Deal with breakage caused by macOS 11.4 (fixes issue steven-michaud#28)

0-whats-new.md

@@ -1,3 +1,14 @@
+# What's New in Version 5.0.5
+
+macOS 11.4 broke HookCase, just like macOS 11.3 did. macOS 11.4 made
+further changes to `struct thread`, of a kind that normally only takes
+place in a new major release. These changes caused a kernel panic
+every time you tried to load a hook library into an application. The
+problem is fixed by HookCase 5.0.5. `struct thread` is one of several
+kernel structures that HookCase needs to access directly. For more
+information see
+[Issue #28](https://github.com/steven-michaud/HookCase/issues/28).
+
 # What's New in Version 5.0.4
 
 This version of HookCase fixes a bug that caused intermittent
@@ -215,12 +226,12 @@ can now hook methods that aren't in their module's symbol table.  For
 more information see
 [Hooked_sub_123abc() in the hook library template](HookLibraryTemplate/hook.mm#L1105).
 
-* Version 2.0 [fixes a bug](HookCase/HookCase/HookCase.cpp#L9870) that
+* Version 2.0 [fixes a bug](HookCase/HookCase/HookCase.cpp#L9914) that
 prevented interpose hooks from working outside the shared cache of
 system modules.
 
 * Version 2.0
-[fixes a previously undiscovered edge case](HookCase/HookCase/HookCase.cpp#L11361)
+[fixes a previously undiscovered edge case](HookCase/HookCase/HookCase.cpp#L11405)
 of an Apple kernel panic bug that was partially fixed in version 1.
 
 * Version 2.0

1-more-about.md

@@ -88,5 +88,5 @@ allow the original `dyld::InitializeMainExecutable()` method to run
 (which, among other things, runs the process's C++ initializers).
 
 For more information, the best place to start is the
-[long series of comments](HookCase/HookCase/HookCase.cpp#L6987)
+[long series of comments](HookCase/HookCase/HookCase.cpp#L7031)
 in `HookCase.cpp` before the definition of `C_64_REDZONE_LEN`.

HookCase/HookCase.xcodeproj/project.pbxproj

@@ -231,7 +231,7 @@
 				MODULE_NAME = org.smichaud.HookCase;
 				MODULE_START = HookCase_start;
 				MODULE_STOP = HookCase_stop;
-				MODULE_VERSION = 5.0.4;
+				MODULE_VERSION = 5.0.5;
 				PRODUCT_BUNDLE_IDENTIFIER = org.smichaud.HookCase;
 				PRODUCT_NAME = "$(TARGET_NAME)";
 				WRAPPER_EXTENSION = kext;
@@ -247,7 +247,7 @@
 				MODULE_NAME = org.smichaud.HookCase;
 				MODULE_START = HookCase_start;
 				MODULE_STOP = HookCase_stop;
-				MODULE_VERSION = 5.0.4;
+				MODULE_VERSION = 5.0.5;
 				PRODUCT_BUNDLE_IDENTIFIER = org.smichaud.HookCase;
 				PRODUCT_NAME = "$(TARGET_NAME)";
 				WRAPPER_EXTENSION = kext;

HookCase/HookCase/HookCase.cpp

@@ -332,6 +332,16 @@ bool macOS_BigSur_less_than_3()
   return ((OSX_Version() & 0xFF) < 0x40);
 }
 
+bool macOS_BigSur_4_or_greater()
+{
+  if (!((OSX_Version() & 0xFF00) == MAC_OS_X_VERSION_10_16_HEX)) {
+    return false;
+  }
+  // The output of "uname -r" for macOS 11.4 is actually "20.5.0", and
+  // for 11.3 is "20.4.0".
+  return ((OSX_Version() & 0xFF) >= 0x50);
+}
+
 bool OSX_Version_Unsupported()
 {
   return (((OSX_Version() & 0xFF00) < MAC_OS_X_VERSION_10_9_HEX) ||
@@ -3902,6 +3912,19 @@ typedef struct thread_fake_bigsur_3
   vm_map_t map;         // Offset 0x6a8
 } thread_fake_bigsur_3_t;
 
+typedef struct thread_fake_bigsur_4
+{
+  uint32_t pad1[24];
+  integer_t options;    // Offset 0x60
+  uint32_t pad2[15];
+  // Actually a member of thread_t's 'machine' member.
+  void *ifps;           // Offset 0xa0
+  uint32_t pad3[230];
+  int iotier_override;  // Offset 0x440
+  uint32_t pad4[155];
+  vm_map_t map;         // Offset 0x6b0
+} thread_fake_bigsur_4_t;
+
 typedef struct thread_fake_bigsur_development
 {
   uint32_t pad1[26];
@@ -3928,6 +3951,19 @@ typedef struct thread_fake_bigsur_development_3
   vm_map_t map;         // Offset 0x718
 } thread_fake_bigsur_development_3_t;
 
+typedef struct thread_fake_bigsur_development_4
+{
+  uint32_t pad1[26];
+  integer_t options;    // Offset 0x68
+  uint32_t pad2[15];
+  // Actually a member of thread_t's 'machine' member.
+  void *ifps;           // Offset 0xa8
+  uint32_t pad3[248];
+  int iotier_override;  // Offset 0x490
+  uint32_t pad4[163];
+  vm_map_t map;         // Offset 0x720
+} thread_fake_bigsur_development_4_t;
+
 typedef struct thread_fake_catalina
 {
   uint32_t pad1[24];
@@ -4276,7 +4312,15 @@ bool initialize_thread_offsets()
     }
   }
 
-  if (macOS_BigSur_less_than_3()) {
+  if (macOS_BigSur_4_or_greater()) {
+    if (kernel_type_is_release()) {
+      g_iotier_override_offset =
+        offsetof(struct thread_fake_bigsur_4, iotier_override);
+    } else if (kernel_type_is_development()) {
+      g_iotier_override_offset =
+        offsetof(struct thread_fake_bigsur_development_4, iotier_override);
+    }
+  } else if (macOS_BigSur_less_than_3()) {
     if (kernel_type_is_release()) {
       g_iotier_override_offset =
         offsetof(struct thread_fake_bigsur, iotier_override);

HookCase/HookCase/Info.plist

@@ -15,11 +15,11 @@
 	<key>CFBundlePackageType</key>
 	<string>KEXT</string>
 	<key>CFBundleShortVersionString</key>
-	<string>5.0.4</string>
+	<string>5.0.5</string>
 	<key>CFBundleSignature</key>
 	<string>????</string>
 	<key>CFBundleVersion</key>
-	<string>5.0.4</string>
+	<string>5.0.5</string>
 	<key>NSHumanReadableCopyright</key>
 	<string>Copyright © 2021 Steven Michaud. All rights reserved.</string>
 	<key>OSBundleLibraries</key>

examples-kernel-logging.md

@@ -23,7 +23,7 @@ kernel extensions whose `start()` method fails.
 
 Note that there's a workaround, which involves installing a serial
 port and using `kprintf()` to write to it.  For more information see
-[HookCase_start()](HookCase/HookCase/HookCase.cpp#L12659).
+[HookCase_start()](HookCase/HookCase/HookCase.cpp#L12703).
 
 The root of the problem is that the messages received by Apple's new
 logging subsystem no longer contain full strings.  Instead each