liji32 / mip Goto Github PK

Hi, I tried my very first bundle today, its intent is to tweak Terminal.app window appearence. Here's its implementation, using swizzling since a category can not override a class method anymore.

TerminalMaterialDark.h:

// Version: $Id$
//
//

// Commentary:
//
//

// Change Log:
//
//

// Code:

#import <AppKit/AppKit.h>

// ///////////////////////////////////////////////////////////////////
//
// ///////////////////////////////////////////////////////////////////

@interface NSViewController(TerminalMaterialDark)

- (void)injected_viewDidLoad;

@end

//
// TerminalMaterialDark.h ends here

TerminalMaterialDark.m:

// Version: $Id$
//
//

// Commentary:
//
//

// Change Log:
//
//

// Code:

#import <Cocoa/Cocoa.h>

#import <objc/runtime.h>

#import "TerminalMaterialDark.h"

// ///////////////////////////////////////////////////////////////////
//
// ///////////////////////////////////////////////////////////////////

@implementation NSViewController(TerminalMaterialDark)

+ (void)load
{
    printf("MIP injected NSViewController::load\n");

    static dispatch_once_t onceToken;

    dispatch_once(&onceToken, ^{
        Class class = [self class];

        SEL originalSelector = @selector(viewDidLoad:);
        SEL swizzledSelector = @selector(injected_viewDidLoad:);

        Method originalMethod = class_getInstanceMethod(class, originalSelector);
        Method swizzledMethod = class_getInstanceMethod(class, swizzledSelector);

        BOOL didAddMethod =
            class_addMethod(class,
                originalSelector,
                method_getImplementation(swizzledMethod),
                method_getTypeEncoding(swizzledMethod));

        if (didAddMethod) {
            class_replaceMethod(class,
                swizzledSelector,
                method_getImplementation(originalMethod),
                method_getTypeEncoding(originalMethod));
        } else {
            method_exchangeImplementations(originalMethod, swizzledMethod);
        }
    });
}

- (void)injected_viewDidLoad
{
    printf("MIP injected viewDidLoad\n");

    [self injected_viewDidLoad];

    [[self.view window] setMovableByWindowBackground:YES];

     self.view.window.titlebarAppearsTransparent = true;
     self.view.window.titleVisibility = NSWindowTitleHidden;
     self.view.window.styleMask |= NSWindowStyleMaskFullSizeContentView;
     self.view.window.appearance = [NSAppearance appearanceNamed:NSAppearanceNameVibrantDark];
}

@end

//
// TerminalMaterialDark.m ends here

And Info.plist:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>MIPUseBlacklistMode</key>
    <false/>
    <key>MIPBundleNames</key>
    <string>com.apple.Terminal</string>
    <key>MIPExecutableName</key>
    <string>Terminal</string>
    <key>CFBundleExecutable</key>
    <string>TerminalMaterialDark</string>
    <key>CFBundleIdentifier</key>
    <string>local.TerminalMaterialDark</string>
    <key>CFBundleInfoDictionaryVersion</key>
    <string>6.0</string>
    <key>CFBundleName</key>
    <string>TerminalMaterialDark</string>
    <key>CFBundlePackageType</key>
    <string>BNDL</string>
    <key>CFBundleShortVersionString</key>
    <string>1.0</string>
    <key>CFBundleVersion</key>
    <string>1</string>
</dict>
</plist>

After a make && make install, lanching Terminal.app does not print anything whatsoever.

Am I missing something?

Thanks.

sudo ./inject 1234 xxx.dylib
get_thread_port_for_task failed！

Substrate's Bundles accepts any bundle identifier, not just application bundle IDs. For example, if you wanted to modify NSApp.mainMenu in every app, you would use com.apple.AppKit. Your tweak would load into all GUI apps (any process that links AppKit) to make a system wide tweak — without having to use a wildcard bundle and blacklist daemons.

Happy to put up a PR for this if you'd accept it!

buddy, please tell me how to know whether inject success or not in chrome subProcess when I click new Tab. I print log in console but show nothing , but I saw your "readme" desc that can support it. I just want to know how can I test it. thx

Hi,
When I try to inject some app with the inject tool on macOS 14.4, both the inject tool and the target app would crash.
I'm using a Intel-based macbook pro, but I think Macs with Apple silicon probably have the same issue.
Attached are the ips files.
ips.zip

copy inject and payload file to my project use to inject
but mach-o/dyld_images.h not Found

can you help me?

I don't know, if you still receive E-Mails from closed issues.
This is what I posted in "Support Rosetta Plz #25"
"Thx for the Rosetta 2 update.
I tested your new version with Monterey and Sonoma.
Works with Monterey but not with Ventura + Sonoma.

Just wanna let you know."

I can't give you any info about my testing.
My INTEL only apps just started without any injection.

Thx

Hi, first of all, pretty cool injection tool.

I played a little bit with MIP and noticed a settings.plist problem.
MIP doesn't read the plist cause you used NSKeyedUnarchiver.
I recommend to use:
NSDictionary *user_preferences = [NSDictionary dictionaryWithContentsOfFile:[@(MIP_user_data_path()) stringByAppendingPathComponent:@"settings.plist"]];

That will fix the problem.

CPU：Intel Core i7
Version：Monterey 12.6.3
SIP disabled
I followed README and use MacOSX10.13.sdk for compile, but it went Error. I really have no idea how to fix it, could you please give a look?

macOS 12.0.1 (21A559) M1

I succeeded in intel

as well as binutils for gobjcopy (brew install binutils), which should be linked as gobjcopy

No matter what I've tried I get this error.
mkdir -p build/injector/ cc -g -mmacosx-version-min=10.10 -I. -Werror -O3 -Wno-deprecated-declarations -isysroot -arch arm64e -c injector/lsd_injector.c -o build/injector/lsd_injector.c.o clang: error: no such file or directory: 'arm64e' clang: error: no such sysroot directory: '-arch' [-Werror,-Wmissing-sysroot] make: *** [build/injector/lsd_injector.c.o] Error 1

I booted the system and everything works (no complaint from the Helper App). After some time the commands no longer worked: opened the Helper App and sure enough, it said the bundle wasn't installed.
This has happened twice now. A reboot always fixes it.
macOS 12.4 M1-MBA

Payload crashes the injected process, including launchservicesd, when using MIP in High Sierra.

Hi, would be nice,
if you could add compatibility for macOS Ventura.

Thx

Hello again,
today I discovered an issue with MIP on M1 - macOS 12.6.2
MIP does not work anymore.
I have no idea what it caused - macOS update or XProtect update...
I tried to start it from terminal and got this:

Inject MIP to launchservicesd without a restart? [y/N] y
/bin/sh: line 1: 1378 Killed: 9 sudo inject launchservicesd /Library/Apple/System/Library/Frameworks/mip/lsdinjector.dylib
make: *** [install] Error 137

Watching console I got this:

Acquiring assertion targeting [app<application.com.apple.Console.1152921500311973676.1152921500311973681(501)>:954] from originator [daemon<com.apple.coreservices.launchservicesd>:146] with description <RBSAssertionDescriptor| "notification:954" ID:195-146-763 target:954 attributes:[
<RBSDomainAttribute| domain:"com.apple.launchservicesd" name:"LSNotification" sourceEnvironment:"(null)">
]>

Any idea?

PS: MIP still works on my INTEL Mac with Monterey 12.6.2

1、Mach Info
CPU：Intel Core i7 （2017）
Version：Macos Montery 12.6

ps: SIP already disable

2、Install Message

➜  MIP sudo make install
if [ -d /usr/lib/mip ]; then \
		sudo rm /Users/*/Library/MIP ;\
		sudo mkdir -p /Library/Apple/System/Library/Frameworks/ ;\
		sudo mv /usr/lib/mip /Library/Apple/System/Library/Frameworks/ ;\
		sudo ln -s /Library/Apple/System/Library/Frameworks/mip /usr/lib/mip ;\
	fi
sudo mkdir -p /Library/Apple/System/Library/Frameworks/mip/user_data
sudo mkdir -p /Library/Apple/System/Library/Frameworks/mip/Bundles
sudo mkdir -p /usr/local/include/mip
sudo cp build/lsdinjector.dylib build/loader.dylib /Library/Apple/System/Library/Frameworks/mip/
sudo cp build/inject /usr/local/bin/
sudo cp loader/loader_public.h /usr/local/include/mip/loader.h
sudo cp local.lsdinjector.plist /Library/LaunchDaemons/
sudo defaults write /Library/Preferences/com.apple.security.libraryvalidation.plist DisableLibraryValidation -bool true
(read -p "Inject MIP to launchservicesd without a restart? [y/N] " -n 1 -r; echo ; if [[ $REPLY =~ ^[Yy]$ ]]; then sudo inject launchservicesd /Library/Apple/System/Library/Frameworks/mip/lsdinjector.dylib; fi;)
Inject MIP to launchservicesd without a restart? [y/N] y
sudo: unable to execute /usr/local/bin/inject: Bad CPU type in executable
make: *** [install] Error 1

% inject
zsh: killed     inject

A similar error occurs when this is called during make install.

This is on macOS 12.4 on a 2020 MacBook Air (with M1.)

Today I updated Sonoma to 14.4.b2 and have sad news for MIP
MIP stopped working. I uninstalled it.
After a fresh install I got this in Terminal window:

Injecting to process 142
/bin/sh: line 1: 1665 Killed: 9 sudo inject launchservicesd /Library/Apple/System/Library/Frameworks/mip/lsdinjector.dylib
make: *** [install] Error 137

Any idea ?

After system reboot injection does not work most of the time on Big Sur+ (tried on 11.3 and 12.6), on limited amount of tries I did on Catalina it worked 100% of the time. Intel CPU.

Seems like daemon does run after reboot.

$ launchctl print system/local.lsdinjector
system/local.lsdinjector = {
	active count = 0
	path = /Library/LaunchDaemons/local.lsdinjector.plist
	state = not running

	program = /usr/local/bin/inject
	arguments = {
		/usr/local/bin/inject
		launchservicesd
		/Library/Apple/System/Library/Frameworks/mip/lsdinjector.dylib
		-w
	}

	default environment = {
		PATH => /usr/bin:/bin:/usr/sbin:/sbin
	}

	environment = {
		XPC_SERVICE_NAME => local.lsdinjector
	}

	domain = system
	minimum runtime = 1
	exit timeout = 5
	runs = 1
	last exit code = 0

	semaphores = {
		successful exit => 0
	}

	spawn type = daemon (3)
	jetsam priority = 4
	jetsam memory limit (active) = (unlimited)
	jetsam memory limit (inactive) = (unlimited)
	jetsamproperties category = daemon
	jetsam thread limit = 32
	cpumon = default

	properties = runatload | inferred program | system service
}

$ sudo launchctl load -w /Library/LaunchDaemons/local.lsdinjector.plist  
/Library/LaunchDaemons/local.lsdinjector.plist: service already loaded
Load failed: 37: Operation already in progress

Log message is the same regardless, if it succeeded after reboot or not:

Searching...
Injecting to process 130

I have to run these commands

$ sudo launchctl unload -w /Library/LaunchDaemons/local.lsdinjector.plist
$ sudo launchctl load -w /Library/LaunchDaemons/local.lsdinjector.plist

or this command and then restart applications that I have on bundle's whitelist to make injection work.

$ sudo inject launchservicesd /Library/Apple/System/Library/Frameworks/mip/lsdinjector.dylib -w

Steps to reproduce: install bundle (Alt-Zoom). Try launching word: it crashes.
Uninstall the Alt-Zoom bundle (ie delete) now Word works.

Getting the error
gobjcopy: No such file or directory

Hello, today I tried out the new macOS Sequoia with MIP
and encountered the same problem as the latest Sonoma 14.5.

Do you know what install error 137 is?

Thx

inject-2024-06-11-111355.ips.zip

I tried code on x86 with SIP enabled, and it works

This code does not support apple m1 processor

"MIP is currently unable to inject to Intel processes running through Rosetta. This will be addressed in a future version."
Could u plzzzzzzz support injection to Intel processes running through Rosetta ?
Just wait for a long time.
About a year.

Environment: M2 MacBook Air, macOS 12.6

I built and installed the project, enabled the preview abi boot arg, and rebooted. Then I made and installed the sample bundle. Everything installed fine, I checked. But when I open the Alt-Zoom app, it says it is not installed, which just means the class/plugin wasn't loaded.

The only thing I did differently is I used ldid -S $@ in place of the codesign command in both projects, to pseudo-sign the binaries. I don't know a lot about how code signing works, but I know this is what we use in the jailbreak world to sign binaries, and I am able to use it to sign modified app executables or frameworks to make them run on my mac, so I don't know why that might be an issue here.

Assuming that's not the issue, how do I troubleshoot this? (In the meantime, I'm going to try again with an actual codesigning identity just to be safe)

Edit: that was the issue! Strangely, I only had to re-sign and re-install MIP itself… I can still pseudo sign the tweaks themselves. Not a big deal I guess! I'll close this

I followed the instructions in the readme, but it kept saying "CodeSign: no identity found". I looked at the Makefile, and it turns out the variable is called SIGN_IDENTITY, not SIGNING_IDENTITY as it says in the readme.