]> git.saurik.com Git - cycript.git/blob - Mach/Inject.cpp
projects / cycript.git / blob
? search:


74e5b308ec0579da634f2cd40fc206501f56a92c
[cycript.git] / Mach / Inject.cpp
1 /* Cycript - Optimizing JavaScript Compiler/Runtime
2 * Copyright (C) 2009-2013 Jay Freeman (saurik)
3 */
4
5 /* GNU General Public License, Version 3 {{{ */
6 /*
7 * Cycript is free software: you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published
9 * by the Free Software Foundation, either version 3 of the License,
10 * or (at your option) any later version.
11 *
12 * Cycript is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
16 *
17 * You should have received a copy of the GNU General Public License
18 * along with Cycript. If not, see <http://www.gnu.org/licenses/>.
19 **/
20 /* }}} */
21
22 #include <dlfcn.h>
23
24 #include <mach/mach.h>
25
26 #ifdef __APPLE__
27 #include "TargetConditionals.h"
28 #endif
29
30 #ifdef TARGET_OS_IPHONE
31 #include <mach/vm_map.h>
32 #define mach_vm_allocate vm_allocate
33 #define mach_vm_protect vm_protect
34 #define mach_vm_write vm_write
35 #define mach_vm_address_t vm_address_t
36 #else
37 #include <mach/mach_vm.h>
38 #endif
39
40 #include <mach/machine/thread_status.h>
41
42 #include <cstdio>
43 #include <pthread.h>
44 #include <unistd.h>
45
46 #include "Baton.hpp"
47 #include "Exception.hpp"
48 #include "Pooling.hpp"
49 #include "Trampoline.t.hpp"
50
51 extern "C" void CYHandleServer(pid_t);
52
53 void InjectLibrary(pid_t pid) {
54 Dl_info addr;
55 _assert(dladdr(reinterpret_cast<void *>(&CYHandleServer), &addr) != 0);
56 const char *library(addr.dli_fname);
57
58 mach_port_t self(mach_task_self()), task;
59 _krncall(task_for_pid(self, pid, &task));
60
61 mach_msg_type_number_t count;
62
63 task_dyld_info info;
64 count = TASK_DYLD_INFO_COUNT;
65 _krncall(task_info(task, TASK_DYLD_INFO, reinterpret_cast<task_info_t>(&info), &count));
66 _assert(count == TASK_DYLD_INFO_COUNT);
67 _assert(info.all_image_info_addr != 0);
68
69 thread_act_t thread;
70 _krncall(thread_create(task, &thread));
71
72 #if defined (__i386__) || defined(__x86_64__)
73 x86_thread_state_t state;
74 #elif defined(__arm__)
75 arm_thread_state_t state;
76 #else
77 #error XXX: implement
78 #endif
79
80 memset(&state, 0, sizeof(state));
81 mach_msg_type_number_t read(MACHINE_THREAD_STATE_COUNT);
82 _krncall(thread_get_state(thread, MACHINE_THREAD_STATE, reinterpret_cast<thread_state_t>(&state), &read));
83 _assert(read == MACHINE_THREAD_STATE_COUNT);
84
85 Trampoline *trampoline;
86 size_t align;
87 size_t push;
88
89 #if defined(__i386__) || defined(__x86_64__)
90 switch (state.tsh.flavor) {
91 case i386_THREAD_STATE:
92 trampoline = &Trampoline_i386_;
93 align = 4;
94 push = 5;
95 break;
96 case x86_THREAD_STATE64:
97 trampoline = &Trampoline_x86_64_;
98 align = 8;
99 push = 2;
100 break;
101 default:
102 _assert(false);
103 }
104 #elif defined(__arm__)
105 trampoline = &Trampoline_armv6_;
106 align = 4;
107 push = 0;
108 #else
109 #error XXX: implement
110 #endif
111
112 static const size_t Stack_(8 * 1024);
113 size_t length(strlen(library) + 1), depth(sizeof(Baton) + length);
114 depth = (depth + align + 1) / align * align;
115
116 CYPool pool;
117 uint8_t *local(pool.malloc<uint8_t>(depth));
118 Baton *baton(reinterpret_cast<Baton *>(local));
119
120 baton->dyld = info.all_image_info_addr;
121 baton->pid = getpid();
122 memcpy(baton->library, library, length);
123
124 mach_vm_size_t size(depth + Stack_);
125 mach_vm_address_t stack;
126 _krncall(mach_vm_allocate(task, &stack, size, true));
127
128 mach_vm_address_t data(stack + Stack_);
129 _krncall(mach_vm_write(task, data, reinterpret_cast<mach_vm_address_t>(baton), depth));
130
131 mach_vm_address_t code;
132 _krncall(mach_vm_allocate(task, &code, trampoline->size_, true));
133 _krncall(mach_vm_write(task, code, reinterpret_cast<mach_vm_address_t>(trampoline->data_), trampoline->size_));
134 _krncall(mach_vm_protect(task, code, trampoline->size_, false, VM_PROT_READ | VM_PROT_EXECUTE));
135
136 uint32_t frame[push];
137 if (sizeof(frame) != 0)
138 memset(frame, 0, sizeof(frame));
139
140 #if defined(__i386__) || defined(__x86_64__)
141 switch (state.tsh.flavor) {
142 case i386_THREAD_STATE:
143 frame[1] = data;
144 state.uts.ts32.__eip = code + trampoline->entry_;
145 state.uts.ts32.__esp = stack + Stack_ - sizeof(frame);
146 break;
147 case x86_THREAD_STATE64:
148 state.uts.ts64.__rdi = data;
149 state.uts.ts64.__rip = code + trampoline->entry_;
150 state.uts.ts64.__rsp = stack + Stack_ - sizeof(frame);
151 break;
152 default:
153 _assert(false);
154 }
155 #elif defined(__arm__)
156 state.__r[0] = data;
157 state.__pc = code + trampoline->entry_;
158 state.__sp = stack + Stack_ - sizeof(frame);
159
160 if ((state.__pc & 0x1) != 0) {
161 state.__pc &= ~0x1;
162 state.__cpsr |= 0x20;
163 }
164 #else
165 #error XXX: implement
166 #endif
167
168 if (sizeof(frame) != 0)
169 _krncall(mach_vm_write(task, stack + Stack_ - sizeof(frame), reinterpret_cast<mach_vm_address_t>(frame), sizeof(frame)));
170
171 _krncall(thread_set_state(thread, MACHINE_THREAD_STATE, reinterpret_cast<thread_state_t>(&state), MACHINE_THREAD_STATE_COUNT));
172 _krncall(thread_resume(thread));
173
174 _krncall(mach_port_deallocate(self, task));
175 }
Cycript