
  1. #include <stdio.h>
  2. #include <stdint.h>
  3. #include <mach/mach.h>
  4. #include "libtakeover.hpp"
  5. #include <dlfcn.h>
  6. #include <pthread.h>
  7. #include <unistd.h>
  8. #import "FindProcess.h"
  9. static char* dylib = "/usr/lib/CycriptLoader.dylib";
  10. static pid_t pid = -1;
/// Entry point: `cycripter <process name> &`.
///
/// Looks up the target's pid, obtains its task port with task_for_pid(),
/// and uses libtakeover to run dlopen() of `dylib` inside the target, then
/// blocks in CFRunLoopRun(). Returns 0 on success or on a usage message,
/// -1 when the task port cannot be obtained or the remote dlopen() fails.
///
/// Reviewer note (defensive view): task_for_pid -> commandeered thread ->
/// remote dlopen() is the canonical user-space code-injection sequence. It
/// only works when the kernel grants this caller the target's task port
/// (a privileged / entitled caller on the platform in question), and task
/// port acquisition is the auditable event endpoint monitoring keys on.
///
/// NOTE(review): strlen() and malloc() are used without <string.h> /
/// <stdlib.h>, and NSString / CFRunLoopRun() without an explicit Foundation
/// import; all rely on transitive includes (presumably via FindProcess.h) —
/// confirm.
int main(int argc, char* argv[]){
    if (argc < 2){
        printf("Usage: cycripter <process name> &\n\n");
        printf("\tIt is important to append & when running this task!!! Otherwise upon exit it brings down the injected process with it, not sure why that happens yet.\n\n");
        return 0;
    }
    char *process_name = argv[1];
    // NOTE(review): the lookup result is not validated. If find_process:
    // reports "not found" (its sentinel is not visible here), that value is
    // passed straight to task_for_pid() below; check it and bail early.
    pid = [FindProcess find_process:process_name];
    printf("\n%s PID is %d\n", process_name, pid);
    task_t remoteTask;
    // Fails with anything but KERN_SUCCESS unless the kernel permits this
    // caller to hold the target's task port.
    kern_return_t kr = task_for_pid(mach_task_self(), pid, &remoteTask);
    if (kr != KERN_SUCCESS) {
        // FIXME: pid_t is signed; use %d as in the printf above, not %u.
        printf("Failed to get task for pid %u!\n", pid);
        return -1;
    }
    //printf("Remote task: 0x%x\n", remoteTask);
    tihmstar::takeover mytk(remoteTask);
    // Presumably commandeers an existing thread in the target to run the
    // remote calls below on — see libtakeover for the exact semantics.
    mytk.kidnapThread();
    // Remote buffer: 0x100 bytes of leading slack, then the NUL-terminated
    // path. Why the 0x100 prefix is needed is not evident from this file
    // (scratch space for the remote call?) — confirm against libtakeover.
    // FIXME: `0x100 + strlen(dylib) + 1` is computed three times; hoist it.
    void *dylibPathAddr = mytk.allocMem(0x100 + strlen(dylib) + 1);
    mytk.writeMem((void *)(0x100 + (uint64_t)dylibPathAddr), strlen(dylib) + 1, dylib);
    //printf("Dylib Path Addr: 0x%llx\n", 0x100 + (uint64_t)dylibPathAddr);
    //printf("Start listening...\n");
    // Listener set up before the load so it is in place when the target
    // starts talking back; what it listens for lives in FindProcess.
    FindProcess *proc = [FindProcess new];
    [proc startListeningForAppName:[NSString stringWithUTF8String:process_name]];
    //printf("Trying dlopen...\n");
    // Calls dlopen(path, 2) in the target; 2 is RTLD_NOW on Darwin. dlopen
    // is resolved in *this* process — assumes the shared cache places it at
    // the same address in the target (confirm for the platform in use).
    uint64_t ret = mytk.callfunc((void *)&dlopen, {0x100 + (uint64_t)dylibPathAddr, 2});
    //printf("dylib opened at addr: 0x%llx\n", ret);
    mytk.deallocMem(dylibPathAddr, 0x100 + strlen(dylib) + 1);
    // Non-zero return is the dlopen handle, i.e. success.
    if (ret != 0){
        printf("No error occurred!\n");
    } else {
        // On failure, fetch dlerror() from the target and copy its string
        // back; `error` is a pointer in the target's address space.
        uint64_t error = mytk.callfunc((void *)&dlerror, {});
        if (error == 0){
            printf("Error occurred, but dlerror returned NULL!\n");
            return -1;
        } else {
            // `len` is whatever the target's strlen() reported; the copy
            // trusts it unbounded. NOTE(review): local_cstring is never
            // freed — harmless here since we return, but worth a free().
            uint64_t len = mytk.callfunc((void *)&strlen, {error});
            char *local_cstring = (char *)malloc(len + 1);
            mytk.readMem((void *)error, len + 1, local_cstring);
            printf("Error is %s\n", local_cstring);
            return -1;
        }
    }
    // Keeps this process alive so the listener keeps running; see the usage
    // text above for why it must be backgrounded with `&`.
    CFRunLoopRun();
    return 0;
}