Execute MachO binaries in memory using CGo

Overview

Execute Thin Mach-O Binaries in Memory

This is a CGo implementation of the initial technique put forward by Stephanie Archibald in her blog, Running Executables on macOS From Memory.

Usage

./macos_shell_memory [bin] [args]

Description

Provided [bin] is in $PATH, it is loaded into memory and executed with [args] (if given). Stdout and stderr are redirected while the binary runs. Normally, when a Mach-O binary finishes, the program exits and control returns to the caller (such as your terminal). When the binary runs inside the current process, however, that same exit call terminates the loading process itself.

To prevent this, a new atexit routine is registered that rewinds the stack state to the point before the in-memory Mach-O main() function executed. Doing so causes instability, so we call C._Exit rather than letting the Go program exit normally.

This weaponization could be modified to point to any thin Mach-O binary; requiring [bin] to be in $PATH is an arbitrary constraint I've added.

Important Caveats

This works only for thin Mach-O binaries. Whether a binary is thin can be checked with the following command:

codesign -vvvv -d /path/to/bin

For example, codesign -vvvv -d /bin/ps returns:

Executable=/bin/ps
Identifier=com.apple.ps
Format=Mach-O thin (x86_64)
... snip ...

There are certain nuances that I haven't worked out for fat and ARM binaries. Attempting to load one will cause the program to irrecoverably segfault.
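The thin x86_64 requirement above can also be checked from the file's leading bytes. This is an added example, not part of the project's code: the names Slices, ThinX8664 and the sample variables are hypothetical, and the sample headers are constructed rather than taken from real binaries.

```go
package main

import (
	"debug/macho"
	"encoding/binary"
	"fmt"
)

// Slices lists the CPU type of every slice in a Mach-O header and whether it is fat.
func Slices(hdr []byte) (cpus []macho.Cpu, fat bool, err error) {
	if len(hdr) < 8 {
		return nil, false, fmt.Errorf("header too short: %d bytes", len(hdr))
	}
	be, le := binary.BigEndian, binary.LittleEndian
	if be.Uint32(hdr) == macho.MagicFat { // fat headers are big-endian on disk
		n := int(be.Uint32(hdr[4:]))
		// Arbitrary bound; also rejects Java .class files (same magic, version >= 45 here).
		if n == 0 || n > 32 || len(hdr) < 8+20*n {
			return nil, true, fmt.Errorf("implausible fat header: nfat_arch=%d", n)
		}
		for i := 0; i < n; i++ { // each fat_arch entry is 20 bytes, cputype first
			cpus = append(cpus, macho.Cpu(be.Uint32(hdr[8+20*i:])))
		}
		return cpus, true, nil
	}
	switch le.Uint32(hdr) { // thin x86_64 and arm64 images are little-endian
	case macho.Magic32, macho.Magic64:
		return []macho.Cpu{macho.Cpu(le.Uint32(hdr[4:]))}, false, nil
	}
	return nil, false, fmt.Errorf("unrecognised magic %#x", le.Uint32(hdr))
}

// ThinX8664 is true only for the layout the README reports as working.
func ThinX8664(hdr []byte) bool {
	cpus, fat, err := Slices(hdr)
	return err == nil && !fat && cpus[0] == macho.CpuAmd64
}

// Constructed sample headers (not real binaries); FatBoth declares x86_64 and arm64 slices.
var (
	ThinAmd64 = []byte{0xcf, 0xfa, 0xed, 0xfe, 0x07, 0, 0, 0x01}
	ThinArm64 = []byte{0xcf, 0xfa, 0xed, 0xfe, 0x0c, 0, 0, 0x01}
	FatBoth   = append(append([]byte{0xca, 0xfe, 0xba, 0xbe, 0, 0, 0, 2, 0x01, 0, 0, 0x07},
		make([]byte, 16)...), append([]byte{0x01, 0, 0, 0x0c}, make([]byte, 16)...)...)
)

func main() {
	fmt.Println(ThinX8664(ThinAmd64), ThinX8664(ThinArm64), ThinX8664(FatBoth))
}
```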

Examples

╭─[email protected] ~/go/src/github.com/djhohnstein/macos_shell_memory  ‹main*›
╰─$ ./macos_shell_memory ps                                                                      [21/05/20 |12:18PM]
[Go Code] Redirecting STDOUT...
[Go Code] Successfully recovered from bin exit(), captured the following output:

   PID TTY           TIME CMD
72116 ttys000    0:00.00 zsh
47918 ttys003    0:00.00 zsh
78749 ttys003    0:00.01 ./macos_shell_memory ps
  612 ttys004    0:00.00 zsh

╭─[email protected] ~/go/src/github.com/djhohnstein/macos_shell_memory  ‹main*›
╰─$ ./macos_shell_memory ls -alht                                                                [21/05/20 |12:18PM]
[Go Code] Redirecting STDOUT...
[Go Code] Successfully recovered from bin exit(), captured the following output:

 total 4752
drwxr-xr-x  13 djh  staff   416B May 20 12:18 .git
-rwxr-xr-x   1 djh  staff   2.3M May 20 12:16 macos_shell_memory
drwxr-xr-x  11 djh  staff   352B May 20 11:50 .
-rw-r--r--   1 djh  staff     0B May 20 11:50 README.md
-rw-r--r--   1 djh  staff   3.1K May 20 11:30 main.go
-rw-r--r--   1 djh  staff   3.9K May 20 11:23 shell_memory.c
drwxr-xr-x   5 djh  staff   160B May 18 16:04 ..
-rw-r--r--   1 djh  staff   883B May 17 16:43 go.sum
-rw-r--r--   1 djh  staff   253B May 17 16:43 go.mod
-rw-r--r--   1 djh  staff    19B May 16 17:15 .gitignore
-rw-r--r--   1 djh  staff   143B May 16 17:09 shell_memory.h

Owner
Dwight Hohnstein
Operator at SpecterOps. Kali Contributor.