diff options
| author | Sam Bingner <sam@bingner.com> | 2018-12-21 18:24:37 -1000 |
|---|---|---|
| committer | Sam Bingner <sam@bingner.com> | 2018-12-21 18:24:37 -1000 |
| commit | 8031d5da39b95aa65e4989e094a636bee424aef4 (patch) | |
| tree | a672c430ad39ee2a35cb31019cbeec7247b1a91d | |
| parent | ae8077efe69311b8eee2846affebd6194b7b29c4 (diff) | |
Split inject code to a separate file to be more easily integrated in external projects
| -rw-r--r-- | Makefile | 8 | ||||
| -rw-r--r-- | include/kmem.h | 2 | ||||
| -rw-r--r-- | inject.h | 14 | ||||
| -rw-r--r-- | inject.m | 35 | ||||
| -rw-r--r-- | kern_funcs.c | 6 | ||||
| -rw-r--r-- | kern_funcs.h | 1 | ||||
| -rw-r--r-- | main.c | 50 |
7 files changed, 76 insertions, 40 deletions
@@ -1,12 +1,12 @@ ARCHS ?= arm64 target ?= iphone:11.0:11.0 +CFLAGS = -Iinclude include $(THEOS)/makefiles/common.mk TOOL_NAME = inject -inject_CODESIGN_FLAGS = -Hsha256 -Hsha1 -Sentitlements.xml -inject_FRAMEWORKS = IOKit Security -inject_CFLAGS = -Wno-error=unused-function -Wno-error=unused-variable -Wno-error=missing-braces -Iinclude +inject_CODESIGN_FLAGS = -Sentitlements.xml inject_LIBRARIES = mis -inject_FILES = inject.m patchfinder64.c kern_funcs.c +inject_FRAMEWORKS = IOKit Security +inject_FILES = main.c $(libinjection_FILES) include $(THEOS_MAKE_PATH)/tool.mk diff --git a/include/kmem.h b/include/kmem.h index 698bccc..e8619fe 100644 --- a/include/kmem.h +++ b/include/kmem.h @@ -42,8 +42,6 @@ kern_return_t mach_vm_protect ( boolean_t set_maximum, vm_prot_t new_protection); -extern mach_port_t tfp0; - uint32_t rk32(uint64_t kaddr); uint64_t rk64(uint64_t kaddr); diff --git a/inject.h b/inject.h new file mode 100644 index 0000000..ed17877 --- /dev/null +++ b/inject.h @@ -0,0 +1,14 @@ +/* + * inject.h + * + * Created by Sam Bingner on 9/27/2018 + * Copyright 2018 Sam Bingner. All Rights Reserved. + * + */ + +#ifndef _INJECT_H_ +#define _INJECT_H_ + +int injectTrustCache(int argc, char* argv[], uint64_t trust_chain); + +#endif @@ -25,8 +25,6 @@ extern NSString *kMISValidationOptionUniversalFileOffset; extern NSString *kMISValidationOptionAllowAdHocSigning; extern NSString *kMISValidationOptionOnlineAuthorization; -mach_port_t tfp0 = MACH_PORT_NULL; - enum { cdHashTypeSHA1 = 1, cdHashTypeSHA256 = 2 @@ -48,20 +46,6 @@ struct hash_entry_t { typedef uint8_t hash_t[TRUST_CDHASH_LEN]; -mach_port_t try_restore_port() { - mach_port_t port = MACH_PORT_NULL; - kern_return_t err; - - err = host_get_special_port(mach_host_self(), 0, 4, &port); - if (err == KERN_SUCCESS && port != MACH_PORT_NULL) { - fprintf(stderr, "got persisted port!\n"); - // make sure rk64 etc use this port - return port; - } - fprintf(stderr, "unable to retrieve persisted port\n"); - return MACH_PORT_NULL; -} - bool check_amfi(NSString *path) { return MISValidateSignatureAndCopyInfo(path, @{kMISValidationOptionAllowAdHocSigning: @YES, kMISValidationOptionRespectUppTrustAndAuthorization: @YES}, NULL) == 0; } @@ -198,26 +182,11 @@ int injectTrustCache(int argc, char* argv[], uint64_t trust_chain) { } } -int main(int argc, char* argv[]) { - if (argc < 2) { - fprintf(stderr,"Usage: inject /full/path/to/executable\n"); - fprintf(stderr,"Inject executables to trust cache\n"); - return -1; - } +__attribute__((constructor)) +void ctor() { void *lib = dlopen("/System/Library/Frameworks/Security.framework/Security", RTLD_LAZY); if (lib != NULL) { _SecCopyErrorMessageString = dlsym(lib, "SecCopyErrorMessageString"); dlclose(lib); } - tfp0 = try_restore_port(); - if (tfp0 == MACH_PORT_NULL) - return -2; - uint64_t kernel_base = get_kernel_base(tfp0); - init_kernel(kernel_base, NULL); - uint64_t trust_chain = find_trustcache(); - term_kernel(); - printf("Injecting to trust cache...\n"); - int ninjected = injectTrustCache(argc, argv, trust_chain); - printf("Successfully injected [%d/%d] to trust cache.\n", ninjected, argc - 1); - return argc - ninjected - 1; } diff --git a/kern_funcs.c b/kern_funcs.c index cd43438..2d7d182 100644 --- a/kern_funcs.c +++ b/kern_funcs.c @@ -20,10 +20,14 @@ #include <kmem.h> #include "CSCommon.h" -extern mach_port_t tfp0; +static mach_port_t tfp0=MACH_PORT_NULL; size_t kread(uint64_t where, void *p, size_t size); size_t kwrite(uint64_t where, const void *p, size_t size); +void set_tfp0(mach_port_t port) { + tfp0 = port; +} + void wk32(uint64_t kaddr, uint32_t val) { kwrite(kaddr, &val, sizeof(uint32_t)); } diff --git a/kern_funcs.h b/kern_funcs.h index e37ef1d..075eb61 100644 --- a/kern_funcs.h +++ b/kern_funcs.h @@ -1,6 +1,7 @@ #ifndef _KERN_FUNCS_H_ #define _KERN_FUNCS_H_ +void set_tfp0(mach_port_t port); void wk32(uint64_t kaddr, uint32_t val); void wk64(uint64_t kaddr, uint64_t val); uint32_t rk32(uint64_t kaddr); @@ -0,0 +1,50 @@ +/* + * inject.m + * + * Created by Sam Bingner on 9/27/2018 + * Copyright 2018 Sam Bingner. All Rights Reserved. + * + */ + +#include <CoreFoundation/CoreFoundation.h> +#include <mach/mach.h> +#include <dlfcn.h> +#include "patchfinder64.h" +#include "CSCommon.h" +#include "kern_funcs.h" +#include "inject.h" + + +mach_port_t try_restore_port() { + mach_port_t port = MACH_PORT_NULL; + kern_return_t err; + + err = host_get_special_port(mach_host_self(), 0, 4, &port); + if (err == KERN_SUCCESS && port != MACH_PORT_NULL) { + fprintf(stderr, "got persisted port!\n"); + // make sure rk64 etc use this port + return port; + } + fprintf(stderr, "unable to retrieve persisted port\n"); + return MACH_PORT_NULL; +} + +int main(int argc, char* argv[]) { + if (argc < 2) { + fprintf(stderr,"Usage: inject /full/path/to/executable\n"); + fprintf(stderr,"Inject executables to trust cache\n"); + return -1; + } + mach_port_t tfp0 = try_restore_port(); + if (tfp0 == MACH_PORT_NULL) + return -2; + set_tfp0(tfp0); + uint64_t kernel_base = get_kernel_base(tfp0); + init_kernel(kernel_base, NULL); + uint64_t trust_chain = find_trustcache(); + term_kernel(); + printf("Injecting to trust cache...\n"); + int ninjected = injectTrustCache(argc, argv, trust_chain); + printf("Successfully injected [%d/%d] to trust cache.\n", ninjected, argc - 1); + return argc - ninjected - 1; +} |