iosline.php注入,iOS下远程进程注入dylib源码

[Asm] 纯文本查看 复制代码//

// main.c

// swinjector

//

// Created by rainyx on 13-7-24.

// Copyright (c) 2013年 __MyCompanyName__. All rights reserved.

//

#include

#include

#include

#include

#include

#include

#define CPSR_T_MASK (1u<<5)

struct INJECT_CONTEXT

{

unsigned int _pthreadStruct;

void (*__pthread_set_self)(pthread_t);

int (*pthread_create)(pthread_t *, const pthread_attr_t *, void *(*)(void *), void *);

int (*pthread_join)(pthread_t, void **);

mach_port_t (*mach_thread_self)();

kern_return_t (*thread_terminate)(thread_act_t);

const char *library;

void *(*dlopen)(const char *, int);

} INJECT_CONTEXT;

int main (int argc, const char * argv[])

{

if(argc!=3)

{

printf("Usage: \n");

return 0;

}

const char *library = argv[2];

mach_port_t self = mach_task_self();

mach_port_t remoteTask;

pid_t pid = (pid_t)strtoul(argv[1], NULL, 10);

task_for_pid(mach_task_self(), pid, &remoteTask);

if(!remoteTask)

{

printf("Failed: task_for_pid, pid: %d(0x%X).\n", pid, pid);

return 0;

}

// 分配栈空间

vm_address_t remoteStack;

vm_size_t stackSize = 16*1024;

vm_allocate(remoteTask, &remoteStack, stackSize, TRUE);

// 写入library字符串

vm_size_t libraryLen = strlen(library);

vm_address_t remoteLibrary;

vm_allocate(remoteTask, &remoteLibrary, libraryLen, TRUE);

vm_write(remoteTask, remoteLibrary, library, (mach_msg_type_number_t)libraryLen);

// 分配_pthread struct空间

vm_address_t remotePthreadStruct;

vm_size_t pthreadStructSize = 1024;

vm_allocate(remoteTask, &remotePthreadStruct, pthreadStructSize, TRUE);

// 写入Context

struct INJECT_CONTEXT context;

extern void __pthread_set_self(pthread_t);

context.library = remoteLibrary;

context._pthreadStruct = (unsigned int)remotePthreadStruct;

context.__pthread_set_self = &__pthread_set_self;

context.thread_terminate = &thread_terminate;

context.mach_thread_self = &mach_thread_self;

context.pthread_create = &pthread_create;

context.pthread_join = &pthread_join;

context.dlopen = &dlopen;

vm_size_t contextSize = sizeof(INJECT_CONTEXT);

vm_address_t remoteContext;

vm_allocate(remoteTask, &remoteContext, contextSize, TRUE);

vm_write(remoteTask, remoteContext, &context, (mach_msg_type_number_t)contextSize);

// 写入Code

unsigned char code[124] = {

0x80, 0x40, 0x2D, 0xE9, 0x08, 0xD0, 0x4D, 0xE2, 0x00, 0x70, 0xA0, 0xE1, 0x00, 0x00, 0x97, 0xE5,

0x00, 0x00, 0x80, 0xE5, 0x04, 0x10, 0x97, 0xE5, 0x31, 0xFF, 0x2F, 0xE1, 0x0D, 0x00, 0xA0, 0xE1,

0x00, 0x10, 0xA0, 0xE3, 0x30, 0x20, 0x8F, 0xE2, 0x07, 0x30, 0xA0, 0xE1, 0x08, 0x40, 0x97, 0xE5,

0x34, 0xFF, 0x2F, 0xE1, 0x00, 0x00, 0x9D, 0xE5, 0x04, 0x10, 0x8D, 0xE2, 0x0C, 0x20, 0x97, 0xE5,

0x32, 0xFF, 0x2F, 0xE1, 0x10, 0x10, 0x97, 0xE5, 0x31, 0xFF, 0x2F, 0xE1, 0x14, 0x10, 0x97, 0xE5,

0x31, 0xFF, 0x2F, 0xE1, 0x08, 0xD0, 0x8D, 0xE2, 0x80, 0x80, 0xBD, 0xE8, 0x80, 0x40, 0x2D, 0xE9,

0x00, 0x70, 0xA0, 0xE1, 0x18, 0x00, 0x97, 0xE5, 0x02, 0x10, 0xA0, 0xE3, 0x1C, 0x20, 0x97, 0xE5,

0x32, 0xFF, 0x2F, 0xE1, 0x00, 0x00, 0xA0, 0xE3, 0x80, 0x80, 0xBD, 0xE8

};

vm_size_t codeSize = 124;

vm_address_t remoteCode;

vm_allocate(remoteTask, &remoteCode, codeSize, TRUE);

vm_write(remoteTask, remoteCode, &code, (mach_msg_type_number_t)codeSize);

vm_protect(remoteTask, remoteCode, codeSize, FALSE, VM_PROT_READ | VM_PROT_WRITE | VM_PROT_EXECUTE);

// 创建远程线程

arm_thread_state_t state;

memset(&state, 0, sizeof(state));

state.__r[0] = (__uint32_t)remoteContext;

state.__pc = (__uint32_t)remoteCode;

state.__sp = (__uint32_t)(remoteStack + stackSize/2);

if (state.__pc & 0x1)

{

state.__pc &= ~0x1;

state.__cpsr |= CPSR_T_MASK;

}

else

{

state.__cpsr &= ~CPSR_T_MASK;

}

// 启动线程

thread_act_t remoteThread;

thread_create_running(remoteTask, ARM_THREAD_STATE, (thread_state_t) &state, ARM_THREAD_STATE_COUNT, &remoteThread);

//printf("Remote thread is running.\n");

// 等待线程结束，释放资源

thread_state_flavor_t flavor;

mach_msg_type_number_t count;

flavor = ARM_THREAD_STATE;

count = ARM_THREAD_STATE_COUNT;

mach_msg_type_number_t read;

kern_return_t status;

while (true)

{

read = count;

status = thread_get_state(remoteThread, flavor, (thread_state_t)&state, &read);

if(status == KERN_SUCCESS)

{

usleep(10000);

continue;

}

else if(status == KERN_TERMINATED || status == MACH_SEND_INVALID_DEST)

{

break;

}

else

{

// TODO on error.

}

}

if(remoteThread)

mach_port_deallocate(self, remoteThread);

if(remoteCode)

vm_deallocate(remoteTask, remoteCode, codeSize);

if(remotePthreadStruct)

vm_deallocate(remoteTask, remotePthreadStruct, pthreadStructSize);

if(remoteLibrary)

vm_deallocate(remoteTask, remoteLibrary, libraryLen);

if(remoteContext)

vm_deallocate(remoteTask, remoteContext, contextSize);

if(remoteStack)

vm_deallocate(remoteTask, remoteStack, stackSize);

printf("Injected successfully!\n");

return 0;

}