comex / inject_and_interpose

like mach_inject

sjeng.ChessEngine (injection fails because dlopen thread crash) #9

Closed rtibdewal closed 12 years ago

rtibdewal commented 12 years ago

Steps:

  1. Start the Chess application. With Chess, sjeng.ChessEngine also starts.
  2. Inject the dylib into the process; notice that the injection fails and the process crashes.
  3. This behavior is also observed with other apps, but it can be consistently reproduced with the help of sjeng.ChessEngine.

Crash log for reference:

```
Process:         sjeng.ChessEngine [505]
Path:            /Applications/Chess.app/Contents/Resources/sjeng.ChessEngine
Identifier:      sjeng.ChessEngine
Version:         ??? (???)
Code Type:       X86-64 (Native)
Parent Process:  Chess [501]

Date/Time:       2012-09-11 10:21:54.386 +0200
OS Version:      Mac OS X 10.6.8 (10K549)
Report Version:  6

Exception Type:  EXC_BREAKPOINT (SIGTRAP)
Exception Codes: 0x0000000000000002, 0x0000000000000000
Crashed Thread:  1

Thread 0:  Dispatch queue: com.apple.main-thread
0   libSystem.B.dylib             0x00007fff82837982 read$NOCANCEL + 10
1   libSystem.B.dylib             0x00007fff828870ef __sread + 16
2   libSystem.B.dylib             0x00007fff8287ee34 _sread + 19
3   libSystem.B.dylib             0x00007fff8287ecca srefill + 41
4   libSystem.B.dylib             0x00007fff82889e8e srget + 17
5   libSystem.B.dylib             0x00007fff82889e4a getc + 63
6   sjeng.ChessEngine             0x000000010000455a 0x100000000 + 17754
7   sjeng.ChessEngine             0x00000001000013fc 0x100000000 + 5116
8   sjeng.ChessEngine             0x0000000100000884 0x100000000 + 2180

Thread 1 Crashed:
0   com.apple.CoreFoundation      0x00007fff8038c590 __CFInitialize + 1808
1   dyld                          0x00007fff5fc0d5de ImageLoaderMachO::doImageInit(ImageLoader::LinkContext const&) + 138
2   dyld                          0x00007fff5fc0d617 ImageLoaderMachO::doInitialization(ImageLoader::LinkContext const&) + 27
3   dyld                          0x00007fff5fc0bcfc ImageLoader::recursiveInitialization(ImageLoader::LinkContext const&, unsigned int) + 236
4   dyld                          0x00007fff5fc0bcad ImageLoader::recursiveInitialization(ImageLoader::LinkContext const&, unsigned int) + 157
5   dyld                          0x00007fff5fc0bcad ImageLoader::recursiveInitialization(ImageLoader::LinkContext const&, unsigned int) + 157
6   dyld                          0x00007fff5fc0bcad ImageLoader::recursiveInitialization(ImageLoader::LinkContext const&, unsigned int) + 157
7   dyld                          0x00007fff5fc0bcad ImageLoader::recursiveInitialization(ImageLoader::LinkContext const&, unsigned int) + 157
8   dyld                          0x00007fff5fc0bcad ImageLoader::recursiveInitialization(ImageLoader::LinkContext const&, unsigned int) + 157
9   dyld                          0x00007fff5fc0bdb6 ImageLoader::runInitializers(ImageLoader::LinkContext const&) + 58
10  dyld                          0x00007fff5fc08fcf dlopen + 573
11  ???                           0x00000000deadbeef 0 + 3735928559
12  libSystem.B.dylib             0x00007fff8286ee89 thread_start + 13

Thread 1 crashed with X86 Thread State (64-bit):
  rax: 0x0000000000000000  rbx: 0x00007fff8038ab58  rcx: 0x00007fff5fbffbe0  rdx: 0x00007fff5fbffb80
  rdi: 0x0000000000000000  rsi: 0x00007fff5fbffb68  rbp: 0x0000000100398be0  rsp: 0x0000000100398390
   r8: 0x00007fff5fc40548   r9: 0x0000000100406480  r10: 0x0000000000000000  r11: 0x0000000000000003
  r12: 0x00007fff8038be80  r13: 0x00007fff5fc404a0  r14: 0x0000000000000005  r15: 0x0000000100400810
  rip: 0x00007fff8038c590  rfl: 0x0000000000000246  cr2: 0x00007fff700a87e8
```

rtibdewal commented 12 years ago

This crash was not really a problem of injection code.

One cannot dlopen a library linked with CoreFoundation in a (sub)thread if CoreFoundation wasn't initialized in the first place. CFInitialize is called, apparently checks whether the thread is the main thread and, if it is not, crashes with a SIGTRAP.
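The crash log above has a recognisable shape from a defender's point of view: the crashing thread is not thread 0, its top frame is `__CFInitialize`, `dlopen` sits below the dyld initializer frames, and the frame that called `dlopen` belongs to no named image (`???` at `0xdeadbeef`) and was started directly from `thread_start`. The following parser, an added example that is not part of inject_and_interpose or this issue, reads an Apple-style crash report and flags that pattern so a triage script can separate "CoreFoundation initialised on a secondary thread from code outside any loaded image" from ordinary application crashes. The sample report is constructed from the frames quoted in the issue and trimmed; the function names and thresholds are the example's own.

```python
"""Flag the 'dlopen from unknown code on a non-main thread' crash pattern.

Added example (not project code). Parses the frame lines of an Apple
crash report and reports two things: dlopen calls whose caller lies in no
known image, and a __CFInitialize crash on a thread other than thread 0.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: a trimmed copy of the report quoted in this issue.
SAMPLE_REPORT = """\
Process:         sjeng.ChessEngine [505]
Exception Type:  EXC_BREAKPOINT (SIGTRAP)
Crashed Thread:  1

Thread 0:  Dispatch queue: com.apple.main-thread
0   libSystem.B.dylib             0x00007fff82837982 read$NOCANCEL + 10
1   libSystem.B.dylib             0x00007fff828870ef __sread + 16
2   sjeng.ChessEngine             0x000000010000455a 0x100000000 + 17754

Thread 1 Crashed:
0   com.apple.CoreFoundation      0x00007fff8038c590 __CFInitialize + 1808
1   dyld                          0x00007fff5fc0d5de ImageLoaderMachO::doImageInit(ImageLoader::LinkContext const&) + 138
2   dyld                          0x00007fff5fc0bdb6 ImageLoader::runInitializers(ImageLoader::LinkContext const&) + 58
3   dyld                          0x00007fff5fc08fcf dlopen + 573
4   ???                           0x00000000deadbeef 0 + 3735928559
5   libSystem.B.dylib             0x00007fff8286ee89 thread_start + 13
"""

# One frame per line: index, image name, address, symbol + offset.
FRAME_RE = re.compile(r"^(\d+)\s+(\S+)\s+(0x[0-9a-fA-F]+)\s+(.*)$")
# "Thread N:" or "Thread N Crashed:" opens a new backtrace.
THREAD_RE = re.compile(r"^Thread (\d+)( Crashed)?:")


@dataclass
class Frame:
    index: int
    image: str
    address: int
    symbol: str


@dataclass
class Thread:
    number: int
    crashed: bool
    frames: list = field(default_factory=list)


def parse_threads(report: str) -> list:
    """Split the report into threads, each holding its frames in order."""
    threads, current = [], None
    for line in report.splitlines():
        m = THREAD_RE.match(line)
        if m:
            current = Thread(int(m.group(1)), m.group(2) is not None)
            threads.append(current)
            continue
        m = FRAME_RE.match(line)
        if m and current is not None:
            current.frames.append(
                Frame(int(m.group(1)), m.group(2), int(m.group(3), 16), m.group(4)))
    return threads


def find_foreign_dlopen(threads: list) -> list:
    """Return (thread number, caller address, thread crashed) for every dlopen
    frame whose immediate caller is in no named image ('???')."""
    findings = []
    for t in threads:
        for i, fr in enumerate(t.frames):
            if fr.image == "dyld" and fr.symbol.startswith("dlopen"):
                if i + 1 < len(t.frames) and t.frames[i + 1].image == "???":
                    findings.append((t.number, t.frames[i + 1].address, t.crashed))
    return findings


def cf_init_off_main_thread(threads: list) -> bool:
    """True when __CFInitialize is the crashing frame on a thread other than
    thread 0, the failure mode described in the comment above."""
    return any(t.crashed and t.number != 0 and t.frames
               and "__CFInitialize" in t.frames[0].symbol for t in threads)


if __name__ == "__main__":
    parsed = parse_threads(SAMPLE_REPORT)
    for thread_no, caller, crashed in find_foreign_dlopen(parsed):
        print(f"thread {thread_no}: dlopen called from unknown image at "
              f"{caller:#x} (crashed={crashed})")
    print("CoreFoundation initialised off the main thread:",
          cf_init_off_main_thread(parsed))
```

Run against a whole directory of `.crash` files, the two checks together give a cheap triage signal: an unknown-image caller of `dlopen` on a freshly started thread is what loader-based injection looks like in a crash report, whatever the injecting tool, and the `__CFInitialize` frame tells you the loaded library pulled in CoreFoundation before the main thread had initialised it.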