Playing with injector.c

Questions and Answers about all things *OS (macOS, iOS, tvOS, watchOS)

Postby TheDarkKnight » Wed Nov 09, 2016 5:31 pm

Hi J,

I've been playing around with injector.c with interesting results. I can inject a simple dylib that prints output from its constructor into a binary such as 'less' without issue. The payload has a simple printf, then thread_suspend.

Two target processes cause interesting results.

1) Injecting into 'top' sometimes causes a bus error 10.

2) Injecting into a Cocoa app works if the app is running under lldb, but crashes with an 'EXC_BREAKPOINT' in the first thread when it's not being debugged, and reports something like this:

System Integrity Protection: disabled

Crashed Thread: 0

Exception Type: EXC_BREAKPOINT (SIGTRAP)
Exception Codes: 0x0000000000000002, 0x0000000000000000
Exception Note: EXC_CORPSE_NOTIFY

External Modification Warnings:
Thread creation by external task.

Thread 0 Crashed:
0 com.apple.CoreFoundation 0x00007fff8a7232a7 __CFRunLoopServiceMachPort + 439
1 com.apple.CoreFoundation 0x00007fff8a722568 __CFRunLoopRun + 1064
2 com.apple.CoreFoundation 0x00007fff8a721ed8 CFRunLoopRunSpecific + 296
3 com.apple.HIToolbox 0x00007fff8b911935 RunCurrentEventLoopInMode + 235
4 com.apple.HIToolbox 0x00007fff8b91176f ReceiveNextEventCommon + 432
5 com.apple.HIToolbox 0x00007fff8b9115af _BlockUntilNextEventMatchingListInModeWithFilter + 71
6 com.apple.AppKit 0x00007fff932e7df6 _DPSNextEvent + 1067
7 com.apple.AppKit 0x00007fff932e7226 -[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 454
8 com.apple.AppKit 0x00007fff932dbd80 -[NSApplication run] + 682
9 com.apple.AppKit 0x00007fff932a5368 NSApplicationMain + 1176
10 com.avecto.InjectionOverrideTestApp 0x000000010ab5e08b main + 59
11 libdyld.dylib 0x00007fff885d35ad start + 1

Thread 0 crashed with X86 Thread State (64-bit):
rax: 0xffffffffffffffff rbx: 0x0000000010004002 rcx: 0x0000000000000c00 rdx: 0x0000000010004002
rdi: 0x0000000010004002 rsi: 0x0000000000000000 rbp: 0x00007fff54923520 rsp: 0x00007fff549234c0
r8: 0x0000000000003003 r9: 0x0000000000000c00 r10: 0x0000000000000c00 r11: 0x0000000000000206
r12: 0x0000000007000906 r13: 0x00007fff549235b8 r14: 0x0000000010004002 r15: 0x00007fff549235d0
rip: 0x00007fff8a7232a7 rfl: 0x0000000000000202 cr2: 0x0000700000117000

Can you please explain what would likely cause the occasional bad memory access (bus error) with 'top'?
In the case of a Cocoa app, would the problem be the lack of an event loop in the injected thread payload, or is it something else?

Thanks ;O)
TheDarkKnight
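The quoted thread state already tells you what __CFRunLoopServiceMachPort tripped on: CoreFoundation halts (a trap, reported as EXC_BREAKPOINT) when mach_msg() returns anything other than success, timed-out or too-large, and rbx/rdx/rdi/r14 all hold 0x10004002, which under the <mach/error.h> layout decodes to MACH_RCV_INVALID_NAME, i.e. a port name the run loop was receiving on is no longer valid in the task. The script below is an added triage example, not part of the post or of injector.c; it embeds the register lines quoted above as its input and names only the mach_msg() codes listed in its table.

```python
import re

# Mach error layout (<mach/error.h>): bits 31..26 system, 25..14 subsystem, 13..0 code
ERR_MACH_IPC = 4  # err_mach_ipc: the system used by mach_msg() return values

# mach_msg() return codes from <mach/message.h>: send errors use sub 0,
# receive errors use sub 1. Only these values are named; others print numerically.
MACH_MSG_RETURN_NAMES = {
    0x10000002: "MACH_SEND_INVALID_DATA",
    0x10000003: "MACH_SEND_INVALID_DEST",
    0x10000004: "MACH_SEND_TIMED_OUT",
    0x10004001: "MACH_RCV_IN_PROGRESS",
    0x10004002: "MACH_RCV_INVALID_NAME",
    0x10004003: "MACH_RCV_TIMED_OUT",
    0x10004004: "MACH_RCV_TOO_LARGE",
    0x10004009: "MACH_RCV_PORT_DIED",
}

# Thread state quoted in the post above (embedded here as the sample input).
CRASH_STATE = """\
rax: 0xffffffffffffffff rbx: 0x0000000010004002 rcx: 0x0000000000000c00 rdx: 0x0000000010004002
rdi: 0x0000000010004002 rsi: 0x0000000000000000 rbp: 0x00007fff54923520 rsp: 0x00007fff549234c0
r8: 0x0000000000003003 r9: 0x0000000000000c00 r10: 0x0000000000000c00 r11: 0x0000000000000206
r12: 0x0000000007000906 r13: 0x00007fff549235b8 r14: 0x0000000010004002 r15: 0x00007fff549235d0
rip: 0x00007fff8a7232a7 rfl: 0x0000000000000202 cr2: 0x0000700000117000
"""

def split_mach_error(err):
    """Return (system, subsystem, code) for a 32-bit Mach error value."""
    return (err >> 26) & 0x3F, (err >> 14) & 0xFFF, err & 0x3FFF

def parse_registers(state_text):
    """Map register name -> value from the 'X86 Thread State' lines of a crash log."""
    pattern = r"\b([a-z][a-z0-9]{1,2}):\s*0x([0-9a-fA-F]+)"
    return {m.group(1): int(m.group(2), 16) for m in re.finditer(pattern, state_text)}

def mach_msg_errors_in_registers(regs):
    """Registers holding a mach_msg() return code (pointers and -1 are skipped)."""
    found = {}
    for reg, value in regs.items():
        if value > 0xFFFFFFFF:
            continue
        system, sub, code = split_mach_error(value)
        if system == ERR_MACH_IPC and sub in (0, 1) and code != 0:
            found[reg] = MACH_MSG_RETURN_NAMES.get(value, f"unnamed mach_msg error 0x{value:08x}")
    return found

if __name__ == "__main__":
    for reg, name in sorted(mach_msg_errors_in_registers(parse_registers(CRASH_STATE)).items()):
        print(f"{reg}: {name}")  # rbx, rdi, rdx, r14 -> MACH_RCV_INVALID_NAME
```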