
I'm using runtime memory decryption of one of the Mach-O sections. To do this I'm using vm_protect like this:

#include <stdint.h>
#include <mach/mach.h>
#include <mach-o/getsect.h>
#include <mach-o/ldsyms.h>
#include <os/log.h>

// inside a function returning bool; my_logger is an os_log_t created earlier
uint8_t *section_start = 0;
unsigned long section_size = 0;
section_start = getsectiondata(&_mh_execute_header, "__TEXT", "__mysection", &section_size);

// change virtual memory protection (set_maximum = 0, so only the current protection is changed)
if (vm_protect(mach_task_self(), (vm_address_t)section_start, (vm_size_t)section_size, 0, VM_PROT_READ | VM_PROT_WRITE) != KERN_SUCCESS) {
    os_log_error(my_logger, "Virtual memory protection changing to write error");
    return false;
}

When I compile Debug configuration with Xcode 10, the vm_protect succeeds. However, the same code compiled with Xcode 11 fails.

I've tried adding these entitlements to the project, without success:

com.apple.security.cs.disable-executable-page-protection
com.apple.security.cs.allow-jit
com.apple.security.cs.allow-unsigned-executable-memory

I also changed the signing certificate to the Apple Development one that is specific to Xcode 11, with the same result.

Running the project gives the same results on Catalina and Mojave: if built with Xcode 10 it succeeds, if built with Xcode 11 it fails.

Thanks in advance.

MeirS
  • I've forgotten to mention that SIP is disabled on testing machine. – MeirS Dec 19 '19 at 10:44
  • Perhaps the latest Xcode points to an SDK where the implementation of `vm_protect` is different. Try changing the SDK to the same version as in Xcode 10. – Irad K Dec 19 '19 at 11:17
  • @MeirS would setting `rwx` permissions to whole `__TEXT` segment be of any use in your case as in https://stackoverflow.com/a/47951167/5329717 ? That's definitely not the most subtle approach though. – Kamil.S Jan 01 '20 at 20:05
  • @Meirs or even better perhaps you could simply move your `"__mysection"` outside of `__TEXT` segment altogether. – Kamil.S Jan 02 '20 at 08:28
  • First, what is the error code returned from `vm_protect()`? Also, have you tried the more modern function `mach_vm_protect()`? – Ken Thomases Jan 17 '20 at 15:23
  • Thanks for suggestions, I'll try all of these. – MeirS Jan 18 '20 at 16:30
  • I put a gist demonstrating the error here: https://gist.github.com/elsamuko/cbaf2d927939abf287cf0c5bfb08f7d0 The error code is KERN_PROTECTION_FAILURE: `vm_protect Error : 2, Undefined error: 0` – elsamuko Feb 06 '20 at 07:59

1 Answer


I am also experiencing this same problem. If I have the Hardened Runtime enabled and specify all the entitlements (including those specified above) then I get the same problem. Also if I disable the Hardened Runtime.

I tried compiling against an earlier SDK (as far back as 10.8) and the problem persists (even though it doesn't exist if you compile with an earlier version of Xcode against the same SDK).

I also tried making the __TEXT segment writable using the linker flags: segprot,__TEXT,rwx,rwx. This time, instead of vm_protect failing, it crashes earlier with a dyld error: "__TEXT segment maps the start of the file but is writable"

Surely this is a bug with Xcode 11?

  • Check https://stackoverflow.com/q/60497896/5329717 for possible workarounds of "__TEXT segment maps the start of the file but is writable" – Kamil.S Jan 14 '21 at 19:39