#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <pthread.h>
#include <dlfcn.h>
#include <mach/mach.h>
#import <Foundation/Foundation.h>
#include "libtakeover.hpp"
#import "FindProcess.h"
// Path of the library that main() dlopen()s inside the target process.
// Whatever file is at this path runs with the target's privileges, so it must
// only be writable by the account that is allowed to run this tool (root-owned,
// not group/world-writable); otherwise anyone who can replace the file gets
// code execution in every process this tool is pointed at.
// Left as a non-const char* — presumably because of the writeMem() parameter
// type in libtakeover.hpp (not visible here); confirm before changing.
static char* dylib = "/usr/lib/CycriptLoader.dylib";
// PID of the target, resolved from the process name given on the command line.
// -1 until resolved.
static pid_t pid = -1;
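/// cycripter: attach to a running process by name and dlopen() `dylib` inside
/// it, using libtakeover to hijack one of the target's threads for the remote
/// calls.
///
/// argv[1] is the target process name. Returns 0 after the dylib is loaded
/// (it then blocks in CFRunLoopRun()), -1 on any failure.
///
/// task_for_pid() on another process requires root / the appropriate
/// entitlement (a jailbroken device for system processes); nothing below works
/// without that.
int main(int argc, char* argv[]){
    // Offset inside the remote scratch allocation at which the path string is
    // written. Kept from the original; the reason for the 0x100 gap is not
    // recorded here.
    const size_t kPathOffset = 0x100;
    // Upper bound on how much of a dlerror() message we copy back. The length
    // comes from the target process, so it is treated as untrusted input.
    const uint64_t kMaxErrorLen = 4096;

    if (argc < 2){
        printf("Usage: cycripter <process name> &\n\n");
        printf("\tIt is important to append & when running this task!!! Otherwise upon exit it brings down the injected process with it, not sure why that happens yet.\n\n");
        return 0;
    }

    char *process_name = argv[1];

    pid = [FindProcess find_process:process_name];

    // Refuse to continue on a failed lookup instead of handing the failure
    // value to task_for_pid(). This matters for a lookup that yields 0:
    // pid 0 is the kernel task, which a jailbreak's tfp0 patch makes reachable,
    // so a missing process must never turn into a kernel-task injection.
    if (pid <= 0) {
        fprintf(stderr, "Could not find a running process named \"%s\"\n", process_name);
        return -1;
    }

    printf("\n%s PID is %d\n", process_name, pid);

    task_t remoteTask;
    kern_return_t kr = task_for_pid(mach_task_self(), pid, &remoteTask);
    if (kr != KERN_SUCCESS) {
        // pid_t is a signed int, so %d (the original used %u).
        printf("Failed to get task for pid %d!\n", pid);
        return -1;
    }

    // takeover wraps the remote task; kidnapThread() captures one of its
    // threads so callfunc() below can run code in the target's context.
    tihmstar::takeover mytk(remoteTask);
    mytk.kidnapThread();

    // Remote scratch buffer holding the NUL-terminated dylib path.
    const size_t pathLen = strlen(dylib) + 1;
    const size_t scratchLen = kPathOffset + pathLen;
    void *dylibPathAddr = mytk.allocMem(scratchLen);
    const uint64_t remotePath = kPathOffset + (uint64_t)dylibPathAddr;
    mytk.writeMem((void *)remotePath, pathLen, dylib);

    FindProcess *proc = [FindProcess new];
    [proc startListeningForAppName:[NSString stringWithUTF8String:process_name]];

    // NOTE(review): the *local* addresses of dlopen/dlerror/strlen are passed
    // straight to the target. That only resolves correctly if the target maps
    // the shared cache at the same slide as this process — assumed here, not
    // checked; a mismatch would make the remote call jump into garbage.
    // RTLD_NOW is the 0x2 the original passed as a bare literal.
    uint64_t ret = mytk.callfunc((void *)&dlopen, {remotePath, (uint64_t)RTLD_NOW});

    // The path is no longer needed once dlopen has returned, whatever the result.
    mytk.deallocMem(dylibPathAddr, scratchLen);

    if (ret == 0) {
        uint64_t error = mytk.callfunc((void *)&dlerror, {});
        if (error == 0){
            printf("Error occurred, but dlerror returned NULL!\n");
            return -1;
        }

        // strlen() runs in the target, so its result is attacker-influenced
        // from our point of view: cap it before sizing a local buffer, check
        // the allocation, and NUL-terminate locally rather than trusting the
        // copied bytes.
        uint64_t len = mytk.callfunc((void *)&strlen, {error});
        if (len > kMaxErrorLen) {
            len = kMaxErrorLen;
        }
        char *local_cstring = (char *)malloc((size_t)len + 1);
        if (local_cstring == NULL) {
            printf("Error occurred, but could not allocate %llu bytes to read the message!\n",
                   (unsigned long long)(len + 1));
            return -1;
        }
        mytk.readMem((void *)error, (size_t)len + 1, local_cstring);
        local_cstring[len] = '\0';

        printf("Error is %s\n", local_cstring);

        free(local_cstring);
        return -1;
    }

    printf("No error occurred!\n");

    // Keep the process (and the listener registered above) alive; the usage
    // text explains that exiting is known to take the target down with it.
    CFRunLoopRun();
    return 0;
}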