Hooked_openat_dprotected_np function cause hookcase disabled
sdwannfv opened this issue · 4 comments
hook.dylib
int Hooked_open(const char *path, int flags, ...)
{
int ret;
int mode = 0;
if (flags & O_CREAT) {
va_list ap;
va_start(ap, flags);
mode = va_arg(ap, int);
va_end(ap);
}
ret = open(path, flags, mode);
LogWithFormat(true, "[open](%s, 0x%x)-->%d", path, flags, ret);
return ret;
}
//int Hooked_openat_dprotected_np(int fd, const char* path, int flags, int dpclass, int dpflags, ...)
//{
// int mode = 0;
//
// if (flags & O_CREAT) {
// va_list ap;
// va_start(ap, dpflags);
// mode = va_arg(ap, int);
// va_end(ap);
// }
//
// return openat_dprotected_np(fd, path, flags, dpclass, dpflags, mode);
//}
INTERPOSE_FUNCTION(open),
command
HC_INSERT_LIBRARY=/path/to/hook.dylib ls -l
when above code Hooked_openat_dprotected_np is uncommented, hookcase will not work
I don't know what you mean by "hookcase will not work".
What version of macOS are you testing on? openat_dprotected_np() is present on macOS 13 but not on macOS 12.
I assume you're using interpose hooks for both open() and openat_dprotected_np(). Is that correct?
Edit: Let me take a guess. You built your hook library on macOS 13 (where openat_dprotected_np() is present) and ran it on macOS 12 (where it isn't). On macOS 12, of course, it will refuse to load because it can't find openat_dprotected_np().
thinks for reply, on macos 12.6.2, I using interpose hooks for open, Hooked_openat_dprotected_np is defined like that, not matter openat_dprotected_np is interpose hooked or not, it will cause log in Hooked_open disappear.
thinks for reply, on macos 12.6.2, I using interpose hooks for open, Hooked_openat_dprotected_np is defined like that, not matter openat_dprotected_np is interpose hooked or not, it will cause log in Hooked_open disappear.
very thinks, i guess it may be that on macos 12.6.2 openat_dprotected_np do not exist, so cause load hook.dylib failed.