plthook failed to hook function calls of system library on macOS platform

kubo / plthook

Hook function calls by replacing PLT(Procedure Linkage Table) entries.

762 stars 156 forks source link

plthook failed to hook function calls of system library on macOS platform #19

Closed JerryGinger closed 5 years ago

JerryGinger commented 5 years ago

When i hook read/write of socket function on macOS Platform as follows, it reported "segmentation fault".

ssize_t hook_read(int fildes, void *buf, size_t nbyte) {
    ssize_t rv;
    rv = read(fildes, buf, nbyte);
    printf("Hook read end\n");
    return rv;
}

void install_hook() {
    plthook_t *plthook;
    void *handle;
    // const char *filename = "/usr/lib/libc.dylib";  // this also not work
    const char *filename = "/usr/lib/libSystem.B.dylib";
    if (plthook_open(&plthook, filename) != 0) {
        printf("plthook_open error: %s\n", plthook_error());
        return;
    }
    if (plthook_replace(plthook, "read", (void*)hook_read, NULL) != 0) {
        printf("plthook_replace error: %s\n", plthook_error());
        plthook_close(plthook);
        return;
    }
    plthook_close(plthook);

}

kubo commented 5 years ago

Thanks for reporting the issue. I'll fix the segmentation fault later.

I have a question. Do you want to hook read/write called by libSystem.B.dylib? The _read symbol is undefined in libSystem.B.dylib.

$ nm /usr/lib/libSystem.B.dylib | grep ' _read$'
                 U _read

It is defined in /usr/lib/system/libsystem_kernel.dylib

$ nm /usr/lib/system/libsystem_kernel.dylib | grep ' _read$'
0000000000002ee8 T _read

Otherwise do you want to hook all read/write calls? If the latter, use funchook instead.

JerryGinger commented 5 years ago

Thanks for your prompt reply. I tried to hook "/usr/lib/libc.dylib" but segmentation fault also happened. funchook tool really works well.