mach_inject mach_override - hewigovens/hewigovens.github.com GitHub Wiki

From the paper Dynamically Overriding Mac OS X

github.com:rentzsch/mach_inject github.com:rentzsch/mach_override

## Code injection

Mac OS 9 made it straightforward to globally replace or extend system-supplied functions with your own code. However, Mac OS X, with its multiuser architecture and protected memory, makes this less obvious. Fortunately, if we explore the lower levels of Mach, we discover all the basic tools we need. Specifically, Mach offers two crucial abilities that allow us to "inject" and execute arbitrary code: remote memory allocation and remote thread creation. Mach lets one process allocate memory in another process's address space via the vm_allocate() call. You can populate this "remote" memory block using vm_write(). Finally, thread_create_running() allows you to create a new thread in another process.

## Code override

What is surprisingly feasible is to rewrite the function's implementation itself. The idea is to replace the function's first instruction with a branch to the desired override function, so every caller of the original lands in the override. This technique is known as single-instruction overwriting.
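As an added example (not code from the page, the paper, or mach_override), here is a defender-side integrity check over a function's entry bytes: it compares the live bytes with the bytes expected from the on-disk image and, when they differ, decodes whether the first instruction has become an unconditional branch, which is the trace single-instruction overwriting leaves. The paper's target was PowerPC; the decoders here assume x86-64 (JMP rel32) and arm64 (B imm26), and all sample bytes are constructed.

```c
#include <stdint.h>
#include <string.h>

/* Architectures the check knows how to decode (assumed for this example). */
enum arch { ARCH_X86_64, ARCH_ARM64 };
enum { ENTRY_INTACT = 0, ENTRY_BRANCH_PATCHED = 1, ENTRY_MODIFIED = 2 };

struct entry_report {
    int status;          /* one of the ENTRY_* values */
    int64_t target_off;  /* branch target as a byte offset from the entry, if patched */
};

static uint32_t le32(const uint8_t *p) { return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }

/* Returns 1 and sets *off when the first instruction at `entry` is a direct unconditional branch. */
static int decode_branch(const uint8_t *entry, size_t len, enum arch a, int64_t *off)
{
    if (a == ARCH_X86_64) {
        if (len < 5 || entry[0] != 0xE9) return 0;          /* E9 rel32 = JMP rel32 */
        *off = 5 + (int64_t)(int32_t)le32(entry + 1);       /* rel32 counts from the next instruction */
        return 1;
    }
    if (len < 4) return 0;
    uint32_t insn = le32(entry);
    if ((insn & 0xFC000000u) != 0x14000000u) return 0;      /* arm64 B imm26 (BL has the top bit set) */
    int64_t imm26 = insn & 0x03FFFFFFu;
    if (imm26 & 0x02000000) imm26 -= 0x04000000;            /* sign-extend the 26-bit field */
    *off = imm26 * 4;                                       /* word offset -> byte offset */
    return 1;
}

/* Compare the live entry with the expected bytes (e.g. read from the binary on disk). */
struct entry_report check_entry(const uint8_t *live, const uint8_t *expected, size_t len, enum arch a)
{
    struct entry_report r = { ENTRY_INTACT, 0 };
    if (memcmp(live, expected, len) == 0) return r;
    r.status = decode_branch(live, len, a, &r.target_off) ? ENTRY_BRANCH_PATCHED : ENTRY_MODIFIED;
    return r;
}

/* Constructed samples: an untouched prologue, the same entry with a branch planted,
 * and one with a byte changed that is not a branch (int3). */
const uint8_t SAMPLE_X86_EXPECTED[8]   = { 0x55, 0x48, 0x89, 0xE5, 0x48, 0x83, 0xEC, 0x10 }; /* push rbp; mov rbp,rsp; sub rsp,16 */
const uint8_t SAMPLE_X86_LIVE[8]       = { 0xE9, 0xFB, 0x0F, 0x00, 0x00, 0x83, 0xEC, 0x10 }; /* jmp +0x1000 from entry */
const uint8_t SAMPLE_X86_BREAKPOINT[8] = { 0xCC, 0x48, 0x89, 0xE5, 0x48, 0x83, 0xEC, 0x10 }; /* int3 at entry */
const uint8_t SAMPLE_ARM_EXPECTED[8]   = { 0xFD, 0x7B, 0xBF, 0xA9, 0xFD, 0x03, 0x00, 0x91 }; /* stp x29,x30,[sp,#-16]!; mov x29,sp */
const uint8_t SAMPLE_ARM_LIVE[8]       = { 0x00, 0xFC, 0xFF, 0x17, 0xFD, 0x03, 0x00, 0x91 }; /* b -0x1000 from entry */
```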

## Examples

- Dropbox uses this trick (you can find it here: `/Library/DropboxHelperTools/Dropbox_u$(id -u)`).
- Alexey Zhuchkov's FinderMenu, open sourced.

##### Back to Hook & Inject methods