
Comments (10)

steven-michaud commented on May 12, 2024

I just released another new version of HookCase to fix this problem.

I hope Apple's behavior with macOS 11.3 and 11.4 isn't a sign of things to come with 11.5 and 11.6. But I can only wait to find out. It's probably a good idea to disable loading HookCase.kext at boot before upgrading to either of these future versions of macOS.

from hookcase.

steven-michaud commented on May 12, 2024

New security updates for macOS 10.15.7 and 10.14.6 also came out at the same time as macOS 11.4. As with #27, HookCase is not affected by these.


ni-max commented on May 12, 2024

For the record:

Apple fixed 5 Kernel bugs in 11.4

Kernel
Available for: macOS Big Sur
Impact: A malicious application may be able to execute arbitrary code with kernel privileges
Description: A logic issue was addressed with improved validation.
CVE-2021-30740: Linus Henze (pinauten.de)

Kernel
Available for: macOS Big Sur
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A logic issue was addressed with improved state management.
CVE-2021-30704: an anonymous researcher

Kernel
Available for: macOS Big Sur
Impact: Processing a maliciously crafted message may lead to a denial of service
Description: A logic issue was addressed with improved state management.
CVE-2021-30715: The UK's National Cyber Security Centre (NCSC)

Kernel
Available for: macOS Big Sur
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A buffer overflow was addressed with improved size validation.
CVE-2021-30736: Ian Beer of Google Project Zero

Kernel
Available for: macOS Big Sur
Impact: A local attacker may be able to elevate their privileges
Description: A memory corruption issue was addressed with improved validation.
CVE-2021-30739: Zuozhi Fan (@pattern_F_) of Ant Group Tianqiong Security Lab

via: https://support.apple.com/en-us/HT212529


steven-michaud commented on May 12, 2024

> This is presumably #27 over again.

Yup.

I've found a change in the kernel's struct thread that explains the kernel panics. But I need to continue going through all the kernel structures used directly by HookCase, to see if others haven't also changed. I expect that to take me another day or two.


ni-max commented on May 12, 2024

> I hope Apple's behavior with macOS 11.3 and 11.4 isn't a sign of things to come with 11.5 and 11.6

Could you please elaborate on this? What do you think is coming?


steven-michaud commented on May 12, 2024

I'm afraid that macOS 11.5 and 11.6 will contain further changes to kernel structures that HookCase accesses directly. This will always cause some kind of breakage. It may be that it just stops working. Or (more likely) there will be kernel panics when you load a hook library, or even HookCase.kext itself.

In the past these kinds of changes happened mostly (though not always) in new major releases -- for example of macOS 11 or 10.15 or 10.14. It's true that 11.3 and 11.4 both contained significant kernel changes. So maybe that explains it. Or maybe Apple is now changing its behavior, and in the future important kernel structures will routinely be changed in "point" releases (like 11.3 and 11.4), as distinct from "point point" releases (like 11.2.3 and 11.3.1). Only time will tell.

In the meantime I strongly suggest you disable loading at boot before upgrading to a "point" release (like 11.5 or 11.6). If HookCase.kext triggers a kernel panic as it loads, your system may become unbootable. (Though you'd still probably be able to avoid the problem by pressing Cmd-R on restart, and booting into the recovery partition.)


ni-max commented on May 12, 2024

Thanks for the information. 🙏🏼

> In the meantime I strongly suggest you disable loading at boot before upgrading to a "point" release (like 11.5 or 11.6). If HookCase.kext triggers a kernel panic as it loads, your system may become unbootable. (Though you'd still probably be able to avoid the problem by pressing Cmd-R on restart, and booting into the recovery partition.)

The way I load HookCase.kext is pretty safe: a wrapper gets loaded as a root daemon which:

  • loads HookCase.kext
  • disables the daemon
  • waits for 10 minutes
  • enables the daemon

So a reboot within 10 minutes will disable the extension.


steven-michaud commented on May 12, 2024

Actually, you'll still have trouble if HookCase.kext triggers a kernel panic as it loads. You'll reboot continuously until you somehow stop the cycle. (Cmd-R would probably work.)

What do you mean by "disables the daemon" and "enables the daemon"?

Edit: I misunderstood what you said. It's the daemon that gets loaded at boot. Still, though, it won't be able to disable itself if HookCase.kext triggers a kernel panic as it's loaded.


ni-max commented on May 12, 2024

Oops, sorry, I made a mistake explaining the logic. Actually the wrapper gets loaded by the root daemon and:

  • disables the daemon
  • loads HookCase.kext
  • waits for 5 minutes
  • enables the daemon

This is the root daemon: /Library/LaunchDaemons/hookcase.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>EnvironmentVariables</key>
    <dict>
        <key>PATH</key>
        <string>/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin</string>
    </dict>
    <key>Label</key>
    <string>hookcase</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/local/sbin/HookCase_Wrapper.sh</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>

And this is the wrapper: /usr/local/sbin/HookCase_Wrapper.sh

#!/bin/sh
export PATH="/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin"

# Disable this daemon first, both in launchd's override list and in the
# daemon's own plist, so that a kernel panic while the kext loads does not
# start it again on the next boot (no reboot loop). `defaults write` may
# reset the file mode, hence the chmod after each write.
defaults write /var/db/com.apple.xpc.launchd/disabled.plist "hookcase" 1
chmod 644 /var/db/com.apple.xpc.launchd/disabled.plist
defaults write /Library/LaunchDaemons/hookcase.plist Disabled -bool TRUE
chmod 644 /Library/LaunchDaemons/hookcase.plist

# Load the kernel extension.
kmutil load -p /usr/local/sbin/HookCase.kext

# Give the system five minutes to prove it stays up with the kext loaded.
sleep 300

# Only now re-enable the daemon for subsequent boots.
defaults write /var/db/com.apple.xpc.launchd/disabled.plist "hookcase" 0
chmod 644 /var/db/com.apple.xpc.launchd/disabled.plist
defaults delete /Library/LaunchDaemons/hookcase.plist Disabled
chmod 644 /Library/LaunchDaemons/hookcase.plist

Let me know what you think.


steven-michaud commented on May 12, 2024

> Let me know what you think.

It looks fine to me. You've thought it all out very carefully.

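The disable-load-reenable wrapper discussed above, as an added example that is neither HookCase's code nor ni-max's script: it records a one-word state file before and after the load, so a daemon that finds a previous attempt still marked "loading" at boot knows the machine panicked mid-load and refuses to try again. The state file path, the `DRY_RUN` switch and the `run` helper are assumptions; the `launchctl disable/enable system/<label>` calls replace the direct edits of disabled.plist.

```shell
#!/bin/sh
# Crash-loop guard for a "disable daemon, load kext, re-enable daemon" wrapper.
# Added example; the paths below are assumptions, not HookCase's own layout.
KEXT="${KEXT:-/usr/local/sbin/HookCase.kext}"
LABEL="${LABEL:-hookcase}"                        # launchd label of the daemon
STATE="${STATE:-/var/db/hookcase_load.state}"     # hypothetical state file
GRACE="${GRACE:-300}"                             # seconds before re-enabling

# The state file holds one word: "loading" (attempt in progress) or "ok".
# Finding "loading" at boot means the previous load never completed, i.e.
# the kernel panicked (or the box was reset) while the kext was loading.
previous_load_unfinished() {
    [ -f "$1" ] && [ "$(cat "$1")" = "loading" ]
}
mark_loading() { printf 'loading\n' > "$1"; }
mark_ok()      { printf 'ok\n' > "$1"; }

# Returns 0 when a load may be attempted, 1 after an unfinished attempt.
may_attempt_load() {
    if previous_load_unfinished "$1"; then
        return 1
    fi
    return 0
}

# With DRY_RUN set, print the privileged command instead of running it.
run() { [ -n "${DRY_RUN:-}" ] && echo "+ $*" || "$@"; }

main() {
    if ! may_attempt_load "$STATE"; then
        echo "previous load of $KEXT did not finish; leaving $LABEL disabled" >&2
        run launchctl disable "system/$LABEL"
        exit 1
    fi
    run launchctl disable "system/$LABEL"   # stays disabled if we panic below
    mark_loading "$STATE"
    run kmutil load -p "$KEXT" || { mark_ok "$STATE"; echo "load failed" >&2; exit 1; }
    sleep "$GRACE"                          # survived the grace period
    mark_ok "$STATE"
    run launchctl enable "system/$LABEL"
}

if [ "${RUN_MAIN:-}" = 1 ]; then main "$@"; fi
```

Run as root with `RUN_MAIN=1` from the LaunchDaemon; a clean load leaves the state file at "ok", a panic during `kmutil load` leaves it at "loading" and the daemon stays disabled on the next boot until an operator removes the file.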
