steven-michaud / HookCase

Tool for reverse engineering macOS/OS X

Hooked_openat_dprotected_np function causes hookcase to be disabled

sdwannfv opened this issue · comments

hook.dylib

int Hooked_open(const char *path, int flags, ...)
{
    int ret;
    int mode = 0;

    if (flags & O_CREAT) {
        va_list ap;
        va_start(ap, flags);
        mode = va_arg(ap, int);
        va_end(ap);
    }

    ret = open(path, flags, mode);
    LogWithFormat(true, "[open](%s, 0x%x)-->%d", path, flags, ret);
    
    return ret;
}

//int Hooked_openat_dprotected_np(int fd, const char* path, int flags, int dpclass, int dpflags, ...)
//{
//    int mode = 0;
//
//    if (flags & O_CREAT) {
//        va_list ap;
//        va_start(ap, dpflags);
//        mode = va_arg(ap, int);
//        va_end(ap);
//    }
//
//    return openat_dprotected_np(fd, path, flags, dpclass, dpflags, mode);
//}

INTERPOSE_FUNCTION(open),

command

HC_INSERT_LIBRARY=/path/to/hook.dylib ls -l

When the above code for Hooked_openat_dprotected_np is uncommented, hookcase will not work.

I don't know what you mean by "hookcase will not work".

What version of macOS are you testing on? openat_dprotected_np() is present on macOS 13 but not on macOS 12.

I assume you're using interpose hooks for both open() and openat_dprotected_np(). Is that correct?

Edit: Let me take a guess. You built your hook library on macOS 13 (where openat_dprotected_np() is present) and ran it on macOS 12 (where it isn't). On macOS 12, of course, it will refuse to load because it can't find openat_dprotected_np().

Thanks for the reply. On macOS 12.6.2, I am using interpose hooks for open. Hooked_openat_dprotected_np is defined like that; no matter whether openat_dprotected_np is interpose hooked or not, it causes the log in Hooked_open to disappear.

Thanks very much. I guess it may be that on macOS 12.6.2 openat_dprotected_np does not exist, which causes loading hook.dylib to fail.
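Added example, not part of the thread and not HookCase code: one way to avoid the load-time dependency discussed above is to look openat_dprotected_np() up at run time instead of referencing it by name, so a library built on macOS 13 carries no unresolved symbol on macOS 12. The helper names are hypothetical, the function signature is copied from the hook in the issue, and whether a HookCase hook should reach the original function this way is not something the thread covers.

```c
#include <dlfcn.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>

/* Signature as written in the issue's hook: the mode follows dpflags. */
typedef int (*openat_dprotected_fn)(int, const char *, int, int, int, ...);

/* Look a symbol up in the images already loaded into this process.
 * Returns NULL when the running OS does not export it. */
static void *resolve_optional(const char *name)
{
    /* dlopen(NULL, ...) yields a handle for the main program and its dependencies. */
    void *self = dlopen(NULL, RTLD_LAZY);
    return self ? dlsym(self, name) : NULL;
}

/* Hypothetical helper: 1 if the symbol can be resolved on this system, else 0. */
int symbol_available(const char *name)
{
    return resolve_optional(name) != NULL;
}

/* Hypothetical helper: forward to openat_dprotected_np() only where it exists.
 * Because the name appears only as a string, the binary has no link-time
 * reference to it and still loads on a system that lacks the function. */
int call_openat_dprotected(int fd, const char *path, int flags,
                           int dpclass, int dpflags, int mode)
{
    openat_dprotected_fn real =
        (openat_dprotected_fn)resolve_optional("openat_dprotected_np");

    if (!real) {
        errno = ENOSYS;   /* function not provided by this OS version */
        return -1;
    }
    return real(fd, path, flags, dpclass, dpflags, mode);
}

int main(void)
{
    printf("open available: %d\n", symbol_available("open"));
    printf("openat_dprotected_np available: %d\n",
           symbol_available("openat_dprotected_np"));
    return 0;
}
```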