Theos/Setup
1 | Process attach | 사용자 레벨에서 프로세스 주소 공간에 접근하기 위해 task_for_pid()를 사용해 대상 프로세스를 연결합니다. |
---|---|---|
2 | Check the process memory area | 효율적인 Memory 분석을 위해 대상 프로세스가 사용하는 Memory 정보(Memory map)를 확인합니다. |
3 | Memory access | 대상 프로세스의 Memory를 분석 및 변경하기 위해 vm_read_overwrite, vm_write를 사용해 메모리의 값을 읽고 변경합니다. |
#include <sys/types.h>
#include <sys/sysctl.h>

/* sysctl(3): read (oldp/oldlenp) or set (newp/newlen) the kernel variable
 * selected by the MIB vector `name` of `namelen` entries. On return
 * *oldlenp holds the number of bytes the kernel copied to oldp; calling
 * with oldp == NULL reports only the size required, which is how the
 * process-list snippet below sizes its buffer before the real query. */
int sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp, size_t newlen);
CTL_KERN |
|
---|---|
KERN_PROC |
|
// Build the "all processes" MIB; the first sysctl call passes a NULL
// buffer so the kernel only reports how many bytes a full snapshot needs.
int mib[4] = {CTL_KERN, KERN_PROC, KERN_PROC_ALL, 0};
size_t miblen = 4;   // NOTE(review): sysctl(3) declares namelen as u_int, not size_t
size_t size = 0;
int st = sysctl(mib, miblen, NULL, &size, NULL, 0);
struct kinfo_proc *process = NULL;
struct kinfo_proc *newprocess = NULL;

// Grow the buffer by 10% and retry while the kernel answers ENOMEM: the
// process table can grow between the size query and the real read.
// realloc goes through newprocess so the old block is not leaked on failure.
do {
    size += size / 10;
    newprocess = (kinfo_proc * )realloc(process, size);
    if (!newprocess){
        if (process){   // free(NULL) is a no-op, so this guard is redundant
            free(process);
        }
        return nil;
    }
    process = newprocess;
    st = sysctl(mib, miblen, process, &size, NULL, 0);
} while (st == -1 && errno == ENOMEM);
// NOTE(review): st is not checked here; a sysctl failure other than ENOMEM
// falls through to the loop below with an unfilled buffer.
// NOTE(review): nprocess is not defined in this snippet — presumably
// size / sizeof(struct kinfo_proc); confirm against the full source.
for (int i = nprocess - 1; i >= 0; i--){
    // p_pid / p_comm come from the BSD proc entry of each kinfo_proc.
    // The NSStrings are built and released immediately (manual retain/release).
    NSString *processID = [[NSString alloc] initWithFormat:@"%d", process[i].kp_proc.p_pid];
    NSString *processName = [[NSString alloc] initWithFormat:@"%s", process[i].kp_proc.p_comm];
    [processID release];
    [processName release];
}
free(process);
BSD Library Functions Manual - SYSCTL(3)
#include <mach/mach.h>

/* Kernel-side declaration of the task_for_pid trap, with its arguments
 * packed into a struct. User code — see attach() below — calls the
 * library wrapper with three arguments instead: the caller's own task
 * port, the target pid, and an out parameter that receives the target's
 * task port. The call only succeeds when the caller is allowed to obtain
 * that port (privilege / entitlement rules vary by platform — confirm). */
kern_return_t task_for_pid(struct task_for_pid_args *args);
kern_return_t task_for_pid(struct task_for_pid_args *args)
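/* Obtain the target's task port for `pid` and suspend it.
 *
 * Uses the file-scope globals pid, target_task and tmp_target_task.
 * Returns 1 when both task_for_pid() and task_suspend() succeed, 0 otherwise;
 * failures are reported through mach_error_string() on stdout. */
int attach(){
    kern_return_t kret;
    tmp_target_task = 0;
    // A KERN_SUCCESS here means tmp_target_task now names the target's task port.
    kret = task_for_pid(mach_task_self(), pid, &tmp_target_task);
    if (kret != KERN_SUCCESS) {
        printf("task_for_pid() failed with message %s!\n", mach_error_string(kret));
        return 0;
    }
    // mach_port_t is an unsigned integer name, so %u is the matching specifier
    // (the original used %d).
    printf("attach - target_task : %u, tmp_target_task : %u\n", target_task, tmp_target_task);
    // NOTE(review): the port just obtained is tmp_target_task, but the suspend
    // acts on target_task, which this function never assigns — confirm that
    // target_task is copied from tmp_target_task elsewhere before relying on it.
    kret = task_suspend(target_task);
    if (kret != KERN_SUCCESS) {
        printf("task_suspend() failed with message %s!\n", mach_error_string(kret));
        return 0;
    }
    printf("task_suspend - Success\n");
    return 1;
}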
#include <mach/mach.h>

/* Describe the region of `map` that contains *address, descending into
 * submaps up to *depth levels. address and size are in/out: on return
 * they hold the start and length of the region found, which is how
 * findWriteableRegions() below walks the map (address += size). depth is
 * also read as input, so callers must initialise it before the first call.
 * info32/count receive the region attributes (struct vm_region_submap_info). */
kern_return_t vm_region_recurse(
    vm_map_t map,
    vm_offset_t *address,
    vm_size_t *size,
    natural_t *depth,
    vm_region_recurse_info_t info32,
    mach_msg_type_number_t *count)
/* Kernel-internal 64-bit counterpart of vm_region_recurse(): same in/out
 * contract for address, size and nesting_depth, but fills a
 * vm_region_submap_info_64 instead of the 32-bit info struct. */
kern_return_t vm_map_region_recurse_64(
    vm_map_t map,
    vm_map_offset_t *address,
    vm_map_size_t *size,
    natural_t *nesting_depth,
    vm_region_submap_info_64_t submap_info,
    mach_msg_type_number_t *count)
vm_region_recurse() and vm_map_region_recurse_64()
/* Region attributes returned by vm_region_recurse(). The fields the code
 * on this page uses are protection / max_protection (current and maximum
 * allowed access, tested with VM_PROT_READ | VM_PROT_WRITE) and is_submap
 * (tells the walker to increase nesting_depth and re-query the address). */
struct vm_region_submap_info {
    vm_prot_t            protection;     /* present access protection */
    vm_prot_t            max_protection; /* max avail through vm_prot */
    vm_inherit_t         inheritance;    /* behavior of map/obj on fork */
    uint32_t             offset;         /* offset into object/map */
    unsigned int         user_tag;       /* user tag on map entry */
    unsigned int         pages_resident; /* only valid for objects */
    unsigned int         pages_shared_now_private; /* only for objects */
    unsigned int         pages_swapped_out;        /* only for objects */
    unsigned int         pages_dirtied;            /* only for objects */
    unsigned int         ref_count;      /* obj/map mappers, etc */
    unsigned short       shadow_depth;   /* only for obj */
    unsigned char        external_pager; /* only for obj */
    unsigned char        share_mode;     /* see enumeration */
    boolean_t            is_submap;      /* submap vs obj */
    vm_behavior_t        behavior;       /* access behavior hint */
    vm32_object_id_t     object_id;      /* obj/map name, not a handle */
    unsigned short       user_wired_count;
};
struct vm_region_submap_info
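/* Walk the target task's address map and collect every region whose
 * current and maximum protection both allow read and write.
 *
 * Results go into the file-scope regionList (cleared first) via the
 * shared regionStruct; each hit is also printed. Always returns 1 —
 * the walk ends when vm_region_recurse() stops returning KERN_SUCCESS. */
int findWriteableRegions(){
    vm_size_t size = 0;
    vm_address_t address = 0;
    // vm_region_recurse reads the depth as input; the original left it
    // uninitialised, which is undefined behaviour on the first call.
    natural_t nesting_depth = 0;
    mach_msg_type_number_t infoCnt;
    struct vm_region_submap_info info;
    const vm_prot_t rw = VM_PROT_READ | VM_PROT_WRITE;   // replaces the magic "3"
    // NOTE(review): on 64-bit targets the vm_region_recurse_64 /
    // vm_region_submap_info_64 pair is the intended one — confirm.

    regionList.clear();
    for (;;) {
        // The count is in/out (the call may shrink it), so reset it every iteration.
        infoCnt = VM_REGION_SUBMAP_INFO_COUNT;
        if (vm_region_recurse(target_task, &address, &size, &nesting_depth,
                              (vm_region_recurse_info_t)&info, &infoCnt) != KERN_SUCCESS) {
            break;
        }
        if (info.is_submap) {
            // Descend: the same address is re-queried one level deeper.
            ++nesting_depth;
            continue;
        }
        if ((info.protection & rw) == rw && (info.max_protection & rw) == rw) {
            regionStruct.startAddr = address;
            regionStruct.endAddr = address + size;
            regionStruct.size = size;
            regionList.push_back(regionStruct);
            // Addresses are pointer-sized; %x would truncate them on 64-bit.
            printf("region: %016lx-%016lx\n",
                   (unsigned long)regionStruct.startAddr,
                   (unsigned long)regionStruct.endAddr);
        }
        address += size;
    }
    return 1;
}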
해당 함수들은 지정된 대상 작업의 주소 공간 범위를 읽어 들입니다.
vm_read_overwrite() 함수 개요는 다음과 같습니다.
4번째 인자 값에는 읽어 들인 메모리 영역의 값을 저장 할 공간을 전달합니다.
5번째 인자 값에는 읽어 들인 메모리 영역의 크기를 저장 할 공간을 전달합니다.
#include <mach/mach.h>

/* Copy `size` bytes starting at `address` in `map` into the caller-owned
 * buffer `data` (4th argument). On return *data_size (5th argument) holds
 * the number of bytes actually copied; the callers on this page treat a
 * zero *data_size as a failed read. */
kern_return_t vm_read_overwrite(
    vm_map_t map,
    vm_address_t address,
    vm_size_t size,
    vm_address_t data,
    vm_size_t *data_size);
/* Variant of the read call that allocates the output buffer in the
 * caller's address space instead of copying into a caller-supplied one.
 * NOTE(review): the last two parameter types below look garbled by the
 * export; the header declares them as `vm_offset_t *data_out` and
 * `mach_msg_type_number_t *data_count`. */
kern_return_t vm_read(
    vm_task_t target_task,
    vm_address_t address,
    vm_size_t size,
    size data_out,
    target_task data_count);
vm_read_overwrite and vm_read
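/* Record every 8-byte word in [startAddress, endAddress) of the target task.
 *
 * Pages are fetched one 4 KiB page at a time through vm_read_overwrite()
 * into `buffer` (which must hold at least 4096 bytes) and cached until the
 * walk leaves that page. Each readable word is appended to the file-scope
 * memDataList via memInfoStruct; words on pages that could not be read are
 * skipped. `number` is unused and kept only for interface compatibility.
 *
 * Fixes relative to the original: the page read result is no longer left
 * uninitialised when the walk starts on page 0, words are only taken from
 * the page actually in the buffer (the old 512-word inner loop kept reading
 * the stale buffer after crossing a page boundary and ran past endAddress),
 * and partial reads are respected by checking the returned byte count. */
void getValueArea(vm_address_t startAddress, vm_address_t endAddress, void* buffer, long number){
    const vm_address_t PAGE_MASK_4K = 0xFFFFFFFFFFFFF000;
    const vm_size_t PAGE_BYTES = 4096;
    const vm_size_t WORD = 8;
    (void)number;

    vm_address_t cachedPage = 0;
    bool haveCache = false;   // distinguishes "page 0 cached" from "nothing cached yet"
    bool pageOk = false;      // last read returned KERN_SUCCESS
    vm_size_t outsize = 0;    // bytes the kernel actually copied for cachedPage

    while (endAddress > startAddress) {
        vm_address_t page = startAddress & PAGE_MASK_4K;
        // Word-aligned offset of startAddress inside its page.
        vm_size_t offset = (startAddress - page) & ~(vm_address_t)7;

        if (!haveCache || page != cachedPage) {
            outsize = 0;
            kern_return_t result = vm_read_overwrite(target_task, page, PAGE_BYTES,
                                                     (vm_address_t)buffer, &outsize);
            cachedPage = page;
            haveCache = true;
            pageOk = (result == KERN_SUCCESS);
            if (!outsize) {
                printf("stardAddress 64 : %lx, %lx\n", (unsigned long)startAddress, (unsigned long)endAddress);
                fprintf(stderr, "vm_read_overwrite failed: %lu\n", (unsigned long)page);
            }
        }

        // Only take words the kernel actually returned (reads may be short).
        if (pageOk && offset + WORD <= outsize) {
            memInfoStruct.address = startAddress;
            // A memcpy would avoid the aliasing cast, but <string.h> is not in scope here.
            memInfoStruct.value = *(long*)((char*)buffer + offset);
            memDataList.push_back(memInfoStruct);
        }
        startAddress += WORD;
    }
}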
#include <mach/mach.h>

/* Copy `size` bytes from the caller's buffer `data` to `address` in `map`.
 * `size` is the number of bytes read from `data`, so the buffer behind
 * `data` must be at least that large (see MemoryWrite() below). */
kern_return_t vm_write(
    vm_map_t map,
    vm_address_t address,
    pointer_t data,
    mach_msg_type_number_t size)
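/* Write the 8-byte `value` to `address` in the target task, after probing
 * that the containing word is readable.
 *
 * Uses the file-scope target_task. Outcome is reported on stdout only.
 * Fixes relative to the original: both the probe destination and the
 * write source were 4-byte `unsigned int` objects while 8 bytes were
 * requested, so the probe overflowed the stack slot and vm_write read
 * 4 bytes past write_data (sending unrelated stack bytes to the target
 * and truncating `value`). Assumes an LP64 target, as the original's
 * 64-bit masks already did. */
void MemoryWrite(vm_address_t address, long value){
    const vm_address_t WORD_MASK = 0xFFFFFFFFFFFFFFF8;
    vm_size_t outsize = 0;
    // NOTE(review): the original probed address 0 (startAddress was zero-
    // initialised and never set), presumably a slip for the target word.
    vm_address_t startAddress = address & WORD_MASK;

    long data = 0;   // 8 bytes on LP64, matching the requested read size
    kern_return_t kr = vm_read_overwrite(target_task, startAddress, sizeof data,
                                         (vm_address_t)&data, &outsize);
    if (kr != KERN_SUCCESS || !outsize) {
        printf("vm_read_overwrite(%11lx) failed 1.", (unsigned long)startAddress);
    }

    long write_data = value;
    kr = vm_write(target_task, address, (vm_address_t)&write_data, sizeof write_data);
    if (kr != KERN_SUCCESS) {
        printf("Fail %x\n", (unsigned)kr);
    } else {
        printf("Sucess!\n");
    }
}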