Dylib - Insert

DYLD_INSERT_LIBRARIES=/path/to/my.dylib /path/to/target : dyld respects this environment variable unless restricted (see SIP, hardened runtime).

ps eww <PID> | tr ' ' '\n' | grep DYLD List loaded dylibs: insert dylib

gcc -dynamiclib -o mymalloc.dylib mymalloc.c Inject: DYLD_INSERT_LIBRARIES=/path/to/my

for (uint32_t i = 0; i < _dyld_image_count(); i++) const char *name = _dyld_get_image_name(i); if (is_dylib_blacklisted(name)) fprintf(stderr, "Suspicious dylib loaded: %s\n", name); exit(1); At startup, enumerate loaded dylibs and exit if

vmmap <PID> | grep -i dylib Unexpected dylibs (non-system, not in original binary) are suspicious. #include <mach-o/dyld.h> for (uint32_t i=0; i < _dyld_image_count(); i++) const char *name = _dyld_get_image_name(i); // Check against whitelist

// In main(), early unsetenv("DYLD_INSERT_LIBRARIES"); setenv("DYLD_LIBRARY_PATH", "", 1); Better: use posix_spawnattr_setflags with POSIX_SPAWN_CLOEXEC_DEFAULT and clear environment. At startup, enumerate loaded dylibs and exit if an unknown one appears. 7.6. Detect task_for_pid Abuse Monitor task_for_pid() calls using EndpointSecurity framework. 8. Code Example – Basic Protection #include <dlfcn.h> #include <stdlib.h> #include <mach-o/dyld.h> #include <stdio.h> #include <string.h> int is_dylib_blacklisted(const char *path) // Implement allowlist of known good paths if (strstr(path, "/malicious/")) return 1; return 0;

int main() anti_injection_check(); // ... rest of program