//
// inline_hook.c
// makedebugpoint
//
// Created by zuff on 2019/3/1.
// Copyright © 2019 zuff. All rights reserved.
//
#include "inline_hook.h"
#include "trampline_manager.h"
#include "is_io_connect_method_trampline.h"
#include "kernel_info.h"
/* Table of inline-hook descriptors, indexed by enum_inline_point_t. Filled by
 * init_inline_item() and consumed by install_inline_hook() /
 * un_install_inline_hook(). Fields touched in this file: symbol, ori_func_addr,
 * trampline_func_addr, inlined_func_header_addr, ori_func_bytes, bFuzzing, bSet. */
inline_hook_entry_t g_inline_hook_entry[INLINE_ENUM_MAX] = {0};
/* Defined elsewhere; handed to solve_kernel_symbol() when resolving hook targets. */
extern struct kernel_info g_kernel_info;
/*
 * Fill in one hook descriptor at g_inline_hook_entry[index].
 *
 * symName is resolved against g_kernel_info with solve_kernel_symbol() and the
 * result stored as the original function address (presumably 0 when the symbol
 * is unknown — confirm against solve_kernel_symbol). trampFuncAddr and
 * inlinedFuncAddr are stored as given; bFuzzing is cleared. An index outside
 * the table is ignored without any report.
 */
void init_inline_item(enum_inline_point_t index,
                      char *symName,
                      mach_vm_address_t trampFuncAddr,
                      mach_vm_address_t inlinedFuncAddr)
{
    if (index >= INLINE_ENUM_MAX) {
        return;
    }

    /* Resolve first so the table is only written once the lookup is done. */
    mach_vm_address_t resolved = solve_kernel_symbol(&g_kernel_info, symName);
    inline_hook_entry_t *slot = &g_inline_hook_entry[index];

    slot->symbol = symName;
    slot->ori_func_addr = resolved;
    slot->trampline_func_addr = trampFuncAddr;
    slot->inlined_func_header_addr = inlinedFuncAddr;
    slot->bFuzzing = false;
}
/*
 * Reset the hook table, describe the one hook this build knows about
 * (API_SYMBOL_IS_IO_CONNECT_METHOD -> trampline_is_io_connect_method, with
 * inlined_part_is_io_connect_method as the inlined header), flag it as a
 * fuzzing point, and set up the fuzz-sample mutex.
 *
 * Returns whatever init_mutext_for_fuzz_sample() returns; the table setup
 * itself has no failure path here (a symbol that fails to resolve is not
 * reported by this function).
 */
kern_return_t init_inline_hook()
{
    /* Start from an empty table even though the definition zero-initialises it. */
    memset(g_inline_hook_entry, 0, sizeof(g_inline_hook_entry));

    init_inline_item(INLINE_ENUM_IS_IO_CONNECT_METHOD,
                     API_SYMBOL_IS_IO_CONNECT_METHOD,
                     trampline_is_io_connect_method,
                     inlined_part_is_io_connect_method);
    g_inline_hook_entry[INLINE_ENUM_IS_IO_CONNECT_METHOD].bFuzzing = true;

    return init_mutext_for_fuzz_sample();
}
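/*
 * Install every hook described in g_inline_hook_entry.
 *
 * For each entry that has a symbol, install_trampoline_any() redirects the
 * original function to its trampoline and writes the bytes it displaced into
 * origBytes; on success the first TRAMPOLINE_SIZE of them are saved in
 * ori_func_bytes (un_install_inline_hook() needs them) and bSet is raised.
 *
 * Entries whose original address or trampoline address is 0 are skipped and
 * counted as a failure: init_inline_item() leaves ori_func_addr at 0 when
 * symbol resolution yields nothing, and the previous code would have handed
 * that 0 to install_trampoline_any() as the patch target.
 *
 * Returns KERN_SUCCESS when every hook installed, otherwise the first failure
 * seen (KERN_FAILURE for a skipped entry, else the install_trampoline_any()
 * result). Later entries are still attempted after a failure, so inspect bSet
 * per entry when cleaning up.
 */
kern_return_t
install_inline_hook()
{
    kern_return_t first_err = KERN_SUCCESS;
    /* Sized with slack beyond TRAMPOLINE_SIZE as the original did; how much
     * install_trampoline_any() actually writes is not visible here — confirm. */
    char origBytes[TRAMPOLINE_SIZE + 0x100] = {0};

    printf("[DEBUG] install_inline_hook: start[%d]\r\n", INLINE_ENUM_MAX);

    for (int i = 0; i < INLINE_ENUM_MAX; i++) {
        inline_hook_entry_t *ent = &g_inline_hook_entry[i];

        if (ent->symbol == NULL) {
            continue; /* slot was never initialised */
        }
        if (ent->ori_func_addr == 0 || ent->trampline_func_addr == 0) {
            /* Unresolved symbol or missing trampoline: nothing safe to patch. */
            printf("[DEBUG] install_inline_hook: skipping %s (unresolved)\r\n", ent->symbol);
            if (first_err == KERN_SUCCESS) {
                first_err = KERN_FAILURE;
            }
            continue;
        }

        /* TODO carried over from the original: the 4-byte prologue
         * (push rbp; mov rbp, rsp) is not given any special treatment. */
        kern_return_t kr = install_trampoline_any(ent->ori_func_addr,
                                                  ent->trampline_func_addr,
                                                  origBytes);
        if (kr == KERN_SUCCESS) {
            memcpy(ent->ori_func_bytes, origBytes, TRAMPOLINE_SIZE);
            ent->bSet = true;
        } else if (first_err == KERN_SUCCESS) {
            first_err = kr;
        }
    }

    return first_err;
}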
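/*
 * Restore the original bytes of every installed hook.
 *
 * Only entries with bSet and a symbol are touched; remove_trampoline_any()
 * gets the saved ori_func_bytes and bSet is cleared on success, so calling
 * this twice is a no-op for restored entries and a retry for the ones that
 * failed.
 *
 * Returns KERN_SUCCESS when every installed hook was removed, otherwise the
 * first failing remove_trampoline_any() result. Removal continues past a
 * failure so the remaining hooks are still restored (the previous code
 * returned only the last result, hiding earlier failures).
 */
kern_return_t un_install_inline_hook()
{
    kern_return_t first_err = KERN_SUCCESS;

    for (int i = 0; i < INLINE_ENUM_MAX; i++) {
        inline_hook_entry_t *ent = &g_inline_hook_entry[i];

        if (!ent->bSet || ent->symbol == NULL) {
            continue;
        }

        kern_return_t kr = remove_trampoline_any(ent->ori_func_addr,
                                                 ent->ori_func_bytes);
        if (kr == KERN_SUCCESS) {
            ent->bSet = false;
        } else if (first_err == KERN_SUCCESS) {
            first_err = kr;
        }
    }

    return first_err;
}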
/*
 * Counterpart of init_inline_hook(): releases the fuzz-sample mutex via
 * un_init_mutext_for_fuzz_sample(). The hook table is left untouched, so
 * hooks still in place are not removed here (see un_install_inline_hook()).
 * Always returns KERN_SUCCESS.
 */
kern_return_t un_init_inline_hook()
{
    un_init_mutext_for_fuzz_sample();
    return KERN_SUCCESS;
}