diff options
Diffstat (limited to 'inject.c')
-rw-r--r-- | inject.c | 245 |
1 files changed, 245 insertions, 0 deletions
diff --git a/inject.c b/inject.c new file mode 100644 index 0000000..82a0c57 --- /dev/null +++ b/inject.c @@ -0,0 +1,245 @@ +#include <sys/snapshot.h> +#include <dlfcn.h> +#include <sys/stat.h> +#include <sys/mount.h> +#include <copyfile.h> +#include <spawn.h> +#include <sys/utsname.h> +#include <unistd.h> +#include <libgen.h> +#include <sys/socket.h> +#include <netinet/in.h> +#include <dirent.h> +#include <sys/sysctl.h> +#include <mach-o/dyld.h> +#include <sys/mman.h> +#include <sys/param.h> +#include <CoreFoundation/CoreFoundation.h> +#include <mach/mach.h> +#include "async_wake_ios/async_wake_ios/libjb.h" +#include "patchfinder64.h" +#include <kmem.h> + +mach_port_t tfp0 = MACH_PORT_NULL; + +void wk32(uint64_t kaddr, uint32_t val) { + if (tfp0 == MACH_PORT_NULL) { + printf("attempt to write to kernel memory before any kernel memory write primitives available\n"); + sleep(3); + return; + } + + kern_return_t err; + err = mach_vm_write(tfp0, + (mach_vm_address_t)kaddr, + (vm_offset_t)&val, + (mach_msg_type_number_t)sizeof(uint32_t)); + + if (err != KERN_SUCCESS) { + printf("tfp0 write failed: %s %x\n", mach_error_string(err), err); + return; + } +} + +void wk64(uint64_t kaddr, uint64_t val) { + uint32_t lower = (uint32_t)(val & 0xffffffff); + uint32_t higher = (uint32_t)(val >> 32); + wk32(kaddr, lower); + wk32(kaddr+4, higher); +} + +uint32_t rk32(uint64_t kaddr) { + kern_return_t err; + uint32_t val = 0; + mach_vm_size_t outsize = 0; + err = mach_vm_read_overwrite(tfp0, + (mach_vm_address_t)kaddr, + (mach_vm_size_t)sizeof(uint32_t), + (mach_vm_address_t)&val, + &outsize); + if (err != KERN_SUCCESS){ + printf("tfp0 read failed %s addr: 0x%llx err:%x port:%x\n", mach_error_string(err), kaddr, err, tfp0); + sleep(3); + return 0; + } + + if (outsize != sizeof(uint32_t)){ + printf("tfp0 read was short (expected %lx, got %llx\n", sizeof(uint32_t), outsize); + sleep(3); + return 0; + } + return val; +} + +uint64_t rk64(uint64_t kaddr) { + uint64_t lower = rk32(kaddr); + uint64_t higher = rk32(kaddr+4); + uint64_t full = ((higher<<32) | lower); + return full; +} + +uint64_t kmem_alloc(uint64_t size) { + if (tfp0 == MACH_PORT_NULL) { + printf("attempt to allocate kernel memory before any kernel memory write primitives available\n"); + sleep(3); + return 0; + } + + kern_return_t err; + mach_vm_address_t addr = 0; + mach_vm_size_t ksize = round_page_kernel(size); + err = mach_vm_allocate(tfp0, &addr, ksize, VM_FLAGS_ANYWHERE); + if (err != KERN_SUCCESS) { + printf("unable to allocate kernel memory via tfp0: %s %x\n", mach_error_string(err), err); + sleep(3); + return 0; + } + return addr; +} + +// https://github.com/JonathanSeals/kernelversionhacker/blob/3dcbf59f316047a34737f393ff946175164bf03f/kernelversionhacker.c#L92 + +#define IMAGE_OFFSET 0x2000 +#define MACHO_HEADER_MAGIC 0xfeedfacf +#define MAX_KASLR_SLIDE 0x21000000 +#define KERNEL_SEARCH_ADDRESS 0xfffffff007004000 + +#define ptrSize sizeof(uintptr_t) + +static vm_address_t get_kernel_base(mach_port_t tfp0) +{ + uint64_t addr = 0; + addr = KERNEL_SEARCH_ADDRESS+MAX_KASLR_SLIDE; + + while (1) { + char *buf; + mach_msg_type_number_t sz = 0; + kern_return_t ret = vm_read(tfp0, addr, 0x200, (vm_offset_t*)&buf, &sz); + + if (ret) { + goto next; + } + + if (*((uint32_t *)buf) == MACHO_HEADER_MAGIC) { + int ret = vm_read(tfp0, addr, 0x1000, (vm_offset_t*)&buf, &sz); + if (ret != KERN_SUCCESS) { + printf("Failed vm_read %i\n", ret); + goto next; + } + + for (uintptr_t i=addr; i < (addr+0x2000); i+=(ptrSize)) { + mach_msg_type_number_t sz; + int ret = vm_read(tfp0, i, 0x120, (vm_offset_t*)&buf, &sz); + + if (ret != KERN_SUCCESS) { + printf("Failed vm_read %i\n", ret); + exit(-1); + } + if (!strcmp(buf, "__text") && !strcmp(buf+0x10, "__PRELINK_TEXT")) { + return addr; + } + } + } + + next: + addr -= 0x200000; + } +} + +size_t +kread(uint64_t where, void *p, size_t size) +{ + int rv; + size_t offset = 0; + while (offset < size) { + mach_vm_size_t sz, chunk = 2048; + if (chunk > size - offset) { + chunk = size - offset; + } + rv = mach_vm_read_overwrite(tfp0, where + offset, chunk, (mach_vm_address_t)p + offset, &sz); + if (rv || sz == 0) { + fprintf(stderr, "[e] error reading kernel @%p\n", (void *)(offset + where)); + break; + } + offset += sz; + } + return offset; +} + +size_t +kwrite(uint64_t where, const void *p, size_t size) +{ + int rv; + size_t offset = 0; + while (offset < size) { + size_t chunk = 2048; + if (chunk > size - offset) { + chunk = size - offset; + } + rv = mach_vm_write(tfp0, where + offset, (mach_vm_offset_t)p + offset, (mach_msg_type_number_t)chunk); + if (rv) { + fprintf(stderr, "[e] error writing kernel @%p\n", (void *)(offset + where)); + break; + } + offset += chunk; + } + return offset; +} + +mach_port_t try_restore_port() { + mach_port_t port = MACH_PORT_NULL; + kern_return_t err; + err = host_get_special_port(mach_host_self(), 0, 4, &port); + if (err == KERN_SUCCESS && port != MACH_PORT_NULL) { + printf("got persisted port!\n"); + // make sure rk64 etc use this port + return port; + } + printf("unable to retrieve persisted port\n"); + return MACH_PORT_NULL; +} + +int injectTrustCache(int argc, char* argv[], uint64_t trust_chain, uint64_t amficache) { + printf("Injecting to trust cache...\n"); + struct trust_mem mem; + size_t length = 0; + uint64_t kernel_trust = 0; + + mem.next = rk64(trust_chain); + *(uint64_t *)&mem.uuid[0] = 0xabadbabeabadbabe; + *(uint64_t *)&mem.uuid[8] = 0xabadbabeabadbabe; + + for (int i = 1; i < argc; i++) { + int rv = grab_hashes(argv[i], kread, amficache, mem.next); + if (rv) { + printf("Failed to inject to trust cache.\n"); + return -1; + } + } + + length = (sizeof(mem) + numhash * 20 + 0xFFFF) & ~0xFFFF; + kernel_trust = kmem_alloc(length); + printf("alloced: 0x%zx => 0x%llx\n", length, kernel_trust); + + mem.count = numhash; + kwrite(kernel_trust, &mem, sizeof(mem)); + kwrite(kernel_trust + sizeof(mem), allhash, numhash * 20); + wk64(trust_chain, kernel_trust); + printf("Successfully injected to trust cache.\n"); + return 0; +} + +int main(int argc, char* argv[]) { + if (argc < 2) { + fprintf(stderr,"Usage: inject /full/path/to/executable\n"); + fprintf(stderr,"Inject executables to trust cache\n"); + return -1; + } + tfp0 = try_restore_port(); + uint64_t kernel_base = get_kernel_base(tfp0); + init_kernel(kernel_base, NULL); + uint64_t trust_chain = find_trustcache(); + uint64_t amficache = find_amficache(); + term_kernel(); + return injectTrustCache(argc, argv, trust_chain, amficache); +} |