|
|
@@ -14,67 +14,67 @@ static pid_t pid = -1;
|
|
|
|
|
|
|
|
|
int main(int argc, char* argv[]){
|
|
|
- if (argc < 2){
|
|
|
- printf("Usage: cycripter <process name> &\n\n");
|
|
|
+ if (argc < 2){
|
|
|
+ printf("Usage: cycripter <process name> &\n\n");
|
|
|
printf("\tIt is important to append & when running this task!!! Otherwise upon exit it brings down the injected process with it, not sure why that happens yet.\n\n");
|
|
|
- return 0;
|
|
|
- }
|
|
|
-
|
|
|
- char *process_name = argv[1];
|
|
|
+ return 0;
|
|
|
+ }
|
|
|
+
|
|
|
+ char *process_name = argv[1];
|
|
|
|
|
|
pid = [FindProcess find_process:process_name];
|
|
|
|
|
|
- printf("\n%s PID is %d\n", process_name, pid);
|
|
|
+ printf("\n%s PID is %d\n", process_name, pid);
|
|
|
|
|
|
|
|
|
- task_t remoteTask;
|
|
|
- kern_return_t kr = task_for_pid(mach_task_self(), pid, &remoteTask);
|
|
|
- if (kr != KERN_SUCCESS) {
|
|
|
- printf("Failed to get task for pid %u!\n", pid);
|
|
|
- return -1;
|
|
|
- }
|
|
|
-
|
|
|
- //printf("Remote task: 0x%x\n", remoteTask);
|
|
|
- tihmstar::takeover mytk(remoteTask);
|
|
|
-
|
|
|
- mytk.kidnapThread();
|
|
|
-
|
|
|
- void *dylibPathAddr = mytk.allocMem(0x100 + strlen(dylib) + 1);
|
|
|
- mytk.writeMem((void *)(0x100 + (uint64_t)dylibPathAddr), strlen(dylib) + 1, dylib);
|
|
|
-
|
|
|
- //printf("Dylib Path Addr: 0x%llx\n", 0x100 + (uint64_t)dylibPathAddr);
|
|
|
-
|
|
|
+ task_t remoteTask;
|
|
|
+ kern_return_t kr = task_for_pid(mach_task_self(), pid, &remoteTask);
|
|
|
+ if (kr != KERN_SUCCESS) {
|
|
|
+ printf("Failed to get task for pid %u!\n", pid);
|
|
|
+ return -1;
|
|
|
+ }
|
|
|
+
|
|
|
+ //printf("Remote task: 0x%x\n", remoteTask);
|
|
|
+ tihmstar::takeover mytk(remoteTask);
|
|
|
+
|
|
|
+ mytk.kidnapThread();
|
|
|
+
|
|
|
+ void *dylibPathAddr = mytk.allocMem(0x100 + strlen(dylib) + 1);
|
|
|
+ mytk.writeMem((void *)(0x100 + (uint64_t)dylibPathAddr), strlen(dylib) + 1, dylib);
|
|
|
+
|
|
|
+ //printf("Dylib Path Addr: 0x%llx\n", 0x100 + (uint64_t)dylibPathAddr);
|
|
|
+
|
|
|
//printf("Start listening...\n");
|
|
|
|
|
|
FindProcess *proc = [FindProcess new];
|
|
|
[proc startListeningForAppName:[NSString stringWithUTF8String:process_name]];
|
|
|
|
|
|
|
|
|
- //printf("Trying dlopen...\n");
|
|
|
-
|
|
|
- uint64_t ret = mytk.callfunc((void *)&dlopen, {0x100 + (uint64_t)dylibPathAddr, 2});
|
|
|
- //printf("dylib opened at addr: 0x%llx\n", ret);
|
|
|
-
|
|
|
- mytk.deallocMem(dylibPathAddr, 0x100 + strlen(dylib) + 1);
|
|
|
-
|
|
|
- if (ret != 0){
|
|
|
- printf("No error occurred!\n");
|
|
|
- } else {
|
|
|
- uint64_t error = mytk.callfunc((void *)&dlerror, {});
|
|
|
- if (error == 0){
|
|
|
- printf("Error occurred, but dlerror returned NULL!\n");
|
|
|
- return -1;
|
|
|
- } else {
|
|
|
- uint64_t len = mytk.callfunc((void *)&strlen, {error});
|
|
|
- char *local_cstring = (char *)malloc(len + 1);
|
|
|
- mytk.readMem((void *)error, len + 1, local_cstring);
|
|
|
-
|
|
|
- printf("Error is %s\n", local_cstring);
|
|
|
-
|
|
|
- return -1;
|
|
|
- }
|
|
|
- }
|
|
|
-
|
|
|
+ //printf("Trying dlopen...\n");
|
|
|
+
|
|
|
+ uint64_t ret = mytk.callfunc((void *)&dlopen, {0x100 + (uint64_t)dylibPathAddr, 2});
|
|
|
+ //printf("dylib opened at addr: 0x%llx\n", ret);
|
|
|
+
|
|
|
+ mytk.deallocMem(dylibPathAddr, 0x100 + strlen(dylib) + 1);
|
|
|
+
|
|
|
+ if (ret != 0){
|
|
|
+ printf("No error occurred!\n");
|
|
|
+ } else {
|
|
|
+ uint64_t error = mytk.callfunc((void *)&dlerror, {});
|
|
|
+ if (error == 0){
|
|
|
+ printf("Error occurred, but dlerror returned NULL!\n");
|
|
|
+ return -1;
|
|
|
+ } else {
|
|
|
+ uint64_t len = mytk.callfunc((void *)&strlen, {error});
|
|
|
+ char *local_cstring = (char *)malloc(len + 1);
|
|
|
+ mytk.readMem((void *)error, len + 1, local_cstring);
|
|
|
+
|
|
|
+ printf("Error is %s\n", local_cstring);
|
|
|
+
|
|
|
+ return -1;
|
|
|
+ }
|
|
|
+ }
|
|
|
+
|
|
|
CFRunLoopRun();
|
|
|
- return 0;
|
|
|
+ return 0;
|
|
|
}
|
Kevin Bradley