Uninformed: Informative Information for the Uninformed

Vol 4» 2006.Jun


Code injection

The concept of using the Mach API to inject code into another task has been demonstrated numerous times. The best-known implementation is mach_inject[4]. It uses task_for_pid() to obtain the task port for the chosen pid, then thread_create_running() to create a new thread in that task with a caller-supplied register state, so the new thread starts executing wherever the injector pointed its program counter and control of execution is gained. The same method has since been reimplemented for the Intel platform[5].

It's also pretty easy to point the new thread's starting state at dlopen() and have it load a dylib from disk. The catch is that dlopen() reads its arguments from the target's memory, not the injector's, so the path string and a fake call frame (return address plus arguments) have to be written into the target first with vm_allocate() and vm_write() before the thread is started. Alternatively, vm_map() an object file into the process space by hand and fix up the relocations yourself. One caveat applies to both approaches: the thread created by thread_create_running() is a bare Mach thread with no pthread state, so libSystem routines that depend on it (locking, thread-specific data) can misbehave. Injected code that needs more than a trivial call should therefore create a real pthread first and let the Mach thread exit.
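As an added worked example (not code from the original article, nor from mach_inject), here is the part of the dlopen() trick that is easy to get wrong: building the region the injector writes into the target and the register state the new thread starts with. The layout is an assumption of this example: one vm_allocate()'d region holding a two-byte "jmp $" trampoline at offset 0 (dlopen() "returns" into it and spins until the injector cleans the thread up), the dylib path, and a fake i386 cdecl frame near the top of the region that the thread's ESP points at. It assumes a 32-bit injector and a 32-bit target on 2006-era Mac OS X with no library randomization, so the injector's own dlopen address is valid in the target; the Mach glue (task_for_pid(), vm_allocate(), vm_write(), vm_protect(), thread_create_running()) is only compiled on Darwin, and the frame builder compiles and can be tested anywhere. RTLD_NOW_DARWIN is a local copy of Darwin's RTLD_NOW value, also an assumption of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Darwin's RTLD_NOW (dlfcn.h), copied locally so this file builds on any platform. */
#define RTLD_NOW_DARWIN 0x2u

/* Assumed layout of the region we vm_allocate() in the target (offsets, not addresses):
 *   0x0000  trampoline "jmp $" (EB FE): dlopen() returns here and spins
 *   0x0010  NUL-terminated dylib path, dlopen()'s first argument
 *   top     fake frame [return address][path pointer][mode]; ESP points at the return address
 * Everything between path and frame is the new thread's stack, so the region must be big
 * enough for dyld to do real work; 64 KiB is an assumption, not a measured requirement. */
#define REGION_SIZE   0x10000u
#define TRAMP_OFF     0x0u
#define PATH_OFF      0x10u
#define PATH_MAX_LEN  1024u

typedef struct {
    uint32_t eip;        /* address of dlopen() in the target */
    uint32_t esp;        /* address of the fake frame inside the region */
    uint32_t frame_off;  /* offset of that frame within the region image */
} remote_thread_state;

void     le32_store(uint8_t *p, uint32_t v) { p[0] = v; p[1] = v >> 8; p[2] = v >> 16; p[3] = v >> 24; }
uint32_t le32_load(const uint8_t *p) { return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24); }

/* Fill image (REGION_SIZE bytes) with the region contents and compute the thread state.
 * region_base is where vm_allocate() put the region in the target, so the image is built
 * after allocation and before vm_write(). Returns 0 on success, -1 on a bad argument. */
int build_dlopen_frame(uint8_t *image, uint32_t region_base, uint32_t dlopen_addr,
                       const char *path, remote_thread_state *st)
{
    size_t len = strlen(path);
    if (len + 1 > PATH_MAX_LEN) return -1;   /* path would overrun its slot */
    if (region_base & 0xFu) return -1;        /* alignment math below assumes a 16-byte-aligned base */

    memset(image, 0, REGION_SIZE);
    image[TRAMP_OFF] = 0xEB;                  /* jmp short -2: loop forever at this address */
    image[TRAMP_OFF + 1] = 0xFE;
    memcpy(image + PATH_OFF, path, len + 1);

    /* Darwin i386 ABI: the stack is 16-byte aligned at the call instruction, so on entry to
     * dlopen() ESP + 4 must be a multiple of 16. Leave 64 bytes of slack above the frame. */
    uint32_t frame_off = REGION_SIZE - 64u + 12u;
    uint8_t *frame = image + frame_off;
    le32_store(frame + 0, region_base + TRAMP_OFF);  /* return address -> trampoline */
    le32_store(frame + 4, region_base + PATH_OFF);   /* arg0: const char *path (target address) */
    le32_store(frame + 8, RTLD_NOW_DARWIN);          /* arg1: int mode */

    st->eip = dlopen_addr;
    st->esp = region_base + frame_off;
    st->frame_off = frame_off;
    return 0;
}

#ifdef __APPLE__
#include <mach/mach.h>
#include <dlfcn.h>
#include <unistd.h>

/* The Mach sequence from the text. task_for_pid() needs the usual privilege (root, or the
 * procmod group on 10.4). Register fields are named eip/esp without underscores on the 10.4 SDK. */
int inject_dylib(pid_t pid, const char *path)
{
    task_t task;
    if (task_for_pid(mach_task_self(), pid, &task) != KERN_SUCCESS) return -1;

    vm_address_t region = 0;
    if (vm_allocate(task, &region, REGION_SIZE, VM_FLAGS_ANYWHERE) != KERN_SUCCESS) return -1;

    static uint8_t image[REGION_SIZE];
    remote_thread_state st;
    /* assumption: no library randomization, so our dlopen address is the target's too */
    if (build_dlopen_frame(image, (uint32_t)region, (uint32_t)(uintptr_t)dlopen, path, &st) != 0)
        return -1;
    if (vm_write(task, region, (vm_offset_t)image, REGION_SIZE) != KERN_SUCCESS) return -1;
    /* the trampoline at offset 0 is executed, so the region must be executable */
    if (vm_protect(task, region, REGION_SIZE, FALSE,
                   VM_PROT_READ | VM_PROT_WRITE | VM_PROT_EXECUTE) != KERN_SUCCESS) return -1;

    i386_thread_state_t state;
    memset(&state, 0, sizeof state);   /* only eip and esp matter for this call */
    state.__eip = st.eip;
    state.__esp = st.esp;
    thread_act_t thread;
    if (thread_create_running(task, i386_THREAD_STATE, (thread_state_t)&state,
                              i386_THREAD_STATE_COUNT, &thread) != KERN_SUCCESS) return -1;
    return 0;   /* caller later suspends/terminates `thread` once it is spinning in the trampoline */
}
#endif
```

The frame builder is deliberately separate from the Mach calls so the address arithmetic (return address, argument pointers, the ESP + 4 alignment rule) can be checked on any machine; a wrong frame here shows up in the target as a crash inside dyld with no useful diagnostics. Once the dylib's constructor runs, it is the right place to start a real pthread, since the Mach thread that called dlopen() has none.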