This updates the aarch64 payloads to include comments with the
corresponding instructions for each little-endian integer. It also fixes
the debug output for x64 payloads under rosetta.
This adds support for the dyld changes incorperated into Sonoma and
cleans up the existing support for Ventura. This does not break
compatibility with previous versions.
This adds support for the dyld changes incorperated into Ventura which
includes changes to the symbols used. This does not break compatibility
with previous versions.
This builds on Back from the dyld by adding the required aarch64
assembly code to enable the OSX loader to run on the m1. This enables
the use of native payloads on M1 or M2 devices that do not have Rosetta
installed.
The mmap permissions prior to mprotect during the region mapping should
be write only. I also added a few more comments detailing the usage of
structs in dyld4.
This fixes a floating `\t` in a struct definition. This also adds more
clarity to a set of dprintf statements regarding the region. This fixes
the indentation for a comment as well.
This fixes the corruption incidentally resolved by assigning to an
unused variable by properly allocating memory for structs before
assigning to them. This will resolve the segfault on return issue, as
the saved return address is no longer clobbered.
By replicating the functionality of APIs::dlopen_from, we can bypass the
temporary file created when calling NSCreateObjectFileImageFromMemory on
macOS 12 and above. Constructing a custom JustInTimeLoader and running
through all the dyld calls required to fix it up manually results in
fileless MachO execution.
We locate the dyld_shared_cache in memory to find and resolve the
functions we need in libdyld.dylib. We retain the original dyld location
method on osx versions before Sierra.
Explicitly set length for osx x64 initial stage
The rdx register, used for passing the payload length, is being
clobbered by a system call in the new MacOS version. Instead of relying
on the register being untouched, we set it equal to the payload length.
This changes the x86 version to the (10 bytes) larger variant that can
handle full 32-bit jumps which is necesary for maximum compatibility
within the framwork.
Additionally, numeric literals are expressed in hex for compatibility
with the keystone assembler allowing these files to be compatitble with
external tools.
adfoster-r7