
I am using a 3rd party library that invokes a Core Foundation function.

Since that lib has a bug, passing incorrect values to a CF function, I need to intercept that call to fix the passed values.

How do I hook into the CF function call so that I can look at the passed parameters, change them and then call the actual (original) function?

I have the impression I can get to the actual function with CFBundleGetFunctionPointerForName, passing CFBundleGetMainBundle() as the first parameter and the name of the CF function as the second parameter.

In my particular case, that would be:

/* the function name argument is a CFStringRef, hence CFSTR() */
void *p = CFBundleGetFunctionPointerForName(CFBundleGetMainBundle(), CFSTR("CFRunLoopTimerCreate"));

But that returns NULL.

I also tried this:

void *p = CFBundleGetFunctionPointerForName(CFBundleGetBundleWithIdentifier(CFSTR("com.apple.Cocoa")), CFSTR("CFRunLoopTimerCreate"));

That returns a non-null value but it still does not appear to be a pointer I could change but rather the actual starting address of the function's code.

So, how do I get an address of a function pointer to an imported API function that I can save and then change to point to my intercepting function? Or how else could I hook into an imported function?

Thomas Tempelmann

1 Answer


CFBundleGetFunctionPointerForName will just return the address of a function in a given bundle; this will never let you change the destination of calls to the function. If you really want to do something like that, please refer to Is it possible to hook API calls on Mac OS? Note that this is highly not recommended.

Jean-Baptiste Yunès
  • It appears that the "highly not recommended" part only applies to system-wide interceptions. I only want to intercept the call in my own app. But I also don't have any understanding how to use the quoted `DYLD_INSERT_LIBRARIES` for that as I'm using a development system that doesn't let me write my own linked commands. – Thomas Tempelmann Nov 25 '15 at 22:17
  • BTW, as I recall how external (imported) function calls work, it's always using an interim jmp call or something similar, meaning that all calls for a function generated by a compiler will jump to a single address, which will then perform the actual jump into the other dylib. So all I want to understand is how to reliably find that central point and patch it so that it calls my hook instead. – Thomas Tempelmann Nov 25 '15 at 22:21
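The mechanism the last comment describes (every call to an imported function goes through one symbol-pointer slot that dyld binds at load time) is exactly what dyld's documented interposing facility rewrites, and it answers the question's "how else could I hook into an imported function" for a process you ship yourself. The following is an added example, not code from the question, the answer or any of the people quoted above: a small C file that interposes CFRunLoopTimerCreate, sanitises its arguments, then calls the real function. The question does not say which values the buggy library passes, so the two checks shown (negative interval, non-finite fire date) are assumed for illustration. The DYLD_INTERPOSE macro is the one from Apple's dyld-interposing.h; the portable typedefs under the non-Apple branch exist only so the argument checks compile and can be tested on other hosts.

```c
/* interpose_cf_timer.c  (added example; not from the question or answer)
 *
 * Interposes CFRunLoopTimerCreate inside this process via dyld's __interpose
 * section, fixes the arguments, then calls the real function.
 *
 *   clang -dynamiclib -framework CoreFoundation -o libfixtimer.dylib interpose_cf_timer.c
 *   DYLD_INSERT_LIBRARIES=./libfixtimer.dylib ./MyApp     (or link the object into MyApp)
 *
 * dyld only honours interpose tuples in images loaded at launch (main executable,
 * linked dylibs, DYLD_INSERT_LIBRARIES), not in images dlopen()ed later.
 */
#include <math.h>
#include <stdio.h>

#ifdef __APPLE__
#include <CoreFoundation/CoreFoundation.h>
#else
/* Stand-ins for non-Apple hosts: only the interposing glue below needs CoreFoundation. */
typedef double CFAbsoluteTime;
typedef double CFTimeInterval;
#endif

/* Assumed bug: a negative (or NaN) interval.  A 0 interval is valid CF and makes
 * a one-shot timer, so clamp to 0 instead of rejecting the call. */
CFTimeInterval sanitize_timer_interval(CFTimeInterval interval) {
    if (!(interval >= 0.0))            /* the negated compare also catches NaN */
        return 0.0;
    return interval;
}

/* Assumed bug: a NaN or infinite fire date, which would never fire; use "now". */
CFAbsoluteTime sanitize_fire_date(CFAbsoluteTime fireDate, CFAbsoluteTime now) {
    if (!isfinite(fireDate))
        return now;
    return fireDate;
}

#ifdef __APPLE__
/* From Apple's dyld-interposing.h: a (replacement, replacee) tuple in
 * __DATA,__interpose makes dyld bind every other image's symbol-pointer slot
 * for `replacee` to `replacement`.  The image that defines the tuple is not
 * interposed, so the replacement can call the original directly. */
#define DYLD_INTERPOSE(_replacement, _replacee)                                            \
    __attribute__((used)) static struct { const void *replacement; const void *replacee; } \
    _interpose_##_replacee __attribute__((section("__DATA,__interpose"))) =                \
        { (const void *)(unsigned long)&_replacement, (const void *)(unsigned long)&_replacee };

static CFRunLoopTimerRef fixed_CFRunLoopTimerCreate(CFAllocatorRef allocator,
                                                    CFAbsoluteTime fireDate,
                                                    CFTimeInterval interval,
                                                    CFOptionFlags flags,
                                                    CFIndex order,
                                                    CFRunLoopTimerCallBack callout,
                                                    CFRunLoopTimerContext *context) {
    CFTimeInterval fixedInterval = sanitize_timer_interval(interval);
    CFAbsoluteTime fixedFireDate = sanitize_fire_date(fireDate, CFAbsoluteTimeGetCurrent());
    if (fixedInterval != interval || fixedFireDate != fireDate)   /* NaN compares unequal, so it is logged too */
        fprintf(stderr, "fixed CFRunLoopTimerCreate args: fireDate %g->%g interval %g->%g\n",
                fireDate, fixedFireDate, interval, fixedInterval);
    /* Direct call reaches the real CoreFoundation function (see macro comment). */
    return CFRunLoopTimerCreate(allocator, fixedFireDate, fixedInterval, flags, order, callout, context);
}
DYLD_INTERPOSE(fixed_CFRunLoopTimerCreate, CFRunLoopTimerCreate)
#endif
```

Because the tuple is applied by dyld when it binds symbols, the hook covers every image in the process, including the third-party library, without patching any code or stub; that is why no writable "function pointer address" has to be found by hand. The same property is what makes the linked answer's caveat legitimate: DYLD_INSERT_LIBRARIES redirects calls for any process it is applied to, so the OS ignores it for platform binaries and for apps built with the hardened runtime or library validation, and a dylib you ship this way should be signed with the rest of your app.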