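├── bundle.c
├── README.md
├── main.c
├── Makefile
└── LICENSE
/bundle.c:
--------------------------------------------------------------------------------
#include <stdio.h>

/*
 * Entry point exported by the test bundle.
 *
 * main.c links this image from memory and resolves it by its Mach-O symbol
 * name "_execute", so the function must keep the name "execute" and external
 * linkage. The body only prints a marker so a run can confirm that code from
 * the in-memory image really executed.
 */
void execute(void)
{
    printf("Executed!\n");
}

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# macos_execute_from_memory
I wanted to see how hard it would be to recreate the in-memory Mach-O execution used by the Lazarus sample 6588d262529dc372c400bef8478c2eec.

This PoC is largely based on https://github.com/opensource-apple/dyld/tree/master/unit-tests/test-cases/bundle-memory-load and https://objective-see.com/blog/blog_0x51.html

It turns out to be easy.

Note: `main` loads and executes whatever `test.bundle` sits in the current working directory, with the privileges of the calling user — only run it against a bundle you built yourself from `bundle.c`.
--------------------------------------------------------------------------------
/main.c:
--------------------------------------------------------------------------------
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <mach-o/dyld.h>

/*
 * Proof of concept: load a Mach-O bundle from a memory buffer and call a
 * symbol inside it, using the legacy NSObjectFileImage / NSModule dyld API.
 *
 * Flow: map test.bundle read-only -> NSCreateObjectFileImageFromMemory ->
 * NSLinkModule -> NSLookupSymbolInModule("_execute") -> call -> tear down.
 *
 * Caveats for the reader:
 *  - test.bundle is resolved relative to the current working directory and
 *    its code runs in this process with this user's privileges. Only run
 *    this against a bundle you built yourself (see bundle.c / Makefile).
 *  - The NS* loading API is deprecated and expects an MH_BUNDLE image,
 *    which is why the Makefile builds test.bundle with -bundle.
 *  - "In-memory" is the stated goal, but on recent macOS releases dyld is
 *    reported to back NSCreateObjectFileImageFromMemory with a temporary
 *    file on disk — verify on the target OS before relying on this being
 *    fileless. For defenders, these API calls are themselves a useful
 *    detection hook.
 *
 * Returns 0 when the symbol was found and executed, 1 on any failure
 * (errors are reported on stderr). Every resource is released on every
 * path; the original version checked no return value and never unmapped
 * the buffer.
 */
int main(void)
{
    NSObjectFileImage fileImage = NULL;
    NSModule module = NULL;
    NSSymbol symbol = NULL;
    struct stat stat_buf;
    void (*function)(void) = NULL;
    void *codeAddr = MAP_FAILED;
    size_t codeLen = 0;
    int rc = 1;

    int fd = open("test.bundle", O_RDONLY, 0);
    if (fd < 0) {
        perror("open(test.bundle)");
        return 1;
    }
    if (fstat(fd, &stat_buf) != 0) {
        perror("fstat");
        close(fd);
        return 1;
    }
    if (stat_buf.st_size <= 0) {
        fprintf(stderr, "test.bundle is empty\n");
        close(fd);
        return 1;
    }
    /* off_t -> size_t; guaranteed positive by the check above. */
    codeLen = (size_t)stat_buf.st_size;

    /* The mapping is only the source buffer handed to dyld; PROT_READ was
     * sufficient in the original PoC, so no executable mapping is created
     * here. The mapping keeps its own reference, so fd can go right away. */
    codeAddr = mmap(NULL, codeLen, PROT_READ, MAP_FILE | MAP_PRIVATE, fd, 0);
    close(fd);
    if (codeAddr == MAP_FAILED) {
        perror("mmap");
        return 1;
    }

    NSObjectFileImageReturnCode ofi =
        NSCreateObjectFileImageFromMemory(codeAddr, codeLen, &fileImage);
    if (ofi != NSObjectFileImageSuccess) {
        fprintf(stderr, "NSCreateObjectFileImageFromMemory failed: %d\n", (int)ofi);
        goto out_unmap;
    }

    /* RETURN_ON_ERROR makes a link failure come back as NULL instead of
     * terminating the process, so the cleanup below actually runs. */
    module = NSLinkModule(fileImage, "module", NSLINKMODULE_OPTION_RETURN_ON_ERROR);
    if (module == NULL) {
        fprintf(stderr, "NSLinkModule failed\n");
        goto out_destroy;
    }

    /* C symbols carry a leading underscore in Mach-O, hence "_execute". */
    symbol = NSLookupSymbolInModule(module, "_execute");
    if (symbol == NULL) {
        fprintf(stderr, "symbol _execute not found in module\n");
        goto out_unlink;
    }
    function = (void (*)(void))NSAddressOfSymbol(symbol);
    if (function == NULL) {
        fprintf(stderr, "NSAddressOfSymbol returned NULL\n");
        goto out_unlink;
    }

    function();
    rc = 0;

out_unlink:
    NSUnLinkModule(module, NSUNLINKMODULE_OPTION_NONE);
out_destroy:
    NSDestroyObjectFileImage(fileImage);
out_unmap:
    munmap(codeAddr, codeLen);
    return rc;
}
--------------------------------------------------------------------------------
/Makefile:
--------------------------------------------------------------------------------
##
#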
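# Copyright (c) 2005 Apple Computer, Inc. All rights reserved.
#
# @APPLE_LICENSE_HEADER_START@
#
# This file contains Original Code and/or Modifications of Original Code
# as defined in and that are subject to the Apple Public Source License
# Version 2.0 (the 'License'). You may not use this file except in
# compliance with the License. Please obtain a copy of the License at
# http://www.opensource.apple.com/apsl/ and read it before using this
# file.
#
# The Original Code and all software distributed under the License are
# distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
# EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
# INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
# Please see the License for the specific language governing rights and
# limitations under the License.
#
# @APPLE_LICENSE_HEADER_END@
##

# Builds the loader (main) and the bundle it loads (test.bundle), then runs
# the loader. `check` executes test.bundle's code inside ./main, so only run
# it with a bundle built from bundle.c.
.PHONY: all-check all check clean

all-check: all check

# ./main expects test.bundle in the current directory, so make sure both
# artifacts exist before running (the original target had no prerequisite).
check: all
	./main

all: main test.bundle

main : main.c
	${CC} ${CCFLAGS} -o main main.c

# -bundle produces an MH_BUNDLE image, the image type the
# NSCreateObjectFileImageFromMemory API used in main.c expects.
test.bundle : bundle.c
	${CC} ${CCFLAGS} -bundle -o test.bundle bundle.c

clean:
	${RM} ${RMFLAGS} *~ main test.bundle

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
BSD 3-Clause License

Copyright (c) 2023, Mythic Meta Configuration Information

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this
list of conditions and the following disclaimer.

2.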
Redistributions in binary form must reproduce the above copyright notice, 12 | this list of conditions and the following disclaimer in the documentation 13 | and/or other materials provided with the distribution. 14 | 15 | 3. Neither the name of the copyright holder nor the names of its 16 | contributors may be used to endorse or promote products derived from 17 | this software without specific prior written permission. 18 | 19 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 20 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 21 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 22 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 23 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 24 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 25 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 26 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 27 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 28 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. --------------------------------------------------------------------------------