steven-michaud / HookCase

Tool for reverse engineering macOS/OS X


HookCase and macOS 10.14.4

shinvou opened this issue · comments

Hi Steven,

can you confirm that this extension works as expected on the latest version of macOS 10.14.4? For me the kext loads as expected but when injecting processes - the process won't start.

Thanks in advance.

I can't reproduce this problem in the latest version of macOS 10.4.4 -- at least not yet. I tried injecting my own test hook library (which simply hooks calls to dlopen()) into both Safari and a simple command line utility -- no problems with either.

I say "the latest version of macOS 10.4.4" advisedly, as you seem also to be doing. Over the last few days Apple has mysteriously re-offered additional system updates for macOS 10.13.6 and 10.12.6 with exactly the same names as the previous updates -- "Security Update 2019-002". So far I've only installed the second update for 10.12.6. It changed the low level version number by just one digit -- from 16G1917 to 16G1918. So presumably the second 2019-002 update wasn't identical to the first, though the change it made was probably also very small. I suspect the second 2019-002 updates were issued to handle some kind of emergency -- either a problem with the first 2019-002 updates or a very bad bug (possibly a security bug).

I had no problems with the second 2019-002 update on macOS 10.12.6. I'm about to install and test the second 2019-002 update for macOS 10.13.6. But I haven't yet been offered a second macOS 10.14.4 update -- I've checked several times in System Update and the App Store app, but each time I'm told my system is up to date.

As I mentioned above, I retested on my macOS 10.14.4 system (with as yet only the "first" 10.14.4 update). I had no problems.

What's the low level version number of your installation of macOS 10.14.4? Mine is 18E226.

Thinking it might make a difference, I changed my test hook library (the one that hooks dlopen()) from using a patch hook to using an interpose hook. It made no difference -- I still had no problems. I tested on macOS 10.14.4, and macOS 10.12.6 with the second 2019-002 security update.

I just finished installing the second "Security Update 2019-002" on macOS 10.13.6. It also bumped the low level version number by just one -- from 17G6029 to 17G6030. I just tested on it, and had no problems -- using either a patch hook or an interpose hook for calls to dlopen().

By any chance are you not codesigning your hook libraries? If so try doing that, and let me know if it makes a difference.

I should have mentioned that I also tested HookCase on the "first" versions of both 2019-002 security updates (for macOS 10.13.6 and 10.12.6), and had no problems.

Thanks for your extensive testing, I actually figured out what the problem is.

On 10.14.4 it really works without a problem. The library I loaded was codesigned but exactly this lib loaded a framework that wasn't. So, I'm sorry for that, I should've tested further.

PS: On the latest 10.14.5 Beta (18F96h), it actually doesn't work. I know - it's a beta release - I just wanted to let you know.

Thanks again!

You're most welcome!

I'm glad you figured the problem out, and that it wasn't a bug. I'll keep it in mind that a signed hook library that pulls in an unsigned framework can cause the same trouble as the hook library itself would if it was unsigned. I haven't tested that configuration.

Thanks for the warning about the 10.14.5 beta. But I think I'll wait until it gets to the release version before I do anything about it. With luck the problem will have gone away by then :-)

Yeah, for sure. I'll happily close this issue and will open another one for the release candidate of 10.14.5 if it's necessary.
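The failure mode shinvou hit (a signed hook library that links an unsigned framework) can be caught before injection. The script below is an added example, not HookCase's own code; it assumes macOS with `otool` and `codesign` on PATH, resolves `@rpath`-style paths against the hook library's directory as a simplification, and the `otool -L` sample it ships with is constructed for the offline demo.

```shell
#!/bin/sh
# Added example, not HookCase's own code. Checks that a hook library and each
# non-system library it links are code-signed, since a signed hook library that
# pulls in an unsigned framework keeps the injected process from starting.
# Assumes macOS with otool and codesign on PATH.

# Constructed sample of `otool -L` output, used only for the offline demo.
SAMPLE_OTOOL_OUTPUT='/tmp/libhook.dylib:
    @rpath/Unsigned.framework/Versions/A/Unsigned (compatibility version 1.0.0, current version 1.0.0)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1281.0.0)'

# From `otool -L` output on stdin, print the linked load paths, skipping the
# first line (the library itself) and Apple-signed /usr/lib and /System paths.
linked_libs() {
    tail -n +2 | sed -n 's/^[[:space:]]*\([^ ]*\) (compatibility.*/\1/p' \
        | grep -v -e '^/usr/lib/' -e '^/System/'
}

# Resolve @rpath/@loader_path/@executable_path against the hook library's
# directory (a simplification: a real rpath search may span several directories).
resolve_path() {
    case "$1" in
        @rpath/*|@loader_path/*|@executable_path/*) printf '%s/%s\n' "$2" "${1#*/}" ;;
        *) printf '%s\n' "$1" ;;
    esac
}

# Verify one Mach-O file's signature; report and return 1 when it is unsigned.
check_signed() {
    if codesign --verify --strict "$1" 2>/dev/null; then
        printf 'signed   %s\n' "$1"
    else
        printf 'UNSIGNED %s\n' "$1"; return 1
    fi
}

# Check the hook library itself and everything it links; non-zero if any fail.
check_hook_library() {
    hook="$1"; dir=$(dirname "$hook"); rc=0
    check_signed "$hook" || rc=1
    for dep in $(otool -L "$hook" | linked_libs); do
        check_signed "$(resolve_path "$dep" "$dir")" || rc=1
    done
    return "$rc"
}

# Offline demo of the parsing step on the constructed sample.
demo_linked_libs() { printf '%s\n' "$SAMPLE_OTOOL_OUTPUT" | linked_libs; }

if [ $# -eq 1 ]; then check_hook_library "$1"; fi
```

Run it as `sh check_hook.sh /path/to/libhook.dylib`; any line starting with `UNSIGNED` is the dependency that would stop the injected process from launching.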