If you never heard of mach system calls and specifically task_for_pid() call on Mac OS X, you can consider yourself lucky. If you want to stay that way – stop reading now! Still here? In that case let’s start with disclaimer – author of this text is not and can not be in any way responsible for damage produced or influenced by this article.
Prior to the Mac OS X 10.4.X (Tiger), it was completely legal for one process to control another for the purpose of influencing its execution (single stepping, resuming, stopping etc) and inspecting or modifying its memory and registers. In one of the patches for Tiger, this policy was changed so that only a process owned by root or with a “primary effective group of procmod or procview” has this privilege. In Leopard (Mac OS X 10.5), this policy was changed again (that much about consistent security policy – nice work Apple) such that an inspector process now depends on the security framework to authorize use of the task_for_pid system service which gives a process the capability to control another process.
To build a utility that will use task_for_pid(), you need to do the following:
1. Create Info.plist file which will be embedded to your executable file and will enable code signing 2. Create self-signed code signing certificate using Keychain access 3. Write your program that uses security framework to obtain rights to execute task\_for_pid() 4. Compile your program and code-sign it.
So let’s get started.
Step 1 – Create Info.plist
I used one of the standard Info.plist files I could find in Xcode and changed some particular parts as can be seen in following example:
File /root/BLOG/clean-octopress/octopress/source/downloads/code/task_for_pid_info_plist.xml could not be found
The important part is key “SecTaskAccess” with value “allowed”.
Step 2 – Create self-signed code signing certificate
Open your Keychain Access and do the following:
When created – this certificate will be untrusted by default – change “When using this certificate” to “Always Trust” and you should be OK and ready to go for the next step.
Step 3 – Write your program
I wrote a very simple program that takes PID of a process you want to investigate (ran by your UID), connects to it and writes current register values for it. Code is pretty self-explaining so I won’t go into nifty details:
File /root/BLOG/clean-octopress/octopress/source/downloads/code/task_for_pid_prog.c could not be found
Step 4 – Compile and sign
To compile the program I used following command line:
To sign the code with certificate we prepared before – do this:
We can check if everything went OK:
1 2 3 4 5 6 7 8 9 10 11 12 13
This looks good – let’s test it.
Step 5 – Test program
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20