System Call Hooking Causing Kernel Panic

We have a kernel-based product. We hook system calls by overriding the original system call table entries.


Till OSX 10.13, this mechanism was working, but from OSX 10.14 (Mojave), we were unable to override the system call table entries.


We give read+write permission to the page where the system call table is available, but now even if the page write permission call succeeds, we are not able to write to the page. And this is causing a kernel panic.

Is there any alternative way to give write permission to the system call page?


Thanks

Replies

We hook system calls by overriding the original system call table entries.

This is not supported (and has not been supported since we introduced formal KPI support in 10.4). If you provide more details about what your product is doing, I may be able to suggest an alternative approach.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"