launchd posix_spawn hooking
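// Frida script: intercept posix_spawn in libsystem_kernel and send SIGSTOP to
// every child whose spawn path mentions 'xpcproxy', so the child is paused
// before it starts executing. The signal number is the Darwin value (17);
// Linux uses 19, so this constant is macOS/iOS-specific.
const readString = Memory.readUtf8String;
const readU32 = Memory.readU32;

// Darwin SIGSTOP.
const SIGSTOP = 17;

// int kill(pid_t pid, int sig);
const kill = new NativeFunction(
  Module.findExportByName(null, 'kill'),
  'int', ['int', 'int']);

Interceptor.attach(Module.findExportByName('/usr/lib/system/libsystem_kernel.dylib', 'posix_spawn'), {
  // int posix_spawn(pid_t *pid, const char *path, ...)
  onEnter(args) {
    // Per-invocation state lives on `this`: a module-level `pid` variable
    // would be overwritten when posix_spawn runs concurrently on several
    // threads, and onLeave would then SIGSTOP the wrong process.
    this.pidPtr = args[0];
    // readUtf8String returns null for a NULL path pointer.
    this.name = readString(args[1]);
  },
  onLeave(ret) {
    // posix_spawn returns an errno value, and *pid is only written on
    // success; the caller may also pass a NULL pid pointer. Reading the pid
    // in either case would yield garbage (or crash) and kill() an arbitrary
    // pid.
    if (ret.toInt32() !== 0 || this.pidPtr.isNull()) {
      return;
    }
    const childPid = readU32(this.pidPtr);
    if (this.name !== null && this.name.includes('xpcproxy')) {
      console.log(ret, childPid);
      console.log(`# kill -STOP ${childPid} # ${this.name}`);
      kill(childPid, SIGSTOP);
    }
  },
});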