Chapter 11
Injecting, Hooking, and Swizzling
In Chapter 9, “Exploit Payloads,” we demonstrated a remote bundle-injection exploit payload. In this chapter, we show how to develop custom injectable bundles to perform mission logic using high-level languages such as C and Objective-C. This allows us to use any of the facilities or frameworks provided by Mac OS X in our attacks. We will begin by giving some background on Mach programming and describe the local bundle injector that can be used to develop injectable bundles for local and remote processes. We will also demonstrate function hooking and Objective-C method swizzling, which allow us to override the behavior of the compromised process dynamically. In the course of explaining all of these topics, this chapter will demonstrate bundles to take snapshots with the user’s iSight camera, capture SSL traffic in Safari, and log iChats.
Introduction to Mach
To understand the injection tools in this chapter and the Mach-based rootkit techniques in the next one, you need at least a passing familiarity with Mach programming. We will cover some basic background here, but for a more in-depth treatment refer to Mac OS X Internals: A Systems Approach (Addison-Wesley, 2006) and Programming Under Mach (Addison-Wesley, 1993). As discussed in Chapter 1, “Mac OS X Architecture” (and like its ancestor NeXTSTEP), Mac OS X uses a kernel based on both Mach and BSD. Whereas NeXTSTEP’s kernel was a hybrid between Mach 2.5 and BSD 4.3, Mac OS X’s kernel ...