Uninformed: Informative Information for the Uninformed

Vol 4» 2006.Jun

Code injection

The concept of using the Mach API in order to inject code into another task has been demonstrated numerous times. The most well known implementation is named mach_inject[4]. This code uses task_for_pid() to get a port for the chosen pid. The thread_create_running() function is used to create a thread in the task and set the register state. In this way control of execution is gained. This code has been rewritten using the same method for the intel platform[5].

It's also pretty easy to set the thread starting state to point to the dlopen() function and load a dylib from disk. Or even vm_map() an object file into the process space by hand and fix up relocations yourself.