frida / frida-core

Frida core library intended for static linking into bindings
https://frida.re

frida-helper gets killed with "Process used task_for_pid()." on macOS 14.4+ #524

Closed pajp closed 1 month ago

pajp commented 3 months ago

Even after disabling SIP (csrutil disable) and enabling arm64e ABI (sudo nvram boot-args=-arm64e_preview_abi), I can't seem to attach to macOS system processes (specifically trying to attach to launchd, i.e. pid 1).

frida fails with "Failed to attach: the connection is closed":

rasmus@sonoma-beta-vm-1 xpc-tracer % sudo frida -l _agent.js -p 1
     ____
    / _  |   Frida 16.2.1 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
   . . . .
   . . . .   Connected to Local System (id=local)
Failed to attach: the connection is closed
rasmus@sonoma-beta-vm-1 xpc-tracer % csrutil status
System Integrity Protection status: disabled.
rasmus@sonoma-beta-vm-1 xpc-tracer % nvram -p | grep boot-args
boot-args   -arm64e_preview_abi

and in ~/Library/Logs/DiagnosticReports I have a crash report from frida-helper that looks like this:

-------------------------------------
Translated Report (Full Report Below)
-------------------------------------

Process:               frida-helper [671]
Path:                  /private/var/root/*/frida-helper
Identifier:            frida-helper
Version:               ???
Code Type:             ARM-64 (Native)
Parent Process:        launchd [1]
Responsible:           Terminal [520]
User ID:               0

Date/Time:             2024-03-26 16:58:58.7041 +0200
OS Version:            macOS 14.4.1 (23E224)
Report Version:        12
Anonymous UUID:        61AE17D5-B18C-409E-5275-72476F9165FD

Time Awake Since Boot: 48 seconds

System Integrity Protection: disabled

Crashed Thread:        1  frida-helper-main-loop

Exception Type:        EXC_GUARD (SIGKILL)
Exception Codes:       GUARD_TYPE_MACH_PORT
Exception Codes:       0x0000000000000000, 0x0000000000000000

Termination Reason:    Namespace GUARD, Code 2305843030688530432 

External Modification Warnings:
Process used task_for_pid().

Thread 0::  Dispatch queue: com.apple.main-thread
0   libsystem_kernel.dylib                 0x1835b21f4 mach_msg2_trap + 8
1   libsystem_kernel.dylib                 0x1835c4b24 mach_msg2_internal + 80
2   libsystem_kernel.dylib                 0x1835bae34 mach_msg_overwrite + 476
3   libsystem_kernel.dylib                 0x1835b2578 mach_msg + 24
4   CoreFoundation                         0x1836d2058 __CFRunLoopServiceMachPort + 160
5   CoreFoundation                         0x1836d091c __CFRunLoopRun + 1208
6   CoreFoundation                         0x1836cfe0c CFRunLoopRunSpecific + 608
7   Foundation                             0x184803028 -[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 212
8   frida-helper                           0x10095533c 0x10094c000 + 37692
9   frida-helper                           0x100950074 0x10094c000 + 16500
10  dyld                                   0x18326a0e0 start + 2360

Thread 1 Crashed:: frida-helper-main-loop
0   libsystem_kernel.dylib                 0x1835b21f4 mach_msg2_trap + 8
1   libsystem_kernel.dylib                 0x1835c4b24 mach_msg2_internal + 80
2   libsystem_kernel.dylib                 0x1835e138c thread_set_state + 260
3   frida-helper                           0x10096b5f8 0x10094c000 + 128504
4   frida-helper                           0x10096b05c 0x10094c000 + 127068
5   frida-helper                           0x10096af34 0x10094c000 + 126772
6   frida-helper                           0x1009645bc 0x10094c000 + 99772
7   frida-helper                           0x1009a55d4 0x10094c000 + 366036
8   frida-helper                           0x1009a5628 0x10094c000 + 366120
9   frida-helper                           0x100a14e14 0x10094c000 + 822804
10  frida-helper                           0x100a14fdc 0x10094c000 + 823260
11  frida-helper                           0x100a151b0 0x10094c000 + 823728
12  frida-helper                           0x100950228 0x10094c000 + 16936
13  frida-helper                           0x100950358 0x10094c000 + 17240
14  frida-helper                           0x100a23dac 0x10094c000 + 884140
15  libsystem_pthread.dylib                0x1835f2f94 _pthread_start + 136
16  libsystem_pthread.dylib                0x1835edd34 thread_start + 8
…
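As an added example (not code from the issue, from Frida, or from the reporter), a small Python triage helper that parses a crash report like the one above and flags the signature discussed in this thread: EXC_GUARD with GUARD_TYPE_MACH_PORT, the "Process used task_for_pid()." warning, and thread_set_state in the crashed thread. The sample is an abbreviated copy of the report quoted above, and the function and regex names are my own.

```python
import re
# Constructed sample: an abbreviated copy of the frida-helper crash report quoted above.
SAMPLE_REPORT = """\
Process:               frida-helper [671]
OS Version:            macOS 14.4.1 (23E224)
System Integrity Protection: disabled
Exception Type:        EXC_GUARD (SIGKILL)
Exception Codes:       GUARD_TYPE_MACH_PORT
Exception Codes:       0x0000000000000000, 0x0000000000000000

External Modification Warnings:
Process used task_for_pid().

Thread 1 Crashed:: frida-helper-main-loop
0   libsystem_kernel.dylib                 0x1835b21f4 mach_msg2_trap + 8
1   libsystem_kernel.dylib                 0x1835c4b24 mach_msg2_internal + 80
2   libsystem_kernel.dylib                 0x1835e138c thread_set_state + 260
"""

HEADER_RE = re.compile(r"^([A-Za-z/ ]+?):\s+(.*)$")          # "Key:   value" header lines
FRAME_RE = re.compile(r"^\d+\s+(\S+)\s+0x[0-9a-f]+\s+(.+?)(?: \+ \d+)?$")  # backtrace frames

def parse_report(text):
    """Split a report into header fields, warning lines and crashed-thread symbols."""
    fields, warnings, crashed, section = {}, [], [], "header"
    for line in text.splitlines():
        if line.startswith("External Modification Warnings"):
            section = "warnings"
        elif line.startswith("Thread ") and "::" in line:
            section = "crashed" if "Crashed::" in line else "thread"
        elif not line.strip():
            section = "header"  # a blank line ends the current section
        elif section == "crashed" and (m := FRAME_RE.match(line)):
            crashed.append(m.group(2))  # symbol, or image base when unsymbolicated
        elif section == "warnings":
            warnings.append(line.strip())
        elif section == "header" and (m := HEADER_RE.match(line)):
            fields.setdefault(m.group(1).strip(), m.group(2).strip())  # keep first value
    return fields, warnings, crashed

def classify(text):
    """Verdict for triage: is this the guarded-port kill seen after task_for_pid()?"""
    fields, warnings, crashed = parse_report(text)
    if not fields.get("Exception Type", "").startswith("EXC_GUARD"):
        return "not an EXC_GUARD crash"
    if (fields.get("Exception Codes") == "GUARD_TYPE_MACH_PORT"
            and any("task_for_pid" in w for w in warnings)
            and "thread_set_state" in crashed):
        return "mach-port guard kill after task_for_pid()/thread_set_state"
    return "EXC_GUARD (other)"
```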
mymoomoo commented 3 months ago

Might be related to https://blogs.oracle.com/java/post/java-on-macos-14-4 (Apple broke everything related to JIT); can you try to update to 14.4.1?

pajp commented 3 months ago

Yeah, I think it's at least tangentially related, but unfortunately 14.4.1 doesn't seem to work either. It seems calling task_for_pid() for system daemons is still completely disallowed, even if SIP is disabled. I realise this is not an issue with Frida as such, but this issue may still be useful to track here.

jiska2342 commented 2 months ago

Following two tweets by CodeColorist and patch1t, I set the following boot args:

nvram boot-args="-arm64e_preview_abi amfi_get_out_of_my_way=1 thid_should_crash=0 tss_should_crash=0"

Since I've been doing this in a SIP-disabled macOS VM, I didn't care about disabling AMFI, but it seems one can also re-sign frida-helper to get around this. Hope this helps some of you to get your research setup up and running again :)

jiska2342 commented 1 month ago

Something weird is going on here... While this fixed it on macOS 14.4 and 14.4.1, the same crash occurs on the latest macOS 14.5. I also tried self-signing frida-helper and trusting that certificate for code signing, but it didn't help.

leochou0729 commented 1 month ago

Same issue here. Does anyone find a solution? Thanks!

hubert3 commented 1 month ago

frida-helper is also crashing on macOS 14.5 Intel despite hid_should_crash=0 tss_should_crash=0 and SIP disabled, Frida 16.3.1.

leochou0729 commented 1 month ago

The XNU source for 14.5 is released. This is what the thread_set_state_allowed function looks like:

[image]

I have no idea how to bypass this check.