Playing with injector.c

Questions and Answers about all things *OS (macOS, iOS, tvOS, watchOS)

Postby TheDarkKnight » Wed Nov 09, 2016 5:31 pm

Hi J,

I've been playing around with injector.c with interesting results. I can inject a simple dylib, that prints output from the constructor, into a binary such as 'less', without issue. The payload has a simple printf, then thread_suspend.

Two target processes cause interesting results.

1) Injecting into 'top' sometimes causes a bus error 10.

2) Injecting into a Cocoa app works if the app is running under lldb, but crashes with an 'EXC_BREAKPOINT' in the first thread when it's not being debugged, and reports something like this:

System Integrity Protection: disabled

Crashed Thread: 0

Exception Codes: 0x0000000000000002, 0x0000000000000000

External Modification Warnings:
Thread creation by external task.

Thread 0 Crashed:
0 0x00007fff8a7232a7 __CFRunLoopServiceMachPort + 439
1 0x00007fff8a722568 __CFRunLoopRun + 1064
2 0x00007fff8a721ed8 CFRunLoopRunSpecific + 296
3 0x00007fff8b911935 RunCurrentEventLoopInMode + 235
4 0x00007fff8b91176f ReceiveNextEventCommon + 432
5 0x00007fff8b9115af _BlockUntilNextEventMatchingListInModeWithFilter + 71
6 0x00007fff932e7df6 _DPSNextEvent + 1067
7 0x00007fff932e7226 -[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 454
8 0x00007fff932dbd80 -[NSApplication run] + 682
9 0x00007fff932a5368 NSApplicationMain + 1176
10 com.avecto.InjectionOverrideTestApp 0x000000010ab5e08b main + 59
11 libdyld.dylib 0x00007fff885d35ad start + 1

Thread 0 crashed with X86 Thread State (64-bit):
rax: 0xffffffffffffffff rbx: 0x0000000010004002 rcx: 0x0000000000000c00 rdx: 0x0000000010004002
rdi: 0x0000000010004002 rsi: 0x0000000000000000 rbp: 0x00007fff54923520 rsp: 0x00007fff549234c0
r8: 0x0000000000003003 r9: 0x0000000000000c00 r10: 0x0000000000000c00 r11: 0x0000000000000206
r12: 0x0000000007000906 r13: 0x00007fff549235b8 r14: 0x0000000010004002 r15: 0x00007fff549235d0
rip: 0x00007fff8a7232a7 rfl: 0x0000000000000202 cr2: 0x0000700000117000

Can you please explain what would likely cause the occasional bad memory access (bus error) with 'top'?
In the case of a Cocoa app, would the problem be the lack of an event loop in the injected thread payload, or is it something else?

Thanks ;O)
Posts: 38
Joined: Wed Dec 16, 2015 10:30 am
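From the defender's side, the "External Modification Warnings" section in a report like the one quoted above is what crash-report triage should key on. The following is an added example, not code from the original post or from injector.c: it parses the report excerpt quoted above (embedded here as a constructed sample) and flags it as externally modified.

```python
import re

# Constructed sample: the excerpt of the crash report quoted in the post above.
SAMPLE_REPORT = """\
System Integrity Protection: disabled

Crashed Thread: 0

Exception Codes: 0x0000000000000002, 0x0000000000000000

External Modification Warnings:
Thread creation by external task.

Thread 0 Crashed:
0 0x00007fff8a7232a7 __CFRunLoopServiceMachPort + 439
10 com.avecto.InjectionOverrideTestApp 0x000000010ab5e08b main + 59
"""

# One backtrace frame: index, optional image name, address, symbol, + offset.
FRAME_RE = re.compile(r"(\d+)\s+(?:(\S+)\s+)?(0x[0-9a-fA-F]+)\s+(.+?)\s+\+\s+(\d+)$")

def _section(text, header):
    """Return the non-blank lines that follow `header:` up to the next blank line."""
    m = re.search(r"^" + header + r":\n((?:.+\n)+)", text, re.MULTILINE)
    return [l.strip() for l in m.group(1).splitlines()] if m else []

def _field(text, name):
    """Return the value of a single `name: value` line, or None if absent."""
    m = re.search(r"^" + name + r":\s*(.+)$", text, re.MULTILINE)
    return m.group(1).strip() if m else None

def parse_crash_report(text):
    """Pull the triage-relevant fields out of a macOS crash report."""
    codes = _field(text, "Exception Codes") or ""
    crashed = _field(text, "Crashed Thread")
    frames = [FRAME_RE.match(f) for f in _section(text, r"Thread \d+ Crashed")]
    return {
        "sip_disabled": (_field(text, "System Integrity Protection") or "").lower() == "disabled",
        "crashed_thread": int(crashed.split()[0]) if crashed else None,
        "exception_codes": [c.strip() for c in codes.split(",") if c.strip()],
        "external_modifications": _section(text, "External Modification Warnings"),
        "frames": [m.group(4) for m in frames if m],  # symbol names, top frame first
    }

def looks_externally_modified(report):
    """True when the report records another task creating threads in, or
    otherwise touching, the crashing process: the fingerprint of injection."""
    return any("external task" in w.lower() for w in report["external_modifications"])
```

On a fleet, running this over ~/Library/Logs/DiagnosticReports and alerting when the flag is set together with SIP disabled is a cheap way to surface injection attempts that crashed their target.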
