added tiny_interpose

Author: Antibioticss

.clang-format

@@ -7,5 +7,8 @@ Language: Cpp
 # Force pointers to the type for C++.
 ColumnLimit: 120
 AlignConsecutiveMacros: AcrossEmptyLines
-AllowShortFunctionsOnASingleLine: None
-...
+AllowShortFunctionsOnASingleLine: false
+AllowShortIfStatementsOnASingleLine: true
+BreakBeforeBraces: Custom
+BraceWrapping:
+  BeforeElse: true

README.md

@@ -21,9 +21,10 @@ int tiny_hook_ex(th_bak_t *bak, void *function, void *destination, void **origin
 
 int tiny_unhook_ex(th_bak_t *bak);
 
-/*
-insert a function call (bl / call) at `address`, auto select far or near
-*/
+/* interpose a symbol in a given image */
+int tiny_interpose(uint32_t image_index, const char *symbol_name, void *replacement);
+
+/* insert a function call (bl / call) at `address`, auto select far or near */
 int tiny_insert(void *address, void *destination);
 ```
 

include/tinyhook.h

@@ -31,6 +31,9 @@ int tiny_unhook_ex(th_bak_t *bak);
 
 int tiny_insert(void *address, void *destination);
 
+/* interpose */
+int tiny_interpose(uint32_t image_index, const char *symbol_name, void *replacement);
+
 /* objective-c runtime */
 int ocrt_hook(const char *cls, const char *sel, void *destination, void **origin);
 

src/interpose.c

@@ -0,0 +1,87 @@
+#include "../include/tinyhook.h"
+#include "private.h"
+
+#include <mach-o/dyld.h>
+#include <mach-o/loader.h>
+#include <mach-o/nlist.h>
+#include <mach/mach_init.h> // mach_task_self()
+#include <mach/mach_vm.h>   // mach_vm_*
+#include <stdint.h>
+#include <string.h>
+
+static int update_pointer(struct section_64 *sym_sec, intptr_t slide, char *str_tbl, struct nlist_64 *nl_tbl,
+                          uint32_t *indirect_sym_tbl, const char *symbol_name, void *replacement) {
+    if (!sym_sec) return 1;
+    void **sym_ptrs = (void *)sym_sec->addr + slide;
+    uint32_t *indirect_sym_entry = indirect_sym_tbl + sym_sec->reserved1; // reserved1 is an index!
+    int nptrs = sym_sec->size / sizeof(void *);
+    for (int i = 0; i < nptrs; i++) {
+        uint32_t symtab_index = indirect_sym_entry[i];
+        if (symtab_index == INDIRECT_SYMBOL_LOCAL || symtab_index == (INDIRECT_SYMBOL_LOCAL | INDIRECT_SYMBOL_ABS)) {
+            continue;
+        }
+        if (strcmp(symbol_name, str_tbl + nl_tbl[symtab_index].n_un.n_strx) == 0) {
+            int kr = mach_vm_protect(mach_task_self(), (mach_vm_address_t)sym_ptrs, sym_sec->size, FALSE,
+                                     VM_PROT_READ | VM_PROT_WRITE | VM_PROT_COPY);
+            if (kr != 0) return 1;
+            sym_ptrs[i] = replacement;
+            return 0;
+        }
+    }
+    return 1;
+}
+
+int tiny_interpose(uint32_t image_index, const char *symbol_name, void *replacement) {
+    intptr_t image_slide = _dyld_get_image_vmaddr_slide(image_index);
+    struct mach_header_64 *mh_header = (struct mach_header_64 *)_dyld_get_image_header(image_index);
+    struct load_command *ld_command = (void *)mh_header + sizeof(struct mach_header_64);
+    struct section_64 *nl_sym_sect = NULL;
+    struct section_64 *la_sym_sect = NULL;
+    struct symtab_command *symtab_cmd = NULL;
+    struct dysymtab_command *dysymtab_cmd = NULL;
+    struct segment_command_64 *linkedit_cmd = NULL;
+    for (int i = 0; i < mh_header->ncmds; i++) {
+        if (ld_command->cmd == LC_SEGMENT_64) {
+            const struct segment_command_64 *segment = (struct segment_command_64 *)ld_command;
+            if (strcmp(segment->segname, "__DATA_CONST") == 0) {
+                if (nl_sym_sect) continue;
+                struct section_64 *data_const_sect = (void *)(segment + 1);
+                for (int i = 0; i < segment->nsects; i++) {
+                    if ((data_const_sect[i].flags & SECTION_TYPE) == S_NON_LAZY_SYMBOL_POINTERS) {
+                        nl_sym_sect = data_const_sect + i;
+                    }
+                }
+            }
+            else if (strcmp(segment->segname, "__DATA") == 0) {
+                if (la_sym_sect) continue;
+                struct section_64 *data_sect = (void *)(segment + 1);
+                for (int i = 0; i < segment->nsects; i++) {
+                    if ((data_sect[i].flags & SECTION_TYPE) == S_LAZY_SYMBOL_POINTERS) {
+                        la_sym_sect = data_sect + i;
+                    }
+                }
+            }
+            else if (strcmp(segment->segname, "__LINKEDIT") == 0) {
+                linkedit_cmd = (struct segment_command_64 *)ld_command;
+            }
+        }
+        else if (ld_command->cmd == LC_SYMTAB) {
+            symtab_cmd = (struct symtab_command *)ld_command;
+        }
+        else if (ld_command->cmd == LC_DYSYMTAB) {
+            dysymtab_cmd = (struct dysymtab_command *)ld_command;
+        }
+        ld_command = (void *)ld_command + ld_command->cmdsize;
+    }
+    intptr_t linkedit_base = image_slide + linkedit_cmd->vmaddr - linkedit_cmd->fileoff;
+    char *str_tbl = (void *)linkedit_base + symtab_cmd->stroff;
+    struct nlist_64 *nl_tbl = (void *)linkedit_base + symtab_cmd->symoff;
+    uint32_t *indirect_sym_tbl = (void *)linkedit_base + dysymtab_cmd->indirectsymoff;
+
+    if ((update_pointer(nl_sym_sect, image_slide, str_tbl, nl_tbl, indirect_sym_tbl, symbol_name, replacement) != 0) &&
+        (update_pointer(la_sym_sect, image_slide, str_tbl, nl_tbl, indirect_sym_tbl, symbol_name, replacement) != 0)) {
+        LOG_ERROR("tiny_interpose: no matching indirect symbol found!");
+        return 1;
+    }
+    return 0;
+}

src/symsolve/symexport.c

@@ -36,7 +36,8 @@ static void *trie_query(const uint8_t *export, const char *name) {
                 }
             }
             break;
-        } else {
+        }
+        else {
             go_child = false;
             cur_pos = child_off;
             uint8_t child_count = *(uint8_t *)cur_pos++;
@@ -73,7 +74,8 @@ void *symexp_solve(uint32_t image_index, const char *symbol_name) {
             if (strcmp(segment->segname, "__LINKEDIT") == 0) {
                 linkedit_cmd = (struct segment_command_64 *)ld_command;
             }
-        } else if (ld_command->cmd == LC_DYLD_INFO_ONLY || ld_command->cmd == LC_DYLD_INFO) {
+        }
+        else if (ld_command->cmd == LC_DYLD_INFO_ONLY || ld_command->cmd == LC_DYLD_INFO) {
             dyldinfo_cmd = (struct dyld_info_command *)ld_command;
             if (linkedit_cmd != NULL) {
                 break;
@@ -87,13 +89,14 @@ void *symexp_solve(uint32_t image_index, const char *symbol_name) {
     }
     // stroff and strtbl are in the __LINKEDIT segment
     // Its offset will change when loaded into the memory, so we need to add this slide
-    intptr_t linkedit_slide = linkedit_cmd->vmaddr - linkedit_cmd->fileoff;
-    uint8_t *export_offset = (uint8_t *)image_slide + linkedit_slide + dyldinfo_cmd->export_off;
+    intptr_t linkedit_base = image_slide + linkedit_cmd->vmaddr - linkedit_cmd->fileoff;
+    uint8_t *export_offset = (uint8_t *)linkedit_base + dyldinfo_cmd->export_off;
     symbol_address = trie_query(export_offset, symbol_name);
 
     if (symbol_address != NULL) {
         symbol_address += image_slide;
-    } else {
+    }
+    else {
         LOG_ERROR("symexp_solve: symbol not found!");
     }
     return symbol_address;

src/symsolve/symtable.c

@@ -22,7 +22,8 @@ void *symtbl_solve(uint32_t image_index, const char *symbol_name) {
             if (strcmp(segment->segname, "__LINKEDIT") == 0) {
                 linkedit_cmd = (struct segment_command_64 *)ld_command;
             }
-        } else if (ld_command->cmd == LC_SYMTAB) {
+        }
+        else if (ld_command->cmd == LC_SYMTAB) {
             symtab_cmd = (struct symtab_command *)ld_command;
             if (linkedit_cmd != NULL) {
                 break;
@@ -32,9 +33,9 @@ void *symtbl_solve(uint32_t image_index, const char *symbol_name) {
     }
     // stroff and strtbl are in the __LINKEDIT segment
     // Its offset will change when loaded into the memory, so we need to add this slide
-    intptr_t linkedit_slide = linkedit_cmd->vmaddr - linkedit_cmd->fileoff;
-    struct nlist_64 *nl_tbl = (void *)image_slide + linkedit_slide + symtab_cmd->symoff;
-    char *str_tbl = (void *)image_slide + linkedit_slide + symtab_cmd->stroff;
+    intptr_t linkedit_base = image_slide + linkedit_cmd->vmaddr - linkedit_cmd->fileoff;
+    struct nlist_64 *nl_tbl = (void *)linkedit_base + symtab_cmd->symoff;
+    char *str_tbl = (void *)linkedit_base + symtab_cmd->stroff;
     for (int j = 0; j < symtab_cmd->nsyms; j++) {
         if ((nl_tbl[j].n_type & N_TYPE) == N_SECT) {
             if (strcmp(symbol_name, str_tbl + nl_tbl[j].n_un.n_strx) == 0) {
@@ -45,7 +46,8 @@ void *symtbl_solve(uint32_t image_index, const char *symbol_name) {
     }
     if (symbol_address != NULL) {
         symbol_address += image_slide;
-    } else {
+    }
+    else {
         LOG_ERROR("symtbl_solve: symbol not found!");
     }
     return symbol_address;

src/tinyhook.c

@@ -52,9 +52,6 @@ static int calc_far_jump(uint8_t *output, void *src, void *dst, bool link) {
     return jump_size;
 }
 
-int position = 0;
-mach_vm_address_t vm;
-
 bool need_far_jump(void *src, void *dst) {
     long long distance = dst > src ? dst - src : src - dst;
 #ifdef __aarch64__
@@ -111,7 +108,8 @@ static int save_head(void *src, void *dst, size_t min_len, int *skip_lenp, int *
             *(uint16_t *)(bytes_out + head_len) = X86_64_MOV_RM64;
             bytes_out[head_len + 2] = insn.modrm_reg << 3 | insn.modrm_reg;
             head_len += 3;
-        } else {
+        }
+        else {
             memcpy(bytes_out + head_len, bytes_in + skip_len, insn.len);
             head_len += insn.len;
         }
@@ -133,22 +131,25 @@ int tiny_hook(void *src, void *dst, void **orig) {
     if (orig == NULL) {
         jump_size = calc_jump(jump_insns, src, dst, false);
         kr = write_mem(src, jump_insns, jump_size);
-    } else {
-        if (!position) {
+    }
+    else {
+        static int position = 0;
+        static mach_vm_address_t trampoline = 0;
+        if (!trampoline) {
             // alloc a vm to store headers and jumps
-            kr = mach_vm_allocate(mach_task_self(), &vm, PAGE_SIZE, VM_FLAGS_ANYWHERE);
+            kr = mach_vm_allocate(mach_task_self(), &trampoline, PAGE_SIZE, VM_FLAGS_ANYWHERE);
             if (kr != 0) {
                 LOG_ERROR("mach_vm_allocate: %s", mach_error_string(kr));
             }
         }
         int skip_len, head_len;
-        *orig = (void *)(vm + position);
+        *orig = (void *)(trampoline + position);
         jump_size = calc_jump(jump_insns, src, dst, false);
-        kr |= save_head(src, (void *)(vm + position), jump_size, &skip_len, &head_len);
+        kr |= save_head(src, (void *)(trampoline + position), jump_size, &skip_len, &head_len);
         kr |= write_mem(src, jump_insns, jump_size);
         position += head_len;
-        jump_size += calc_jump(jump_insns, (void *)(vm + position), src + skip_len, false);
-        kr |= write_mem((void *)(vm + position), jump_insns, jump_size);
+        jump_size += calc_jump(jump_insns, (void *)(trampoline + position), src + skip_len, false);
+        kr |= write_mem((void *)(trampoline + position), jump_insns, jump_size);
         position += jump_size;
     }
     return kr;

test/hook/example.c

@@ -25,15 +25,17 @@ int fake_add(int a, int b) {
 }
 
 __attribute__((visibility("default"))) void exported_func() {
+    printf("This is an exported function\n");
     return;
 }
 
 __attribute__((constructor(0))) int load() {
     fprintf(stderr, "=== libexample loading...\n");
 
     // get an exported symbol address
-    void *func_fake = symexp_solve(1, "_exported_func");
+    void (*func_fake)(void) = symexp_solve(1, "_exported_func");
     fprintf(stderr, "=== exported_func() address: %p\n", func_fake);
+    func_fake();
 
     // hook a function by symbol
     void *func_add = symtbl_solve(0, "_add");
@@ -49,5 +51,9 @@ __attribute__((constructor(0))) int load() {
     fprintf(stderr, "=== Removing hook\n");
     tiny_unhook_ex(&printf_bak);
     printf("Hook is removed!\n");
+
+    // or use interpose to hook it!
+    fprintf(stderr, "=== Now interposing printf\n");
+    tiny_interpose(0, "_printf", my_printf);
     return 0;
 }