Insert LC_LOAD_DYLIB cmd into process via Kext on 10.12?

Posted: Sat Mar 04, 2017 7:39 pm
by shinvou
Hei.

I'm the author of Parasite, a kernel extension for OS X that hooks process execution via MACF and inserts a load dylib command into the Mach-O header.

This way won't work anymore on Sierra (with SIP completely disabled).

Do you happen to know what changed in 10.12 that makes this not possible anymore? On my current build I'm hooking mpo_vnode_check_exec and the code I use for inserting the dylib (from osxreverser) runs without errors and even returns success, but the dylib won't get loaded by the process.

Thanks in advance.

Re: Insert LC_LOAD_DYLIB cmd into process via Kext on 10.12?

Posted: Sun Mar 05, 2017 12:26 am
by morpheus
In two words: library validation.

There is now an additional MACF hook to see which libraries get mmap(2)ed into the process space, even with LC_LOAD_DYLIB. Apple has special code signature requirements for that (book, chapters 5 and 7).

Re: Insert LC_LOAD_DYLIB cmd into process via Kext on 10.12?

Posted: Mon Mar 06, 2017 1:12 pm
by shinvou
OK, thanks for your answer. What would be the best way to circumvent that?

I guess the AMFI kext checks it; if so, could we just override the AMFI MAC hook with our own?

Re: Insert LC_LOAD_DYLIB cmd into process via Kext on 10.12?

Posted: Wed Mar 08, 2017 8:49 pm
by morpheus
You can't override a MACF hook using an API - you can only add an additional one. However, if you are in kernel mode, you can patch AMFI's hooks or the function pointer itself.