Task operations fail?

Discussion of the QiLin Toolkit. Requests for features and bug reports welcome.

Postby LIJI » Wed Feb 20, 2019 10:20 pm

Hi,

I'm trying to use QiLin to modify SpringBoard's data. After Platformizing, ShaiHuluding and borrowing entitlements from sysdiagnose I can successfully get task_for_pid for SpringBoard and I get a seemingly valid-looking task port. However, every following task_*/mach_vm_* call on that task port, including trivial calls like task_terminate, fails with KERN_INVALID_ARGUMENT (4). What am I doing wrong?

On a similar topic, I also tried to use setCSFlagsForPid on SpringBoard to give it the CS_GET_TASK_ALLOW flag, which should effectively give it get-task-allow, but it didn't seem to work for either my process (before borrowing entitlements from sysdiagnose) or for (the original, unmodified) debugserver. Is it possible to use QiLin to make processes debuggable using the unmodified debugserver?

Thanks!
LIJI
Posts: 11
Joined: Sat Sep 12, 2015 5:43 pm

Re: Task operations fail?

Postby darkknight » Wed Feb 20, 2019 10:56 pm

darkknight
Posts: 98
Joined: Mon Apr 18, 2016 10:49 pm

Re: Task operations fail?

Postby LIJI » Wed Feb 20, 2019 11:29 pm

I'm doing something pretty much equivalent (promoting my own process instead of debugserver):

    /* QiLin calls: ShaiHulud our own process, mark it platform, then borrow sysdiagnose's entitlements */
    shaiHuludMeMoar();
    platformizeMe();
    borrowEntitlementsFromDonor("/usr/bin/sysdiagnose", "-u");

    /* fetch SpringBoard's task port and keep the return code for checking */
    mach_port_t springboard = MACH_PORT_NULL;
    kern_return_t kr = task_for_pid(mach_task_self(), findPidOfProcess("SpringBoard"), &springboard);


All calls appear to succeed, and task_for_pid returns a valid-looking task port, but calling task_* methods on that returned port all return KERN_INVALID_ARGUMENT: task_terminate, task_resume, task_suspend, task_info. The only oddball is pid_for_task, which seems to work and return the correct PID. What could cause these calls to fail if I already have the task port?
LIJI
Posts: 11
Joined: Sat Sep 12, 2015 5:43 pm

Re: Task operations fail?

Postby darkknight » Thu Feb 21, 2019 8:35 pm

I wonder if it has anything to do with changes made to AMFI, per http://newosxbook.com/free/security12deltae.pdf

Specifically:
"Debugging protection, which was limited to Apple's processes, is now extended to the masses. In order to enable debugging features, once again entitlements are used:"

    com.apple.security.cs.*                 Used for
    get-task-allow                          Willingly give up own task port (debuggee)
    debugger                                Marks own process as debugger
    allow-dyld-environment-variables        Force dyld to pass variables to signed process

Are you missing an entitlement, maybe?
darkknight
Posts: 98
Joined: Mon Apr 18, 2016 10:49 pm

Re: Task operations fail?

Postby LIJI » Fri Feb 22, 2019 12:35 pm

I managed to solve this by not entitling my own process, but instead entitling some other process I fork into. Not sure why this works, but no complaints. It seems that port_name_to_task acts strangely when used by the exploiting process.
LIJI
Posts: 11
Joined: Sat Sep 12, 2015 5:43 pm
