Created
March 14, 2023 17:23
-
-
Save 0xilis/8dac1248aaf4ff17074a30193675e6df to your computer and use it in GitHub Desktop.
inject /var/subsidiary/TweakDylib.dylib
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| %hookf(int, posix_spawn, pid_t *pid, const char *orig_path, const posix_spawn_file_actions_t *file_actions, const posix_spawnattr_t *attrp, char *const orig_argv[], char *const envp[]) { | |
| //GUESS: Add DYLD_INSERT_LIBRARIES to envp | |
| //This is example code that I think should (theoretically) work? | |
| //compile this dylib and put it in launchd, then CT sign | |
| //adds a dylib to every process (that being, "/var/subsidiary/TweakDylib.dylib") | |
| //dylib is sandboxed btw, but should be possible for unsandboxed dylibs as well theoretically, see opainject and the nullconga pdf, not in this example code tho bc idc for now | |
| //in real world we shouldn't want to insert this dylib in *everything* and only insert it in stuff it should be inserted in, but once again, only an example | |
| int addingEnvVar = 0; //int/bool that is 1 if we're adding DYLD_INSERT_LIBRARIES=, and 0 if we're modifying it | |
| int dyldLibIndex = -1; | |
| char **ptr; | |
| int index = 0; | |
| for (ptr = envp; *ptr != NULL; ptr++) { if (strlen(*ptr) > 21) { //check if string size if 22 or above, aka length of DYLD_INSERT_LIBRARIES= string if(strncmp(*ptr, "DYLD_INSERT_LIBRARIES=", 22) == 0) { //check if string in envp starts with DYLD_INSERT_LIBRARIES= | |
| dyldLibIndex = index; | |
| } | |
| } | |
| index++; | |
| } | |
| if (dyldLibIndex == -1) { | |
| addingEnvVar = 1; | |
| dyldLibIndex = index; | |
| index++; | |
| } | |
| const char* newEnvp[index]; | |
| //add env vars to newEnvp from our current environment vars | |
| int index2 = 0; | |
| for (ptr = envp; *ptr != NULL; ptr++) { | |
| newEnvp[index2] = *ptr; | |
| index2++; | |
| } | |
| if (addingEnvVar) { | |
| //add DYLD_INSERT_LIBRARIES env var | |
| //index2 should be equal to dyldLibIndex at this moment | |
| newEnvp[index2] = "DYLD_INSERT_LIBRARIES=/var/subsidiary/TweakDylib.dylib"; | |
| } else { | |
| //modify existing DYLD_INSERT_LIBRARIES env var to use /var/subsidiary/TweakDylib.dylib | |
| //ex if DYLD_INSERT_LIBRARIES env var is DYLD_INSERT_LIBRARIES=/some/lib.dylib, it should now be DYLD_INSERT_LIBRARIES=/var/subsidiary/TweakDylib.dylib:/some/lib.dylib | |
| NSString *string = [[NSString alloc]initWithUTF8String:newEnvp[dyldLibIndex]]; //make the DYLD_INSERT_LIBRARIES env var to objc string | |
| string = [NSString stringWithFormat:@"DYLD_INSERT_LIBRARIES=/var/subsidiary/TweakDylib.dylib:%@",[str substringFromIndex:22]]; | |
| newEnvp[dyldLibIndex] = [string UTF8String]; | |
| } | |
| return %orig(pid, orig_path, file_actions, attrp, orig_argv, newEnvp); | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
this is dumb and wont work