonor and findPidOfProcess are QiLin API calls */
    borrowEntitlementsFromDonor("/usr/bin/sysdiagnose", "-u");
    mach_port_t springboard = 0;
    task_for_pid(mach_task_self(), findPidOfProcess("SpringBoard"), &springboard);

All calls appear to succeed, and task_for_pid returns a valid-looking task port, but calling task_* methods on that returned port all return KERN_INVALID_ARGUMENT: task_terminate, task_resume, task_suspend, task_info. The only oddball is pid_for_task, which seems to work and return the correct PID. What could cause these calls to fail if I already have the task port?

Re: Task operations fail?

Posted: Thu Feb 21, 2019 8:35 pm
by darkknight
I wonder if it has anything to do with changes made to AMFI... per

Specifically:
    Debugging protection, which was limited to Apple's processes, is now extended to the masses. In order to enable debugging features, once again entitlements are used:
    Entitlement: Used for
    get-task-allow: Willingly give up own task port (debuggee)
    debugger: Marks own process as debugger
    allow-dyld-environment-variables: Force dyld to pass variables to signed process

Are you missing an entitlement, maybe?

Re: Task operations fail?

Posted: Fri Feb 22, 2019 12:35 pm
I managed to solve this by not entitling my own process, but instead entitling some other process I fork into. Not sure why this works, but no complaints. It seems that port_name_to_task acts strangely when used by the exploiting process.