
Injection via Mach Task Port

Remote Code Injection 

  1. Get the SEND right of the task port of the process 

  2. Allocate memory and write the shellcode into the target process 

  3. Create a remote thread and start it 

 

task_for_pid() is the Mach analogue of OpenProcess() with PROCESS_ALL_ACCESS on Windows: it hands the caller a SEND right to the target's task port, which is all the later steps need. In practice it requires root (or the debugger entitlement com.apple.security.cs.debugger), and even then it fails for SIP-protected processes and for hardened-runtime processes that do not carry get-task-allow. 

target_tport: The task port of the task that should receive the new right (normally our own, mach_task_self()) 

pid: Target process ID 

t: Out-parameter that receives the port name under which the new SEND right is held in our task 

mach_task_self() returns a SEND right to the caller's own task port. 

 

 

mach_vm_allocate is similar to VirtualAlloc on Windows (vm_allocate is the older 32-bit-address variant). 

target: The task port of the target 

address: In/out. With VM_FLAGS_FIXED, the address at which to allocate; with VM_FLAGS_ANYWHERE, the kernel chooses the address and writes it back here 

size: Amount of memory to allocate, rounded up to a whole page 

flags: How the memory is allocated (VM_FLAGS_ANYWHERE or VM_FLAGS_FIXED). New pages come back zero-filled and read/write. 

 

We allocate two regions: one for the code and one for the stack the new thread will use. 

 

mach_vm_write is similar to WriteProcessMemory 

target_task: The task port of the target 

address: Remote address to write to (the code region just allocated) 

data: Address of the buffer in our own process to copy from, passed as a vm_offset_t 

dataCnt: Number of bytes to write; must fit inside the allocated region 

 

vm_protect() (mach_vm_protect() for 64-bit addresses) is similar to VirtualProtect on Windows; set_maximum stays FALSE so only the current protection changes, not the maximum. 

 

RX permission for the code, RW for the stack. Freshly allocated pages are already RW, so only the code region actually needs changing; making it RX also means the shellcode cannot patch itself in place. 

 

Next, set the CPU registers of the new thread to the required values, the equivalent of setting a thread context on Windows. 

remoteThreadState64 is an x86_thread_state64_t holding that state. The remote stack pointer is moved to the middle of the allocated stack region (leaving room in both directions; keep it 16-byte aligned), then RIP is set to the start of the shellcode and RBP/RSP to remoteStack64. On arm64 the equivalent is arm_thread_state64_t with __pc and __sp, flavor ARM_THREAD_STATE64. 

 

Create a thread 

thread_create_running, similar to CreateRemoteThread: it creates a thread in the target task with the given register state and starts it immediately. 

parent_task: The task port from step 1 

flavor: Type of thread state we pass (x86_THREAD_STATE64) 

new_state: Address of the thread state 

new_stateCnt: Size of the thread state in 32-bit words, i.e. x86_THREAD_STATE64_COUNT, not sizeof() 

child_act: Out-parameter that receives a SEND right to the new thread's port. The address the thread runs is not passed here; it comes from RIP in new_state. 

Caveat: the thread starts raw, with no pthread structure or thread-local storage, so shellcode that calls into libSystem (malloc, dlopen, the Objective-C runtime) should first bootstrap a real pthread, for example via _pthread_create_from_mach_thread, rather than calling those functions directly.