inject_bundle – Issue with mach_override

April 5, 2010

So I’ve had mixed success when injecting into other processes on OS X. The majority of functions will hook just fine using mach_star (Intel), but I was having a particular problem hooking some functions. I wanted to get a better idea of what was actually being passed to one of them, and, of course, it wouldn’t hook, ever. So I started to dive into mach_override.c a bit and realized that the instruction matching “algorithm” isn’t exhaustive. Basically, mach_override walks the machine code at the start of the function you want to override and verifies that it can in fact override it: the patch it writes is a 5-byte JMP (E9 plus a 32-bit displacement), so it has to recognize whole instructions covering at least those first 5 bytes, because those instructions are copied out to a reentry island and executed from there. Each entry in its table is a length, a byte mask and a constraint; a code byte matches when (byte & mask) == constraint, so a 0x00 mask byte means “any value” (an immediate or an address). If any instruction in that range is not in the table, mach_override prints a warning about unknown instructions and refuses to install the hook rather than splitting an instruction in half. This is the relevant table that was giving me trouble:

static AsmInstructionMatch possibleInstructions[] = {
{ 0x1, {0xFF}, {0x90} },                         // nop
{ 0x1, {0xFF}, {0x55} },                         // push %ebp
{ 0x2, {0xFF, 0xFF}, {0x89, 0xE5} },             // mov %esp,%ebp
{ 0x1, {0xFF}, {0x53} },                         // push %ebx
{ 0x3, {0xFF, 0xFF, 0x00}, {0x83, 0xEC, 0x00} }, // sub $0x??,%esp (imm8 is a wildcard)
{ 0x1, {0xFF}, {0x57} },                         // push %edi
{ 0x1, {0xFF}, {0x56} },                         // push %esi
{ 0x0 }                                          // terminator
};

The relevant function I wanted to hook started with:

A1 44 E6 D8 00

This was the “problem.” A1 is the moffs32 form of mov: `mov 0xd8e644, %eax`, a 5-byte instruction that loads %eax from an absolute address. There is no rule in possibleInstructions that accommodates it, so the first instruction fails to match and the hook is rejected. So I just added one 🙂

static AsmInstructionMatch possibleInstructions[] = {
{ 0x1, {0xFF}, {0x90} },                         // nop
{ 0x1, {0xFF}, {0x55} },                         // push %ebp
{ 0x2, {0xFF, 0xFF}, {0x89, 0xE5} },             // mov %esp,%ebp
{ 0x5, {0xFF, 0x00, 0x00, 0x00, 0x00}, {0xA1, 0x00, 0x00, 0x00, 0x00} }, // mov moffs32,%eax (A1 + 4-byte absolute address, any value)
{ 0x1, {0xFF}, {0x53} },                         // push %ebx
{ 0x3, {0xFF, 0xFF, 0x00}, {0x83, 0xEC, 0x00} }, // sub $0x??,%esp (imm8 is a wildcard)
{ 0x1, {0xFF}, {0x57} },                         // push %edi
{ 0x1, {0xFF}, {0x56} },                         // push %esi
{ 0x0 }                                          // terminator
};

Recompiled, injected, and it works 🙂  Figured I would make a blog post, considering I spent a good 2 hours trying to figure this out; I can definitely say I have a decently better understanding of what is actually going on 😉
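To make the matching concrete, here is a stand-alone re-implementation of the table walk, written for this post as an added example (it is not mach_override’s own code, though it follows the same length/mask/constraint semantics). It runs the original i386 table and the extended one over two constructed prologues: a textbook push %ebp / mov %esp,%ebp / sub prologue, and the A1 44 E6 D8 00 prologue above padded with constructed bytes. Two caveats before adding entries of your own: the bytes the table eats are copied to the reentry island and executed from a different address, so an entry is only safe for an instruction that is position independent, which A1 is because its operand is an absolute address rather than a displacement; and A1 is 5 bytes only in 32-bit mode (in x86-64 the same opcode carries a 64-bit address), so this entry belongs in the i386 table.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not mach_override's own code: a stand-alone version of
 * the mask/constraint matcher that mach_override.c runs over the first
 * bytes of a function before overwriting them with a 5-byte JMP.
 * Each entry is { length, mask[], constraint[] }; a byte matches when
 * (code & mask) == constraint, so a 0x00 mask byte accepts any value. */

#define MAX_INSN 15
#define JMP_LEN  5   /* E9 rel32: the patch mach_override writes */

typedef struct {
    unsigned int  length;
    unsigned char mask[MAX_INSN];
    unsigned char constraint[MAX_INSN];
} AsmInstructionMatch;

/* The i386 table as shipped (comment for 0x55 corrected: it is push %ebp). */
static const AsmInstructionMatch original_table[] = {
    { 1, {0xFF},             {0x90} },               /* nop            */
    { 1, {0xFF},             {0x55} },               /* push %ebp      */
    { 2, {0xFF, 0xFF},       {0x89, 0xE5} },         /* mov %esp,%ebp  */
    { 1, {0xFF},             {0x53} },               /* push %ebx      */
    { 3, {0xFF, 0xFF, 0x00}, {0x83, 0xEC, 0x00} },   /* sub $imm8,%esp */
    { 1, {0xFF},             {0x57} },               /* push %edi      */
    { 1, {0xFF},             {0x56} },               /* push %esi      */
    { 0 }
};

/* Same table plus the post's new entry: A1 moffs32 = mov addr,%eax.
 * Only the opcode byte is constrained; the 4 address bytes are wildcards. */
static const AsmInstructionMatch extended_table[] = {
    { 1, {0xFF},             {0x90} },
    { 1, {0xFF},             {0x55} },
    { 2, {0xFF, 0xFF},       {0x89, 0xE5} },
    { 5, {0xFF, 0x00, 0x00, 0x00, 0x00}, {0xA1, 0x00, 0x00, 0x00, 0x00} },
    { 1, {0xFF},             {0x53} },
    { 3, {0xFF, 0xFF, 0x00}, {0x83, 0xEC, 0x00} },
    { 1, {0xFF},             {0x57} },
    { 1, {0xFF},             {0x56} },
    { 0 }
};

static bool code_matches(const unsigned char *code, const AsmInstructionMatch *insn)
{
    for (unsigned int i = 0; i < insn->length; i++)
        if ((code[i] & insn->mask[i]) != insn->constraint[i])
            return false;
    return true;
}

/* Eat whole instructions until at least JMP_LEN bytes are covered.
 * Returns the number of bytes that would be relocated to the reentry
 * island (>= 5, since the last instruction may straddle the boundary),
 * or -1 if some instruction is not in the table, which is the case where
 * mach_override refuses to hook rather than cut an instruction in half. */
int eat_known_instructions(const unsigned char *code, size_t code_len,
                           const AsmInstructionMatch *table)
{
    size_t eaten = 0;
    while (eaten < JMP_LEN) {
        const AsmInstructionMatch *m = table;
        for (; m->length > 0; m++)
            if (eaten + m->length <= code_len && code_matches(code + eaten, m))
                break;
        if (m->length == 0)
            return -1;                 /* unknown instruction: cannot hook safely */
        eaten += m->length;
    }
    return (int)eaten;
}

/* Constructed sample prologues (not dumped from a real binary). */
static const unsigned char prologue_frame[]   = { 0x55, 0x89, 0xE5, 0x83, 0xEC, 0x18, 0x53 };
/* The post's A1 44 E6 D8 00, followed by constructed padding bytes. */
static const unsigned char prologue_mov_eax[] = { 0xA1, 0x44, 0xE6, 0xD8, 0x00, 0x55, 0x89, 0xE5 };

int main(void)
{
    printf("push/mov/sub prologue, original table: %d bytes eaten\n",
           eat_known_instructions(prologue_frame, sizeof prologue_frame, original_table));
    printf("mov addr,%%eax prologue, original table: %d (unknown instruction)\n",
           eat_known_instructions(prologue_mov_eax, sizeof prologue_mov_eax, original_table));
    printf("mov addr,%%eax prologue, extended table: %d bytes eaten\n",
           eat_known_instructions(prologue_mov_eax, sizeof prologue_mov_eax, extended_table));
    return 0;
}
```

The first prologue shows why the walk returns a byte count rather than a yes/no: push (1) + mov (2) + sub (3) covers 6 bytes, so 6 bytes are relocated even though only 5 are overwritten, and mach_override has to account for the extra byte when it builds the island. The second and third calls reproduce the failure and the fix from the post.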
