
I have a small project which implements function hooking on macOS using mach_override() by Jonathan 'Wolf' Rentzsch: https://github.com/rentzsch/mach_override

I have hooked one of the functions of the kextstat process on macOS.

So when I execute

$kextstat

OS X is killing the process with the error below:

CODE SIGNING: process 2211[kextstat]: rejecting invalid page at address 0x7fff5132d000 from offset 0xca53000 in file "/private/var/db/dyld/dyld_shared_cache_x86_64h" (cs_mtime:1531207073.366350606 == mtime:1531207073.366350606) (signed:0 validated:0 tainted:0 nx:0 wpmapped:1 dirty:1 depth:2)

My dynamic library is code-signed. From my initial observation, I could conclude that the mach_override() function is failing in the following code:

atomic_mov64((uint64_t *)originalFunctionPtr, jumpRelativeInstruction);

The above code can be found at mach_override.c:342: https://github.com/rentzsch/mach_override

1 Answer


Firstly, you should note that public discussion of Apple's Developer Beta software is a breach of Apple's terms and conditions. Such questions should be posted to Apple's forums, which have a specific section for Beta releases.

That being said, the technology and problem you're seeing is SIP, which includes denial of code injection, as well as protecting system files from being overwritten. The detail that follows is nothing new and exists in pre-10.14 macOS builds, though disabled (by default) in those versions.

When an application is signed, it creates a hash of each file page in the binary, and a super hash of all those hashes. During execution of a binary, when a page fault occurs, or a file (e.g. dylib) is mmap'd into the executing process, amfid (Apple Mobile File Integrity daemon) verifies that the new code is signed and that its signature matches that of the executing binary. If the signature or hashes do not match, then the code is denied loading, or in some cases, the process is killed.

In this case, kextstat contains an Apple certificate that does not match the certificate of your code that you're attempting to inject into kextstat. In addition, the certificate of kextstat includes the platform binary flag, which Developer certificates do not have.

Without a zero-day vulnerability, you're not going to be able to hook kextstat in a commercial environment. If it's just research you want to do, then you can either disable SIP, or remove the signature from the kextstat binary, causing amfid to ignore the certificate verification.

TheDarkKnight
  • Hi, according to your explanation, amfid matches the certificate of the file being mmap'd to that of the executable file... I thought that it matches the certificate of the injector process's executable with that of the executable of the process being injected. Isn't that the case here? –  Aug 05 '18 at 07:39
  • @osxUser No the injector binary is irrelevant, it's the new code injected into a process that is verified. – TheDarkKnight Aug 13 '18 at 16:03
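As an added illustration of the per-page hash check the answer describes, here is a simplified model written for this page (not code from the question, the answer, or mach_override, and not Apple's actual CodeDirectory layout). It assumes 4096-byte hash pages, a constructed five-page "signed" image, and a constructed 8-byte jump stub standing in for what atomic_mov64() writes; it shows that the single patched page fails verification while untouched pages still pass, which is the situation behind the "rejecting invalid page ... from offset" message.

```python
import hashlib

PAGE_SIZE = 4096  # page granularity of the per-page hash slots (model assumption)

def page_hashes(image: bytes) -> list:
    # One hash per page of the mapped file, like the hash slots of a code directory.
    return [hashlib.sha256(image[i:i + PAGE_SIZE]).digest()
            for i in range(0, len(image), PAGE_SIZE)]

def directory_hash(hashes: list) -> bytes:
    # The "super hash" over all page hashes; the signature covers this value.
    return hashlib.sha256(b"".join(hashes)).digest()

def verify_page(image: bytes, offset: int, expected: list) -> bool:
    # Re-hash only the page containing `offset`, as happens on a page fault.
    idx = offset // PAGE_SIZE
    page = image[idx * PAGE_SIZE:(idx + 1) * PAGE_SIZE]
    return hashlib.sha256(page).digest() == expected[idx]

def find_invalid_pages(image: bytes, expected: list) -> list:
    # Indices of every page whose hash no longer matches the signed value.
    return [i for i, h in enumerate(page_hashes(image)) if h != expected[i]]

def apply_inline_hook(image: bytes, offset: int, stub: bytes) -> bytes:
    # Model of atomic_mov64(): overwrite 8 bytes at a function entry with a jump stub.
    if len(stub) != 8:
        raise ValueError("atomic_mov64 writes exactly 8 bytes")
    return image[:offset] + stub + image[offset + 8:]

# Constructed stand-in for a signed text segment: five pages of a repeating byte pattern.
SIGNED_IMAGE = bytes(range(256)) * (5 * PAGE_SIZE // 256)
SIGNED_HASHES = page_hashes(SIGNED_IMAGE)           # recorded at signing time
SIGNED_DIRECTORY = directory_hash(SIGNED_HASHES)
# Constructed 8-byte stub: jmp rel32 (displacement 0) padded with NOPs.
HOOK_STUB = b"\xe9\x00\x00\x00\x00\x90\x90\x90"

def demo(hook_offset: int = 0x2010) -> dict:
    # Hook a function whose entry lies in page 2, then re-run the checks a loader would.
    hooked = apply_inline_hook(SIGNED_IMAGE, hook_offset, HOOK_STUB)
    return {
        "hooked_page_valid": verify_page(hooked, hook_offset, SIGNED_HASHES),
        "untouched_page_valid": verify_page(hooked, 0x1000, SIGNED_HASHES),
        "invalid_pages": find_invalid_pages(hooked, SIGNED_HASHES),
        "directory_matches": directory_hash(page_hashes(hooked)) == SIGNED_DIRECTORY,
    }

if __name__ == "__main__":
    print(demo())
```

Only the page holding the patched entry (index 2, i.e. 0x2010 // 4096) is reported invalid; that is why the kernel log names a single page address and file offset rather than the whole binary.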