Down the Rabbit Hole - Reverse Engineering Mac OS X

More documents

Recommendations

Info

Code Injection OverviewMach supplies everything we need.It’s just not very well documented. ; )Specifically, Mach provides APIs for:Remote memory allocation. (vm_allocate())Remote memory I/O. (vm_write())Remote thread allocation. (thread_create())Remote thread control.(thread_create_running())Monday, February 9, 2009
Code Injection DetailsAllocate a remote thread stack. No need to populate it— parameters will be passed in registers.Allocate and populate the thread’s code block. The gotchahere is determining the thread entry’s code size. It’ssurprisingly hard, and requires a calling the dynamicloader APIs and stat()’ing the file system!Allocate, populate and start the thread. Set the threadcontrol block’s srr0 to the code block, r1 to thestack, r3 through r10 to parameters and lr to0xDEADBEEF (this thread should never return).Monday, February 9, 2009
Page 1 and 2: Dynamically Overriding Mac OS XDown
Page 3: What Happened toHow to Hack Mac OS
Page 7 and 8: Function OverridingIdeally, overrid
Page 9 and 10: CFM vs MachExporter-Owned Vector Ta
Page 11 and 12: Function OverridingWhat will work:
Page 13 and 14: Single-Instruction OverwritingRepla
Page 15 and 16: The Branch IslandWe can allocate a
Page 17: Inside the Branch IslandC definitio
Page 21 and 22: Lame Override Animation! Reentry Is
Page 23 and 24: Function Overriding DetailsDiscover
Page 25: Code Injection OverviewFunction ove
Page 29 and 30: Code & Doc AvailabilityTwo packages

Down the Rabbit Hole - Reverse Engineering Mac OS X

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?