Comments (7)
I'm able to reproduce what you report. HookCase.kext loaded fine. Then I tested with the "events" example. It produced no output at all. There also wasn't any output in the Console app when I filtered on "hook".
macOS 10.15.7 (build 19H1030) and 10.14.6 (build 18G9028) were also recently updated by Apple, but HookCase still works fine there (at least with the "events" example).
I'll be working on this. But I don't know what Apple's done, so I don't know how long it will take.
from hookcase.
It could be related to this:
via: https://support.apple.com/en-us/HT212325
AppleMobileFileIntegrity
Available for: macOS Big Sur
Impact: A malicious application may be able to bypass Privacy preferences
Description: An issue in code signature validation was addressed with improved checks.
CVE-2021-1849: Siguza
and this: https://objective-see.com/blog/blog_0x64.html
from hookcase.
Thanks for the information.
I don't think the trouble with HookCase can be a direct effect of the changes Apple's made to fix this bug. HookCase.kext still loads, after all. But it might be a side effect. In any case, thanks to you I now know that the macOS 11.3 update contains a high-profile security fix -- which I didn't know before. In the past these have often been sources of trouble for HookCase.
from hookcase.
Apple's macOS 11.3 update changed the location of important fields in the kernel's task structure -- all_image_info_addr and all_image_info_size. This is the proximate cause of the failure you reported.
Apple normally makes this kind of change only in a new major release. Though this isn't the first time they've broken that (unstated) rule in a minor release. I'll need to re-check the location of all the fields HookCase references directly, if only to make sure they haven't changed, too. This will take at least a couple of days.
Then there's the possibility that Apple's also made other changes that would break HookCase. But I can only look into that after I've rechecked all the field offsets.
This kind of change could easily have led to a kernel panic. I suppose I should count myself lucky that didn't happen :-(
from hookcase.
I've now fixed this bug in HookCase 5.0.3. Two kernel structures were changed (struct task and struct thread), but macOS 11.3 doesn't seem to have introduced any other issues.
Please try it out. Let me know if you have any trouble.
from hookcase.
Awesome, that was fast! Thank you.
Edit. I checked and HookCase v5.0.3 is working as expected.
from hookcase.
I'm glad to hear things are back to normal!
from hookcase.