darwin: Initialize TLV thunk during mapping

frida · Jan 31, 2023 · 3100050 · 3100050
1 parent cd026ff
commit 3100050
Show file tree

Hide file tree

Showing 2 changed files with 69 additions and 0 deletions.
diff --git a/gum/backend-darwin/gumdarwinmapper.c b/gum/backend-darwin/gumdarwinmapper.c
@@ -10,6 +10,7 @@
 
 #include "gumdarwin.h"
 #include "gumdarwinmodule.h"
+#include "gumdarwinmodule-priv.h"
 #include "helpers/fixupchainprocessor.h"
 
 #include <dlfcn.h>
@@ -116,6 +117,7 @@ struct _GumMapContext
   GumDarwinMapper * mapper;
   gboolean success;
   GError ** error;
+  GumAddress tlv_get_addrAddr;
 };
 
 static void gum_darwin_mapper_constructed (GObject * object);
@@ -175,6 +177,8 @@ static GumDarwinMapping * gum_darwin_mapper_add_alias_mapping (
     GumDarwinMapper * self, const gchar * name, const GumDarwinMapping * to);
 static gboolean gum_darwin_mapper_resolve_chained_imports (
     const GumDarwinChainedFixupsDetails * details, gpointer user_data);
+static gboolean gum_darwin_mapper_fixup_thread_local_var_descriptor (
+    const GumDarwinThreadLocalVariableDescriptorDetails * details, gpointer user_data);
 static gboolean gum_darwin_mapper_append_chained_symbol (GumDarwinMapper * self,
     gint library_ordinal, const gchar * symbol_name, gboolean is_weak,
     gint64 addend, GError ** error);
@@ -656,6 +660,30 @@ gum_darwin_mapper_init_footprint_budget (GumDarwinMapper * self)
   self->chained_fixups_count = runtime.chained_fixups_count;
 }
 
+gboolean
+gum_darwin_mapper_find_tlv_get_addr (const GumDarwinSectionDetails * details, gpointer user_data)
+{
+  GumMapContext *ctx = user_data;
+  GumDarwinModule *module = ctx->mapper->module;
+  GumMachHeader32 *header;
+
+  gum_darwin_module_ensure_image_loaded(module, NULL);
+  header = module->image->data;
+
+  if (strcmp(details->section_name, "__dyld4") == 0) {
+    if (header->magic == GUM_MH_MAGIC_32)
+      ctx->tlv_get_addrAddr = (GumAddress) ((GumFixedSizeLibdyldDyld4Section32*) details->vm_address)->tlv_get_addrAddr;
+    else if (header->magic == GUM_MH_MAGIC_64)
+      ctx->tlv_get_addrAddr = (GumAddress) ((GumFixedSizeLibdyldDyld4Section64*) details->vm_address)->tlv_get_addrAddr;
+    else
+      return FALSE;
+
+    ctx->success = TRUE;
+    return FALSE;
+  }
+  return TRUE;
+}
+
 gboolean
 gum_darwin_mapper_map (GumDarwinMapper * self,
                        GumAddress base_address,
@@ -666,6 +694,7 @@ gum_darwin_mapper_map (GumDarwinMapper * self,
   GumAddress macho_base_address;
   GSList * cur;
   GumDarwinModule * module = self->module;
+  GumDarwinModule * libdyld;
   mach_port_t task = self->resolver->task;
   guint i;
   mach_vm_address_t mapped_address;
@@ -715,6 +744,17 @@ gum_darwin_mapper_map (GumDarwinMapper * self,
   if (!ctx.success)
     goto beach;
 
+  libdyld = gum_darwin_module_resolver_find_module (self->resolver, "libdyld.dylib");
+  ctx.success = FALSE;
+  gum_darwin_module_enumerate_sections(libdyld, gum_darwin_mapper_find_tlv_get_addr, &ctx);
+  if (!ctx.success)
+    goto beach;
+
+  gum_darwin_module_enumerate_thread_local_var_descriptors (module,
+    gum_darwin_mapper_fixup_thread_local_var_descriptor,&ctx);
+  if (!ctx.success)
+    goto beach;
+
   gum_darwin_mapper_alloc_and_emit_runtime (self, base_address, total_vm_size);
 
   for (i = 0; i != module->segments->len; i++)
@@ -2324,6 +2364,17 @@ gum_darwin_mapper_append_chained_symbol (GumDarwinMapper * self,
   return TRUE;
 }
 
+static gboolean
+gum_darwin_mapper_fixup_thread_local_var_descriptor (
+    const GumDarwinThreadLocalVariableDescriptorDetails * details,
+    gpointer user_data)
+{
+  GumMapContext *ctx = user_data;
+
+  * (guint64*) details->address = ctx->tlv_get_addrAddr;
+  return TRUE;
+}
+
 static gboolean
 gum_darwin_mapper_rebase (const GumDarwinRebaseDetails * details,
                           gpointer user_data)

diff --git a/gum/gumdarwinmodule-priv.h b/gum/gumdarwinmodule-priv.h
@@ -62,6 +62,8 @@ typedef struct _GumNList64 GumNList64;
 typedef struct _GumFindDarwinThreadLocalVarDescriptorsContext GumFindDarwinThreadLocalVarDescriptorsContext;
 typedef struct _GumFixedSizeTLVThunk32 GumFixedSizeTLVThunk32;
 typedef struct _GumFixedSizeTLVThunk64 GumFixedSizeTLVThunk64;
+typedef struct _GumFixedSizeLibdyldDyld4Section32 GumFixedSizeLibdyldDyld4Section32;
+typedef struct _GumFixedSizeLibdyldDyld4Section64 GumFixedSizeLibdyldDyld4Section64;
 
 struct _GumFatHeader
 {
@@ -416,6 +418,22 @@ struct _GumFixedSizeTLVThunk64 {
   guint64 offset;
 };
 
+struct _GumFixedSizeLibdyldDyld4Section32 {
+    guint32 apis;
+    guint32 allImageInfos;
+    guint32 defaultVars[5];
+    guint32 dyldLookupFuncAddr;
+    guint32 tlv_get_addrAddr;
+};
+
+struct _GumFixedSizeLibdyldDyld4Section64 {
+    guint64 apis;
+    guint64 allImageInfos;
+    guint64 defaultVars[5];
+    guint64 dyldLookupFuncAddr;
+    guint64 tlv_get_addrAddr;
+};
+
 G_END_DECLS
 
 #endif