
dyld interposing - broken in 10.9?

PostPosted: Mon Feb 03, 2014 4:07 pm
by int
Function interposing sounds like a useful technique. I tried it out on my olde macbook pro (10.8, slightly older dev environment) and it works great, but I was disappointed to find that it doesn't work on my newer (10.9) machine. Has something changed recently? I tried the example in http://www.newosxbook.com/src.jl?tree=l ... nterpose.c and this did not work; reproducing that code and steps exactly simply did not produce the desired result (I got the ls output, without any of the malloc_printfs). Has something changed between 10.8 and 10.9?

Thanks.

Re: dyld interposing - broken in 10.9?

PostPosted: Thu Feb 06, 2014 4:59 pm
by morpheus
It works just as well. What's "broken" is clang. If you check the dylib you compiled, you will likely see no __interpose section. clang doesn't honor the attribute - gcc, however, does. If you have the __DATA.__interpose, it will work as uhm.. advertised.

J

Re: dyld interposing - broken in 10.9?

PostPosted: Mon Feb 10, 2014 6:25 am
by int
Ah yes, sure enough otool -l indicates this. Thanks!

Re: dyld interposing - broken in 10.9?

PostPosted: Sun Feb 16, 2014 11:22 pm
by morpheus
You're welcome. Incidentally, I added another feature to jtool to dump the interpose section. If you use -d __DATA.__interpose, you should be able to see what gets interposed to what (as of v0.51).

And - btw - you can ensure interposing works by specifying __attribute__((used)):

Code:
/* The "used" attribute keeps the otherwise unreferenced static struct (and its
 * __DATA,__interpose section) from being discarded at compile time. */
#define DYLD_INTERPOSE(_replacement,_replacee) \
   __attribute__((used)) static struct{ const void* replacement; const void* replacee; } _interpose_##_replacee \
            __attribute__ ((section ("__DATA,__interpose"))) = { (const void*)(unsigned long)&_replacement, (const void*)(unsigned long)&_replacee };
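A complete interposing dylib built around that macro, as an added example that is not code from the thread or from jtool: it records and logs every open(2) call and forwards to the original, which is the kind of hook a defender would use to audit file access. The names interposed_open, interposed_open_calls and the counter are assumptions of this example; on non-Apple targets the tuple is compiled out so the replacement function can be exercised on its own.

```c
/* interpose_open.c: build on macOS with
 *   clang -dynamiclib -o libinterpose_open.dylib interpose_open.c
 * check that the tuple survived (this is the thread's diagnostic):
 *   otool -l libinterpose_open.dylib | grep -A4 __interpose
 * and try it:
 *   DYLD_INSERT_LIBRARIES=./libinterpose_open.dylib ls / */
#include <fcntl.h>
#include <stdarg.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Same tuple as in the thread; __attribute__((used)) stops clang from
 * discarding the unreferenced static struct together with its section. */
#define DYLD_INTERPOSE(_replacement, _replacee)                               \
    __attribute__((used)) static struct {                                     \
        const void *replacement;                                              \
        const void *replacee;                                                 \
    } _interpose_##_replacee __attribute__((section("__DATA,__interpose"))) = \
        {(const void *)(unsigned long)&_replacement,                          \
         (const void *)(unsigned long)&_replacee};

static unsigned long g_open_calls; /* open() calls seen so far */

unsigned long interposed_open_calls(void) { return g_open_calls; }

/* Replacement for open(2): record the call, then forward to the real one.
 * dyld rebinds references to open() made from inside the interposing image
 * to the original, so the call below does not recurse into us. */
int interposed_open(const char *path, int oflag, ...) {
    mode_t mode = 0;
    if (oflag & O_CREAT) { /* the mode argument exists only with O_CREAT */
        va_list ap;
        va_start(ap, oflag);
        mode = (mode_t)va_arg(ap, int);
        va_end(ap);
    }
    g_open_calls++;
    fprintf(stderr, "[interpose] open(\"%s\", 0x%x)\n", path, oflag);
    return open(path, oflag, mode);
}

/* Emit the tuple only on macOS; elsewhere the replacement still compiles
 * as an ordinary function so it can be tested on its own. */
#ifdef __APPLE__
DYLD_INTERPOSE(interposed_open, open)
#endif
```

If otool or jtool shows no __DATA.__interpose section after building, the attribute was dropped and the hook will silently never fire.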