macOS 12.4 breaks HookCase
0x3c3e opened this issue · 4 comments
The kernel extension HookCase.kext refuses to load.
The error message from sudo kmutil -p /usr/local/sbin/HookCase.kext is:
Error Domain=KMErrorDomain Code=71 "Kernel request failed: (libkern/kext) kext (kmod) start/stop routine failed (-603946985)" UserInfo={NSLocalizedDescription=Kernel request failed: (libkern/kext) kext (kmod) start/stop routine failed (-603946985)}
Same as in #33
Thanks for your report. I'm inclined to wait until macOS 12.4 is released. Then if this problem still exists, I'll work around it.
It probably will still exist. And Apple may add yet more breakage. So I want to wait for the release and then fix everything at once.
The macOS 12.4 release still breaks HookCase (version 6.0.2), but in a different way. HookCase.kext now loads successfully, but you get a kernel panic when you try to use it. (I tried to run the events example.)
I haven't seen this kind of panic before. It may take me a while to figure out what's wrong, and what Apple did.
panic(cpu 0 caller 0xffffff800491b5d9): vm_map_delete(0xffffff907cac90a8,0xffffffb07fb30000,0xffffffb07fb32000): Attempting to remove permanent VM map entry 0xffffff907cacd5f0 [0xffffffb07fac0000:0xffffffb09fac0000] @vm_map.c:7801
Panicked task 0xffffffaa15749700: 1 threads: pid 94799: Safari
Backtrace (CPU 0), panicked thread: 0xffffff9bb034daa0, Frame : Return Address
0xffffffe57a8b5440 : 0xffffff8004081c8d mach_kernel : _handle_debugger_trap + 0x41d
0xffffffe57a8b5490 : 0xffffff80041e1596 mach_kernel : _kdp_i386_trap + 0x116
0xffffffe57a8b54d0 : 0xffffff80041d0963 mach_kernel : _kernel_trap + 0x4d3
0xffffffe57a8b5520 : 0xffffff8004021a70 mach_kernel : _return_from_trap + 0xe0
0xffffffe57a8b5540 : 0xffffff800408205d mach_kernel : _DebuggerTrapWithState + 0xad
0xffffffe57a8b5660 : 0xffffff8004081816 mach_kernel : _panic_trap_to_debugger + 0x2b6
0xffffffe57a8b56c0 : 0xffffff8004915163 mach_kernel : _panic + 0x84
0xffffffe57a8b57b0 : 0xffffff800491b5d9 mach_kernel : _vm_packing_pointer_invalid + 0x53f
0xffffffe57a8b57e0 : 0xffffff8004138fd8 mach_kernel : _vm_map_switch + 0xf28
0xffffffe57a8b58f0 : 0xffffff80041382c6 mach_kernel : _vm_map_switch + 0x216
0xffffffe57a8b5940 : 0xffffff8004144092 mach_kernel : _vm_map_copyin_internal + 0x17f2
0xffffffe57a8b5a50 : 0xffffff7f9e1eddbf org.smichaud.HookCase : __Z11proc_mapoutP8ipc_portPKvPymb + 0x7d
0xffffffe57a8b5aa0 : 0xffffff7f9e1f4926 org.smichaud.HookCase : __Z26setup_call_orig_func_blockP8ipc_portP5_hook + 0x6e
0xffffffe57a8b5ae0 : 0xffffff7f9e1f5708 org.smichaud.HookCase : __Z9set_hooksP4procP8ipc_portP5_hookPb + 0x86
0xffffffe57a8b5b40 : 0xffffff7f9e1f5dc0 org.smichaud.HookCase : __Z19process_hook_flyingP5_hookP17x86_saved_state_t + 0xf9
0xffffffe57a8b5f90 : 0xffffff7f9e1e89cf org.smichaud.HookCase : _user_trampoline + 0x6f
Kernel Extensions in backtrace:
org.smichaud.HookCase(6.0.2)[BD1E1BC5-131F-3E31-B5A9-0365A90D6C40]@0xffffff7f9e1e8000->0xffffff7f9e1f9fff
Process name corresponding to current thread (0xffffff9bb034daa0): Safari
Boot args: keepsyms=1 kernel_stack_pages=6
Mac OS version:
21F79
Kernel version:
Darwin Kernel Version 21.5.0: Tue Apr 26 21:08:22 PDT 2022; root:xnu-8020.121.3~4/RELEASE_X86_64
Kernel UUID: 3C587984-4004-3C76-8ADF-997822977184
KernelCache slide: 0x0000000003e00000
KernelCache base: 0xffffff8004000000
Kernel slide: 0x0000000003e10000
Kernel text base: 0xffffff8004010000
__HIB text base: 0xffffff8003f00000
System model name: VMware7,1 (Mac-27AD2F918AE68F61)
System shutdown begun: NO
Panic diags file available: YES (0x0)
Hibernation exit count: 0
Note that HookCase still works fine with macOS 11.6.6 (build 20G624) and macOS 10.15.7 build 19H1922, which Apple released at the same time as macOS 12.4.
I've just released HookCase 6.0.3, which works around the breakage caused by macOS 12.4.
This time it was a bit different from what it usually is. 12.4 did make changes to internal kernel structures used by HookCase, but none of these broke anything. Instead it was two behavior changes that broke HookCase 6.0.2:
- The vm_map_copyin() method has a bool src_destroy parameter that (if true) tells it to remove the region corresponding to source from the kernel address space. As of macOS 12.4 this causes a kernel panic (the one I reported above). This was probably always an error, but until now it wasn't fatal. So now I always set src_destroy to false and release source by hand.
- HookCase.kext's proc_copyout() method "unsigns" a "private" region before writing to it (and subsequently re-"signs" it). Before macOS 12.4 a private region always had share_mode == SM_PRIVATE. Now its share_mode may also be SM_PRIVATE_ALIASED. I changed proc_copyout()'s code accordingly.