Commit 9a2b626

c'mon, Apple
1 parent 595a190 commit 9a2b626

1 file changed, +2 -0 lines changed

symbol interposing.md

Lines changed: 2 additions & 0 deletions
@@ -1,3 +1,5 @@
1+
> **NOTE:** At some point Apple being the party poopers that they are, slapped entitlement restrictions on the `thread_set_state(...)` API making it no longer usable in normal macOS machines (short of adding Apple entitlements and telling AMFI to get our of the way). This blocks my writeup's technique to create a breakpoint, but you can still get around this via the `[mach_]vm_protect()` APIs and making a breakpoint. This technique would require the process to be debugged, or not codesigned, or having something along the lines of `com.apple.security.cs.disable-executable-page-protection` (macOS) to create a breakpoint and modify executable code (like what lldb does). Maybe I'll update this one day...
2+
13
# Chapter 16: Symbol Interposing & Hooking Shenanigans
24

35
Let's play a game: A series of code snippets and how they are compiled will be presented. In each code snippet, a challenge is given to execute a certain function that should be inaccessible unless you know the password. In order to execute this privileged function, you're not allowed to alter the source code nor how it's compiled in any way. Fortunately, you can assume that you have code execution in a dynamic library running in the same address space and loaded in via the `DYLD_INSERT_LIBRARIES` environment variable.
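Review bot: the added NOTE (new line 1) has a typo, "telling AMFI to get our of the way" should read "get out of the way". Two documentation points while that is being fixed: the note says you "can still get around this via the `[mach_]vm_protect()` APIs and making a breakpoint" but only afterwards states that this "would require the process to be debugged, or not codesigned, or having something along the lines of `com.apple.security.cs.disable-executable-page-protection`", so on a codesigned process that is not being debugged and lacks that entitlement both routes are blocked; putting that precondition first would avoid overstating the workaround. The note also does not say which macOS version introduced the entitlement check on `thread_set_state(...)`, so readers cannot tell whether their machine is affected; a version number or a link to Apple's documentation would help, and pointing at the specific section of this chapter that builds the breakpoint would tell readers exactly which step of the writeup no longer works.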
