Closed: krackers closed this 2 years ago
Ah, the PLT is part of the __DATA__, __la_symbol_ptr segment, which has rw permission. When code references the PLT it does an indirect jump where the operand is the address given by the entry in that table.
But another question: if dyld does lazy binding, isn't it possible that our modification to the PLT will get overwritten when we call the original function (which, if not previously bound, will invoke dyld first)?
Edit: Ah
. Use the return value of dlsym(RTLD_DEFAULT, "foo_func") on Unixes. The fourth argument of plthook_replace() isn't available on Unixes because it doesn't set the address of the original before the address in the PLT entry is resolved.
if dyld does lazy binding, isn't it possible that our modification to the PLT will get overwritten when we call the original function (which, if not previously bound, will invoke dyld first)?
It isn't as far as I googled. See "Lazy vs. non-lazy symbol binding" in https://adrummond.net/posts/macho.
Hi,
Thank you for a wonderful tool. I was curious why mprotect(PROT_WRITE) was not needed before modifying the PLT on OS X. I thought that the TEXT and LINKEDIT segments did not have write permission?