Problem with inject.c

Postby reggi » Fri Jul 12, 2019 3:43 pm

Hey,

Does http://newosxbook.com/src.jl?tree=listi ... e=inject.c still work on macOS Mojave? Whenever I try inject a dylib to task it crashes:

Process 18471 stopped
* thread #2, stop reason = EXC_BAD_ACCESS (code=1, address=0xd8)
frame #0: 0x00007fff6f555419 libsystem_pthread.dylib`_pthread_mutex_firstfit_lock_slow + 42
libsystem_pthread.dylib`_pthread_mutex_firstfit_lock_slow:
-> 0x7fff6f555419 <+42>: mov r8, qword ptr [rcx + 0xd8]
0x7fff6f555420 <+49>: mov ecx, dword ptr [rdi + 0xc]
0x7fff6f555423 <+52>: mov edx, ecx
0x7fff6f555425 <+54>: and edx, 0xc
Target 0: (target_app) stopped.
reggi
 
Posts: 4
Joined: Sat Apr 07, 2018 12:43 pm

Re: Problem with inject.c

Postby morpheus » Tue Jul 16, 2019 3:21 pm

Still works. Make sure your stack alignment is right, and from the looks of things "0xd8" means you dereferenced a NULL pointer plus that offset.
morpheus
Site Admin
 
Posts: 716
Joined: Thu Apr 11, 2013 6:24 pm
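The triage rule morpheus gives above (a fault address of 0xd8 is NULL plus a struct-field offset) can be applied mechanically to lldb output. The script below is an added example, not code from the thread or from the book's inject.c: it parses the "stop reason" line for the fault address, parses the faulting instruction for its memory operand, and reports a NULL dereference when the fault address lies within the first page and matches the instruction's displacement. The sample lldb text is constructed to mirror the output quoted in the first post; the page-size threshold is an assumption.

```python
import re

# Assumption: a fault address below one 4 KiB page is treated as a NULL base
# pointer plus a field offset rather than a wild pointer.
PAGE_SIZE = 0x1000

# "* thread #2, stop reason = EXC_BAD_ACCESS (code=1, address=0xd8)"
STOP_RE = re.compile(
    r"stop reason = (?P<reason>[A-Z_]+) "
    r"\(code=(?P<code>\d+), address=(?P<addr>0x[0-9a-fA-F]+)\)"
)
# "-> 0x7fff6f555419 <+42>: mov r8, qword ptr [rcx + 0xd8]"
INSN_RE = re.compile(
    r"^->\s+0x[0-9a-fA-F]+\s+<\+\d+>:\s+(?P<mnemonic>\w+)\s+(?P<operands>.*)$"
)
# memory operand "[base + disp]" in Intel syntax
MEM_RE = re.compile(r"\[(?P<base>\w+)\s*\+\s*(?P<disp>0x[0-9a-fA-F]+)\]")


def parse_stop_reason(line):
    """Return reason, code and fault address from an lldb stop-reason line."""
    m = STOP_RE.search(line)
    if not m:
        return None
    return {
        "reason": m.group("reason"),
        "code": int(m.group("code")),
        "address": int(m.group("addr"), 16),
    }


def parse_faulting_insn(line):
    """Return mnemonic, base register and displacement of the '->' instruction."""
    m = INSN_RE.match(line.strip())
    if not m:
        return None
    mem = MEM_RE.search(m.group("operands"))
    return {
        "mnemonic": m.group("mnemonic"),
        "base": mem.group("base") if mem else None,
        "disp": int(mem.group("disp"), 16) if mem else None,
    }


def classify_fault(address):
    """Small addresses are NULL-plus-offset; anything else is wild or unmapped."""
    if address < PAGE_SIZE:
        return "null-deref", address
    return "wild-or-unmapped", None


def triage(lldb_output):
    """Combine the stop reason and the faulting instruction into one verdict."""
    stop, insn = None, None
    for line in lldb_output.splitlines():
        stop = stop or parse_stop_reason(line)
        insn = insn or parse_faulting_insn(line)
    if stop is None:
        return None
    kind, offset = classify_fault(stop["address"])
    verdict = dict(stop, kind=kind, offset=offset, null_register=None)
    # If the instruction's displacement equals the fault address, the base
    # register itself was zero: a NULL pointer to a struct, field at +disp.
    if insn and insn["disp"] == stop["address"] and kind == "null-deref":
        verdict["null_register"] = insn["base"]
    return verdict


# Constructed sample mirroring the crash quoted in the thread.
SAMPLE = """Process 18471 stopped
* thread #2, stop reason = EXC_BAD_ACCESS (code=1, address=0xd8)
frame #0: 0x00007fff6f555419 libsystem_pthread.dylib`_pthread_mutex_firstfit_lock_slow + 42
libsystem_pthread.dylib`_pthread_mutex_firstfit_lock_slow:
-> 0x7fff6f555419 <+42>: mov r8, qword ptr [rcx + 0xd8]
0x7fff6f555420 <+49>: mov ecx, dword ptr [rdi + 0xc]
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Run against the sample, the verdict is a NULL dereference through rcx at offset 0xd8, i.e. the mutex pointer the injected thread handed to _pthread_mutex_firstfit_lock_slow was zero, which is the symptom of a thread whose pthread-side state was never set up.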

Re: Problem with inject.c

Postby darkknight » Tue Jul 16, 2019 7:44 pm

morpheus wrote: Still works. Make sure your stack alignment is right, and from the looks of things "0xd8" means you dereferenced a NULL pointer plus that offset.

Hmmmm, seems some internals have changed??
https://knight.sc/malware/2019/03/15/co ... macos.html

This example makes use of the Mach thread_create_running API. Since macOS has a dual personality, with low-level Mach APIs as well as BSD APIs, there exist two sets of APIs for working with threads. One is the Mach APIs and the other is the pthread APIs. Unfortunately, some internal parts of macOS expect every thread to have been properly created from the BSD APIs and to have all Mach thread structures as well as pthread structures set up properly. In order to handle this, the inject.c example above attempts to first call _pthread_set_self in the injected code in order to get the thread to a working state.

This approach works well up to macOS 10.14, where some of the pthread internal code changed...
darkknight
 
Posts: 102
Joined: Mon Apr 18, 2016 10:49 pm

Re: Problem with inject.c

Postby reggi » Tue Jul 16, 2019 8:24 pm

Thanks for the answers. It seems that something in Mojave was internally changed. I think that the stack alignment was OK.

I couldn't figure out what was wrong, and I tried another tool (https://github.com/attilathedud/dylib_injector) with its example, which does not work on Mojave either. And it crashes with the same error (0x8d).
reggi
 
Posts: 4
Joined: Sat Apr 07, 2018 12:43 pm

Re: Problem with inject.c

Postby morpheus » Wed Jul 17, 2019 3:46 pm

You know what? I stand corrected. Oddly enough, I had never encountered this. I will make note of this in an upcoming vol 1 update! Thank you!
morpheus
Site Admin
 
Posts: 716
Joined: Thu Apr 11, 2013 6:24 pm
