

DIY: kernel panic OS X and iOS in 10 LOC - oleavr
https://medium.com/@oleavr/diy-kernel-panic-os-x-and-ios-in-10-loc-c250d9649159

======
albertzeyer
[http://www.frida.re/](http://www.frida.re/) actually looks very interesting.

~~~
taftster
The author linked to the site something like 37 times in the article. It made
me not want to click through, thinking the article was just a shill blog post.
Your short comment reinforces this.

Why exactly do you think Frida looks interesting?

~~~
albertzeyer
I haven't tested it yet but I like to be able to inject into running native
apps and control them, debug them, etc.

On MacOSX, there is the SIMBL project which enables such a plugin architecture
for any OSX apps. E.g. you can get extra features like window-always-on-top,
window-transparency, etc. And you can automate / script some apps which would
not be scriptable otherwise or to such an extent. Or you could add specific
features to applications. E.g. Dropbox on MacOSX uses a technique like this to
display a status icon for its Dropbox directory in Finder.

Some links to SIMBL:
[https://github.com/norio-nomura/EasySIMBL](https://github.com/norio-nomura/EasySIMBL)
[https://code.google.com/p/simbl/wiki/SIMBLPlugins](https://code.google.com/p/simbl/wiki/SIMBLPlugins)

SIMBL would inject other native code into some app. In most cases you would
inject other ObjC code.

I like the idea of dynamically scripting or messing around with an app. For that
reason, I used SIMBL to inject Python + iTerm + PyObjC. That way, you can
interact with any app interactively from Python.
[https://github.com/albertz/Pyjector](https://github.com/albertz/Pyjector)

A similar project is this:
[https://github.com/albertz/FScriptAnywhereSIMBL](https://github.com/albertz/FScriptAnywhereSIMBL)

And Frida looks like a similar, more modern project with JavaScript and
support for Windows, Mac, Linux, iOS and Android.

------
zuck9
What does it look like when it crashes on iOS? Does just the app crash, does
SpringBoard crash, or does the device restart?

~~~
ttflee
Just tried with the iOS 8.1 SDK. It seems that <mach/mach_vm.h> is not supported
on iOS. So far, I have failed to reproduce the crash/kernel panic with the code
snippet from the original post.

~~~
LeoNatan25
It is supported, you just need an expanded SDK, or you can provide the OS X
variant of mach_vm.h and import that.

~~~
ttflee
But clang did not treat it as an error when I commented out the #include line. I
have no idea if it was actually dynamically linked.

~~~
_wmd
Includes don't control linking, and traditional C did not require function
prototypes, so most compilers (in non-C++ mode at least) will happily compile
calls to unknown functions; they just assume a default signature.

~~~
ttflee
I know that, and mach_* are supposed to be dynamically loaded. But what I
failed to do is reproduce the kernel panic, not build and run it on my
iPhone 5. By now that piece of code runs, but it only results in a normal
crash, not a kernel panic.

------
jdmoreira
I set up an Xcode project to test it on iOS:
[https://github.com/jdmoreira/KernelPanic-10LOC](https://github.com/jdmoreira/KernelPanic-10LOC)

It doesn't work on my device running iOS 8.1.2. Can someone confirm?

_Edit: It works now!_

~~~
oleavr
Is it a 64-bit device? Does the program crash or exit gracefully? If it
crashes, try bumping the library index argument here:

library = (char *) _dyld_get_image_header (1);

If you're unlucky, the library at index 1 contains mach_vm_read_overwrite and is
suddenly no longer executable (since we change its second memory page from R-X
to RW- due to stock kernels not allowing RWX pages).

~~~
jdmoreira
I changed the code to this:
[https://gist.github.com/cfr/425812debdb2a6d0449f](https://gist.github.com/cfr/425812debdb2a6d0449f)

It works now! Device restarts ;)

~~~
oleavr
Excellent! :)

------
swang
Hello, I just checked out Frida (been meaning to, just forgot the name).

I get a kernel panic in Mac OSX Mavericks (10.9.4) running this:

import frida
p = frida.attach("cat")
print(p.enumerate_modules())

Not sure if this is a similar problem or not, but doing
print([x.name for x in p.enumerate_modules()]) instead works just fine.

Edit: Looks like the problem may be attaching to a program a second time. Not
sure if I need to run some detach command or whatnot.

~~~
oleavr
Hey,

and thanks for checking it out! The currently released version of Frida,
1.6.8, doesn't have the work-around and triggers the kernel panic described in
the blog post. The work-around landed in git last night and will be part of
1.6.9 to be released soon; hopefully by tomorrow if all goes to plan. Feel
free to clone and build Frida yourself if you'd like to play with it in the
meantime (or make sure you never attach more than once to any process). Sorry
for the inconvenience!

Feel free to drop by #frida on irc.freenode.net, btw!

Cheers!

------
i2
A very nice reminder that there's no such thing as code without bugs.

~~~
stefantalpalaru
I see it as a reminder not to run software that you cannot patch yourself.

~~~
k-mcgrady
So unless you're a software developer don't use software?

~~~
stefantalpalaru
Unless you're a software developer, don't call yourself a "hacker" and don't
waste your time on Hacker News.

~~~
threeseed
I'm a developer of 20+ years and have no idea how to patch most open source
software and have it "just work".

Software has progressed to the point where the complexity and
interconnectedness is far beyond what any one developer can do. Everyone just
knows a few subsections.

~~~
Gurkenmaster
Some projects also have terrible project layouts. I have to poke around for
several minutes just to find the source folder.

------
max-a
Well, on my rMBP I don't need to write a single line.

~~~
tambourine_man
You probably have a hardware problem or a bad kext. Haven't had a KP in years.

------
rismay
Damn.

