使用 mprotect 使文本段在 macOS 上可写 [英] Using mprotect to make text segment writable on macOS

问题描述

这基本上就是我想要做的，

This is essentially what I'm trying to do,

#include <sys/mman.h>

int zero() {
    return 0;
}

int main(int argc, const char *argv[]) {
    return mprotect((void *) &zero, 4096, PROT_READ | PROT_WRITE);
}

所以我试图使代码可写，本质上.这在当前的 macOS (Catalina 10.15.2) 上不起作用，它只返回 -1 并将 errno 设置为 EACCES，即据我所知是因为缺乏权利/代码签名.我找到了我需要设置的权利，但我不知道如何去做，也不知道如何实际签署..

so I'm trying to make code writable, essentially. This doesn't work on the current macOS (Catalina 10.15.2), it just returns -1 and sets errno to EACCES, which as far as I know is because of lack of entitlement/code signing. I've found the entitlement I need to set, but I have no idea how to go about that, nor how to actually sign it..

如果我运行 codesign -d --entitlements :- <path_to_app>，它会失败，代码对象根本没有签名，即使我已经尝试过配置在 Xcode 中签名一段时间(我有一个证书等等).那么我应该怎么做呢?实际上，使用 Xcode 签署它并不明显，所以我相当无能为力.

If I run codesign -d --entitlements :- <path_to_app>, it fails with code object is not signed at all, even though I've tried configuring signing in Xcode for a while (I have a certificate and so on). So how should I go about this? Actually signing it isn't obvious with Xcode, so I'm fairly clueless.

推荐答案

这不是一个确定的答案，但它是一种解决方法.

This is not a definitive answer, but it's a workaround.

您的问题是由 macOS Catalina 中链接器 (ld64) 的更改引起的.Mach-O 标头中 __TEXT 段的 max_prot 属性的默认值已更改.

Your problem is caused by changes of the linker (ld64) in macOS Catalina. The default value of the max_prot attribute of the __TEXT segment in the Mach-O header has been changed.

以前 max_prot 默认值为 0x7 (PROT_READ | PROT_WRITE | PROT_EXEC).
默认值现已更改为 0x5 (PROT_READ | PROT_EXEC).

Previously max_prot default value was 0x7 (PROT_READ | PROT_WRITE | PROT_EXEC).
The default value has now been changed to 0x5 (PROT_READ | PROT_EXEC).

这意味着 mprotect 不能使位于 __TEXT 内的任何区域可写.

This means that mprotect cannot make any region that resides within __TEXT writable.

理论上，这应该通过提供链接器标志-segprot __TEXT rwx rx 来解决，但事实并非如此.从 Catalina 开始，max_prot 字段被忽略.相反，max_prot 设置为 init_prot 的值(参见 此处).

In theory, this should be resolved by providing the linker flag -segprot __TEXT rwx rx, but this is not the case. Since Catalina, the max_prot field is ignored. Instead, max_prot is set to the value of init_prot (see here).

最重要的是，init_prot 不能设置为 rwx 要么是因为 macOS 拒绝执行具有可写 __TEXT(init_prot) 属性.

To top it all off, init_prot cannot be set to rwx either due to macOS refusing to execute a file which has a writable __TEXT(init_prot) attribute.

一个粗暴的解决方法是在链接后手动修改并将__TEXT(max_prot)设置为0x7.

A brute workaround is to manually modify and set __TEXT(max_prot) to 0x7 after linking.

printf 'x07' | dd of=<executable> bs=1 seek=160 count=1 conv=notrunc

由于该代码片段依赖于硬编码到 0xA0 的 __TEXT(max_prot) 偏移量，作为替代，我创建了一个 插入式替换/包装器 用于 ld 尊重 max_prot 参数segprot.

Since that code snippet relies on the __TEXT(max_prot) offset being hardcoded to 0xA0, as an alternative, I've created a drop-in replacement/wrapper for ld which respects the max_prot parameter of segprot.

这篇关于使用 mprotect 使文本段在 macOS 上可写的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！