0

I'm trying my hand at some reverse engineering, and I'm a bit stumped on how to do in-memory patching. My target binary is a simple Hello World app that's signed. So while I can easily patch the binary, gatekeeper blows up (as it should).

The string is in-memory, so I thought I'd just use posix_spawn() with POSIX_SPAWN_START_SUSPENDED, patch the memory of the process with xnumem, and resume it. For some reason, that seems to fail as well. My test code;

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <spawn.h>
#include <sys/wait.h>

#include "xnumem.h"

extern char **environ;

void run_cmd(char *cmd)
{
    pid_t pid;
    char *argv[] = {NULL};
    int status;
    printf("Run command: %s\n", cmd);
    status = posix_spawn(&pid, cmd, NULL, NULL, argv, environ);
    if (status == 0) {
        printf("Child pid: %i\n", pid);
        if (waitpid(pid, &status, 0) != -1) {
            printf("Child exited with status %i\n", status);
        } else {
            perror("waitpid");
        }
    } else {
        printf("posix_spawn: %s\n", strerror(status));
    }
}

int main (int argc, const char * argv[]) {
  char *arg;
  arg = "./hello-world";
  run_cmd(arg);

    return 0;
}

I don't seem to be getting any errors, just a loop of;

Run command: ./hello-world
Child pid: 53209
Run command: ./hello-world
Child pid: 53210
...

and then it terminates.

Can someone point me in the right direction? How can I start a process in a suspended state, alter its memory, and resume without tripping gatekeeper?

XeroxDucati
  • 5,130
  • 2
  • 37
  • 66
  • It is not entirely clear from your question and code what your problem actually is? – mttrb Jan 05 '17 at 01:47
  • I don't believe that Gatekeeper is ever involved when running a program through means other than Launch Services (e.g. open in Finder or from Dock). What makes you think it is? Also, from what I find of xnumem, it won't work unless it's run with root privileges. It relies on `task_for_pid()`, which is restricted. (You could probably also make it work by adding an embedded Info.plist with special keys to your program and then code-signing it with a system-trusted certificate. This is what must be done for one's own builds of debuggers like lldb or gdb.) – Ken Thomases Jan 05 '17 at 07:18
  • You're right - it's not. Running it thru posix_spawn is my way of trying to side-step gatekeeper. I'll try signing it, that might be the problem.. – XeroxDucati Jan 05 '17 at 13:30

0 Answers0