Hello Comex,

I am new to git so I emailed you directly. Sorry, I was not aware of process.

I had few observations. Thought I should share it with you. This injection system is working nice with all applications (like, itunes, firefox, skype, finder, dock.. etc) but it fails to inject in "launchd" process. Another observation is if I run injection on terminal in bash, it cannot inject in bash and if I run it in sh, it cannot inject in sh.

While debugging, it appears to fail in following line when during start of 3rd loop for exception.

    TRY(mach_msg_overwrite(NULL, MACH_RCV_MSG, 0, sizeof(msg), exc, MACH_MSG_TIMEOUT_NONE, MACH_PORT_NULL, (void *) &msg, sizeof(msg)));

Thank you,
Rahul

Steps:

1. Start the chess application. With chess, sjeng.ChessEngine also starts.
2. Inject dylib to the process, notice that injection fails and process will crash.
3. This behavior is also observed with other apps but it can be consistently reproduced with the help of sjeng.ChessEngine.

Crash Log for refenrece:

Process: sjeng.ChessEngine [505]
Path: /Applications/Chess.app/Contents/Resources/sjeng.ChessEngine
Identifier: sjeng.ChessEngine
Version: ??? (???)
Code Type: X86-64 (Native)
Parent Process: Chess [501]

Date/Time: 2012-09-11 10:21:54.386 +0200
OS Version: Mac OS X 10.6.8 (10K549)
Report Version: 6

Exception Type: EXC_BREAKPOINT (SIGTRAP)
Exception Codes: 0x0000000000000002, 0x0000000000000000
Crashed Thread: 1

Thread 0: Dispatch queue: com.apple.main-thread
0 libSystem.B.dylib 0x00007fff82837982 read$NOCANCEL + 10
1 libSystem.B.dylib 0x00007fff828870ef __sread + 16
2 libSystem.B.dylib 0x00007fff8287ee34 _sread + 19
3 libSystem.B.dylib 0x00007fff8287ecca __srefill + 41
4 libSystem.B.dylib 0x00007fff82889e8e __srget + 17
5 libSystem.B.dylib 0x00007fff82889e4a getc + 63
6 sjeng.ChessEngine 0x000000010000455a 0x100000000 + 17754
7 sjeng.ChessEngine 0x00000001000013fc 0x100000000 + 5116
8 sjeng.ChessEngine 0x0000000100000884 0x100000000 + 2180

Thread 1 Crashed:
0 com.apple.CoreFoundation 0x00007fff8038c590 __CFInitialize + 1808
1 dyld 0x00007fff5fc0d5de ImageLoaderMachO::doImageInit(ImageLoader::LinkContext const&) + 138
2 dyld 0x00007fff5fc0d617 ImageLoaderMachO::doInitialization(ImageLoader::LinkContext const&) + 27
3 dyld 0x00007fff5fc0bcfc ImageLoader::recursiveInitialization(ImageLoader::LinkContext const&, unsigned int) + 236
4 dyld 0x00007fff5fc0bcad ImageLoader::recursiveInitialization(ImageLoader::LinkContext const&, unsigned int) + 157
5 dyld 0x00007fff5fc0bcad ImageLoader::recursiveInitialization(ImageLoader::LinkContext const&, unsigned int) + 157
6 dyld 0x00007fff5fc0bcad ImageLoader::recursiveInitialization(ImageLoader::LinkContext const&, unsigned int) + 157
7 dyld 0x00007fff5fc0bcad ImageLoader::recursiveInitialization(ImageLoader::LinkContext const&, unsigned int) + 157
8 dyld 0x00007fff5fc0bcad ImageLoader::recursiveInitialization(ImageLoader::LinkContext const&, unsigned int) + 157
9 dyld 0x00007fff5fc0bdb6 ImageLoader::runInitializers(ImageLoader::LinkContext const&) + 58
10 dyld 0x00007fff5fc08fcf dlopen + 573
11 ??? 0x00000000deadbeef 0 + 3735928559
12 libSystem.B.dylib 0x00007fff8286ee89 thread_start + 13

Thread 1 crashed with X86 Thread State (64-bit):
rax: 0x0000000000000000 rbx: 0x00007fff8038ab58 rcx: 0x00007fff5fbffbe0 rdx: 0x00007fff5fbffb80
rdi: 0x0000000000000000 rsi: 0x00007fff5fbffb68 rbp: 0x0000000100398be0 rsp: 0x0000000100398390
r8: 0x00007fff5fc40548 r9: 0x0000000100406480 r10: 0x0000000000000000 r11: 0x0000000000000003
r12: 0x00007fff8038be80 r13: 0x00007fff5fc404a0 r14: 0x0000000000000005 r15: 0x0000000100400810
rip: 0x00007fff8038c590 rfl: 0x0000000000000246 cr2: 0x00007fff700a87e8

If application in which we are injecting has following settings on 10.8 OSX Garbage Collection Work Queue will crash.

ARCHS = $(ARCHS_STANDARD_64_BIT)
GCC_VERSION = com.apple.compilers.llvmgcc42
GCC_ENABLE_OBJC_GC = required //user defined setting.

On crash it will generate following message,

malloc: Thread::suspend(): unable to suspend a thread: err = 268435459, Thread 0x111000000: _pthread = 0x108129000, _thread = 0x8b07, _stack_base = 0x108129000, enlivening on, 0 local blocks

It will even when injected library has exactly same configuration as of the application in which we are injecting. After injecting play a little bit with application, like for 5-10 seconds.

interpose.c:102

return true;  //should be result?

Very strangely, interpose.c stopped working on some symbols on iOS 9, but only on arm64. For example, try hooking _SSLHandshake called from CFNetwork -- SocketStream::_PerformSecurityHandshake_NoLock. If we add logging to the hook insertion routine, you'll see the interposition gets installed on CFNetwork imports, but it is never invoked when SSLHandshake is called.

OTOH, if we try a hook on _open we see it gets invoked consistently when calling [NSString stringWithContentsOfFile:] via Foundation -- _NSReadBytesFromFileWithExtendedAttributes for example.

Also, both seem to work just fine on armv7 and even on arm64 on iOS 8.

"Interpose" be used in my app. I want put this app on AppStore, would it be rejected?
because i used "interpose" to call private API

Hello there,

In file, Inject.c

static kern_return_t get_stuff(task_t task, cpu_type_t *cputype, struct addr_bundle *addrs) {

...

if defined(i386) || defined(x86_64) || defined(ppc)

// Try to guess whether the process is 64-bit,
bool proc64 = info.all_image_info_addr > 0;

else

bool proc64 = false;

endif

mach_vm_address_t dyldImageLoadAddress = proc64 ? u.data64.dyldImageLoadAddress : u.data.dyldImageLoadAddress;

...

}

Above code gives wrong result and thus injection fails at mach_vm_read_overwrite();

I think check for #if defined(i386) || defined(x86_64) || defined(ppc)
is wrong as it will check whether injection process is 64 bit or 32 bit or ppc. It wont check whether task(injectee process) is 32 bit or 64 bit.

Hello there,

If you modify puts() in file testputs.c for using callback mechanism then function hooking does not work.

Below is the source code to test it.

include <stdio.h>

include <unistd.h>

int main() {

typeof(puts) *putting = puts;

while(1) {
    putting("Hi!\n");
    sleep(1);
}

}

Hello Comex,I am huge fan of you and your code inject.c.
I wanted to try out interposing by myself,I read through few of apple documents regarding Mach-O file and Mike Ash blog about dynamic loading. But still concepts are not clear for me.Can you please suggest some blogs or documents so which have detailed explanation of Mach-O file and dynamic loading. My aim is to understand interpose.c and make use of it..

Thanks

Hi there,

I tried to inject in Google Chrome but it failed.

Below are the results..

myserver:tester test$ sudo ./tester 1860 testlib.dylib
Password:
pid=1860 fail on line 233: mach_vm_read_overwrite(task, dyldImageLoadAddress, sizeof(mach_hdr), address_cast(&mach_hdr), &data_size)
fail on line 305: get_stuff(task, &cputype, &addrs)
kr=1