
ios modify code & data while running #14

Open ohroy opened 7 years ago

ohroy commented 7 years ago
#include <substrate.h>
#import <mach/mach.h>
#import <unistd.h>
// Hand-written prototypes for the 64-bit Mach VM calls; presumably declared
// here because the iOS SDK does not ship <mach/mach_vm.h> — confirm against
// the SDK in use. The extern "C" linkage implies this is an Objective-C++
// (Logos .xm) translation unit and keeps the symbol names unmangled.
// NOTE(review): the kernel's mach_vm_region takes mach_vm_address_t * and
// mach_vm_size_t * (64-bit on every architecture), whereas this declaration
// uses vm_address_t * / vm_size_t *. On an __LP64__ build the widths agree;
// on a 32-bit (armv7) build they do not, so the declared ABI would not match
// the real symbol. The call site below is commented out, so nothing is
// affected yet — fix the parameter types before enabling it.
extern "C" kern_return_t mach_vm_region
(
 vm_map_t target_task,
 vm_address_t *address,
 vm_size_t *size,
 vm_region_flavor_t flavor,
 vm_region_info_t info,
 mach_msg_type_number_t *infoCnt,
 mach_port_t *object_name
 );
 // mach_vm_protect: the wide-address variant of vm_protect. Not called by the
 // constructor below (its only use is commented out); vm_protect is used.
 extern "C" kern_return_t mach_vm_protect(
     vm_map_t target_task,
     mach_vm_address_t address,
     mach_vm_size_t size,
     boolean_t set_maximum,
     vm_prot_t new_protection
 );
// Integer aliases for address/size arithmetic. They appear only in the
// commented-out page-alignment experiment in the constructor below.
typedef unsigned long zsize;
typedef unsigned long zaddr;
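// Constructor run when the tweak is loaded. Experiment from the issue: make
// the page holding the exported _NSFoundationVersionNumber symbol writable
// and overwrite the double stored there. This is a data-only patch; the
// thread below explains why the same approach breaks for code pages.
//
// Changes versus the original experiment: the symbol lookup and the
// vm_protect result are now checked before the store. The original wrote
// through `la` unconditionally, which crashes if MSFindSymbol returns NULL
// or if the protection change was refused.
%ctor
{
    // MSFindSymbol returns NULL when the symbol cannot be resolved.
    void *la = MSFindSymbol(NULL, "_NSFoundationVersionNumber");
    if (la == NULL) {
        return;
    }

    // Make the target writable before the store. vm_protect rounds the
    // [la, la + sizeof(double)) range out to page boundaries itself, so the
    // manual page alignment from the original experiment is not required
    // for this call. VM_PROT_COPY asks for a private copy of the page so the
    // write does not land in a mapping shared with other processes (kept
    // exactly as the original chose it).
    kern_return_t kr = vm_protect(mach_task_self(), (vm_address_t) la,
                                  sizeof(double), false,
                                  (VM_PROT_ALL | VM_PROT_COPY));
    if (kr != KERN_SUCCESS) {
        // A refused protection change means the store below would fault;
        // the original ignored kr and wrote anyway.
        return;
    }

    *(double *) la = 100.0;

    // NOTE(review): after this point the page stays VM_PROT_ALL (rwx), which
    // is broader than a data page needs. For a code page the previous
    // protection (r-x) has to be restored after the write, otherwise the
    // next execution on that page faults — see the discussion in this
    // thread. The previous protection can be read up front via vm_region's
    // basic-info `protection` field (the commented-out mach_vm_region call
    // in the original fetched that structure) and re-applied with a second
    // vm_protect once the store is done.
}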
jmpews commented 7 years ago

这个只对 data 有效, 如果改的是 code, 需要重新改回原来的内存属性, 否则会 exec bad address(code = 2)

ohroy commented 7 years ago

@jmpews 是啊,这个是当时做实验临时存上来的,实际上对于data来说,一般本来都是对齐的。。 我也想改回去原来的属性,但是这个mac os不像是windows,在windows下VirtualProtect函数修改内存属性后,会把原来的内存属性通过指针返回出来。但是macos上,我找了很多的地方都没找到能够获取原来内存属性的办法,所以也没法恢复。 但我看你的https://github.com/jmpews/HookZz/blob/master/src/zzdeps/darwin/memory-utils-darwin.c#L147这里面,是直接给了读和执行的权限,也不知道是否稳妥....

jmpews commented 7 years ago

你可以重新看下, 我添加了 darwin/linux 下的 get_memory_layout. (PS: darwin 下可以获取页的属性