comex/inject_and_interpose

Interposition doesn't work on iOS 9 and arm64

emonti opened this issue · 2 comments

Very strangely, interpose.c stopped working on some symbols on iOS 9, but only on arm64. For example, try hooking _SSLHandshake called from CFNetwork -- SocketStream::_PerformSecurityHandshake_NoLock. If you add logging to the hook insertion routine, you'll see the interposition gets installed on CFNetwork imports, but it is never invoked when SSLHandshake is called.

OTOH, if we try a hook on _open, we see it gets invoked consistently when calling [NSString stringWithContentsOfFile:] via Foundation -- _NSReadBytesFromFileWithExtendedAttributes, for example.

Also, both seem to work just fine on armv7 and even on arm64 on iOS 8.

comex commented

It's because of an optimization added in iOS 9 - calls from one library in the shared cache to another are now patched at cache build time into direct calls, skipping the dyld stubs. Since the offsets are encoded directly into the signed code, it is no longer possible to hook them on a non-jailbroken device without some relatively drastic measures (e.g. mprotect, hardware breakpoints, re-signing...).

Ah, makes sense. Thanks for the response!
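A model of the two call paths comex describes, as an added C example that is not code from inject_and_interpose or from anyone in this thread. It runs on any host and does no Mach-O parsing: a one-entry table stands in for a lazy symbol pointer slot, one caller reaches the callee through a stub that loads that slot (the path interpose.c rewrites), and another caller reaches it directly (the path a cache-time patched `bl` takes). A small arm64 BL encoder/decoder shows that a direct call's displacement is a field of the instruction word itself, which is why it sits inside the signed code. Names such as lazy_ptr_table, caller_via_stub, caller_direct and the sample addresses are hypothetical.

```c
/* Added example, not part of comex/inject_and_interpose or of the thread above.
 * Models (1) an import reached through a lazy-pointer slot and (2) a direct call
 * whose target offset is baked into the instruction. All names are hypothetical. */
#include <stdint.h>
#include <stdio.h>

typedef int (*handshake_fn)(const char *host);

/* The "real" library function the app imports (stand-in for SSLHandshake). */
static int real_handshake(const char *host) { (void)host; return 0; }

/* Replacement an interposer installs; counts how often it is reached. */
static int hook_calls;
static int hooked_handshake(const char *host) { hook_calls++; return real_handshake(host); }

/* Simulated __la_symbol_ptr slot: one pointer per import, initially the real target. */
static handshake_fn lazy_ptr_table[1] = { real_handshake };

/* dyld-style stub: load the slot, then branch through it. */
static int stub_handshake(const char *host) { return lazy_ptr_table[0](host); }

/* Caller compiled against the stub: the classic import path. */
static int caller_via_stub(const char *host) { return stub_handshake(host); }

/* Caller whose call was rewritten into a direct branch to the callee
 * (what comex says the iOS 9 shared-cache builder does between cache libraries). */
static int caller_direct(const char *host) { return real_handshake(host); }

/* Interposition: rewrite the slot, as interpose.c does for real Mach-O images. */
static void interpose(handshake_fn replacement) { lazy_ptr_table[0] = replacement; }

/* Hook invocations observed after one call through the stub. Expected: 1. */
int hits_after_stub_call(void) {
    hook_calls = 0;
    interpose(hooked_handshake);
    caller_via_stub("example.invalid");
    return hook_calls;
}

/* Hook invocations observed after one direct call. Expected: 0, the slot is never read. */
int hits_after_direct_call(void) {
    hook_calls = 0;
    interpose(hooked_handshake);
    caller_direct("example.invalid");
    return hook_calls;
}

/* arm64 BL: bits 31..26 = 100101, bits 25..0 = signed imm26 in units of 4 bytes.
 * Reach is PC-relative, +/-128 MiB, word aligned. */
int arm64_bl_reachable(uint64_t pc, uint64_t target) {
    int64_t off = (int64_t)(target - pc);
    return (off & 3) == 0 && off >= -(1LL << 27) && off < (1LL << 27);
}

uint32_t arm64_encode_bl(uint64_t pc, uint64_t target) {
    int64_t off = (int64_t)(target - pc);
    return 0x94000000u | (uint32_t)(((uint64_t)off >> 2) & 0x03FFFFFFu);
}

int64_t arm64_decode_bl_offset(uint32_t insn) {
    int64_t imm26 = insn & 0x03FFFFFF;
    if (imm26 & 0x02000000) imm26 -= 0x04000000;  /* sign-extend 26 bits */
    return imm26 * 4;                              /* multiply, not shift: imm26 may be negative */
}

int main(void) {
    /* Hypothetical cache addresses: a caller in one library, the callee in another. */
    uint64_t pc = 0x180001000ULL, target = 0x180004000ULL;
    uint32_t insn = arm64_encode_bl(pc, target);
    printf("via stub: hook hit %d time(s)\n", hits_after_stub_call());
    printf("direct:   hook hit %d time(s)\n", hits_after_direct_call());
    printf("bl from %#llx to %#llx encodes as %08x (offset %+lld)\n",
           (unsigned long long)pc, (unsigned long long)target, insn,
           (long long)arm64_decode_bl_offset(insn));
    return 0;
}
```

On a real arm64 image the stub is an adrp/ldr/br sequence that reads the lazy pointer, so rewriting the pointer redirects every caller of the stub; a call the cache builder has turned into `bl callee` contains only the immediate above and never touches the slot. The practical check when a hook silently misses is to disassemble the calling function and see whether its `bl` lands in the library's `__stubs` section or directly in the callee; only the former can be caught by pointer rewriting.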