inject.c -> EXC_BREAKPOINT

Questions and Answers about all things *OS (macOS, iOS, tvOS, watchOS)

inject.c -> EXC_BREAKPOINT

Postby frankmarco » Sun Sep 20, 2015 1:51 pm

Hello,
I have been playing around with the dynamic process injection file "inject.c" located at : for an iOS device (ARM64).
I have modified the file to fit my needs and have removed the last shellcode instruction "BRK X0", which causes an "EXC_BREAKPOINT".
However, when I jump to the "PTHREAD_EXIT" routine, my code still hits an "EXC_BREAKPOINT" and causes the process I am injecting into to crash.

Can anyone please tell me what their thoughts are on to why this is happening?
Or if possible how to exit the thread gracefully so that my dylib is still loaded into the target process?

Would it make sense to repeatedly call something like "usleep" in my shellcode instead of "PTHREAD_EXIT" and then, back in the inject.c code, call "thread_terminate"?
My only concern with this is that a race condition could possibly occur where the "thread_terminate" kills the thread from "thread_create_running" before the dlopen call has finished loading the dylib.

Any thoughts would be greatly appreciated!!!

- frankmarco
Posts: 2
Joined: Sun Sep 20, 2015 1:33 pm

Re: inject.c -> EXC_BREAKPOINT

Postby morpheus » Wed Sep 23, 2015 3:58 pm

I'd have to see the actual sample to tell you what's wrong; the ARM64 example is actually complete (I didn't cripple it the way I did the x86_64 one). pthread_exit is, in fact, the "right way" to exit the injection, leaving the dylib loaded. Whatever follows the pthread_exit in the injected code won't be reached. If the injected thread is the one calling pthread_exit, and you have indeed "promoted" it to a pthread, there should be no problem. Otherwise, you can call the direct Mach API thread_terminate on your thread port.
Site Admin
Posts: 716
Joined: Thu Apr 11, 2013 6:24 pm

Re: inject.c -> EXC_BREAKPOINT

Postby bob969 » Tue Feb 14, 2017 4:27 pm

This question is unrelated to the shellcode portion, but is another question about the inject code. In the following lines:

remoteStack64 += (STACK_SIZE / 2); // this is the real stack
//remoteStack64 -= 8; // need alignment of 16

why do you allocate room for the stack but then start in the middle (cutting the space allocated in half)? Is it so it can grow up OR down? Also, why did you remove the alignment? Is it unnecessary?

Posts: 8
Joined: Tue Mar 22, 2016 1:44 pm

Re: inject.c -> EXC_BREAKPOINT

Postby morpheus » Sun Feb 19, 2017 5:52 am

I did the cut in the middle just to be sure I've got enough space on both sides (and yeah, on other archs it could presumably grow up, but on ARM and Intel it grows down).

The -= 8 is the other way I "broke" the exploit for Intel: on ARM, alignment is 8, but Intel needs 16. Without the -8 (or +8) you'd get a certain GPF. The first way, btw, was not putting pthread_exit, so after a sleep of 100000 this segfaults.
Site Admin
Posts: 716
Joined: Thu Apr 11, 2013 6:24 pm
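The stack arithmetic discussed in the two posts above (start the injected thread's SP in the middle of the allocated region, keep it aligned, push data downward) as an added, stand-alone example; this is not code from inject.c or from morpheus. `initial_sp`, `push_bytes`, `sp_is_aligned`, `stack_headroom`, `demo_layout` and the `STACK_SIZE` value are assumed names for illustration, and `malloc` stands in for the `mach_vm_allocate` call an injector would make in the target task. Rounding SP down to 16 bytes satisfies both the x86_64 calling convention and the AArch64 SP alignment rule, so one computation serves both architectures without the -8 "break" mentioned above.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed values for this example (inject.c's real STACK_SIZE may differ). */
#define STACK_SIZE 0x10000
#define SP_ALIGN   16          /* satisfies x86_64 ABI and AArch64 SP alignment */

/* Initial SP for the injected thread: middle of the region, as inject.c does,
 * then rounded DOWN to a 16-byte boundary. Stacks grow down on arm64/x86_64,
 * so the lower half is the usable stack and the upper half is slack. */
uintptr_t initial_sp(uintptr_t stack_base, size_t stack_size)
{
    uintptr_t sp = stack_base + stack_size / 2;
    return sp & ~(uintptr_t)(SP_ALIGN - 1);
}

/* "Push" len bytes below sp (downward growth), keeping sp 16-byte aligned.
 * Returns the new sp; *where receives the address the bytes were copied to.
 * In a real injector this region lives in the target task, so the copy would
 * be a mach_vm_write; here it is a local memcpy. */
uintptr_t push_bytes(uintptr_t sp, const void *data, size_t len, uintptr_t *where)
{
    sp -= len;
    sp &= ~(uintptr_t)(SP_ALIGN - 1);
    memcpy((void *)sp, data, len);
    *where = sp;
    return sp;
}

int sp_is_aligned(uintptr_t sp)
{
    return (sp & (SP_ALIGN - 1)) == 0;
}

/* Bytes left below sp before the thread would run off the bottom of the mapping. */
size_t stack_headroom(uintptr_t stack_base, uintptr_t sp)
{
    return sp - stack_base;
}

/* Lay out a stack the way an injector would before thread_create_running():
 * allocate, pick the mid-point SP, push the dylib path string, then verify
 * the invariants (aligned SP, string readable, roughly half the region free).
 * Returns 1 on success, 0 on failure. */
int demo_layout(void)
{
    const char path[] = "/tmp/example.dylib";   /* constructed sample path */
    unsigned char *stack = malloc(STACK_SIZE);  /* stands in for mach_vm_allocate */
    if (!stack)
        return 0;

    uintptr_t base = (uintptr_t)stack;
    uintptr_t sp = initial_sp(base, STACK_SIZE);
    uintptr_t path_addr;
    sp = push_bytes(sp, path, sizeof path, &path_addr);

    int ok = sp_is_aligned(sp)
          && strcmp((const char *)path_addr, path) == 0
          && path_addr + sizeof path <= base + STACK_SIZE
          && stack_headroom(base, sp) >= STACK_SIZE / 2 - 64;

    free(stack);
    return ok;
}

int main(void)
{
    printf("initial_sp(0x10000, 0x%x) = 0x%lx\n", STACK_SIZE,
           (unsigned long)initial_sp(0x10000, STACK_SIZE));
    printf("layout %s\n", demo_layout() ? "ok" : "FAILED");
    return demo_layout() ? 0 : 1;
}
```

Running it shows the mid-point SP is already 16-byte aligned when the base is page aligned, and that pushing an odd-length string re-aligns SP rather than leaving it at an 8-byte boundary, which is the GPF case for Intel described above.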
