Insert LC_LOAD_DYLIB cmd into process via Kext on 10.12?

Questions and Answers about all things *OS (macOS, iOS, tvOS, watchOS)

Insert LC_LOAD_DYLIB cmd into process via Kext on 10.12?

Postby shinvou » Sat Mar 04, 2017 7:39 pm

Hi.

I'm the author of Parasite, a kernel extension for OS X that hooks process execution via MACF and inserts a load dylib command into the Mach-O header.

This way won't work anymore on Sierra (with SIP completely disabled).

Do you happen to know what changed in 10.12 that makes this not possible anymore? On my current build I'm hooking mpo_vnode_check_exec and the code I use for inserting the dylib (from osxreverser) runs without errors and even returns success, but the dylib won't get loaded by the process.

Thanks in advance.
shinvou
 
Posts: 2
Joined: Sat Mar 04, 2017 7:19 pm

Re: Insert LC_LOAD_DYLIB cmd into process via Kext on 10.12?

Postby morpheus » Sun Mar 05, 2017 12:26 am

In two words: library validation.

There is now an additional MACF hook to see which libraries get mmap(2)ed into the process space, even with LC_LOAD_DYLIB. Apple has special code signature requirements for that (book, chapters 5 and 7).
morpheus
Site Admin
 
Posts: 531
Joined: Thu Apr 11, 2013 6:24 pm
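Whether or not the kernel honours it, an inserted LC_LOAD_DYLIB still shows up in the image's load commands, so the header is a good place to look for one. The following is an added example, not code from the thread or from Parasite: a minimal parser for the load commands of a little-endian 64-bit Mach-O that lists every LC_LOAD_DYLIB / LC_LOAD_WEAK_DYLIB path and flags those outside a set of trusted prefixes. The trusted-prefix list and the in-memory fixture (a header with no segments, built only to exercise the parser) are assumptions made for the example.

```python
import struct

# Constants as defined in Apple's <mach-o/loader.h>.
MH_MAGIC_64 = 0xFEEDFACF
LC_LOAD_DYLIB = 0x0C
LC_LOAD_WEAK_DYLIB = 0x80000018
HEADER64_FMT = "<8I"   # mach_header_64: magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags, reserved
DYLIB_CMD_FMT = "<6I"  # dylib_command: cmd, cmdsize, name offset, timestamp, current_version, compat_version

# Assumption for this example: where a stock macOS binary's dependencies normally live.
TRUSTED_PREFIXES = ("/usr/lib/", "/System/Library/")

def load_dylibs(data: bytes):
    """Walk the load commands and return (cmd, path) for every dylib load command."""
    magic, _cpu, _sub, _ftype, ncmds, sizeofcmds, _flags, _res = struct.unpack_from(HEADER64_FMT, data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O")
    off = struct.calcsize(HEADER64_FMT)
    end, found = off + sizeofcmds, []
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        if cmdsize < 8 or off + cmdsize > end:      # refuse to walk past the declared command area
            raise ValueError("malformed load command at offset %d" % off)
        if cmd in (LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB):
            name_off = struct.unpack_from("<I", data, off + 8)[0]   # lc_str offset, relative to the command
            raw = data[off + name_off:off + cmdsize]
            found.append((cmd, raw.split(b"\0", 1)[0].decode()))
        off += cmdsize
    return found

def unexpected_dylibs(data: bytes, trusted=TRUSTED_PREFIXES):
    """Dylib paths the image loads that fall outside the trusted prefixes."""
    return [p for _cmd, p in load_dylibs(data) if not p.startswith(trusted)]

def dylib_command(cmd, path):
    """Serialize one dylib load command; helper for the constructed fixture below."""
    name = path.encode() + b"\0"
    size = (24 + len(name) + 7) & ~7             # cmdsize must be 8-byte aligned on 64-bit
    return struct.pack(DYLIB_CMD_FMT, cmd, size, 24, 2, 0x10000, 0x10000) + name.ljust(size - 24, b"\0")

def build_fixture(paths):
    """Constructed sample: an x86_64 MH_EXECUTE header carrying only LC_LOAD_DYLIB commands."""
    cmds = b"".join(dylib_command(LC_LOAD_DYLIB, p) for p in paths)
    hdr = struct.pack(HEADER64_FMT, MH_MAGIC_64, 0x01000007, 3, 2, len(paths), len(cmds), 0, 0)
    return hdr + cmds

if __name__ == "__main__":
    sample = build_fixture(["/usr/lib/libSystem.B.dylib", "/tmp/injected.dylib"])
    print(unexpected_dylibs(sample))   # ['/tmp/injected.dylib']
```

On a real binary, read the file bytes and pass them to `unexpected_dylibs`; comparing the result against the on-disk copy of the executable shows whether a load command was added to the in-memory image.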

Re: Insert LC_LOAD_DYLIB cmd into process via Kext on 10.12?

Postby shinvou » Mon Mar 06, 2017 1:12 pm

Ok, thanks for your answer. What would be the best way to circumvent that?

I guess the AMFI kext checks it; if so, we could just override the AMFI MAC hook with our own?
shinvou
 
Posts: 2
Joined: Sat Mar 04, 2017 7:19 pm

Re: Insert LC_LOAD_DYLIB cmd into process via Kext on 10.12?

Postby morpheus » Wed Mar 08, 2017 8:49 pm

You can't override a MACF hook using an API - you can only add an additional one. However, if you are in kernel mode, you can patch AMFI's hooks or the function pointer itself.
morpheus
Site Admin
 
Posts: 531
Joined: Thu Apr 11, 2013 6:24 pm
