plthook failed to hook function calls of system library on macOS platform

Question

plthook failed to hook function calls of system library on macOS platform

JerryGinger opened this issue 5 years ago · 2 comments

When i hook read/write of socket function on macOS Platform as follows, it reported "segmentation fault".

ssize_t hook_read(int fildes, void *buf, size_t nbyte) {
    ssize_t rv;
    rv = read(fildes, buf, nbyte);
    printf("Hook read end\n");
    return rv;
}

void install_hook() {
    plthook_t *plthook;
    void *handle;
    // const char *filename = "/usr/lib/libc.dylib";  // this also not work
    const char *filename = "/usr/lib/libSystem.B.dylib";
	if (plthook_open(&plthook, filename) != 0) {
        printf("plthook_open error: %s\n", plthook_error());
        return;
    }
    if (plthook_replace(plthook, "read", (void*)hook_read, NULL) != 0) {
        printf("plthook_replace error: %s\n", plthook_error());
        plthook_close(plthook);
        return;
    }
    plthook_close(plthook);

}

Answer 1 · 2019-09-18T12:23:47.000Z

Thanks for reporting the issue. I'll fix the segmentation fault later.

I have a question. Do you want to hook read/write called by libSystem.B.dylib?
The _read symbol is undefined in libSystem.B.dylib.

$ nm /usr/lib/libSystem.B.dylib | grep ' _read$'
                 U _read

It is defined in /usr/lib/system/libsystem_kernel.dylib

$ nm /usr/lib/system/libsystem_kernel.dylib | grep ' _read$'
0000000000002ee8 T _read

Otherwise do you want to hook all read/write calls? If the latter, use funchook instead.

Answer 2 · 2019-09-20T01:18:41.000Z

Thanks for your prompt reply. I tried to hook "/usr/lib/libc.dylib" but segmentation fault also happened. funchook tool really works well.