[mac] (could be linux) How do you determine where a module is stored in memory?

  1. #1
    Tanaris4

    So if I fire up GDB, hook wow, and type "info shared" it will list out all of the modules that wow loaded, as well as where their starting point is in memory.

    Well, I'd like to figure out where the warden module is stored (I prevent it from being private by editing the NSLinkModule parameters). I was going to use this to then dynamically hook some function calls.

    Anyone have any ideas? I downloaded the GDB source code + looked @ "info shared" and it didn't help me at all, I couldn't trace it back to any system calls that provide this information.

    Example of "info shared":
    Code:
    114 RawCamera                    B 0x927c6000        dyld Y Y /System/Library/CoreServices/RawCamera.bundle/Contents/MacOS/RawCamera at 0x927c6000 (offset 0x927c6000)
    115 AudioIPCPlugIn               B 0x16ed3000        dyld Y Y /System/Library/Extensions/AudioIPCDriver.kext/Contents/Resources/AudioIPCPlugIn.bundle/Contents/MacOS/AudioIPCPlugIn at 0x16ed3000 (offset 0x16ed3000)
    116 AppleHDAHALPlugIn            B 0x16edc000        dyld Y Y /System/Library/Extensions/AppleHDA.kext/Contents/PlugIns/AppleHDAHALPlugIn.bundle/Contents/MacOS/AppleHDAHALPlugIn at 0x16edc000 (offset 0x16edc000)
    117 CoreAudio                    - 0x70000000        dyld Y Y /System/Library/Components/CoreAudio.component/Contents/MacOS/CoreAudio at 0x70000000 (offset 0x0)
    118 Battle.net.bundle            - 0x25900000        dyld Y Y /Volumes/HD/Applications/World of Warcraft/World of Warcraft.app/Contents/Frameworks/Battle.net.bundle at 0x25900000 (offset 0x25900000)
    119 LDAP                         F 0x96417000        dyld Y Y /System/Library/Frameworks/LDAP.framework/Versions/A/LDAP at 0x96417000 (offset 0x96417000)
    120 libssl.0.9.8.dylib           - 0x913bc000        dyld Y Y /usr/lib/libssl.0.9.8.dylib at 0x913bc000 (offset 0x913bc000)
    121 MachOLoader2                 - 0x2e7e6000        dyld Y Y MachOLoader2 at 0x2e7e6000 (offset 0x2e7e6000)
                                                     (objfile is) [memory object "MachOLoader2" at 0x2e7e6000]
    Another random question, anyone know why hooking memcpy would fail (the game locks up)?
    https://tanaris4.com
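
Added example (not part of the original post, and not code from GDB): a parser for the `info shared` listing quoted above that flags images with no file on disk behind them, such as the MachOLoader2 memory object on row 121. The column layout is inferred from the rows in the post, and the function names are hypothetical.

```python
import re

# Sample rows copied from the "info shared" listing in the post above.
SAMPLE = '''\
117 CoreAudio                    - 0x70000000        dyld Y Y /System/Library/Components/CoreAudio.component/Contents/MacOS/CoreAudio at 0x70000000 (offset 0x0)
118 Battle.net.bundle            - 0x25900000        dyld Y Y /Volumes/HD/Applications/World of Warcraft/World of Warcraft.app/Contents/Frameworks/Battle.net.bundle at 0x25900000 (offset 0x25900000)
120 libssl.0.9.8.dylib           - 0x913bc000        dyld Y Y /usr/lib/libssl.0.9.8.dylib at 0x913bc000 (offset 0x913bc000)
121 MachOLoader2                 - 0x2e7e6000        dyld Y Y MachOLoader2 at 0x2e7e6000 (offset 0x2e7e6000)
                                                 (objfile is) [memory object "MachOLoader2" at 0x2e7e6000]
'''

# Assumed layout: num, basename, type, address, reason, two flags, source, "at ADDR (offset OFF)".
ROW = re.compile(
    r'^\s*(?P<num>\d+)\s+(?P<name>\S+)\s+(?P<type>\S)\s+(?P<addr>0x[0-9a-fA-F]+)\s+'
    r'(?P<reason>\S+)\s+\S\s+\S\s+(?P<source>.+?)\s+at\s+0x[0-9a-fA-F]+\s+'
    r'\(offset\s+(?P<offset>0x[0-9a-fA-F]+)\)\s*$')
# Continuation line GDB prints under an image that exists only in memory.
MEMOBJ = re.compile(r'\[memory object "(?P<name>[^"]+)" at (?P<addr>0x[0-9a-fA-F]+)\]')

def parse_info_shared(text):
    """Return one dict per image row; paths containing spaces are kept whole."""
    images = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            img = m.groupdict()
            img['num'] = int(img['num'])
            img['addr'] = int(img['addr'], 16)
            img['offset'] = int(img['offset'], 16)
            img['memory_object'] = False
            images.append(img)
            continue
        cont = MEMOBJ.search(line)
        # Attach the continuation to the row above only if the addresses agree.
        if cont and images and int(cont['addr'], 16) == images[-1]['addr']:
            images[-1]['memory_object'] = True
    return images

def unbacked_images(images):
    """Images marked as memory objects or whose source is not an absolute path."""
    return [i for i in images
            if i['memory_object'] or not i['source'].startswith('/')]

if __name__ == '__main__':
    for img in unbacked_images(parse_info_shared(SAMPLE)):
        print(f"{img['num']:>4} {img['name']} at {img['addr']:#x} has no backing file")
```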

  2. #2
    MaiN
    I'm only speaking for the Windows client here, but I assume it also goes for Mac.
    The module is on Windows not actually loaded like a normal library. WoW allocates memory for it, and then manually maps it into the allocated memory and does all relocations etc. manually. The module is therefore not a normal module, just a bunch of normal allocated memory.
    [16:15:41] Cypher: caus the CPU is a dick
    [16:16:07] kynox: CPU is mad
    [16:16:15] Cypher: CPU is all like
    [16:16:16] Cypher: whatever, i do what i want

  3. #3
    Tanaris4
    It's a normal module on OS X - it's linked using NSLinkModule, but none of the functions involved actually mention WHERE it's mapped into memory once it's loaded as a module vs. it being raw data. So I have to like manually re-compile my injected module w/the address after I attach w/GDB to type "info shared", it sucks :/
    https://tanaris4.com

  4. #4
    MaiN
    Originally Posted by Tanaris4:
    It's a normal module on OS X - it's linked using NSLinkModule, but none of the functions involved actually mention WHERE it's mapped into memory once it's loaded as a module vs. it being raw data. So I have to like manually re-compile my injected module w/the address after I attach w/GDB to type "info shared", it sucks :/
    Just check the Warden functions. They use it all the time.

  5. #5
    Tanaris4
    Originally Posted by MaiN:
    Just check the Warden functions. They use it all the time.
    wow good call I'm an idiot, I'll just find a function that is passed the address when it calls a module func... TY sir
    https://tanaris4.com
