
Comments (5)

steven-michaud commented on May 11, 2024

So you're saying that HookCase can miss a process that was run by using execv without fork?

That would surprise me. Please post a detailed demonstration of this, including the source for all your scripts.

Yes, HookCase injects its "hook library" into a process when the process is created. That's because the purpose of HookCase is to set hooks, and when a process starts is the best time to set them.


liuyi12138 commented on May 11, 2024

OK, I will post my demonstration.
My test dylib looks like this:

//
//  testInject.m
//  testInject
//
//  Created by ye liuyi on 2023/3/16.
//

#import <Foundation/Foundation.h>
#include <stdio.h>   // printf
#include <stdlib.h>  // getprogname
#include <unistd.h>  // access

typedef struct _hook_desc {
  const void *hook_function;
  union {
    // For interpose hooks
    const void *orig_function;
    // For patch hooks
    const void *func_caller_ptr;
  };
  const char *orig_function_name;
  const char *orig_module_name;
} hook_desc;

#define PATCH_FUNCTION(function, module)               \
  { reinterpret_cast<const void*>(Hooked_##function),  \
    reinterpret_cast<const void*>(&function##_caller), \
    "_" #function,                                     \
    #module }

#define INTERPOSE_FUNCTION(function)                   \
  { reinterpret_cast<const void*>(Hooked_##function),  \
    reinterpret_cast<const void*>(function),           \
    "_" #function,                                     \
    "" }


__attribute__((constructor)) static void sandbox_entry() {
    printf("hello inject %s\n", getprogname());
}

int Hooked_access(const char *path, int mode) {
    printf("hooked access: %s!\n", path);
    return access(path, mode);
}

__attribute__((used)) static const hook_desc test_hooks[]
  __attribute__((section("__DATA, __hook"))) =
{
    INTERPOSE_FUNCTION(access),
};

It only calls printf when access is called.
Then I have two executable files; test1 will exec test2:

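// test1
#include <cstdio>
#include <iostream>
#include <unistd.h>

int main(int argc, const char * argv[]) {
    std::cout << "hello test1!" << std::endl;
    access("aaa", F_OK);
    // execv() replaces this process image with test2 (no fork);
    // pass a NULL-terminated argv rather than a NULL pointer.
    char *const args[] = { const_cast<char *>("test2"), nullptr };
    execv("test2", args);
    perror("execv");  // reached only if execv() failed
    return 1;
}

// test2
#include <iostream>
#include <unistd.h>

int main(int argc, const char * argv[]) {
    std::cout << "hello test2!" << std::endl;
    access("bbb", F_OK);
    return 0;
}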

And I run HC_INSERT_LIBRARY=libtestInject.dylib ./test1
The result will be:

hello inject test1
hello test1!
hooked access: aaa!
hello test2!

Obviously, test2 hasn't been injected.


steven-michaud commented on May 11, 2024

Thanks for your testcase. You're right -- it shows HookCase missing a process that was launched using execv().

This is definitely not how HookCase was designed. Using execv() launches the new process over the old one -- the new process has the same pid as the old one. But HookCase should catch both processes, and often does. The xpcproxy example shows this. Likewise if you load any hook library with a constructor function into Safari, and make the function include a call to NSLog() or LogWithFormat() (after [NSObject load]). You'll often see the "same" process (sharing the same pid) being launched twice -- once as xpcproxy and once as something else.

I'll be working on this.

Thanks for both this report and your other one. I don't get enough bug reports like these. I use HookCase a lot in my own reverse engineering. I fix all the problems I find. But inevitably I tend to keep using it the same way, so there are some problems that I'd never find on my own.

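The point made in the comment above, that execv() puts a new program image into the same process and keeps the pid, as an added example (not part of the original thread and not HookCase code): a child calls execv() without a further fork, and the parent checks that the image reporting back has the child's pid and still sees HC_INSERT_LIBRARY. The value libdemo.dylib and the function name are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fork one child that replaces itself with /bin/sh via execv() (no second
 * fork). The shell writes its own pid and the inherited variable to a pipe.
 * Returns 1 if the exec'd image has the child's pid and still sees the
 * variable, 0 if not, -1 on error. */
int execv_keeps_pid_and_env(void) {
    int fds[2];
    if (pipe(fds) != 0) return -1;

    pid_t child = fork();
    if (child < 0) return -1;
    if (child == 0) {
        close(fds[0]);
        dup2(fds[1], STDOUT_FILENO);
        close(fds[1]);
        /* Constructed value; execv() passes the current environment on. */
        setenv("HC_INSERT_LIBRARY", "libdemo.dylib", 1);
        char *const argv[] = { "sh", "-c", "echo $$ $HC_INSERT_LIBRARY", NULL };
        execv("/bin/sh", argv);
        _exit(127);  /* reached only if execv() failed */
    }

    close(fds[1]);
    char buf[128] = {0};
    ssize_t n = read(fds[0], buf, sizeof(buf) - 1);
    close(fds[0]);
    int status = 0;
    waitpid(child, &status, 0);
    if (n <= 0) return -1;

    long reported = 0;
    char lib[64] = {0};
    if (sscanf(buf, "%ld %63s", &reported, lib) != 2) return -1;
    /* Same pid, new image: anything keyed on pid alone sees one process. */
    return reported == (long)child && strcmp(lib, "libdemo.dylib") == 0;
}

int main(void) {
    printf("same pid and environment after execv: %d\n",
           execv_keeps_pid_and_env());
    return 0;
}
```
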

steven-michaud commented on May 11, 2024

I just released HookCase 7.1.2, which should fix this problem. It also fixes issues with forked processes.


liuyi12138 commented on May 11, 2024

> I just released HookCase 7.1.2, which should fix this problem. It also fixes issues with forked processes.

Yes, HookCase won't miss this case, and I will try to use HookCase in more cases.
