
Problem with inject.c

PostPosted: Fri Jul 12, 2019 3:43 pm
by reggi
Hey,

Does http://newosxbook.com/src.jl?tree=listi ... e=inject.c still work on macOS Mojave? Whenever I try to inject a dylib into a task it crashes:

Process 18471 stopped
* thread #2, stop reason = EXC_BAD_ACCESS (code=1, address=0xd8)
frame #0: 0x00007fff6f555419 libsystem_pthread.dylib`_pthread_mutex_firstfit_lock_slow + 42
libsystem_pthread.dylib`_pthread_mutex_firstfit_lock_slow:
-> 0x7fff6f555419 <+42>: mov r8, qword ptr [rcx + 0xd8]
0x7fff6f555420 <+49>: mov ecx, dword ptr [rdi + 0xc]
0x7fff6f555423 <+52>: mov edx, ecx
0x7fff6f555425 <+54>: and edx, 0xc
Target 0: (target_app) stopped.

Re: Problem with inject.c

PostPosted: Tue Jul 16, 2019 3:21 pm
by morpheus
Still works. Make sure your stack alignment is right, and from the looks of things "0xd8" means you dereferenced a NULL pointer plus that offset.

Re: Problem with inject.c

PostPosted: Tue Jul 16, 2019 7:44 pm
by darkknight
morpheus wrote: Still works. Make sure your stack alignment is right, and from the looks of things "0xd8" means you dereferenced a NULL pointer plus that offset.

Hmmmm, seems some internals have changed??
https://knight.sc/malware/2019/03/15/co ... macos.html

This example makes use of the Mach thread_create_running API. Since macOS has a dual personality, with low-level Mach APIs as well as BSD APIs, there exist two sets of APIs for working with threads. One is the Mach APIs and the other is the pthread APIs. Unfortunately some internal parts of macOS expect every thread to have been properly created from the BSD APIs and to have all Mach thread structures as well as pthread structures set up properly. In order to handle this, the inject.c example above attempts to first call _pthread_set_self in the injected code in order to get the thread to a working state.

This approach works well up to macOS 10.14 where some of the pthread internal code changed.......
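To make the Mach/pthread split concrete, here is a small self-injection demo written for this thread; it is added example code, not code from inject.c, the knight.sc post, or any of the tools mentioned above. It creates a raw Mach thread in the current task with thread_create_running, hands it a 16-byte-aligned stack and an argument in rdi, and has the thread do nothing but store that argument and spin, so it never touches libSystem code that needs pthread thread-specific data (that is exactly what a bare Mach thread lacks, and what the crash in _pthread_mutex_firstfit_lock_slow above comes from). The initial-RSP helper is portable and encodes the x86-64 SysV rule that (rsp + 8) % 16 == 0 at function entry; the Mach part only builds on x86_64 macOS. Names such as raw_thread_entry, spawn_raw_mach_thread and STACK_SIZE are this example's own, and the 64-byte margin below the stack top is an arbitrary choice.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#if defined(__APPLE__) && defined(__x86_64__)
#include <mach/mach.h>
#include <mach/mach_vm.h>
#include <unistd.h>
#endif

#define STACK_SIZE (64 * 1024)   /* size of the stack handed to the raw thread (example choice) */

/* Initial RSP for a new x86-64 thread: the SysV ABI requires (rsp + 8) % 16 == 0
 * at function entry, i.e. the state a CALL leaves after pushing a return address.
 * A small margin is left below the end of the mapping so nothing past it is touched. */
uintptr_t initial_rsp(uintptr_t stack_base, size_t stack_size) {
    uintptr_t top = (stack_base + stack_size) & ~(uintptr_t)0xF; /* 16-byte aligned */
    top -= 64;                                                   /* margin below the top */
    return top - 8;                                              /* fake pushed return address */
}

/* 1 if rsp is a valid function-entry stack pointer under the x86-64 SysV ABI. */
int rsp_is_aligned_for_entry(uintptr_t rsp) {
    return ((rsp + 8) & 0xF) == 0;
}

#if defined(__APPLE__) && defined(__x86_64__)
static volatile int g_marker = 0;

/* Entry point of the raw Mach thread. It has no pthread_t and no TSD, so it must not
 * call malloc, printf, mutex or even MIG routines: it only stores its argument and
 * spins until the creating thread terminates it. */
static void raw_thread_entry(uintptr_t arg) {
    g_marker = (int)arg;
    for (;;) __asm__ volatile("pause");
}

/* Create a bare Mach thread in our own task, wait for it to store `value`, then kill it.
 * Returns 0 on success, -1 on failure. */
int spawn_raw_mach_thread(int value) {
    task_t task = mach_task_self();
    mach_vm_address_t stack = 0;
    if (mach_vm_allocate(task, &stack, STACK_SIZE, VM_FLAGS_ANYWHERE) != KERN_SUCCESS)
        return -1;

    x86_thread_state64_t st;
    memset(&st, 0, sizeof st);
    st.__rip = (uint64_t)(uintptr_t)raw_thread_entry;
    st.__rdi = (uint64_t)value;                            /* first integer argument */
    st.__rsp = initial_rsp((uintptr_t)stack, STACK_SIZE);
    *(uint64_t *)(uintptr_t)st.__rsp = 0;                  /* fake return address at [rsp] */

    thread_act_t th;
    if (thread_create_running(task, x86_THREAD_STATE64, (thread_state_t)&st,
                              x86_THREAD_STATE64_COUNT, &th) != KERN_SUCCESS) {
        mach_vm_deallocate(task, stack, STACK_SIZE);
        return -1;
    }

    /* Poll from the pthread-backed main thread; the raw thread cannot signal us safely. */
    for (int i = 0; i < 1000 && g_marker != value; i++) usleep(1000);
    int ok = (g_marker == value);

    thread_terminate(th);
    mach_port_deallocate(task, th);
    mach_vm_deallocate(task, stack, STACK_SIZE);
    return ok ? 0 : -1;
}
#endif

int main(void) {
#if defined(__APPLE__) && defined(__x86_64__)
    int rc = spawn_raw_mach_thread(42);
    printf("raw Mach thread %s\n", rc == 0 ? "ran and stored its argument" : "failed");
    return rc == 0 ? 0 : 1;
#else
    uintptr_t rsp = initial_rsp(0x10000, 0x10000);
    printf("initial rsp 0x%lx, aligned for entry: %d\n",
           (unsigned long)rsp, rsp_is_aligned_for_entry(rsp));
    return 0;
#endif
}
```

Replace the body of raw_thread_entry with a pthread_mutex_lock on a static mutex and the same EXC_BAD_ACCESS at a small offset from NULL shows up, because the lock path reads pthread state that a thread_create_running thread never had. That is why inject.c has to bootstrap the pthread side first, and why a change in those pthread internals between releases breaks the bootstrap rather than the Mach call.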

Re: Problem with inject.c

PostPosted: Tue Jul 16, 2019 8:24 pm
by reggi
Thanks for the answers. It seems that something in Mojave was internally changed. I think that the stack alignment was OK.

I couldn't figure out what was wrong, so I tried another tool (https://github.com/attilathedud/dylib_injector) with its example, which does not work on Mojave either. It crashes with the same error (0x8d).

Re: Problem with inject.c

PostPosted: Wed Jul 17, 2019 3:46 pm
by morpheus
You know what? I stand corrected. Oddly enough, I had never encountered this. I will make note of this in an upcoming vol 1 update! Thank you!