Comments (5)
So you're saying that HookCase can miss a process that was run by using execv without fork?
That would surprise me. Please post a detailed demonstration of this, including the source for all your scripts.
Yes, HookCase injects its "hook library" into a process when the process is created. That's because the purpose of HookCase is to set hooks, and when a process starts is the best time to set them.
from hookcase.
OK, I will post my demonstration.
My test dylib looks like this:
//
// testInject.m
// testInject
//
// Created by ye liuyi on 2023/3/16.
//
// Note: the macros below use reinterpret_cast, so this file has to be compiled as Objective-C++ (.mm).
#import <Foundation/Foundation.h>
#include <stdio.h>
#include <stdlib.h>   // getprogname()
#include <unistd.h>   // access()

// Layout of one hook descriptor, as HookCase reads it out of the __DATA,__hook section.
typedef struct _hook_desc {
  const void *hook_function;
  union {
    // For interpose hooks
    const void *orig_function;
    // For patch hooks
    const void *func_caller_ptr;
  };
  const char *orig_function_name;
  const char *orig_module_name;
} hook_desc;

#define PATCH_FUNCTION(function, module) \
  { reinterpret_cast<const void*>(Hooked_##function), \
    reinterpret_cast<const void*>(&function##_caller), \
    "_" #function, \
    #module }

#define INTERPOSE_FUNCTION(function) \
  { reinterpret_cast<const void*>(Hooked_##function), \
    reinterpret_cast<const void*>(function), \
    "_" #function, \
    "" }

// Runs once when the dylib is loaded into a process.
__attribute__((constructor)) static void sandbox_entry() {
  printf("hello inject %s\n", getprogname());
}

// Interpose hook for access(): log the path, then call the original.
int Hooked_access(const char *path, int mode) {
  printf("hooked access: %s!\n", path);
  return access(path, mode);
}

// Table of hooks that HookCase installs when it loads this library.
__attribute__((used)) static const hook_desc test_hooks[]
  __attribute__((section("__DATA, __hook"))) =
{
  INTERPOSE_FUNCTION(access),
};
It only printfs when access() is called.
Then I have two executable files; test1 will exec test2:
// test1
#include <cstdio>
#include <iostream>
#include <unistd.h>

int main(int argc, const char * argv[]) {
  std::cout << "hello test1!" << std::endl;
  access("aaa", F_OK);
  // Replace this process image with test2 (no fork, same pid).
  // execv() expects a NULL-terminated argv and only returns on failure.
  char *const args[] = { (char *)"test2", NULL };
  execv("test2", args);
  perror("execv");
  return 1;
}

// test2
#include <iostream>
#include <unistd.h>

int main(int argc, const char * argv[]) {
  std::cout << "hello test2!" << std::endl;
  // If the hook library were loaded into this image, this call would be logged.
  access("bbb", F_OK);
  return 0;
}
And I run HC_INSERT_LIBRARY=libtestInject.dylib ./test1
The result will be:
hello inject test1
hello test1!
hooked access: aaa!
hello test2!
Obviously, test2 hasn't been injected.
from hookcase.
Thanks for your test case. You're right -- it shows HookCase missing a process that was launched using execv().
This is definitely not how HookCase was designed. Using execv() launches the new process over the old one -- the new process has the same pid as the old one. But HookCase should catch both processes, and often does. The xpcproxy example shows this. Likewise if you load any hook library with a constructor function into Safari, and make the function include a call to NSLog() or LogWithFormat() (after [NSObject load]). You'll often see the "same" process (sharing the same pid) being launched twice -- once as xpcproxy and once as something else.
I'll be working on this.
Thanks for both this report and your other one. I don't get enough bug reports like these. I use HookCase a lot in my own reverse engineering. I fix all the problems I find. But inevitably I tend to keep using it the same way, so there are some problems that I'd never find on my own.
from hookcase.
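The point made above, that execv() launches the new image over the old one and the pid does not change, can be checked from user space. The following C program is an added example; it is not from this thread and not part of HookCase. It forks a child that execs /bin/sh, captures what the new image reports, and shows two things: the pid fork() returned is the pid the exec'd image sees, so a hook library that was loaded into the pre-exec image is simply gone in the new one (an injector that only acts at process creation misses it, which is the gap the test case exposes); and an injection variable like the HC_INSERT_LIBRARY used in the test only reaches the new image if the exec passes the environment on (execv/execl hand over environ; execve with a fresh envp drops it). The variable name HC_INSERT_LIBRARY_DEMO is constructed for the demo, environ_plus() is the example's own helper, and the code assumes a POSIX system with /bin/sh.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

extern char **environ;

/* Build an envp that is the parent's environ with one extra entry in front,
 * which is what a launcher does when it sets an injection variable before
 * calling exec. Caller frees the array (not the strings). */
static char **environ_plus(const char *entry) {
    size_t n = 0;
    while (environ[n]) n++;
    char **envp = malloc((n + 2) * sizeof *envp);
    if (!envp) return NULL;
    envp[0] = (char *)entry;
    memcpy(envp + 1, environ, n * sizeof *envp);
    envp[n + 1] = NULL;
    return envp;
}

/* Fork a child, exec /bin/sh -c cmd in it with the given envp, and capture
 * the child's stdout into out. Returns the pid fork() handed the parent,
 * or -1 on error. */
static pid_t run_in_exec_child(const char *cmd, char **envp,
                               char *out, size_t outlen) {
    int fds[2];
    if (pipe(fds) != 0) return -1;
    pid_t child = fork();
    if (child < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (child == 0) {
        close(fds[0]);
        dup2(fds[1], STDOUT_FILENO);
        close(fds[1]);
        /* From here on the old image, and anything loaded into it, is gone. */
        char *const argv[] = { "sh", "-c", (char *)cmd, NULL };
        execve("/bin/sh", argv, envp);
        _exit(127);                       /* only reached if exec failed */
    }
    close(fds[1]);
    size_t used = 0;
    for (;;) {
        ssize_t n = read(fds[0], out + used, outlen - 1 - used);
        if (n <= 0) break;
        used += (size_t)n;
        if (used >= outlen - 1) break;
    }
    out[used] = '\0';
    close(fds[0]);
    int status;
    waitpid(child, &status, 0);
    while (used > 0 && out[used - 1] == '\n') out[--used] = '\0';
    return child;
}

/* 1 if the pid the exec'd shell reports as $$ equals the pid fork() returned,
 * i.e. exec reused the child's pid instead of creating a new process. */
int exec_keeps_pid(void) {
    char buf[64];
    pid_t child = run_in_exec_child("echo $$", environ, buf, sizeof buf);
    return child > 0 && strtol(buf, NULL, 10) == (long)child;
}

/* Constructed demo variable; stands in for HC_INSERT_LIBRARY in the test case. */
#define DEMO_ENTRY "HC_INSERT_LIBRARY_DEMO=libtestInject.dylib"

/* 1 if the launcher's injection variable is visible inside the exec'd image.
 * scrub_env = 0: parent's environ plus the variable is passed on (what
 * execv/execl do implicitly). scrub_env = 1: execve with an empty envp. */
int env_survives_exec(int scrub_env) {
    char buf[256];
    char *scrubbed[] = { NULL };
    char **envp = scrub_env ? scrubbed : environ_plus(DEMO_ENTRY);
    if (!envp) return -1;
    pid_t child = run_in_exec_child("echo \"${HC_INSERT_LIBRARY_DEMO:-unset}\"",
                                    envp, buf, sizeof buf);
    if (!scrub_env) free(envp);
    return child > 0 && strcmp(buf, "libtestInject.dylib") == 0;
}

int main(void) {
    printf("exec keeps pid:                       %d\n", exec_keeps_pid());
    printf("env survives exec (environ passed):   %d\n", env_survives_exec(0));
    printf("env survives exec (scrubbed envp):    %d\n", env_survives_exec(1));
    return 0;
}
```

The first check is the reason a hooking framework cannot treat "process created" and "image loaded" as the same event: the pid stays, the image does not. The second check shows why the environment-based launch in the test case reaches test1 at all, and that a launcher which builds its own envp for execve would not even hand the variable to the next image.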
I just released HookCase 7.1.2, which should fix this problem. It also fixes issues with forked processes.
from hookcase.
> I just released HookCase 7.1.2, which should fix this problem. It also fixes issues with forked processes.
Yes, HookCase won't miss this case, and I will try to use HookCase in more cases.
from hookcase.