steven-michaud / HookCase

Tool for reverse engineering macOS/OS X


It seems Big Sur 11.3 broke HookCase

ni-max opened this issue · comments

Hi,

kext is loaded but it's not working under Big Sur 11.3 :(
I don't know how to debug this.
Please let me know if I can be of any help and thanks for your work.

$ /usr/bin/kmutil showloaded |grep -i hook
No variant specified, falling back to release
  175    0 0xffffff7f9b5c7000 0x11000    0x11000    org.smichaud.HookCase (5.0.2) ED3C0F6A-FECE-3942-B356-82CB8DAF4B1B <8 6 5 3 2 1>
$ sysctl -a | grep osrelease
kern.osrelease: 20.4.0
$ uname -r
20.4.0

I'm able to reproduce what you report. HookCase.kext loaded fine. Then I tested with the "events" example. It produced no output at all. There also wasn't any output in the Console app when I filtered on "hook".

macOS 10.15.7 (build 19H1030) and 10.14.6 (build 18G9028) were also recently updated by Apple, but HookCase still works fine there (at least with the "events" example).

I'll be working on this. But I don't know what Apple's done, so I don't know how long it will take.

It could be related to this:

via: https://support.apple.com/en-us/HT212325

AppleMobileFileIntegrity
Available for: macOS Big Sur
Impact: A malicious application may be able to bypass Privacy preferences
Description: An issue in code signature validation was addressed with improved checks.
CVE-2021-1849: Siguza

and this: https://objective-see.com/blog/blog_0x64.html

Thanks for the information.

I don't think the trouble with HookCase can be a direct effect of the changes Apple's made to fix this bug. HookCase.kext still loads, after all. But it might be a side effect. In any case, thanks to you I now know that the macOS 11.3 update contains a high-profile security fix -- which I didn't know before. In the past these have often been sources of trouble for HookCase.

Apple's macOS 11.3 update changed the location of important fields in the kernel's task structure -- all_image_info_addr and all_image_info_size. This is the proximate cause of the failure you reported.

Apple normally makes this kind of change only in a new major release. Though this isn't the first time they've broken that (unstated) rule in a minor release. I'll need to re-check the location of all the fields HookCase references directly, if only to make sure they haven't changed, too. This will take at least a couple of days.

Then there's the possibility that Apple's also made other changes that would break HookCase. But I can only look into that after I've rechecked all the field offsets.

This kind of change could easily have led to a kernel panic. I suppose I should count myself lucky that didn't happen :-(
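The failure described above (a kext reading task fields at offsets that a minor macOS update moved, with a kernel panic as the worst case) is the kind of thing a version-gated offset table with a fail-closed default is meant to catch. The following is an added example written for this issue, not HookCase's own code: it parses a kern.osrelease string such as the "20.4.0" shown earlier, matches it exactly (major and minor) against a table of known task layouts, and refuses to read all_image_info_addr / all_image_info_size when the kernel build is unknown, the offset would fall outside the structure, or the values read back are implausible. Every offset in the table is a constructed placeholder; the real per-build offsets are not given in this issue.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Byte offsets of the two task fields mentioned in the issue. All offset
 * values are CONSTRUCTED PLACEHOLDERS for this example, not real XNU offsets. */
typedef struct {
    int darwin_major;                /* kern.osrelease major: 18=10.14, 19=10.15, 20=11 */
    int darwin_minor;                /* kern.osrelease minor: 20.4.0 is macOS 11.3 */
    size_t all_image_info_addr_off;  /* offset of task->all_image_info_addr */
    size_t all_image_info_size_off;  /* offset of task->all_image_info_size */
} task_layout_t;

static const task_layout_t known_layouts[] = {
    { 18, 6, 0x3d0, 0x3d8 },   /* placeholder: macOS 10.14.6 */
    { 19, 6, 0x3e0, 0x3e8 },   /* placeholder: macOS 10.15.7 */
    { 20, 3, 0x3f0, 0x3f8 },   /* placeholder: macOS 11.2.x */
    { 20, 4, 0x410, 0x418 },   /* placeholder: macOS 11.3, fields moved */
};

/* Strictly parse "major.minor.patch" (e.g. "20.4.0"). Returns 0, or -1 on malformed input. */
int parse_osrelease(const char *s, int *major, int *minor, int *patch)
{
    int *out[3] = { major, minor, patch };
    for (int i = 0; i < 3; i++) {
        char *end;
        if (*s < '0' || *s > '9') return -1;        /* rejects "", ".4.0", "-1.0.0" */
        long v = strtol(s, &end, 10);
        if (v > 9999) return -1;
        *out[i] = (int)v;
        if (i < 2) {
            if (*end != '.') return -1;
            s = end + 1;
        } else if (*end != '\0') {
            return -1;                               /* trailing junk such as "0beta" */
        }
    }
    return 0;
}

/* Exact major.minor match only. Matching on the major alone is precisely the
 * assumption that 11.3 (20.4.0) broke, so an unknown minor returns NULL. */
const task_layout_t *layout_for_kernel(const char *osrelease)
{
    int major, minor, patch;
    if (parse_osrelease(osrelease, &major, &minor, &patch) != 0) return NULL;
    for (size_t i = 0; i < sizeof known_layouts / sizeof known_layouts[0]; i++)
        if (known_layouts[i].darwin_major == major && known_layouts[i].darwin_minor == minor)
            return &known_layouts[i];
    return NULL;
}

/* Read both fields from a task image. Returns -1 (and touches nothing) when the
 * kernel is unknown, an offset would overrun the buffer, or the values are
 * implausible. Stale offsets on a real kernel return garbage, not zeros, which
 * is why the plausibility check matters even after the version gate. */
int read_image_info(const unsigned char *task, size_t task_len, const char *osrelease,
                    uint64_t *addr, uint64_t *size)
{
    const task_layout_t *l = layout_for_kernel(osrelease);
    if (l == NULL) return -1;
    if (l->all_image_info_addr_off + sizeof(uint64_t) > task_len ||
        l->all_image_info_size_off + sizeof(uint64_t) > task_len) return -1;
    uint64_t a, z;
    memcpy(&a, task + l->all_image_info_addr_off, sizeof a);
    memcpy(&z, task + l->all_image_info_size_off, sizeof z);
    if (a == 0 || z == 0 || z > 4096) return -1;    /* heuristic: user pointer, small struct */
    *addr = a;
    *size = z;
    return 0;
}

/* Demo helper: build a constructed task image laid out for build_rel, then read
 * it using the table entry for read_rel. Returns read_image_info's result. */
int demo_read(const char *build_rel, const char *read_rel, size_t buf_len)
{
    unsigned char task[0x800];
    uint64_t addr, size;
    const task_layout_t *l = layout_for_kernel(build_rel);
    if (l == NULL || buf_len > sizeof task) return -2;
    memset(task, 0, sizeof task);
    uint64_t a = 0x7fff2000a000ULL, z = 0x1d0;     /* constructed sample values */
    memcpy(task + l->all_image_info_addr_off, &a, sizeof a);
    memcpy(task + l->all_image_info_size_off, &z, sizeof z);
    return read_image_info(task, buf_len, read_rel, &addr, &size);
}

int main(void)
{
    printf("11.3 image, 11.3 table: %d\n", demo_read("20.4.0", "20.4.0", 0x800));  /* 0 */
    printf("11.3 image, 11.2 table: %d\n", demo_read("20.4.0", "20.3.0", 0x800));  /* -1 */
    printf("11.3 image, unknown 20.5.0: %d\n", demo_read("20.4.0", "20.5.0", 0x800)); /* -1 */
    return 0;
}
```

The point of the exact major.minor match is the one this issue illustrates: the layout change arrived in a minor update, so a table keyed on the Darwin major alone would have silently applied the 11.2 offsets to 11.3, and the only thing left between that and a panic is the refusal path.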

I've now fixed this bug in HookCase 5.0.3. Two kernel structures were changed (struct task and struct thread), but macOS 11.3 doesn't seem to have introduced any other issues.

Please try it out. Let me know if you have any trouble.

Awesome, that was fast! Thank you.

Edit: I checked and HookCase v5.0.3 is working as expected.

I'm glad to hear things are back to normal!