It seems BigSur 11.3 broke HookCase
ni-max opened this issue · 7 comments
Hi,
kext is loaded but it's not working under BigSur 11.3 :(
I don't know how to debug this.
Please let me know if I can be of any help and thanks for your work.
$ /usr/bin/kmutil showloaded |grep -i hook
No variant specified, falling back to release
175 0 0xffffff7f9b5c7000 0x11000 0x11000 org.smichaud.HookCase (5.0.2) ED3C0F6A-FECE-3942-B356-82CB8DAF4B1B <8 6 5 3 2 1>
$ sysctl -a | grep osrelease
kern.osrelease: 20.4.0
$ uname -r
20.4.0
I'm able to reproduce what you report. HookCase.kext loaded fine. Then I tested with the "events" example. It produced no output at all. There also wasn't any output in the Console app when I filtered on "hook".
macOS 10.15.7 (build 19H1030) and 10.14.6 (build 18G9028) were also recently updated by Apple, but HookCase still works fine there (at least with the "events" example).
I'll be working on this. But I don't know what Apple's done, so I don't know how long it will take.
It could be related to this:
via: https://support.apple.com/en-us/HT212325
AppleMobileFileIntegrity
Available for: macOS Big Sur
Impact: A malicious application may be able to bypass Privacy preferences
Description: An issue in code signature validation was addressed with improved checks.
CVE-2021-1849: Siguza
Thanks for the information.
I don't think the trouble with HookCase can be a direct effect of the changes Apple's made to fix this bug. HookCase.kext still loads, after all. But it might be a side effect. In any case, thanks to you I now know that the macOS 11.3 update contains a high-profile security fix -- which I didn't know before. In the past these have often been sources of trouble for HookCase.
Apple's macOS 11.3 update changed the location of important fields in the kernel's task structure -- all_image_info_addr and all_image_info_size. This is the proximate cause of the failure you reported.
Apple normally makes this kind of change only in a new major release. Though this isn't the first time they've broken that (unstated) rule in a minor release. I'll need to re-check the location of all the fields HookCase references directly, if only to make sure they haven't changed, too. This will take at least a couple of days.
Then there's the possibility that Apple's also made other changes that would break HookCase. But I can only look into that after I've rechecked all the field offsets.
This kind of change could easily have led to a kernel panic. I suppose I should count myself lucky that didn't happen :-(
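An added illustration of the failure mode described in this thread, not code from HookCase: a kext that hard-codes struct task offsets per Darwin release reads garbage when a minor update moves the fields, and a lookup that returns NULL for an unverified release gives it a way to refuse rather than guess. The struct layouts and offsets below are constructed stand-ins, not the real kernel's.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-ins for the kernel's struct task before and after the
 * macOS 11.3 update. The real offsets are not these; only the shape of the
 * problem (fields moved within a minor release) is modelled. */
typedef struct { uint64_t pad[4]; uint64_t all_image_info_addr; uint64_t all_image_info_size; } task_pre_11_3;
typedef struct { uint64_t pad[6]; uint64_t all_image_info_addr; uint64_t all_image_info_size; } task_11_3;

/* Offsets a kext would record per kernel release (Darwin major.minor). */
typedef struct {
    int darwin_major, darwin_minor;   /* 20.4 is macOS 11.3, per uname -r above */
    size_t off_addr, off_size;
} task_layout;

static const task_layout known_layouts[] = {
    { 20, 3, offsetof(task_pre_11_3, all_image_info_addr), offsetof(task_pre_11_3, all_image_info_size) },
    { 20, 4, offsetof(task_11_3,     all_image_info_addr), offsetof(task_11_3,     all_image_info_size) },
};

/* Return the layout for a kernel release, or NULL if that release has not
 * been verified. NULL is the cue to refuse to hook rather than reuse stale offsets. */
const task_layout *layout_for_release(int major, int minor) {
    for (size_t i = 0; i < sizeof known_layouts / sizeof *known_layouts; i++)
        if (known_layouts[i].darwin_major == major && known_layouts[i].darwin_minor == minor)
            return &known_layouts[i];
    return NULL;
}

/* Read all_image_info_size from an opaque task pointer using the given layout. */
uint64_t read_image_info_size(const void *task, const task_layout *l) {
    uint64_t v;
    memcpy(&v, (const char *)task + l->off_size, sizeof v);
    return v;
}

/* The breakage itself: a Darwin 20.4 task read with the 20.3 offsets yields a
 * padding word instead of the real size; the 20.4 offsets read it correctly. */
int stale_offsets_misread(void) {
    task_11_3 t = { {1, 2, 3, 4, 5, 6}, 0x7fff20000000ULL, 0x2a0 };
    const task_layout *stale = layout_for_release(20, 3);
    const task_layout *fresh = layout_for_release(20, 4);
    return read_image_info_size(&t, stale) != 0x2a0 && read_image_info_size(&t, fresh) == 0x2a0;
}
```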
I've now fixed this bug in HookCase 5.0.3. Two kernel structures were changed (struct task and struct thread), but macOS 11.3 doesn't seem to have introduced any other issues.
Please try it out. Let me know if you have any trouble.
Awesome, that was fast! Thank you.
Edit: I checked and HookCase v5.0.3 is working as expected.
I'm glad to hear things are back to normal!