InjectionControl is an open-source framework released under the BSD license that lets an application enable or disable inter-process code injection on Intel Macs. It comes as a complement to mach_inject on Intel Macs.
What is "inter-process code injection"?
It is a means by which a process can inject code into another running process and eventually execute it remotely. Of course, this is subject to normal Unix security policy, meaning that a user cannot inject code into a process running under another user.
What is "inter-process code injection" useful for?
Many applications called "haxies" use this to customize Apple applications shipped with OS X. Many "Virtual Desktop" applications use this mechanism to inject some code into the Dock, the only process allowed to manipulate all windows on OS X.
Why do I need this framework on Intel only?
Apple added a security feature in Mac OS 10.4.4 for Intel that prevents code injection from working for users who are not part of a Unix group called "procmod". A newly created user is not part of the procmod group.
Apple has not yet backported this restriction to PPC versions of OS X.
How do I use this framework in my application?
The first step is obviously to install it. The installer copies InjectionControl.framework into /Library/Frameworks.
Then, after linking your project with the framework, you should be able to use the two main calls:
InjectionControlError setInjectionEnabledForCurrentUser(int enabled);
InjectionControlError isInjectionEnabledForCurrentUser(int* enabled);
Since modifying a Unix group is a privileged operation, setInjectionEnabledForCurrentUser requires the user to enter an admin password.
However, the user will not be prompted if the call does not need to change the procmod group. In other words, enabling injection for a user who already has it enabled will not bring up the authentication window, since there is no need to modify the group.
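Since the setting comes down to membership of the procmod group, a read-only membership check needs no privileges and no prompt. The following C program is an added example, not part of InjectionControl and not necessarily how isInjectionEnabledForCurrentUser works; the helper names gid_in_credentials and process_in_group are hypothetical, and it uses only POSIX calls to test whether the calling process's credentials include a named group.

```c
/* Added example: read-only check for membership of a Unix group such as
 * "procmod". Helper names are hypothetical, not InjectionControl API. */
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* 1 if gid is the effective gid or one of the supplementary groups of the
 * calling process, 0 if not, -1 on error. */
int gid_in_credentials(gid_t gid)
{
    if (gid == getegid())
        return 1;
    int n = getgroups(0, NULL);          /* ask for the count first */
    if (n < 0)
        return -1;
    if (n == 0)
        return 0;
    gid_t *list = malloc((size_t)n * sizeof *list);
    if (list == NULL)
        return -1;
    n = getgroups(n, list);              /* fill the list */
    int found = 0;
    for (int i = 0; i < n; i++)
        if (list[i] == gid)
            found = 1;
    free(list);
    return n < 0 ? -1 : found;
}

/* Resolve a group name, then test the process credentials.
 * -1 also covers "no such group on this system". */
int process_in_group(const char *name)
{
    struct group *gr = getgrnam(name);
    if (gr == NULL)
        return -1;
    return gid_in_credentials(gr->gr_gid);
}

int main(int argc, char **argv)
{
    const char *name = argc > 1 ? argv[1] : "procmod";
    int r = process_in_group(name);
    printf("%s: %s\n", name, r == 1 ? "member" :
           r == 0 ? "not a member" : "unknown group or error");
    return r == 1 ? 0 : 1;
}
```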
How do I distribute InjectionControl.framework as part of my own project?
Although the BSD license gives you the right to do whatever you want with this code, you are strongly encouraged to distribute this package as-is, in its binary form (see the section below).
If you want to avoid your users having to install InjectionControl as a separate package, distribute your application as a meta-package (pre-10.4) or as a Distribution (10.4 and above) and include the pre-built InjectionControl installer package as part of this meta-package.
Why can't I directly compile the code as part of my application?
Allowing injection requires root privileges. InjectionControl uses a setuid tool which in turn requires admin authentication. This tool must be installed with the proper rights to avoid security risks.
Including this tool as part of your application would be a very bad idea.
My application doesn't use an installer, what options do I have?
The first and most straightforward option is to make an installer for your application.
If you are really against this idea, you can still ship InjectionControl within your application dmg, but this is not really user-friendly.
Another option is to weak-link against InjectionControl.framework and embed the InjectionControl installer within your application bundle. If your application realizes InjectionControl is not installed