feedface [WIP] - OS X

Users browsing this thread: 1 Guest(s)
bottomy
Registered
feedface is a little injector/scanner and general process interaction tool for Mac OS X. Development on the tool is very slow, as it's only a small side project, and I will be holding off from doing anymore work on it until I upgrade to Mountain Lion and can do some testing on there (note that if it's severely broken on ML I'll just axe the project).

As of now the tool can only perform some simple injections, and has no scanning or more general interaction functionality yet.

The features that I plan on implementing are:

- Thread injection (the majority of it is complete, but still some issues I need to fix)
- Bundle injection (is dependent on thread injection)
- Memory scanning (similar style of scanning to Cheat Engine, e.g. filtering capabilities, etc.)
- Hooking functions
- Automatic class posing, either for those in the bundle or already in the application.
- Also cleaning up the usage, it's an unintelligible mess at the moment.


Usage examples:

***
Codecave examples
--------------------------
Program source.
Code:
#include <stdio.h>

int main(int argc, char *argv[])
{
    scanf("%*[^\n]");
    printf("some text\n");

    asm("nop ; nop ; nop ; nop");
    asm("nop ; nop ; nop ; nop");
    asm("nop ; nop ; nop ; nop");
    asm("nop ; nop ; nop ; nop");

    return 0;
}

Launch the program and attach GDB to it (so we can get pid "info pid" and look up injection address at the same time; but can go about this however you prefer), then detach it. If you want the addresses to be fixed, then just launch it in GDB.
Code:
(gdb) info pid
Inferior has process ID 2863.
(gdb) print/x main+72
$1 = 0x108b45ef9

Here is the code we want to inject/codecave to. It is asm written for GAS.
Code:
/*
e9 17 00 00 00 70 75 74 73 00 62 6c 61 68 20 62
6c 61 68 20 62 6c 61 68 20 3a 29 00 48 c7 c7 fe
ff ff ff 48 8d 35 db ff ff ff ff 15 17 00 00 00
48 8d 3d d3 ff ff ff ff d0
*/
    jmp Skip
puts_String:
    .asciz "puts"
Message:
    .asciz "blah blah blah :)"
Skip:

    movq $-2,%rdi
    leaq puts_String(%rip),%rsi
    call *dlsym(%rip)

    leaq Message(%rip),%rdi
    call *%rax

.space 14 //Space that the returning code would normal consume. On 32 bits it will use 5 bytes.
dlsym:

Then the command to inject the codecave.
Code:
sudo ./feedface 2863 -codecave 0x108b45ef9 e917007075747300626c616820626c616820626c6168203a290048c7c7feff488d35dbff15170048​8d3dd3ffd0
Password:
Injected to: 0x108b79000

Press enter on the program, and it should print:
Code:
some text
blah blah blah :)


Alternatively we could use the automatic relocation functionality to get the address for the puts function. Here is an example, it also demonstrates multiple inputs.
Code:
nm -m /usr/lib/system/libsystem_c.dylib
0011d9a (__TEXT,__text) external _puts

And the code to be injected:
Code:
/*
e9 1a 00 00 00

-relocated puts address-

62 6c 61 68 20 62 6c 61 68 20 62 6c 61 68 20 3a
29 00 48 8d 3d e7 ff ff ff ff 15 d9 ff ff ff
*/
    .section __TEXT,__text
    .globl _main
_main:

    jmp Skip
puts:
    .quad 0
Message:
    .asciz "blah blah blah :)"
Skip:

    leaq Message(%rip),%rdi
    call *puts(%rip)

The command:
Code:
sudo ./feedface 4220 -codecave rel[0x100ef8] e91a00 rel[0x11d9a:libsystem_c.dylib] 626c616820626c616820626c6168203a2900488d3de7ff15d9ff
Password:
Injected to: 0x10eff5000

The program will now print:
Code:
some text
blah blah blah :)
***
Byte Injection example
------------------------------
Using same program as above. Though running with fixed offsets.
Code:
sudo ./feedface 3008 -bytes 9090909090 0x100ef3

Press enter on the program, and it should not print anything.
***
String Injection example
------------------------------
Using same program as above. Though running with fixed offsets.
Code:
sudo ./feedface 2980 -string new\ string 0x100f63

Press enter on the program, and it should print:
Code:
new string


Or example of using relocations.
0x100f63 = the fixed virtual offset "some text" is located at.
Code:
sudo ./feedface 4214 -string blah rel[0x100f63]

Will then make it print:
Code:
blah text
***


A note of the syntax for relocations.
The general format is basically "rel[address:image name or path]", and if the image is omitted it will default to task as image. The syntax can also vary a bit.
e.g.
rel\ address
rel(address,/usr/lib/system/libsystem_c.dylib)


Source: http://pastebin.com/cxBb7AUU
For Compilation instructions or executable: See source. I'll keep the update information in there.

Use at your own risk. :)


On a side note, wow I'm so terrible at formatting posts. :P
yrmt
Grey Hair Nixers
Interesting read. I'll try it again.
bottomy
Registered
If anyone here has Mountain Lion it would be appreciated if you could test the program to see if it works. Also for convenience or if you're a little unsure about using the program, I did create a simplistic testing application you could use, and so you would only need to run it and post the results.

http://www.mediafire.com/?g526kt8cx3nk257

The application needs to be run as root. And you'll want to run it either in terminal or some other application that will display a program's stdout.

The output would look something like this for success (this succeeded in all 3 parts):
Code:
sudo feedface\ test.app/Contents/MacOS/feedface\ test
target: It works
Feedface: Success
Target: Success

If any of the 3 fields shows a different result then it means something failed, so I would like to see it! Or if you don't even see a result/it crashes, then let me know. Though if it does crash you should make sure to check if any of the processes are still running and kill them (these processes are all ran as root and are: "feedface test", "target", "feedface"), since depending on which ones are still running they may never exit (I didn't bother to add any precautions).

The source for the application is as follows (so you know what you're running):
There will be 3 applications ran, the tester (that's the application you'll start), the target (this is application the tester will start by itself and is the target for the string injection), and feedface (the tester will start this by itself, and is the same version as in OP, version 0.21)

The source for the tester: http://paste.unixhub.net/mtCj1JXK
The source for the target: http://paste.unixhub.net/Rys1yW4O

EDIT: It seems UH pastebin messes some things up. Such as removing '\' unless used as a double, as well as for the Obj-C classes it's lowercasing them.

So here's the correct tester: http://pastebin.com/mDsDfSFu
And tester: http://pastebin.com/HahtEK5F
xyzodiac
Members
(02-10-2012, 03:12 AM)bottomy Wrote: If anyone here has Mountain Lion it would be appreciated if you could test the program to see if it works. Also for convenience or if you're a little unsure about using the program, I did create a simplistic testing application you could use, and so you would only need to run it and post the results.

http://www.mediafire.com/?g526kt8cx3nk257

The application needs to be run as root. And you'll want to run it either in terminal or some other application that will display a program's stdout.

The output would look something like this for success (this succeeded in all 3 parts):
Code:
sudo feedface\ test.app/Contents/MacOS/feedface\ test
target: It works
Feedface: Success
Target: Success

If any of the 3 fields shows a different result then it means something failed, so I would like to see it! Or if you don't even see a result/it crashes, then let me know. Though if it does crash you should make sure to check if any of the processes are still running and kill them (these processes are all ran as root and are: "feedface test", "target", "feedface"), since depending on which ones are still running they may never exit (I didn't bother to add any precautions).

The source for the application is as follows (so you know what you're running):
There will be 3 applications ran, the tester (that's the application you'll start), the target (this is application the tester will start by itself and is the target for the string injection), and feedface (the tester will start this by itself, and is the same version as in OP, version 0.21)

The source for the tester: http://paste.unixhub.net/mtCj1JXK
The source for the target: http://paste.unixhub.net/Rys1yW4O

EDIT: It seems UH pastebin messes some things up. Such as removing '\' unless used as a double, as well as for the Obj-C classes it's lowercasing them.

So here's the correct tester: http://pastebin.com/mDsDfSFu
And tester: http://pastebin.com/HahtEK5F

I'm running ML. I'll give it a try this afternoon.
bottomy
Registered
I probably should've updated this awhile ago, but this project is dead, it has since been turned into a framework. The reason for doing that was that it was a lot more useful and powerful having it as a framework, and not to mention the scale of what the project would do grew a lot. The downside (well downside for some) from this is because of the scale of the project I decided to use Obj-C rather than straight C. One of the biggest changes/additions is that it also has a focus on exposing the Obj-C runtime now.

The framework can be found at [Feedface framework repo](https://github.com/ScrimpyCat/FeedFace)

The framework is not finished by any means, as there's a lot of features that haven't been added yet (hooks, proper error system, object instances interaction, few other kinds of injections, etc.) and some functionality that is supported for 64 bit processes that hasn't been added to 32 bit processes. But it can do a lot in its current state.
- - -
An example of some of the use cases of this framework can be found in the Examples folder. One particularly useful example is [example7](https://github.com/ScrimpyCat/FeedFace/b...example7.m) which is a very simple method logger.

The usage for the example7 program is: example7 [process] [class the method belongs to] [0/1 instance or class method] [method name]

So an example usage would be if we wanted to log all calls to -[NSObject dealloc] in the Dock process.
Code:
sudo ./example7 Dock NSObject 0 dealloc

Then you can look in the Console application to see the logs:
Code:
Dock[49401]: [<CALayerArray: 0x7fd7f0381cc0> dealloc]
Dock[49401]: [<CALayer: 0x7fd7f03823a0> dealloc]
Dock[49401]: [<CALayer: 0x7fd7f003c6e0> dealloc]
Dock[49401]: [<CALayerArray: 0x7fd7f03823e0> dealloc]
Dock[49401]: [<CALayer: 0x7fd7f0385610> dealloc]
Dock[49401]: [<CALayerArray: 0x7fd7f0385650> dealloc]
Dock[49401]: [<__NSArrayI: 0x7fd7eb893be0> dealloc]
Dock[49401]: [<_CTNativeGlyphStorage: 0x7fd7f0451b60> dealloc]
Dock[49401]: [<ECTextLayer: 0x7fd7eba5c600> dealloc]
Dock[49401]: [<CALayerArray: 0x7fd7f003b760> dealloc]
Dock[49401]: [<_CTNativeGlyphStorage: 0x7fd7f04691c0> dealloc]
Dock[49401]: [<ECTextLayer: 0x7fd7f0077d10> dealloc]
Dock[49401]: [<OS_dispatch_source: 0x7fd7edc16f00> dealloc]
Dock[49401]: [<__NSArrayM: 0x7fd7ebad99f0> dealloc]

After you're done just press enter to disable the logging. Otherwise if you kill it or the program crashes, you will want to kill the Dock so it stops logging.

Later this kind of functionality (along with a detailed method logger) will actually be in the core framework as it is quite useful (though this kind of stuff is typically better off done using stuff like DTrace). But this is a good example of how the framework could be used.