Commit

c'mon, Apple
DerekSelander authored Sep 30, 2024
1 parent 595a190 commit 9a2b626
Showing 1 changed file with 2 additions and 0 deletions.
2 changes: 2 additions & 0 deletions symbol interposing.md
@@ -1,3 +1,5 @@
> **NOTE:** At some point Apple being the party poopers that they are, slapped entitlement restrictions on the `thread_set_state(...)` API making it no longer usable in normal macOS machines (short of adding Apple entitlements and telling AMFI to get our of the way). This blocks my writeup's technique to create a breakpoint, but you can still get around this via the `[mach_]vm_protect()` APIs and making a breakpoint. This technique would require the process to be debugged, or not codesigned, or having something along the lines of `com.apple.security.cs.disable-executable-page-protection` (macOS) to create a breakpoint and modify executable code (like what lldb does). Maybe I'll update this one day...
# Chapter 16: Symbol Interposing & Hooking Shenanigans

Let's play a game: A series of code snippets and how they are compiled will be presented. In each code snippet, a challenge is given to execute a certain function that should be inaccessible unless you know the password. In order to execute this privileged function, you're not allowed to alter the source code nor how it's compiled in any way. Fortunately, you can assume that you have code execution in a dynamic library running in the same address space and loaded in via the `DYLD_INSERT_LIBRARIES` environment variable.
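Review bot: the new NOTE line in this hunk has a typo, "telling AMFI to get our of the way" should read "telling AMFI to get out of the way". Two further points on the same line: it would help readers if the note named (or approximated) the macOS release in which the `thread_set_state(...)` entitlement restriction appeared, so they can tell whether the original chapter still applies to their machine, and the fallback sentence reads more clearly if the three preconditions are listed explicitly, e.g. "this requires that the target process be (a) running under a debugger, (b) unsigned, or (c) signed with an entitlement along the lines of `com.apple.security.cs.disable-executable-page-protection`". Consider also splitting the single long line into two or three sentences so the Markdown renders as a readable callout.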
