osx dylib injection
License: MIT License
Another dylib injector. Uses a bootstrapping module since mach_inject doesn't fully emulate library loading and crashes when loading complex modules.
mach_inject was taken from rentzsch/mach_inject. Thanks!testapp is a sample app to inject intotestdylib is a sample dylib to inject into an appbootstrap is a dylib that is initially injected to load another dylib (e.g. testdylib)Released under the MIT License.
BuildAll
Hello scen.
I'm the author of odourless (A tool for preventing .DS_Store creation)
I use osxinj in odourless, it work well, thank you very much for your great job.
But on big sur, it seems not working,void *loaderThread(void *patch_bundle) dlopen return NULL and dlerror return NULL too.
Please help!
sudo ./osxinj goat test.dylib
test.dylib
module: 0xA9600000
bootstrapfn: 0x2515D90
pid: 26665
image name: /Users/thelmgn/Library/Developer/Xcode/DerivedData/osxinj-avedzsjtjazwnxcvyqeygmiplxzv/Build/Products/Debug/bootstrap.dylib
mach_inject: found threadEntry image at: 0x102515000 with size: 28384
wrote param with size 54
fish: 'goat' terminated by signal SIGSEGV (Address boundary error)
Process: goat [26665]
Path: /Users/USER/*/goat
Identifier: goat
Version: 0
Code Type: X86-64 (Native)
Parent Process: fish [11796]
Responsible: goat [26665]
User ID: 501
Date/Time: 2020-10-11 13:28:26.439 +0100
OS Version: Mac OS X 10.14.6 (18G6032)
Report Version: 12
Anonymous UUID: AE3DCE2B-FFEE-8873-5AAA-0B0E77639EA0
Time Awake Since Boot: 4900 seconds
System Integrity Protection: disabled
Crashed Thread: 1
Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x00000001024d384a
Exception Note: EXC_CORPSE_NOTIFY
Termination Signal: Segmentation fault: 11
Termination Reason: Namespace SIGNAL, Code 0xb
Terminating Process: exc handler [26665]
External Modification Warnings:
Thread creation by external task.
VM Regions Near 0x1024d384a:
-->
__TEXT 000000010964e000-000000010964f000 [ 4K] r-x/r-x SM=COW /Users/USER/*
Application Specific Information:
dyld2 mode
Thread 0:: Dispatch queue: com.apple.main-thread
0 goat 0x000000010964ef77 main + 39
1 libdyld.dylib 0x00007fff583f03d5 start + 1
Thread 1 Crashed:
0 ??? 0x00000001024d384a 0 + 4333582410
Thread 2:
0 dyld 0x000000010c04b14d strcmp + 45
1 dyld 0x000000010c018eaa _dyld_func_lookup + 42
2 libdyld.dylib 0x00007fff583dbd30 dlopen + 181
3 ??? 0x000000010976ad4a 0 + 4453739850
4 libsystem_pthread.dylib 0x00007fff585e42eb _pthread_body + 126
5 libsystem_pthread.dylib 0x00007fff585e7249 _pthread_start + 66
6 libsystem_pthread.dylib 0x00007fff585e340d thread_start + 13
Thread 1 crashed with X86 Thread State (64-bit):
rax: 0x0000000000000000 rbx: 0x0000000000000000 rcx: 0x000000010969e20a rdx: 0x0000000000000000
rdi: 0x0000000109667fac rsi: 0x0000000109656000 rbp: 0x0000000109667ff4 rsp: 0x0000000109667f4c
r8: 0x000000000301002f r9: 0x0000000000000003 r10: 0x000070000bb6d000 r11: 0x0000000000000246
r12: 0x0000000000000000 r13: 0x0000000000000000 r14: 0x0000000000000000 r15: 0x0000000000000000
rip: 0x00000001024d384a rfl: 0x0000000000010246 cr2: 0x00000001024d384a
Logical CPU: 5
Error Code: 0x00000014
Trap Number: 14
Binary Images:
0x10964e000 - 0x10964eff7 +goat (0) <DDFA27F1-38DE-3C54-828E-D0C94987BBED> /Users/USER/*/goat
0x109657000 - 0x109658ffb libSystem.B.dylib (1252.250.1) <C466C7C6-4DCD-3C2E-B6A8-5D495BFF07BB> /usr/lib/libSystem.B.dylib
0x10965f000 - 0x10965fff7 liblaunch.dylib (1336.261.5) <5CB1CB72-8BDD-38F4-8BE0-2C76098BD915> /usr/lib/system/liblaunch.dylib
0x10966c000 - 0x10966eff7 libquarantine.dylib (86.270.1) <3F36A3D6-9606-3D90-B520-809BAEF981C3> /usr/lib/system/libquarantine.dylib
0x10967a000 - 0x109680ffb libsystem_dnssd.dylib (878.270.3) <D5352ABD-0311-3327-8E64-93F29EB19BF1> /usr/lib/system/libsystem_dnssd.dylib
0x10968c000 - 0x10968fff7 libsystem_sandbox.dylib (851.270.4) <05B25238-3B19-334C-894F-FDFF7807027A> /usr/lib/system/libsystem_sandbox.dylib
0x10969b000 - 0x1096c3ff7 libsystem_kernel.dylib (4903.278.44) <135154C7-B928-380F-BE89-101050F001C3> /usr/lib/system/libsystem_kernel.dylib
0x1096e0000 - 0x1096f5ff7 libsystem_trace.dylib (906.260.2) <12C1B9A2-39D6-3428-AE60-2303BD201A57> /usr/lib/system/libsystem_trace.dylib
0x109707000 - 0x109736fff libxpc.dylib (1336.261.5) <A1EABC2B-A88E-365C-AEA5-1543FD75BAC7> /usr/lib/system/libxpc.dylib
0x10c00a000 - 0x10c07470f dyld (655.1.1) <91A01B2E-622F-3FBC-8D67-AC6D5D1C0023> /usr/lib/dyld
0x7fff5561a000 - 0x7fff5566dff7 libc++.1.dylib (400.9.4) <9A60A190-6C34-339F-BB3D-AACE942009A4> /usr/lib/libc++.1.dylib
0x7fff5566e000 - 0x7fff55683ff7 libc++abi.dylib (400.17) <38C09CED-9090-3719-90F3-04A2749F5428> /usr/lib/libc++abi.dylib
0x7fff56c0e000 - 0x7fff57393fdf libobjc.A.dylib (756.2) <7C312627-43CB-3234-9324-4DEA92D59F50> /usr/lib/libobjc.A.dylib
0x7fff58273000 - 0x7fff58277ff3 libcache.dylib (81) <1987D1E1-DB11-3291-B12A-EBD55848E02D> /usr/lib/system/libcache.dylib
0x7fff58278000 - 0x7fff58282ff3 libcommonCrypto.dylib (60118.250.2) <1765BB6E-6784-3653-B16B-CB839721DC9A> /usr/lib/system/libcommonCrypto.dylib
0x7fff58283000 - 0x7fff5828aff7 libcompiler_rt.dylib (63.4) <5212BA7B-B7EA-37B4-AF6E-AC4F507EDFB8> /usr/lib/system/libcompiler_rt.dylib
0x7fff5828b000 - 0x7fff58294ff7 libcopyfile.dylib (146.250.1) <98CD00CD-9B91-3B5C-A9DB-842638050FA8> /usr/lib/system/libcopyfile.dylib
0x7fff58295000 - 0x7fff58319fc3 libcorecrypto.dylib (602.260.2) <01464D24-570C-3B83-9D18-467769E0FCDD> /usr/lib/system/libcorecrypto.dylib
0x7fff583a0000 - 0x7fff583d9ff7 libdispatch.dylib (1008.270.1) <97273678-E94C-3C8C-89F6-2E2020F4B43B> /usr/lib/system/libdispatch.dylib
0x7fff583da000 - 0x7fff58406ff7 libdyld.dylib (655.1.1) <002418CC-AD11-3D10-865B-015591D24E6C> /usr/lib/system/libdyld.dylib
0x7fff58407000 - 0x7fff58407ffb libkeymgr.dylib (30) <0D0F9CA2-8D5A-3273-8723-59987B5827F2> /usr/lib/system/libkeymgr.dylib
0x7fff58416000 - 0x7fff5841bfff libmacho.dylib (927.0.3) <A377D608-77AB-3F6E-90F0-B4F251A5C12F> /usr/lib/system/libmacho.dylib
0x7fff5841f000 - 0x7fff58420ff7 libremovefile.dylib (45.200.2) <9FBEB2FF-EEBE-31BC-BCFC-C71F8D0E99B6> /usr/lib/system/libremovefile.dylib
0x7fff58421000 - 0x7fff58438ff3 libsystem_asl.dylib (356.200.4) <A62A7249-38B8-33FA-9875-F1852590796C> /usr/lib/system/libsystem_asl.dylib
0x7fff58439000 - 0x7fff58439ff7 libsystem_blocks.dylib (73) <A453E8EE-860D-3CED-B5DC-BE54E9DB4348> /usr/lib/system/libsystem_blocks.dylib
0x7fff5843a000 - 0x7fff584c1fff libsystem_c.dylib (1272.250.1) <7EDACF78-2FA3-35B8-B051-D70475A35117> /usr/lib/system/libsystem_c.dylib
0x7fff584c2000 - 0x7fff584c5ffb libsystem_configuration.dylib (963.270.3) <2B4A836D-68A4-33E6-8D48-CD4486B03387> /usr/lib/system/libsystem_configuration.dylib
0x7fff584c6000 - 0x7fff584c9ff7 libsystem_coreservices.dylib (66) <719F75A4-74C5-3BA6-A09E-0C5A3E5889D7> /usr/lib/system/libsystem_coreservices.dylib
0x7fff584ca000 - 0x7fff584d0fff libsystem_darwin.dylib (1272.250.1) <EC9B39A5-9592-3577-8997-7DC721D20D8C> /usr/lib/system/libsystem_darwin.dylib
0x7fff584d8000 - 0x7fff58523ffb libsystem_info.dylib (517.200.9) <D09D5AE0-2FDC-3A6D-93EC-729F931B1457> /usr/lib/system/libsystem_info.dylib
0x7fff5854d000 - 0x7fff58598ff7 libsystem_m.dylib (3158.200.7) <F19B6DB7-014F-3820-831F-389CCDA06EF6> /usr/lib/system/libsystem_m.dylib
0x7fff58599000 - 0x7fff585c3fff libsystem_malloc.dylib (166.270.1) <011F3AD0-8E6A-3A89-AE64-6E5F6840F30A> /usr/lib/system/libsystem_malloc.dylib
0x7fff585c4000 - 0x7fff585ceff7 libsystem_networkextension.dylib (767.250.2) <FF06F13A-AEFE-3A27-A073-910EF78AEA36> /usr/lib/system/libsystem_networkextension.dylib
0x7fff585cf000 - 0x7fff585d6fff libsystem_notify.dylib (172.200.21) <145B5CFC-CF73-33CE-BD3D-E8DDE268FFDE> /usr/lib/system/libsystem_notify.dylib
0x7fff585d7000 - 0x7fff585e0fef libsystem_platform.dylib (177.270.1) <9D1FE5E4-EB7D-3B3F-A8D1-A96D9CF1348C> /usr/lib/system/libsystem_platform.dylib
0x7fff585e1000 - 0x7fff585ebff7 libsystem_pthread.dylib (330.250.2) <2D5C08FF-484F-3D59-9132-CE1DCB3F76D7> /usr/lib/system/libsystem_pthread.dylib
0x7fff585f0000 - 0x7fff585f2ff3 libsystem_secinit.dylib (30.260.2) <EF1EA47B-7B22-35E8-BD9B-F7003DCB96AE> /usr/lib/system/libsystem_secinit.dylib
0x7fff585f3000 - 0x7fff585faff3 libsystem_symptoms.dylib (820.267.1) <03F1C2DD-0F5A-3D9D-88F6-B26C0F94EB52> /usr/lib/system/libsystem_symptoms.dylib
0x7fff58612000 - 0x7fff58617ffb libunwind.dylib (35.4) <24A97A67-F017-3CFC-B0D0-6BD0224B1336> /usr/lib/system/libunwind.dylib
External Modification Summary:
Calls made by other processes targeting this process:
task_for_pid: 2
thread_create: 1
thread_set_state: 0
Calls made by this process:
task_for_pid: 0
thread_create: 0
thread_set_state: 0
Calls made by all processes on this machine:
task_for_pid: 7329
thread_create: 3
thread_set_state: 12
VM Region Summary:
ReadOnly portion of Libraries: Total=234.4M resident=0K(0%) swapped_out_or_unallocated=234.4M(100%)
Writable regions: Total=27.8M written=0K(0%) resident=0K(0%) swapped_out=0K(0%) unallocated=27.8M(100%)
VIRTUAL REGION
REGION TYPE SIZE COUNT (non-coalesced)
=========== ======= =======
Kernel Alloc Once 8K 1
MALLOC 19.1M 7
MALLOC guard page 16K 3
STACK GUARD 56.0M 2
Stack 8712K 2
VM_ALLOCATE 24K 3
__DATA 2252K 39
__LINKEDIT 222.7M 11
__TEXT 11.6M 39
mapped file 24K 3
shared memory 8K 2
=========== ======= =======
TOTAL 320.2M 112
This is a weird case of it works on everybody's machine, except mine. This is less of a project issue, but a dylib injection issue, as no dylib injector works, i'll admit that. I had dylib injection working, and one day, it just broke. I'm not sure if I changed a setting and not noticed but it ain't working anymore.
Is this working for you in 10.12/Sierra?
I have an odd situation where mach_inject works perfectly fine, when my app is launched through Xcode. If I launch my app directly, the target process crashes as soon as it attempts to inject:
Date/Time: 2016-09-21 22:55:58.682 +0100
OS Version: Mac OS X 10.12 (16A323)
Report Version: 12
Anonymous UUID: 8AD07C6C-3EFE-5D39-B58B-393D95473947
Time Awake Since Boot: 3400 seconds
System Integrity Protection: enabled
Crashed Thread: 0 Dispatch queue: com.apple.main-thread
Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x00000000e50d34ab
Exception Note: EXC_CORPSE_NOTIFY
Termination Signal: Segmentation fault: 11
Termination Reason: Namespace SIGNAL, Code 0xb
Terminating Process: exc handler [0]
External Modification Warnings:
Thread creation by external task.
VM Regions Near 0xe50d34ab:
Stack 00000000bf800000-00000000c0000000 [ 8192K] rw-/rwx SM=PRV
-->
Submap 00000000ffff0000-00000000ffff1000 [ 4K] r--/r-- SM=PRV process-only VM submap
Does you have any ideas on how to tackle this?
can support M1 platform?
nevermind :)
mach_inject: found threadEntry image at: 0x10e105000 with size: 10024
wrote param with size 127
please help me
I love this tool!
Currently I try to use it to inject a lib into an app running within the iOS simulator. At first it seemed quite simple. I can inject my own dylib into the testapp, but for some reason nothing happens when I try to inject it into a process within the simulator.
As far as I can see, the simulator just spawns more processes and I don't really have to care about it. Instead I can just search for the process name and be done.
I've build a dynamic framework (which basically contains a dylib) for the simulator (it's also 86_64).
injection.mm
#include <cstdio>
#import "Main.h"
void install(void) __attribute__ ((constructor));
void install()
{
[Main injectionTest];
}
Main.h
#import <Foundation/Foundation.h>
NS_ASSUME_NONNULL_BEGIN
@interface Main : NSObject
+ (void)injectionTest;
@end
NS_ASSUME_NONNULL_END
Main.m
#import "Main.h"
@implementation Main
+ (void)injectionTest {
[[NSFileManager defaultManager] createFileAtPath:@"/Users/jan/Downloads/osxinj/test.txt" contents:nil attributes:nil];
[@"Hello Simulator" writeToFile:@"/Users/jan/Downloads/osxinj/test.txt" atomically:YES encoding:NSUTF8StringEncoding error:nil];
NSLog(@"Hello Simulator");
}
@end
The good thing, I can inject Obj-C code into the testapp. The bad thing, I don't have any output from the simulator. As you can see I even tried breaking out and write a file to a specific directory.
Any ideas, what I'm doing wrong, or what I'm missing?
can someone plz guide me through this i am a noob
mach_inject: found threadEntry image at: 0xde000 with size: 9888
mach_inject failing.. (os/kern) invalid address
failed to inject: module:0x0 bootstrapfn:0x0
Line 200 in 1274a0f
Using this project, I hooked open system call and injected in excel. But new open is not getting called. The hooking for read and write system calls are working fine. Even hooking for open system call on TextEdit is working fine and messages are logged in system.log. I verified using dtruss that open system call is being called by Excel whenever new workbook is created. Any kind help is appreciated or any thoughts to try.
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google ❤️ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.