1.5 Data Execution Prevention

iOS has a Data Execution Prevention (DEP) mechanism that distinguishes which memory holds executable code and which holds data. The mechanism refuses to execute data and only executes code. By default the data segment is readable, writable and non-executable; if we use the vm_protect function to change its attributes to readable, writable and executable, an error message is printed. The code is as follows:

#import <Foundation/Foundation.h>
#include <mach/mach.h>
#include <mach/mach_error.h>
#include <mach-o/dyld.h>

static void try_make_data_executable(void) {
    unsigned int data = 0x12345678;

    const struct mach_header *image_addr = _dyld_get_image_header(0);   // get the image base address
    // offset of the data segment; cast to an integer first, otherwise the addition
    // is pointer arithmetic scaled by sizeof(struct mach_header)
    vm_address_t offset = (vm_address_t)image_addr + 0x8000;

    kern_return_t err;
    mach_port_t port = mach_task_self();
    // set_maximum = NO: change the current protection, not the maximum protection
    err = vm_protect(port, offset, sizeof(data), NO,
                     VM_PROT_READ | VM_PROT_WRITE | VM_PROT_EXECUTE);
    if (err != KERN_SUCCESS) {
        NSLog(@"prot error: %s \n", mach_error_string(err));
        return;
    }
    vm_write(port, offset, (vm_address_t)&data, sizeof(data));
}

After running it, the error message printed is:

2018-04-08 23:59:01.680009 vm_write[6222:265002] prot error: (os/kern) protection failure
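As an added check that is not part of the book's listing, the following Objective-C code queries the region that holds the data variable with vm_region_64 and reports its current and maximum protection. vm_protect can raise a region's current protection only up to its maximum protection, so when the maximum lacks VM_PROT_EXECUTE the RWX request above is refused with KERN_PROTECTION_FAILURE, the "(os/kern) protection failure" shown in the log. The helper names describe_protection, region_forbids_execute and check_data_segment are my own.

```objective-c
#import <Foundation/Foundation.h>
#include <mach/mach.h>
#include <mach/mach_error.h>
#include <mach/vm_map.h>

// Render a vm_prot_t bitmask as "rwx"-style text (helper written for this example).
static NSString *describe_protection(vm_prot_t prot) {
    return [NSString stringWithFormat:@"%c%c%c",
            (prot & VM_PROT_READ)    ? 'r' : '-',
            (prot & VM_PROT_WRITE)   ? 'w' : '-',
            (prot & VM_PROT_EXECUTE) ? 'x' : '-'];
}

// Look up the VM region containing addr and report whether EXECUTE could ever be granted.
// Returns YES when the region's maximum protection already forbids execution.
static BOOL region_forbids_execute(vm_address_t addr) {
    vm_address_t region_start = addr;          // rounded down to the region start by the kernel
    vm_size_t region_size = 0;
    struct vm_region_basic_info_64 info;
    mach_msg_type_number_t count = VM_REGION_BASIC_INFO_COUNT_64;
    mach_port_t object_name = MACH_PORT_NULL;  // unused, but the call requires it

    kern_return_t err = vm_region_64(mach_task_self(), &region_start, &region_size,
                                     VM_REGION_BASIC_INFO_64, (vm_region_info_t)&info,
                                     &count, &object_name);
    if (err != KERN_SUCCESS) {
        NSLog(@"vm_region_64 error: %s", mach_error_string(err));
        return NO;
    }
    NSLog(@"region 0x%lx-0x%lx cur=%@ max=%@",
          (unsigned long)region_start, (unsigned long)(region_start + region_size),
          describe_protection(info.protection), describe_protection(info.max_protection));
    // The current protection can never exceed max_protection, so an absent EXECUTE bit
    // here means any vm_protect request for RWX must fail with KERN_PROTECTION_FAILURE.
    return (info.max_protection & VM_PROT_EXECUTE) == 0;
}

// Example use: inspect the page that holds a variable in the writable data segment.
static void check_data_segment(void) {
    static unsigned int data = 0x12345678;   // static, so it lives in the data segment
    if (region_forbids_execute((vm_address_t)&data)) {
        NSLog(@"DEP: the data region can never become executable; vm_protect to RWX will fail");
    } else {
        NSLog(@"warning: the data region's maximum protection permits execution");
    }
}
```

Running check_data_segment on a stock iOS device is expected to print a region with cur=rw- and max=rw-, matching the failure the book's listing produces.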