论坛地址:http://www.chinapyg.com/
转:http://www.dllhook.com/post/39.html
// ./insert_dylib @executable_path(表示加载bin所在目录)/inject.dylib test
#include <stdlib.h>
#include <stdio.h>
#include <stdbool.h>
#include <stdarg.h>
#include <string.h>
#include <unistd.h>
#include <getopt.h>
#include <sys/stat.h>
#include <copyfile.h>
#include <mach-o/loader.h>
#include <mach-o/fat.h>
#define IS_64_BIT(x) ((x) == MH_MAGIC_64 || (x) == MH_CIGAM_64)
#define IS_LITTLE_ENDIAN(x) ((x) == FAT_CIGAM || (x) == MH_CIGAM_64 || (x) == MH_CIGAM)
#define SWAP32(x, magic) (IS_LITTLE_ENDIAN(magic)? OSSwapInt32(x): (x))
__attribute__((noreturn)) void usage(void) {
printf("Usage: insert_dylib [--inplace] [--weak] dylib_path binary_path [new_path]\n");
exit(1);
}
__attribute__((format(printf, 1, 2))) bool ask(const char *format, ...) {
char *question;
asprintf(&question, "%s [y/n] ", format);
va_list args;
va_start(args, format);
vprintf(question, args);
va_end(args);
free(question);
while(true) {
char *line = NULL;
size_t size;
getline(&line, &size, stdin);
switch(line[0]) {
case 'y':
case 'Y':
return true;
break;
case 'n':
case 'N':
return false;
break;
default:
printf("Please enter y or n: ");
}
}
}
void remove_code_signature(FILE *f, struct mach_header *mh, size_t header_offset, size_t commands_offset) {
fseek(f, commands_offset, SEEK_SET);
uint32_t ncmds = SWAP32(mh->ncmds, mh->magic);
for(int i = 0; i < ncmds; i++) {
struct load_command lc;
fread(&lc, sizeof(lc), 1, f);
if(SWAP32(lc.cmd, mh->magic) == LC_CODE_SIGNATURE) {
if(i == ncmds - 1 && ask("LC_CODE_SIGNATURE load command found. Remove it?")) {
fseek(f, -((long)sizeof(lc)), SEEK_CUR);
struct linkedit_data_command ldc;
fread(&ldc, sizeof(ldc), 1, f);
uint32_t cmdsize = SWAP32(ldc.cmdsize, mh->magic);
uint32_t dataoff = SWAP32(ldc.dataoff, mh->magic);
uint32_t datasize = SWAP32(ldc.datasize, mh->magic);
fseek(f, -((long)sizeof(ldc)), SEEK_CUR);
char *zero = calloc(cmdsize, 1);
fwrite(zero, cmdsize, 1, f);
free(zero);
fseek(f, header_offset + dataoff, SEEK_SET);
zero = calloc(datasize, 1);
fwrite(zero, datasize, 1, f);
free(zero);
mh->ncmds = SWAP32(ncmds - 1, mh->magic);
mh->sizeofcmds = SWAP32(SWAP32(mh->sizeofcmds, mh->magic) - ldc.cmdsize, mh->magic);
return;
} else {
printf("LC_CODE_SIGNATURE is not the last load command, so couldn't remove.");
}
}
fseek(f, SWAP32(lc.cmdsize, mh->magic) - sizeof(lc), SEEK_CUR);
}
}
bool insert_dylib(FILE *f, size_t header_offset, const char *dylib_path, bool weak) {
fseek(f, header_offset, SEEK_SET);
struct mach_header mh;
fread(&mh, sizeof(struct mach_header), 1, f);
if(mh.magic != MH_MAGIC_64 && mh.magic != MH_CIGAM_64 && mh.magic != MH_MAGIC && mh.magic != MH_CIGAM) {
printf("Unknown magic: 0x%x\n", mh.magic);
return false;
}
size_t commands_offset = header_offset + (IS_64_BIT(mh.magic)? sizeof(struct mach_header_64): sizeof(struct mach_header));
remove_code_signature(f, &mh, header_offset, commands_offset);
size_t dylib_path_len = strlen(dylib_path);
size_t dylib_path_size = (dylib_path_len & ~3) + 4;
uint32_t cmdsize = (uint32_t)(sizeof(struct dylib_command) + dylib_path_size);
struct dylib_command dylib_command = {
.cmd = SWAP32(weak? LC_LOAD_WEAK_DYLIB: LC_LOAD_DYLIB, mh.magic),
.cmdsize = SWAP32(cmdsize, mh.magic),
.dylib = {
.name = SWAP32(sizeof(struct dylib_command), mh.magic),
.timestamp = 0,
.current_version = 0,
.compatibility_version = 0
}
};
uint32_t sizeofcmds = SWAP32(mh.sizeofcmds, mh.magic);
fseek(f, commands_offset + sizeofcmds, SEEK_SET);
char space[cmdsize];
fread(&space, cmdsize, 1, f);
bool empty = true;
for(int i = 0; i < cmdsize; i++) {
if(space[i] != 0) {
empty = false;
break;
}
}
if(!empty) {
if(!ask("It doesn't seem like there is enough empty space. Continue anyway?")) {
return false;
}
}
fseek(f, -((long)cmdsize), SEEK_CUR);
char *dylib_path_padded = calloc(dylib_path_size, 1);
memcpy(dylib_path_padded, dylib_path, dylib_path_len);
fwrite(&dylib_command, sizeof(dylib_command), 1, f);
fwrite(dylib_path_padded, dylib_path_size, 1, f);
free(dylib_path_padded);
mh.ncmds = SWAP32(SWAP32(mh.ncmds, mh.magic) + 1, mh.magic);
sizeofcmds += cmdsize;
mh.sizeofcmds = SWAP32(sizeofcmds, mh.magic);
fseek(f, header_offset, SEEK_SET);
fwrite(&mh, sizeof(mh), 1, f);
return true;
}
int main(int argc, const char *argv[]) {
int inplace = false;
int weak = false;
struct option long_options[] = {
{"inplace", no_argument, &inplace, true},
{"weak", no_argument, &weak, true}
};
while(true) {
int option_index = 0;
int c = getopt_long(argc, (char *const *)argv, "", long_options, &option_index);
if(c == -1) {
break;
}
switch(c) {
case 0:
break;
case '?':
usage();
break;
default:
abort();
break;
}
}
argv = &argv[optind - 1];
argc -= optind - 1;
if(argc < 3 || argc > 4) {
usage();
}
const char *lc_name = weak? "LC_LOAD_WEAK_DYLIB": "LC_LOAD_DYLIB";
const char *dylib_path = argv[1];
const char *binary_path = argv[2];
struct stat s;
if(stat(binary_path, &s) != 0) {
perror(binary_path);
exit(1);
}
if(stat(dylib_path, &s) != 0) {
if(!ask("The provided dylib path doesn't exist. Continue anyway?")) {
exit(1);
}
}
bool binary_path_was_malloced = false;
if(!inplace) {
char *new_binary_path;
if(argc == 4) {
new_binary_path = (char *)argv[3];
} else {
asprintf(&new_binary_path, "%s_patched", binary_path);
binary_path_was_malloced = true;
}
if(stat(new_binary_path, &s) == 0) {
if(!ask("%s already exists. Overwrite it?", new_binary_path)) {
exit(1);
}
}
if(copyfile(binary_path, new_binary_path, NULL, COPYFILE_DATA | COPYFILE_UNLINK)) {
printf("Failed to create %s\n", new_binary_path);
exit(1);
}
binary_path = new_binary_path;
}
FILE *f = fopen(binary_path, "r+");
if(!f) {
printf("Couldn't open file %s\n", argv[1]);
exit(1);
}
bool success = true;
uint32_t magic;
fread(&magic, sizeof(uint32_t), 1, f);
switch(magic) {
case FAT_MAGIC:
case FAT_CIGAM: {
fseek(f, 0, SEEK_SET);
struct fat_header fh;
fread(&fh, sizeof(struct fat_header), 1, f);
uint32_t nfat_arch = SWAP32(fh.nfat_arch, magic);
printf("Binary is a fat binary with %d archs.\n", nfat_arch);
struct fat_arch archs[nfat_arch];
fread(&archs, sizeof(archs), 1, f);
int fails = 0;
for(int i = 0; i < nfat_arch; i++) {
bool r = insert_dylib(f, SWAP32(archs[i].offset, magic), dylib_path, weak);
if(!r) {
printf("Failed to add %s to arch #%d!\n", lc_name, i + 1);
fails++;
}
}
if(fails == 0) {
printf("Added %s to all archs in %s\n", lc_name, binary_path);
} else if(fails == nfat_arch) {
printf("Failed to add %s to any archs.\n", lc_name);
success = false;
} else {
printf("Added %s to %d/%d archs in %s\n", lc_name, nfat_arch - fails, nfat_arch, binary_path);
}
break;
}
case MH_MAGIC_64:
case MH_CIGAM_64:
case MH_MAGIC:
case MH_CIGAM:
if(insert_dylib(f, 0, dylib_path, weak)) {
printf("Added %s to %s\n", lc_name, binary_path);
} else {
printf("Failed to add %s!\n", lc_name);
success = false;
}
break;
default:
printf("Unknown magic: 0x%x\n", magic);
exit(1);
}
fclose(f);
if(!success) {
if(!inplace) {
unlink(binary_path);
}
exit(1);
}
if(binary_path_was_malloced) {
free((void *)binary_path);
}
return 0;
}