Figure out how to hook symbols exported from libsystem_kernel.dylib

[pmarkowsky]

Wrote some code below to hook exit using interposing. I think we can use this but should we use a library like https://github.com/ccurtsinger/interpose

Can we write a beefed up version of RR's preload

#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>

/// Structure exposed to the linker for interposition
struct __osx_interpose {
    const void* new_func;
    const void* orig_func;
};

#define OSX_INTERPOSE_STRUCT(NEW, OLD) \
  static const struct __osx_interpose __osx_interpose_##OLD \
    __attribute__((used, section("__DATA, __interpose"))) = \
    { (const void*)((uintptr_t)(&(NEW))), \
      (const void*)((uintptr_t)(&(OLD))) }

void myexit(int code) {
        printf("CALLED from hook\n");
    exit(10);
}

OSX_INTERPOSE_STRUCT(myexit, exit);

[kallsyms]

Got some rust working to do this: see https://github.com/kallsyms/mrr/blob/interpose/src/interpose/lib.rs#L52

[pmarkowsky]

Nice. Now we just need to add the proto / capnp serialization. And simple building blocks for sizeof etc.

[pmarkowsky]

Looks like we can get a lot of the definitions we need out of darling's libsyscall

[pmarkowsky]

Looked at their xtrace utility which print out all of bsd, mach, and machine dependent syscalls.

This looks really workable and has all of the args / returns enumerated, and has handling for errno.

They use an assembly trampoline to push all args on to the stack then call back into their entry and exit routines we should be able to bypass this step.

I'm trying to hack up something that does this today with the interpose hooks.

[kallsyms]

https://github.com/apple/darwin-xnu/blob/2ff845c2e033bd0ff64b5b6aa6063a1f8f65aa32/bsd/sys/spawn.h#L59

[pmarkowsky]

Realized this exists. https://github.com/rentzsch/mach_override

[pmarkowsky]

This also exists https://github.com/steven-michaud/HookCase/

[pmarkowsky]

Running into some minor issues with the libkern_hook when running make after a make clean

clang -v -o posix_spawn_args.o -Werror -Wno-comment -Wno-int-to-void-pointer-cast -c -I/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk/System/Library/Frameworks/System.framework/Versions/B/PrivateHeaders/ -I. -lc ./posix_spawn_args.c
Apple clang version 14.0.3 (clang-1403.0.22.14.1)
Target: arm64-apple-darwin22.4.0
Thread model: posix
InstalledDir: /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin
clang: error: -lc: 'linker' input unused [-Werror,-Wunused-command-line-argument]
make: *** [posix_spawn_args.o] Error 1

[kallsyms]

Just pushed up some changes I made when I ran into similar building on my personal machine

[pmarkowsky]

Just realized that open is listed as NO_SYSCALL_STUB; in the syscalls.master file. This means we have to hook each variant.

[pmarkowsky]

After the last pull I'm now getting a bunch of error: declaration does not declare anything and availability errors e.g. error: availability does not match previous declaration [-Werror,-Wavailability]

/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk/System/Library/Frameworks/System.framework/Versions/B/PrivateHeaders/mach/message.h:1082:1: error: availability does not match previous declaration [-Werror,-Wavailability]

[kallsyms]

dur forgot to add a file. try again?

[pmarkowsky]

Works!

[pmarkowsky]

And found out this exists https://github.com/facebook/fishhook why does google fail me these days.

[pmarkowsky]

Also we need to check binaries for their own interposing sections. Might need to scan the dyld_cache.

Apparently dyld also supports dynamic interposing? See https://chromium.googlesource.com/chromium/src/+/18a4f63fd5dc592a6b31f2a832de145b151adbde/media/audio/mac/coreaudio_dispatch_override.cc#27