• Open Menu Close Menu
  • Apple
  • Shopping Bag
  • Apple
  • Mac
  • iPad
  • iPhone
  • Watch
  • TV
  • Music
  • Support
  • Search apple.com
  • Shopping Bag

Lists

Open Menu Close Menu
  • Terms and Conditions
  • Lists hosted on this site
  • Email the Postmaster
  • Tips for posting to public mailing lists
RE: Problem with dlopen
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Problem with dlopen

  • Subject: RE: Problem with dlopen
  • From: "Emmanuel T." <email@hidden>
  • Date: Mon, 25 Jul 2016 17:43:07 +0000
  • Thread-topic: Problem with dlopen

I’m guessing that all that stuff changed since Maverick 😊

When I wrote the dylib injection at the time, I wasn’t using pthread_set_self() but I used a couple of functions to do this.

If I remember correctly (haven’t touched a Mac for 1.5 year :/  ) I made calls to cthread_init() and pthread_init() but I could be completely wrong since I don’t remember much of it all.

 

The problem was that the app would crash otherwise because the GS selector was zero. There is a swapgs() call that’s made in the kernel at some point but even with setting GS to whatever value it was in the injecting app (setting it via the context registers) it would still be zero in the shell code thread.

 

Some calls are fine but dlopen() will do a mov GS:[%RAX+0x4] or something along those lines early in the process in order to get the thread info and since GS is zero, it will crash and die a horrible death.

You might want to look at the source code of pthread_set_self() .

 

I’ll try to find my old source and let you know what functions I used to remediate the crash.

 

Cheers

 

 

Sent from Mail for Windows 10

 

From: Gordo Cath
Sent: Monday, July 25, 2016 07:51
To: email@hidden
Subject: Problem with dlopen

 

Hi,
I'm using 10.10.5 and using the code from http://www.newosxbook.com/src.jl?tree=listings&file=inject.c
I created my own simple library from the sample at the bottom of the file using Xcode 6.2.
everything compiles fine and I'm not arm64.
When I go to run i use 2 instances of lldb.  one on the target and one in the one running inject.  
I setup a breakpoint on dlopen in the target.  I watch it go through the process of loading my library.
of interest is rbx appears to have the name of the library and r14 is set to 0.  I have seen other runtime examples have r14 set to name of the library and rbx set to the number of characters of the name of the library.
Anyways, it always crashes at addr 0x7fff62ac56097 0f 29 45 c0 movaps %xmm0 -0x40(:rbp)  -- which if i understand it is trying to save off a value to a location 0x40 ahead of where base pointer is now at.   I've checked my settings and it appears to be a legitimate location.  The values are all 0   The instruction right before it is a xorps %xmm0, %xmm0

I don't know if the 0x7fff62ac56097 holds across other programs but it /usr/lib/dyld.dylib

I tried googling to see if this is a known bug.  I'm wondering if not having the # characters set in the name in a register is the problem.

any ideas?

Thanks

Gordo
 _______________________________________________
Do not post admin requests to the list. They will be ignored.
Darwin-kernel mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:

This email sent to email@hidden
 
 _______________________________________________
Do not post admin requests to the list. They will be ignored.
Darwin-kernel mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:

This email sent to email@hidden
References: 
 >Problem with dlopen (From: Gordo Cath <email@hidden>)

  • Prev by Date: Problem with dlopen
  • Previous by thread: Problem with dlopen
  • Index(es):
    • Date
    • Thread