It seems BigSur 11.3 broke HookCase #27

Closed
ni-max opened this issue Apr 29, 2021 · 7 comments
@ni-max

ni-max commented Apr 29, 2021

Hi,

kext is loaded but it's not working under Big Sur 11.3 :(
I don't know how to debug this.
Please let me know if I can be of any help and thanks for your work.

$ /usr/bin/kmutil showloaded |grep -i hook
No variant specified, falling back to release
  175    0 0xffffff7f9b5c7000 0x11000    0x11000    org.smichaud.HookCase (5.0.2) ED3C0F6A-FECE-3942-B356-82CB8DAF4B1B <8 6 5 3 2 1>
$ sysctl -a | grep osrelease
kern.osrelease: 20.4.0
$ uname -r
20.4.0
@steven-michaud steven-michaud self-assigned this Apr 29, 2021
@steven-michaud
Owner

I'm able to reproduce what you report. HookCase.kext loaded fine. Then I tested with the "events" example. It produced no output at all. There also wasn't any output in the Console app when I filtered on "hook".

macOS 10.15.7 (build 19H1030) and 10.14.6 (build 18G9028) were also recently updated by Apple, but HookCase still works fine there (at least with the "events" example).

I'll be working on this. But I don't know what Apple's done, so I don't know how long it will take.

@ni-max
Author

ni-max commented Apr 29, 2021

It could be related to this:

via: https://support.apple.com/en-us/HT212325

AppleMobileFileIntegrity
Available for: macOS Big Sur
Impact: A malicious application may be able to bypass Privacy preferences
Description: An issue in code signature validation was addressed with improved checks.
CVE-2021-1849: Siguza

and this: https://objective-see.com/blog/blog_0x64.html

@steven-michaud
Owner

Thanks for the information.

I don't think the trouble with HookCase can be a direct effect of the changes Apple's made to fix this bug. HookCase.kext still loads, after all. But it might be a side effect. In any case, thanks to you I now know that the macOS 11.3 update contains a high-profile security fix -- which I didn't know before. In the past these have often been sources of trouble for HookCase.

@steven-michaud
Owner

steven-michaud commented Apr 29, 2021

Apple's macOS 11.3 update changed the location of important fields in the kernel's task structure -- all_image_info_addr and all_image_info_size. This is the proximate cause of the failure you reported.

Apple normally makes this kind of change only in a new major release. Though this isn't the first time they've broken that (unstated) rule in a minor release. I'll need to re-check the location of all the fields HookCase references directly, if only to make sure they haven't changed, too. This will take at least a couple of days.

Then there's the possibility that Apple's also made other changes that would break HookCase. But I can only look into that after I've rechecked all the field offsets.

This kind of change could easily have led to a kernel panic. I suppose I should count myself lucky that didn't happen :-(
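
The failure mode described in the comment above (hardcoded offsets for all_image_info_addr and all_image_info_size going stale after a minor update) can be guarded against by keying offsets to the exact kern.osrelease value and refusing to touch the structure on an unknown release. This is an added example, not part of the thread and not HookCase's code; the table layout, function names, version ranges and every offset value are constructed placeholders.

```c
#include <stdio.h>
#include <stddef.h>

/* All offsets and version ranges here are constructed placeholders,
 * not real XNU values and not taken from HookCase. */
struct task_offsets {
    int major, minor_lo, minor_hi;   /* inclusive kern.osrelease range */
    size_t all_image_info_addr;      /* offset inside struct task */
    size_t all_image_info_size;
};

static const struct task_offsets k_table[] = {
    { 20, 0, 3, 0x100, 0x108 },      /* hypothetical: before the 11.3 update */
    { 20, 4, 4, 0x110, 0x118 },      /* hypothetical: 20.4.0 (macOS 11.3) */
};

/* Strictly parse "major.minor.patch"; returns 0 on success, -1 otherwise. */
int parse_release(const char *s, int *major, int *minor)
{
    int patch; char extra;
    if (s == NULL || sscanf(s, "%d.%d.%d%c", major, minor, &patch, &extra) != 3)
        return -1;
    return (*major < 0 || *minor < 0 || patch < 0) ? -1 : 0;
}

/* Returns the verified entry for this release, or NULL when the release is
 * unknown. NULL means "do not dereference struct task fields at all". */
const struct task_offsets *lookup_task_offsets(const char *osrelease)
{
    int major, minor;
    if (parse_release(osrelease, &major, &minor) != 0)
        return NULL;
    for (size_t i = 0; i < sizeof k_table / sizeof k_table[0]; i++) {
        const struct task_offsets *e = &k_table[i];
        if (e->major == major && minor >= e->minor_lo && minor <= e->minor_hi)
            return e;
    }
    return NULL;
}

int main(void)
{
    const char *samples[] = { "20.3.0", "20.4.0", "20.5.0" };  /* constructed */
    for (size_t i = 0; i < 3; i++) {
        const struct task_offsets *o = lookup_task_offsets(samples[i]);
        printf("%s: %s\n", samples[i], o ? "offsets known" : "unknown, refuse to hook");
    }
    return 0;
}
```

Failing closed on an unlisted release trades a silent no-op for the kernel panic risk the comment mentions.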

@steven-michaud
Owner

I've now fixed this bug in HookCase 5.0.3. Two kernel structures were changed (struct task and struct thread), but macOS 11.3 doesn't seem to have introduced any other issues.

Please try it out. Let me know if you have any trouble.

@ni-max
Author

ni-max commented May 1, 2021

Awesome, that was fast! Thank you.

Edit. I checked and HookCase v5.0.3 is working as expected.

@steven-michaud
Owner

I'm glad to hear things are back to normal!
