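/*
 * Walk every image dyld reports as loaded in this process and terminate if one
 * of them matches the deny-list implemented by is_dylib_blacklisted().
 * Needs <mach-o/dyld.h>, <stdio.h> and <stdlib.h>.
 *
 * Limits a reviewer should keep in mind:
 *  - A deny-list only catches names already known to be bad; comparing against
 *    the set of images the binary is expected to load is the stricter form.
 *  - The check runs inside the process, so it reports a library that is already
 *    loaded; it does not prevent the load.
 */
for (uint32_t i = 0; i < _dyld_image_count(); i++) {
    const char *name = _dyld_get_image_name(i);

    /*
     * The count is re-read on every pass because the image list can change
     * while we iterate; an index that has gone out of range yields NULL.
     */
    if (name == NULL) {
        continue;
    }

    if (is_dylib_blacklisted(name)) {
        /* Report and stop only on a match; the exit belongs inside this branch. */
        fprintf(stderr, "Suspicious dylib loaded: %s\n", name);
        exit(1);
    }
}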
gcc -dynamiclib -o mymalloc.dylib mymalloc.c Inject: insert dylib
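// mymalloc.c
#include <stdio.h>

/*
 * Sample replacement for malloc(), the file this page compiles into
 * mymalloc.dylib to show what an interposed allocator looks like to the
 * detection checks it describes.
 *
 * size: number of bytes the caller asked for; it is only logged here.
 * Returns NULL unconditionally, so every allocation in a process that resolves
 * malloc to this definition fails. The listing is an illustration of the
 * symbol being replaced, not a working allocator.
 */
void *malloc(size_t size)
{
    printf("malloc(%zu) intercepted\n", size);
    return NULL; // or call real malloc
}

/* The page's excerpt is cut off after this point: for (uint32_t i = 0; i < _dyld_image_count(); */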
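/*
 * From outside the process, list the mapped libraries with:
 *
 *     vmmap <PID> | grep -i dylib
 *
 * Unexpected dylibs (non-system, not in the original binary) are suspicious.
 */
#include <mach-o/dyld.h>

/* In-process equivalent: enumerate the images dyld reports as loaded. */
for (uint32_t i = 0; i < _dyld_image_count(); i++) {
    const char *name = _dyld_get_image_name(i);

    /*
     * An index that is out of range yields NULL, which can happen if the image
     * list changes during the walk; skip it rather than pass NULL to a
     * string comparison.
     */
    if (name == NULL) {
        continue;
    }

    // Check against whitelist
}

/* The page's excerpt is cut off after this point: for (uint32_t i = 0 */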
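/**
 * Terminate the process if DYLD_INSERT_LIBRARIES is set to a non-empty value.
 *
 * Reads the variable with getenv(); when it is present and not empty, the value
 * is reported on stderr and the process exits with status 1. When it is absent
 * or empty the function returns normally.
 *
 * This is a tripwire, not a control: it inspects the environment at call time,
 * after the dynamic loader has already acted on the variable, so it reports the
 * condition rather than preventing the load. Platform-level protections such
 * as the hardened runtime and library validation are the preventive layer;
 * treat this check as an additional signal on top of them.
 */
void anti_injection_check(void)
{
    const char *env = getenv("DYLD_INSERT_LIBRARIES");

    /* Exit only when the variable actually carries a value. */
    if (env != NULL && env[0] != '\0') {
        fprintf(stderr, "DYLD_INSERT_LIBRARIES detected: %s\n", env);
        exit(1);
    }
}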
– interposing malloc :