
mach_inject's Introduction

Description

mach_inject enables you to "inject" code into an arbitrary process on Mac OS X. "Injection" means both 1) copying over the necessary code into the target's address space and 2) remotely creating a new thread to execute the code.

Must Be This Tall To Ride

Code injection is tricky business. You should be familiar with assembly and runtime calling conventions (ABIs) before using mach_inject.

mach_inject is certainly not bug free and patches are extremely welcome, but the onus is on you when things don't work. Please don't file a bug report stating mach_inject is crashing for you when you try to use it -- you have to be hard-core enough to debug the problem yourself.

Contributing

Please base your work off the unstable branch. Then submit your Pull Request.

Version History

mach_inject 1.3: Nov 08 2016

mach_inject 1.2: Aug 10 2012

  • [NEW] i386 and x86_64 support.

  • [CHANGE] Decoupled from mach_star. Most folks were just using one side or the other of mach_star, and this simplifies things (docs, tests).

mach_star 1.1.1: Dec 18 2005

  • General Xcode 2.2 project cleanup. mach_star now includes .xcodeproj Xcode 2.2 project files for all of its projects. The old .xcode project files have been left in place, but they aren't maintained and may not work. Xcode 2.2 is the recommended mach_star development environment -- Xcode 2.1 had a bug with inter-project dependencies which would cause compilation failure. It works again in Xcode 2.2.

  • Inter-project dependencies should work under Xcode 2.2. Whichever project you pick, you should just be able to hit the "Build" button and everything should Just Work™.

  • There was a stray reference to my username in one of the projects, which caused compilation headaches for some folks.

  • Bug fix: in mach_inject_bundle.c's mach_inject_bundle_pid() I no longer call CFRelease() on the framework bundle reference. Reported by Scott Kevill.

  • Added some explicit casts now required by gcc 4.

  • Added this document.

mach_star 1.1: Apr 06 2005

  • New package added: mach_inject_bundle. It has a private subproject: mach_inject_bundle_stub. The stub is a generic reusable implementation of the code that gets squirted across the address spaces, which was always tricky to write. mach_inject_bundle is an embeddable framework that wraps mach_inject and the stub with a simple fire-and-forget API.

  • The "DisposeWindowBeeperOverride" example is replaced by "DisposeWindow+Beep".

  • The "FinderDisposeWindowBeeperInjector" is replaced by "DisposeWindow+Beep_Injector".

  • All the text is now wrapped to 80 chars wide. Done to print nicely in Scott Knaster's Hacking Mac OS X Tiger. Probably will undo this word-wrap in the future. We all have widescreens nowadays, right? ;-)

  • Thanks to Jon Gotow for letting me peek at SCPatch, which I used as a guide for mach_inject_bundle. It saved me a bunch of time. Also thanks to Bob Ippolito for CALL_ON_LOAD assistance.

mach_star 1.0: Jun 18 2003

  • Initial release at MacHack 2003.


mach_inject's Issues

using mach_inject in xamarin.mac

Hello,

I am using Xamarin for developing a Mac application; my idea is to create a binding between mach_inject and Xamarin. As a first step, I created a framework out of this project. To make sure it is working fine, I created a new Xcode project and linked the framework. When I run the app, I am getting the following error:

2014-10-31 17:58:27.429 BrainloopShareFramework[11184:303] an error occurred while installing com.aspiresys.BrainloopShareFramework.Installer (domain: kSMErrorDomainFramework (4097))
2014-10-31 17:58:27.430 BrainloopShareFramework[11184:303] Couldn't install MachInjectSample (domain: com.erwanb.MachInjectSample.ErrorDomain code: 1)

Am I going in the correct approach? Is it possible to use mach_inject in a Xamarin Mac app by creating a binding? Please help me.

[Question] Scenario where the dylib library to load is out side of the target process' sandbox container

Hi Experts,
Really impressive idea and great work from great people. Thank you all!

I have studied the code of mach_inject, and got a basic idea of how it is working. Basically it injects code into the target process, runs that piece of code from the target process, and then that code does a dlopen() function call to load more interesting code to run.

I am thinking of the scenario where the dylib library that dlopen() tries to open is outside the sandbox container of the target process, that is, the target process is not allowed to access the library; then the dlopen() function call will fail. Any way to overcome this? Or is my understanding wrong?

Thanks, and I would appreciate any comment.

Calvin

mach/MACH_ERROR.h

Hi,
on my system the compiler can't find the following import because I use a case-sensitive filesystem:

#include <mach/MACH_ERROR.h>

I think it should be:

#include <mach/mach_error.h>

mach_inject in Mavericks is broken

I have tried to run various examples of code_inject in Mavericks but they result in the target process crashing with the following stack:

Thread 6 Crashed:
0 libsystem_c.dylib 0x00007fff8e68c505 __xvprintf + 106

I am opening an issue hoping we can figure out a solution.

Support for M1 (arm)

Seems like this won't work on M1 (arm) Macs. Not sure if this project is still alive or not but if someone with the knowledge updated it or made a fork with support for arm that would be dope.

Yosemite compatibility?

Hi. I tried mach_inject + some Finder integration code on Mac OS X 10.10 Yosemite (Beta6) - and it fails in injected thread, on the first fopen/freopen/fwrite function call.
Everything works fine on Mavericks.

Anyone more experienced tried to run mach_inject on Yosemite? Or, somebody can recommend a way to debug this issue?
Thanks, all input is appreciated.

help me mac os sierra

mach_inject: found threadEntry image at: 0xde000 with size: 9888
mach_inject failing.. (os/kern) invalid address

help me please

Not able to Inject on Mac OS X 10.12.6 & Mac OS X 10.13 (17A291j) Beta release

When I inject into the process using mach_inject, that application crashes. I have observed this behaviour with one of my 10.12.6 machines (not reproducible on all 10.12.6) and the Mac OS X 10.13 (17A291j) Beta release of 10.13.

When the following code executes:

// create thread and launch it
		err = thread_create_running( remoteTask, x86_THREAD_STATE64,
									 (thread_state_t) &remoteThreadState, x86_THREAD_STATE64_COUNT,
									 &remoteThread );

the application into which I am injecting crashes.

On 10.12, when I disabled SIP, the issue vanished, and now I am not able to reproduce it even after re-enabling SIP.

swizzle applicationDidFinishLaunching using mach_inject

I am able to swizzle a method like when a button is clicked but I can't swizzle a method like applicationDidFinishLaunching that runs before mach_inject injects the code. Is there a solution to this where I can run code inside the targeted app at injection time?

mach_inject doesn't work on Apple processes in 10.14 unless filesystem SIP is disabled

In macOS 10.11 through 10.13, you didn't have to disable all of SIP in order to use mach_inject in Apple's apps. All that was necessary was to disable debug protections, i.e. csrutil enable --without debug.

Starting in 10.14, in order to inject into Apple processes it is also necessary to disable filesystem protections as well, i.e. csrutil enable --without debug --without fs. With debug protections disabled but filesystem protections enabled, using mach_inject on an Apple process will lead to that process crashing, and using mach_inject on non-Apple processes still works. I thought this was odd as mach_inject doesn't modify the filesystem at all, much less a protected part of it.

I'm not sure if this counts as a bug or if there's anything to be done about it, but I figured I'd bring it up here.

Inject code to deal with NSWindow

Hi there,
I used to create Firefox addons and would run code from within the process to manipulate the NSWindows. NSWindows, NSAlerts, etc. (UIKit stuff) can only be manipulated from the main thread. (UIKit operations for OSX and iOS must be on the main thread - http://stackoverflow.com/questions/18467114/why-must-uikit-operations-be-performed-on-the-main-thread )

However, recently there was a change and all code now runs from another process (native messaging API), so I needed to inject into the target process (browser/Firefox).

I was researching mach_inject and it seems to create a new thread in the targeted process. I was thinking of doing dispatch_async like this:

dispatch_async(dispatch_get_main_queue(), ^{
	NSAlert *alert = [[[NSAlert alloc] init] autorelease];
	[alert setMessageText:@"Hi there from main thread"];
	[alert runModal];
});

Do you think this will work? I'm very new to writing C/C++/ObjC so your reply would help my morale a lot :)

Invalid Memory Yosemite

I noticed this issue after updating to Yosemite.

It always gives me this error:
module: 0x100014898
bootstrapfn: 0x1000d9d60
pid: 3443
mach_inject failing.. (ipc/send) invalid memory
MACH ERR: 268435468

here is how I'm calling mach_inject:
mach_error_t err = mach_inject((mach_inject_entry)bootstrapfn, lib.UTF8String,
                               strlen(lib.UTF8String) + 1, pid, 0);
if (err) printf("MACH ERR: %d\n", err);

Is this happening to anyone else after updating to 10.10 and how can I resolve this issue?

One err check missing

Since the code is diligently checking every return code, it should also check it here:

before:
// Allocate the code.
vm_address_t remoteCode = (vm_address_t)NULL;
if( !err )
err = vm_allocate( remoteTask, &remoteCode, imageSize, 1 );
err = vm_protect(remoteTask, remoteCode, imageSize, 0, VM_PROT_EXECUTE | VM_PROT_WRITE | VM_PROT_READ);

after:
// Allocate the code.
vm_address_t remoteCode = (vm_address_t)NULL;
if( !err )
err = vm_allocate( remoteTask, &remoteCode, imageSize, 1 );
if( !err )
err = vm_protect(remoteTask, remoteCode, imageSize, 0, VM_PROT_EXECUTE | VM_PROT_WRITE | VM_PROT_READ);

otherwise remoteCode could be undefined.

mach_inject causes the injected process to crash after installing Mojave security update 2020-005

It seemed that after installing Mojave security update 2020-005 mach_inject no longer works. Whichever process gets a payload injected into it will crash. I can reproduce it with mach_inject_example, and it doesn't seem to matter which process I have it inject into.

At this point I'm not sure if any recent updates to macOS 10.15 or one of the Big Sur betas are also affected.

The crash report doesn't seem to be particularly revealing, but it does usually look like this for the crashing thread:

Thread 12 Crashed:
0   ???                           	0x000000010f735fc3 0 + 4554186691
1   libsystem_pthread.dylib       	0x00007fff5b49f2eb _pthread_body + 126
2   libsystem_pthread.dylib       	0x00007fff5b4a2249 _pthread_start + 66
3   libsystem_pthread.dylib       	0x00007fff5b49e40d thread_start + 13

edit: should add this still occurs when SIP is disabled

[QUESTION] mach_inject without root permissions like Dropbox

Hi!

I'm making a Finder "plugin" for Ubuntu One:
https://github.com/JoseExposito/U1-Finder-Plugin

Currently I'm using a SIMBL like loader making my plugin as a scripting addition:
https://github.com/JoseExposito/U1-Finder-Plugin/blob/master/U1%20Finder%20Injector/U1FinderInjector.m

But I don't like this method because I need to restart the Finder to allow the plugin to be injected.

I see that some applications (like Dropbox) are able to use mach_inject without asking for the admin password, and my question is... How do they do that??

Thank you very much for the support in advance!

Update Example

v1.2 is largely a version created just to draw a line in the sand and denote when i386 and x86_64 support was added. The rest of the project is kinda in shambles. I'd like updated Xcode project files (or abandon Xcode project files altogether like I did with mach_override) with a working example, ideally across ppc, i386 and x86_64. But I'd settle for targeting x86_64 at first.

mach_inject crashes target in OSX 10.12 (Sierra), unless launched through Xcode

Is this working for everyone else in 10.12/Sierra?

I have an odd situation where mach_inject works perfectly fine, when my app is launched through Xcode. If I launch my app directly, the target process crashes as soon as it attempts to inject:

Date/Time:             2016-09-21 22:55:58.682 +0100
OS Version:            Mac OS X 10.12 (16A323)
Report Version:        12
Anonymous UUID:        8AD07C6C-3EFE-5D39-B58B-393D95473947


Time Awake Since Boot: 3400 seconds

System Integrity Protection: enabled

Crashed Thread:        0  Dispatch queue: com.apple.main-thread

Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x00000000e50d34ab
Exception Note:        EXC_CORPSE_NOTIFY

Termination Signal:    Segmentation fault: 11
Termination Reason:    Namespace SIGNAL, Code 0xb
Terminating Process:   exc handler [0]

External Modification Warnings:
Thread creation by external task.

VM Regions Near 0xe50d34ab:
    Stack                  00000000bf800000-00000000c0000000 [ 8192K] rw-/rwx SM=PRV  
--> 
    Submap                 00000000ffff0000-00000000ffff1000 [    4K] r--/r-- SM=PRV  process-only VM submap

Does anyone have any ideas on how to tackle this?
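A defender's triage helper for the kind of crash report quoted above, as an added example that is not part of mach_inject or this issue: it parses the report header and flags the "Thread creation by external task." warning, which is how macOS marks a thread that was started from another task, so the crash can be attributed to injection rather than an app bug. The sample report is a constructed excerpt of the one above.

```python
import re

# Constructed sample, trimmed from the Sierra crash report quoted in the issue above.
SAMPLE_REPORT = """\
Date/Time:             2016-09-21 22:55:58.682 +0100
OS Version:            Mac OS X 10.12 (16A323)

System Integrity Protection: enabled

Crashed Thread:        0  Dispatch queue: com.apple.main-thread

Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x00000000e50d34ab

External Modification Warnings:
Thread creation by external task.
"""

# "Key:   value" header lines; the lazy match stops at the first colon.
FIELD_RE = re.compile(r"^([A-Za-z/ ]+?):\s+(.*)$")

def parse_crash_report(text):
    """Return the header fields plus the External Modification Warnings lines."""
    fields = {}
    warnings = []
    in_warnings = False
    for line in text.splitlines():
        if in_warnings:
            if not line.strip():          # blank line closes the warnings block
                in_warnings = False
                continue
            warnings.append(line.strip())
            continue
        if line.startswith("External Modification Warnings:"):
            in_warnings = True
            continue
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    fields["External Modification Warnings"] = warnings
    return fields

def injection_indicators(report):
    """Triage findings: a thread created by another task is the remote-thread signature."""
    findings = []
    if any("external task" in w.lower() for w in report["External Modification Warnings"]):
        findings.append("remote thread creation by another task")
    if "EXC_BAD_ACCESS" in report.get("Exception Type", ""):
        findings.append("bad access: " + report.get("Exception Codes", ""))
    return findings
```

Run over a directory of ~/Library/Logs/DiagnosticReports/*.crash files, a non-empty first finding separates injection-related crashes from ordinary ones.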
