
Alternatives for injection #11

Open
dragonfax opened this issue Jan 27, 2019 · 3 comments

Comments

@dragonfax

Could we perhaps use DYLD_INSERT_LIBRARIES for injecting the server into a binary, by providing a dylib that "overrides" a function that you know is called in the application, and called early, before OpenGL is used?

I'm thinking of steamlib and SteamAPI_Init as an example.

This is a callback to the old LD_PRELOAD that's always existed on Unix for the same purpose.

@zakk4223
Owner

It's likely it would work, yes. You'd lose the ability to inject into a running process, but maybe that's not such a big deal. You also could not inject into any SIP protected applications (so nothing in /Applications that's signed by Apple, but again, probably not a big deal).

The most annoying part is that the mechanism for changing and querying things like which buffer to publish and x/y/width/height relies upon the OSAScript injection, so that would have to be completely redone.

@dragonfax
Author

Ah. I'm a software engineer, but this isn't my area of expertise. I'm just looking for the right avenue to attack this.

It seems this wouldn't work out so great either. It seems that SIP also kills DYLD_INSERT_LIBRARIES usage.

I thought SIP was enabled system wide, even for apps outside of /Applications (such as steam games).

I'm wondering if some sort of kext is needed to get past these issues.

@zakk4223
Owner

SIP doesn't kill DYLD_INSERT_LIBRARIES for all applications, only protected ones. You can see if a particular file/binary is protected via ls -alO, it should show 'restricted' in the ls output.

It more or less only protects binaries Apple ships with the system. You can see this is the case if you copy something like /usr/bin/ruby to your home directory, and then run it with a DYLD_* environment variable. It'll still be in that process's environment, but NOT if you use /usr/bin/ruby.

The biggest issue is that things like /usr/bin/sh are protected and will have those variables stripped upon execution. If the program you're trying to inject into uses some sort of shell script wrapper (or python, ruby etc) you're going to have to go muck around to get that to work.

A kext could solve the issue, but there's no way anyone is going to be able to produce a signed kext that does this. Kext signing requires special permission from Apple, and they require you to explain what the extension does. If they find your developer cert is distributing a kext that basically allows arbitrary code injection globally they're going to just revoke your certificate.

You could distribute an unsigned kext, but that requires users to go and disable parts of SIP anyways. Might as well have them disable the bit that stops SyphonInject from working instead.

Ideally Apple would have an API like CGDisplayStream, but for individual windows. There's kind of a private API for this, but it's built around CALayers and I've yet to make it work with rendering to an arbitrary surface (I think the rendering is internal to the window server, so it can't be off-screen rendered like a traditional layer).
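The ls -lO check described in the comment above, turned into a small audit script. This is an added example, not code from the SyphonInject project or from either participant; it assumes the BSD ls layout on macOS where -O inserts the file-flags column between the group and the size, and the sample output it parses is constructed, not captured from a real host.

```shell
#!/bin/sh
# Audit which executables carry the SIP "restricted" flag, i.e. the ones for
# which launchd/dyld strip DYLD_* variables, versus the ones that would honour them.
# Assumed `ls -lO` field layout (macOS BSD ls):
#   mode links owner group flags size month day time-or-year name

# Return 0 when a single `ls -lO` line carries the "restricted" flag, 1 otherwise.
# Flags are comma-separated (e.g. "restricted,compressed"); "-" means no flags.
is_restricted_line() {
    flags=$(printf '%s\n' "$1" | awk '{print $5}')
    case ",$flags," in
        *,restricted,*) return 0 ;;
        *)              return 1 ;;
    esac
}

# Read `ls -lO` output on stdin and print one "restricted <path>" or
# "unrestricted <path>" line per entry (the "total N" header is skipped).
classify_ls_output() {
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        case "$line" in total*) continue ;; esac
        name=$(printf '%s\n' "$line" | awk '{print $NF}')
        if is_restricted_line "$line"; then
            echo "restricted   $name"
        else
            echo "unrestricted $name"
        fi
    done
}

# Constructed sample in the `ls -lO` layout: two Apple-shipped binaries and a
# copy of ruby in a home directory, mirroring the experiment in the comment.
SAMPLE_LS='-r-xr-xr-x  1 root  wheel  restricted,compressed  100  Jan 27  2019 /usr/bin/ruby
-r-xr-xr-x  1 root  wheel  restricted  100  Jan 27  2019 /bin/sh
-rwxr-xr-x  1 user  staff  -  100  Jan 27  2019 /Users/user/ruby'

# On a real macOS host: audit_paths /usr/bin/ruby /bin/sh ~/ruby
# (macOS only; `ls -O` is not a GNU ls option, so this is not run by default).
audit_paths() {
    ls -lO "$@" | classify_ls_output
}
```

Binaries reported as unrestricted (and any wrapper scripts whose interpreter is unrestricted) are the ones where a DYLD_* variable in the environment actually reaches the process, which is what the comment describes with the copied /usr/bin/ruby.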
