Closed adamierymenko closed 8 years ago
Also on a side note: does the force_flat_namespace ld option have any effect on the iOS 9 symbol binding optimization that broke fishhook?
Closing since I mostly answered my own question: this would allow RWX memory pages which aren't available on non-jailbroken iOS.
For the record, if you have a debugger active, the process is granted permission to run unsigned code - so if this is for testing, you may be able to use Substitute. If you need to do it in production... and the fact that you really shouldn't doesn't sway you... you'd have to find a way to sign modified versions of the OS code pages.
dyld options won't affect anything because the optimization is done when the dyld cache is built, which on iOS is done ahead of time by Apple as part of building the OS image.
Just to clarify, fishhook still works on iOS 9 for interposing functions exposed via custom Frameworks (i.e. dylibs embedded in your App's package). The limitation you mentioned is only true if you're trying to hook functions in the iOS Frameworks within the dyld cache (Foundation, etc.).
@nabla-c0d3 Interposition also still works for calls from the application to iOS frameworks; it only fails for cache-to-cache calls.
@comex yes I got confused :p
This isn't a bug/issue, more of a question.
Without jailbreaking is it feasible for an iOS process to use these techniques on itself to interpose functions?
Since iOS 9, standard methods of interposition don't work on iOS due to a performance optimization in which they actually patch the JMPs in code to refer to their targets instead of doing indirection through DYLD tables. I'm looking into alternatives and have been researching the use of vm_remap() for this purpose. Technically it seems possible, and we were considering doing a test implementation, but then we happened upon this and it seems to do something similar.
End goal would be to end up with something like facebook/fishhook that works on iOS 9. We don't want it to require rooting and don't need it to operate on anything except the current running app itself within its own sandbox.
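The distinction drawn in this thread, that a fishhook-style rebind only diverts calls that still go through the lazy symbol-pointer table and not calls whose branch was rewritten to its target when the shared cache was built, can be shown with a small model. The following is an added example written for this page, not code from fishhook, dyld, or the project the thread discusses: the table, the `framework_fn` stand-in, `call_via_stub`, `call_direct`, and the `rebind_symbols` helper are all constructed here. The `struct rebinding` shape mirrors fishhook's public API but the implementation is a simulation over an in-process array rather than a real Mach-O walk.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef int (*fn_t)(int);

/* Constructed stand-in for a framework function (not a real iOS API). */
static int framework_fn(int x) { return x * 2; }

/* One lazy symbol-pointer slot: the imported name plus the pointer dyld resolved. */
struct symbol_slot { const char *name; fn_t target; };

/* Constructed model of a binary's __la_symbol_ptr table (assumption: one import). */
static struct symbol_slot lazy_table[] = {
    { "_framework_fn", framework_fn },
};
#define LAZY_TABLE_LEN (sizeof lazy_table / sizeof lazy_table[0])

/* App-to-framework call: the stub loads the pointer from the table on every
 * call, which is why swapping the slot diverts the call. */
static int call_via_stub(int arg) {
    for (size_t i = 0; i < LAZY_TABLE_LEN; i++)
        if (strcmp(lazy_table[i].name, "_framework_fn") == 0)
            return lazy_table[i].target(arg);
    return -1; /* unresolved import */
}

/* Cache-to-cache call after the shared-cache build: the branch was rewritten
 * to its target, so the table is never consulted and a patched slot has no
 * effect on it. */
static int call_direct(int arg) { return framework_fn(arg); }

/* fishhook-style request: symbol name, replacement, and where to store the
 * original pointer. Same field layout as fishhook's struct rebinding; the
 * rebind routine below is a model, not fishhook's implementation. */
struct rebinding { const char *name; fn_t replacement; fn_t *replaced; };

/* Patch every slot whose name matches; returns the number of slots rewritten,
 * so 0 tells the caller that nothing was actually hooked. */
static size_t rebind_symbols(const struct rebinding *r, size_t n) {
    size_t patched = 0;
    for (size_t k = 0; k < n; k++) {
        for (size_t i = 0; i < LAZY_TABLE_LEN; i++) {
            if (strcmp(lazy_table[i].name, r[k].name) != 0) continue;
            if (r[k].replaced && *r[k].replaced == NULL)
                *r[k].replaced = lazy_table[i].target; /* keep the original once */
            lazy_table[i].target = r[k].replacement;
            patched++;
        }
    }
    return patched;
}

static fn_t orig_framework_fn = NULL;
static int hook_hits = 0;

/* Hook: count the call, then forward to the saved original pointer. */
static int hooked_framework_fn(int x) {
    hook_hits++;
    return orig_framework_fn(x) + 1;
}

/* Install the hook on the modelled table; returns the number of slots patched. */
static size_t install_hook(void) {
    struct rebinding r = { "_framework_fn", hooked_framework_fn, &orig_framework_fn };
    return rebind_symbols(&r, 1);
}

int main(void) {
    printf("before: stub=%d direct=%d\n", call_via_stub(5), call_direct(5));
    size_t n = install_hook();
    printf("patched %zu slot(s)\n", n);
    printf("after:  stub=%d direct=%d hook_hits=%d\n",
           call_via_stub(5), call_direct(5), hook_hits);
    return 0;
}
```

The practical check this encodes is the return value of the rebind: a count of zero means the symbol was not found in any table you can reach, and a non-zero count still says nothing about callers whose branches were already bound directly, which is exactly the cache-to-cache case described above.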