steven-michaud / HookCase

Tool for reverse engineering macOS/OS X

Problems with interpose hooks #21

Closed qiuwenqiao closed 3 years ago

qiuwenqiao commented 3 years ago

I hooked Preview with the code, and logged the PDF operations (open, close):

INTERPOSE_FUNCTION(open), INTERPOSE_FUNCTION(read), INTERPOSE_FUNCTION(write), INTERPOSE_FUNCTION(close), INTERPOSE_FUNCTION(mmap), INTERPOSE_FUNCTION(msync), INTERPOSE_FUNCTION(munmap), ...

It works well in macOS 10.15.7 when I open a PDF file. The logs look like these:

open pdf.file fd:10
close fd:10
open pdf.file fd:10
close fd:10
open pdf.file fd:10
mmap fd:10 offset:xxx len:xxx
close fd:10

I copied Preview.app and my dylib to macOS 11.1 (to avoid different versions). It doesn't work. The logs look like these:

open pdf.file fd:10
close fd:10

steven-michaud commented 3 years ago

You didn't report it, but I found problems logging from hooks for mmap(), msync() and munmap(). I suspect you saw them, but didn't realize what they were. Once I've figured them out, I'll rewrite this bug to cover them.

I copy the Preview.app and my dylib to macOS11.1

Don't copy Preview.app from Catalina. Applications that come with macOS are meant to run only on the versions of it that they came with. Big Sur has its own copy of Preview.app in /System/Library/Applications. You should use that.

And you really shouldn't copy your hook.dylib, either. Instead you should build it again on Big Sur.

steven-michaud commented 3 years ago

I've figured this bug out, I think. In fact it's not a bug at all.

But in the meantime I've uncovered what looks like a kernel panic bug in HookCase on macOS 10.15.7. I'll need to deal with that first, before I come back to this bug.

steven-michaud commented 3 years ago

Here's the hook library I've been testing with, as a patch on hook.mm from HookCase 5.0.1's interpose library template. I tested with it on the latest versions of macOS 11.2 (build 20D64), 10.15.7 (build 19H512), 10.14.6 (build 18G8012), 10.13.6 (build 17G14042) and 10.12.6 (build 16G2136), with several different applications, including Safari and Preview. I didn't see any problems. But that was only after I made some changes.

The first thing I noticed was that having lots of interpose hooks made it easy to trigger the kernel panics I reported in Issue #22. Or maybe it was just these interpose hooks. I haven't done much testing with interpose hooks. But this bug gave me the opportunity, and I'm glad I had it. Issue #22 is fixed in the latest HookCase release -- version 5.0.1.

Version 5.0.1 also fixes another problem I saw only on macOS 10.15.7: The Open menu item often didn't work (the file chooser didn't open). I fixed this by making a small change to the interpose library template.

But the basic problem that you were presumably having is that LogWithFormat() itself calls mmap() and munmap() indirectly. This can lead to crashes. My hook library contains a workaround. But this isn't a bug in HookCase. It could happen using any software that supports hooking functions.

Make sure you download and install HookCase 5.0.1 before you do any further testing. Build it on every system where you're going to install it -- don't copy the HookCase.kext binary from one version of macOS to another. Also rebuild your hook libraries for each version of macOS you test on.

Your bug report was very unclear, so I'm not completely sure what problems you had. I've had to write my own hook library and guess what they were. So I'm going to close this bug, to keep it from getting more confusing. If you keep having problems, please open a new bug on them.