macOS 12.1 (build 21C52) breaks HookCase
steven-michaud opened this issue · 2 comments
The HookCase kernel extension loads correctly (using kmutil load -p /usr/local/sbin/HookCase.kext). But then no logging works. (I tried the events and xpcproxy examples, with Safari and Firefox.) Probably no hooks are being created.
It makes no difference whether SIP is on (csrutil enable --without kext) or off (csrutil disable).
Apple released other updates at the same time (macOS 11.6.2 build 20G314 and macOS 10.15.7 build 19H1615). Neither of these breaks HookCase. I suspect Apple has changed one of the kernel structures (on macOS 12.1) used internally by HookCase.
I'll be working on this.
I just discovered Apple hasn't yet released the kernel debug kit for 12.1 build 21C52. I'll wait a few days for it to appear, and then start work on this.
Apple made lots of changes to kernel structures in macOS 12.1. I've now worked around them in HookCase 6.0.1. I also fixed HookCase's copies of two kernel structures used on macOS 12.0.1. These flaws didn't effect behavior on 12.0.1. But they did cause me to add some oddball workarounds, which I've now been able to remove.