
mach_inject crashes target in OSX 10.12 (Sierra), unless launched through Xcode #3

Open
loco41211 opened this issue Sep 21, 2016 · 3 comments


@loco41211

Is this working for you in 10.12/Sierra?

I have an odd situation where mach_inject works perfectly fine, when my app is launched through Xcode. If I launch my app directly, the target process crashes as soon as it attempts to inject:

Date/Time:             2016-09-21 22:55:58.682 +0100
OS Version:            Mac OS X 10.12 (16A323)
Report Version:        12
Anonymous UUID:        8AD07C6C-3EFE-5D39-B58B-393D95473947


Time Awake Since Boot: 3400 seconds

System Integrity Protection: enabled

Crashed Thread:        0  Dispatch queue: com.apple.main-thread

Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x00000000e50d34ab
Exception Note:        EXC_CORPSE_NOTIFY

Termination Signal:    Segmentation fault: 11
Termination Reason:    Namespace SIGNAL, Code 0xb
Terminating Process:   exc handler [0]

External Modification Warnings:
Thread creation by external task.

VM Regions Near 0xe50d34ab:
    Stack                  00000000bf800000-00000000c0000000 [ 8192K] rw-/rwx SM=PRV  
--> 
    Submap                 00000000ffff0000-00000000ffff1000 [    4K] r--/r-- SM=PRV  process-only VM submap

Do you have any ideas on how to tackle this?
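As an added, defender-side example (not code from this issue or from the osxinj project): a small Python triage script that parses a macOS crash report like the one quoted above and pulls out the signals an incident responder looks for first: the "Thread creation by external task" external-modification warning, an EXC_BAD_ACCESS fault address that lies outside every VM region the report lists, and whether SIP was enabled. The report embedded in the script is a constructed sample built from the fields quoted in this issue; the field names are the ones Apple's crash reports use, while the finding labels (`external-thread-creation` and so on) are my own.

```python
import re

# Constructed sample report, assembled from the fields quoted in the issue above.
SAMPLE_REPORT = """\
Date/Time:             2016-09-21 22:55:58.682 +0100
OS Version:            Mac OS X 10.12 (16A323)
Report Version:        12

System Integrity Protection: enabled

Crashed Thread:        0  Dispatch queue: com.apple.main-thread

Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x00000000e50d34ab
Exception Note:        EXC_CORPSE_NOTIFY

External Modification Warnings:
Thread creation by external task.

VM Regions Near 0xe50d34ab:
    Stack                  00000000bf800000-00000000c0000000 [ 8192K] rw-/rwx SM=PRV
-->
    Submap                 00000000ffff0000-00000000ffff1000 [    4K] r--/r-- SM=PRV  process-only VM submap
"""

# "Key:   value" header lines; the non-greedy key stops at the first colon,
# so "Crashed Thread: 0  Dispatch queue: ..." keeps its whole value intact.
FIELD_RE = re.compile(r"^([A-Za-z/ ]+?):\s+(.*)$")
# Indented VM-region lines: name, start-end (hex), [size], cur/max permissions.
REGION_RE = re.compile(r"^\s+(\S+)\s+([0-9a-fA-F]+)-([0-9a-fA-F]+)\s+\[[^\]]*\]\s+(\S+)")


def parse_report(text):
    """Split a crash report into header fields, modification warnings and VM regions."""
    report = {"fields": {}, "warnings": [], "vm_regions": []}
    section = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            section = None          # a blank line ends any multi-line section
            continue
        if line.endswith(":") and not line.startswith(" "):
            section = line[:-1]     # e.g. "External Modification Warnings"
            continue
        if section == "External Modification Warnings":
            report["warnings"].append(line.strip())
            continue
        if section is not None and section.startswith("VM Regions Near"):
            m = REGION_RE.match(line)
            if m:                   # the "-->" gap marker does not match and is skipped
                name, start, end, perms = m.groups()
                report["vm_regions"].append((name, int(start, 16), int(end, 16), perms))
            continue
        m = FIELD_RE.match(line)
        if m:
            report["fields"][m.group(1).strip()] = m.group(2).strip()
    return report


def fault_address(report):
    """Return the faulting address from 'Exception Codes', or None if absent."""
    m = re.search(r"at 0x([0-9a-fA-F]+)", report["fields"].get("Exception Codes", ""))
    return int(m.group(1), 16) if m else None


def triage(report):
    """Return a list of finding labels worth a responder's attention."""
    findings = []
    fields = report["fields"]
    # The kernel records when another task created a thread in this process;
    # that is exactly what remote-thread injection looks like from the victim side.
    if any("external task" in w.lower() for w in report["warnings"]):
        findings.append("external-thread-creation")
    addr = fault_address(report)
    if fields.get("Exception Type", "").startswith("EXC_BAD_ACCESS") and addr is not None:
        mapped = any(start <= addr < end for _, start, end, _ in report["vm_regions"])
        # A fault at an address mapped in no listed region points at a wild pointer,
        # e.g. a function address resolved in a different process's address space.
        findings.append("bad-access-mapped" if mapped else "bad-access-unmapped")
    if fields.get("System Integrity Protection", "").lower() == "enabled":
        findings.append("sip-enabled")
    return findings


if __name__ == "__main__":
    parsed = parse_report(SAMPLE_REPORT)
    print("fault address:", hex(fault_address(parsed)))
    for finding in triage(parsed):
        print("finding:", finding)
```

Run over a real report from `~/Library/Logs/DiagnosticReports`, the same three checks apply unchanged; the sample above yields `external-thread-creation`, `bad-access-unmapped` (0xe50d34ab sits between the listed stack and submap regions, inside neither) and `sip-enabled`.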

@scen (Owner)

scen commented Sep 22, 2016

i've never tried running it on sierra. you may want to check out issue #2 which i think originally was about sierra issues.

@SFaghihi

Actually, there's a fundamental issue with the bootstrap function: when it's loaded into the osxinj process, the symbol stubs are actually resolved in the osxinj process space, NOT in the injected process space. So basically you have the bootstrap function calling osxinj's _pthread_set_self, which is NOT the same address as the one in the injected process, so you get an EXC_BAD_ACCESS. Now I think that Xcode uses a debug-friendly version of the libraries and caches them into a big file, so the __pthread_set_self address stays the same even in different processes. That's probably why it works in Xcode and not outside of it, basically because of the OS's ASLR. I made an assembly version of bootstrap where you find the two necessary functions' (_pthread_set_self and dlopen) addresses inside the injected process space and pass them in the registers to the bootstrap function, where you initialize the thread using _pthread_set_self and just load the payload using the OS's dlopen; after that you also need to suspend the thread, which I did using a syscall.

@loco41211 (Author)

loco41211 commented Jan 3, 2017

@SFaghihi Odd, when you state "assembly version of bootstrap", does that mean you can't get the bootstrap function working either unless you use your assembly version? Could you share that, if so? I wonder if there's a non-ASM way of ensuring the pthread_set_self points to the target process rather than the local process.
