Dynamic Patching on Mac OS X
Back in the Old Times, when Macs still used PowerPC processors, I worked on desktop management software that needed to override core system functionality, for example disabling a menu item in Internet Explorer or Safari, or intercepting print commands to perform cost accounting. I ultimately worked out a way to inject code into other processes (we were running as root after all) and then patch any given function by swapping out its first instruction. When the Intel switch came, I figured out how to do the same thing for x86/IA-32.
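The patch described above works by overwriting a function's first instruction with a transfer of control, which is also what makes it detectable: a prologue that begins with a jump away from the function is the footprint such a patch leaves behind. The following is an added example, not code from the post or from the author's GitHub repository, showing how a defender can take a baseline of a function's prologue at startup and classify the first bytes against the x86-64 jump encodings an inline patcher can use. The byte patterns are a heuristic rather than a disassembler, the sample prologues are constructed for illustration, and the `sample_target` function and `PATCH_*` names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* What an inline patch leaves at the start of a function on x86-64: one of a
 * handful of unconditional control transfers, or an int3 trap. Heuristic only;
 * no attempt is made to decode arbitrary instructions. */
enum patch_kind {
    PATCH_NONE = 0,
    PATCH_JMP_REL32,        /* E9 rel32 */
    PATCH_JMP_RIP_INDIRECT, /* FF 25 disp32 (jmp qword [rip+disp32]) */
    PATCH_MOV_RAX_JMP,      /* 48 B8 imm64 ; FF E0 (mov rax, imm64 ; jmp rax) */
    PATCH_INT3              /* CC */
};

enum patch_kind classify_prologue(const uint8_t *code, size_t len)
{
    if (len >= 5 && code[0] == 0xE9)
        return PATCH_JMP_REL32;
    if (len >= 6 && code[0] == 0xFF && code[1] == 0x25)
        return PATCH_JMP_RIP_INDIRECT;
    if (len >= 12 && code[0] == 0x48 && code[1] == 0xB8 &&
        code[10] == 0xFF && code[11] == 0xE0)
        return PATCH_MOV_RAX_JMP;
    if (len >= 1 && code[0] == 0xCC)
        return PATCH_INT3;
    return PATCH_NONE;
}

/* Resolve where an E9 rel32 jump goes: the displacement is relative to the
 * address of the instruction that follows the 5-byte jump. */
uintptr_t jmp_rel32_target(uintptr_t insn_addr, const uint8_t *code)
{
    int32_t disp;
    memcpy(&disp, code + 1, sizeof disp); /* little-endian, sign-extended */
    return insn_addr + 5 + (uintptr_t)(intptr_t)disp;
}

/* Copy the first n bytes of a live function so a baseline taken at startup
 * can be compared against later snapshots. Text is readable, so no mprotect. */
void snapshot_prologue(const void *fn, uint8_t *out, size_t n)
{
    memcpy(out, fn, n);
}

/* 1 if the prologue no longer matches the baseline, else 0. */
int prologue_changed(const uint8_t *baseline, const uint8_t *now, size_t n)
{
    return memcmp(baseline, now, n) != 0;
}

/* A function in this process to monitor; its body is irrelevant. */
int sample_target(int x) { return x * 2 + 1; }

/* Snapshot a live function and report 1 if its prologue shows no patch. */
int live_prologue_is_clean(const void *fn)
{
    uint8_t buf[12];
    snapshot_prologue(fn, buf, sizeof buf);
    return classify_prologue(buf, sizeof buf) == PATCH_NONE;
}

/* Constructed prologues for illustration; not captured from real binaries. */
const uint8_t SAMPLE_CLEAN[8]    = {0x55, 0x48, 0x89, 0xE5, 0x48, 0x83, 0xEC, 0x10};
const uint8_t SAMPLE_HOOKED[9]   = {0xE9, 0xFB, 0x0F, 0x00, 0x00, 0x48, 0x83, 0xEC, 0x10};
const uint8_t SAMPLE_BACK[5]     = {0xE9, 0xF0, 0xFF, 0xFF, 0xFF}; /* rel32 = -16 */
const uint8_t SAMPLE_INDIRECT[6] = {0xFF, 0x25, 0x00, 0x00, 0x00, 0x00};
const uint8_t SAMPLE_MOVJMP[12]  = {0x48, 0xB8, 0x00, 0x10, 0x00, 0x00,
                                    0x00, 0x00, 0x00, 0x00, 0xFF, 0xE0};

int main(void)
{
    static const char *names[] = {"none", "jmp rel32", "jmp [rip+disp32]",
                                  "mov rax,imm64; jmp rax", "int3"};

    printf("clean    : %s\n", names[classify_prologue(SAMPLE_CLEAN, sizeof SAMPLE_CLEAN)]);
    printf("hooked   : %s -> target 0x%lx (if the jmp were at 0x1000)\n",
           names[classify_prologue(SAMPLE_HOOKED, sizeof SAMPLE_HOOKED)],
           (unsigned long)jmp_rel32_target(0x1000, SAMPLE_HOOKED));
    printf("baseline differs from hooked: %d\n",
           prologue_changed(SAMPLE_CLEAN, SAMPLE_HOOKED, 5));
    printf("sample_target in this process clean: %d\n",
           live_prologue_is_clean((const void *)sample_target));
    return 0;
}
```

In a real monitor the baseline would be taken for each exported function of interest as early as possible in process startup, and a later mismatch would be reported together with the resolved jump target so an analyst can see which module the control transfer lands in.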
The really fun part was getting it to work inside apps running via the Rosetta code-translation environment, which was a pretty special case. From the outside, the app's threads were all Intel-based, with one extra Intel thread running the translation process. Internally I needed to plant PowerPC code and patch PowerPC instructions, but where I'd normally add a new thread to do the work, now I could only add Intel threads, so I needed a hybrid approach.
Eventually x86_64 came along, and this threw a spanner in the works (I found an instruction stream parser for i32, but not for i64). I left the company in 2007, but in early 2009 I secured permission to share the source code and put it up on Github, along with a paper writing up the underlying theory. Since I’m going through old papers and presentations, it seems apropos to make it available here as well.