
I need to interpose (get my functions called instead of the original functions) some OS X system calls to overcome a flaw in a piece of closed-source software.

Preferably, the resulting solution would work under 10.5 (Leopard) and newer, but I might be able to require 10.6 (Snow Leopard) if the argument were strong enough.

Preferably, the resulting solution would be an executable, but I might settle for a script.

Preferably, the resulting solution would be able to interpose ("steal the vectors") even after the target application is running, but I could settle for a technology that must inject itself as the application is loading.

Preferably, the resulting solution would be developed in C or C++, but I could settle for Objective-C or something else.

So far, I've experimented with:

1) DTrace scripting, which has taught me a lot, but the limitations of the D language (limited flow control, etc.) make it a major pain for what I'm doing, not to mention that the result would be a script, which isn't as tidy and self-contained as what I'm shooting for.

2) DYLD_INSERT_LIBRARIES interposition, which is slick in many ways, but perhaps due to namespace flattening (I won't pretend to deeply understand what this means), it works nicely against simpler executables, but makes my target application choke, even when I build a do-nothing library that doesn't actually interpose any calls.

My latest idea is to experiment with mach_star (https://github.com/rentzsch/mach_star), but I'm stopping here first, to ask the Stack Overflow community which invariably knows more than do I...

...should I be looking at something besides mach_star next?

bland328

1 Answer


I think you've made the right choice looking at mach_star.

If you actually want to learn how the darwin link-loader works, etc., I'd put more time into your DYLD insertion problems. But obviously you're looking for a quick solution, not an in-depth learning experience. And I doubt anyone's going to be able to figure out the problems you're having without having access to your project. So, this is probably a dead end. Besides, Mach overriding and injection are more fun anyway.

The basics of Mach injection aren't actually that hard, but there are a ton of things you have to get right, most of which aren't well documented. You're going to get 11 things wrong before you get something that works on your system, and then it won't work for the next function you try, and then it won't work on 10.5 or 10.8, and… The mach_star library wraps up all that stuff for you. So, why not use it?

I should mention that I haven't used mach_star since pre-Intel days. But it looks like it's still being updated regularly-ish, with changes for x86_64 and 10.7 and Xcode 4 and so on.

abarnert
  • You are right that I'm looking for a solution more than edification, though the learning is (usually) fun. – bland328 Jul 18 '12 at 02:29
  • I'll give mach_star a try. I'm sorry I don't yet have enough reputation to upvote you! – bland328 Jul 18 '12 at 02:35
  • Well, as I said, Mach injection is more fun (if less portable) than POSIX-level link-loader interposition, and mach_star is a ready-made fount of working sample code to boot, so even if you were looking for edification primarily, it's still a good place to start. :) Anyway, I think you can probably accept an answer to your question, even if you can't upvote it, which will raise your statistics as well as mine, so you may want to do that. (Honestly, as soon as I got enough rep to enable editing my comments, I stopped caring about getting more…) – abarnert Jul 18 '12 at 18:48
  • I'm off to a terrible start, unable to get even the DisposeWindow+Beep sample running. I'm thinking maybe that shooting for 64-bit builds under Lion using Xcode 4.3.3 is a little too much for the current mach_star codebase, or maybe just for an OS X development noob like me. – bland328 Jul 20 '12 at 01:50
  • I probably won't be able to take a serious look at it until the weekend… but I'll do so when I can. (As I said, I haven't used it since 10.3 or 10.4 days.) Meanwhile, you may want to consider going directly to the mach_star community for help at this point, because it's such a small community, and I don't think Rentzsch participates here… – abarnert Jul 20 '12 at 02:00
  • Most generous of you, abarnert! I'm continuing to (ineffectively) hammer away at it, plus I'll also try hitting the mach_star community up. – bland328 Jul 20 '12 at 19:14
  • I don't find a "mach_star community", other than to report an Issue on GitHub. This is a shame, because mach_star + Lion + Xcode 4.3.3 is giving me a nervous breakdown ;-) What I wouldn't give just to get the DisposeWindow+Beep_Injector demo working! Do you have any experience with the inject_and_interpose project? – bland328 Jul 26 '12 at 05:25
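For the DYLD_INSERT_LIBRARIES route listed as option 2 in the question, this added example (not code from the thread or from mach_star) shows dyld's `__interpose` section mechanism, which rebinds a symbol without forcing a flat namespace. The choice of `open` as the target, the two paths, and the names `remap_path` and `my_open` are assumptions made for illustration.

```c
/* interpose_open.c -- added illustration, not from the original thread.
 * Build on OS X:  cc -dynamiclib -o libinterpose.dylib interpose_open.c
 * Load at launch: DYLD_INSERT_LIBRARIES=./libinterpose.dylib ./target
 */
#include <fcntl.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Constructed sample policy: the path the flawed program opens,
 * and the path it should be given instead. */
static const char *BAD_PATH  = "/tmp/example-app/broken.conf";
static const char *GOOD_PATH = "/tmp/example-app/fixed.conf";

/* Decide which path the real open() should see. */
const char *remap_path(const char *path) {
    return (path && strcmp(path, BAD_PATH) == 0) ? GOOD_PATH : path;
}

/* Replacement with the same signature as open(2). The mode argument
 * only exists when O_CREAT is set, so read it conditionally. */
int my_open(const char *path, int flags, ...) {
    mode_t mode = 0;
    if (flags & O_CREAT) {
        va_list ap;
        va_start(ap, flags);
        mode = (mode_t)va_arg(ap, int);
        va_end(ap);
    }
    /* dyld does not apply an interposing tuple to the image that
     * defines it, so this call reaches the original open(). */
    return open(remap_path(path), flags, mode);
}

#ifdef __APPLE__
/* dyld scans inserted libraries for (replacement, original) pairs in
 * __DATA,__interpose and rebinds other images' references to match. */
__attribute__((used, section("__DATA,__interpose")))
static const struct { const void *replacement; const void *original; }
interpose_open = { (const void *)my_open, (const void *)open };
#endif
```

On current macOS releases, dyld ignores DYLD_INSERT_LIBRARIES for binaries protected by System Integrity Protection or built with the hardened runtime, so this only applies to targets that still honor the variable.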