I published the last part of my notes about debugging the loading process and analyzing the low-level functionalities of dyld.

https://karol-mazurek.medium.com/dyld-do-you-like-death-xi-cef76bc8dc14?sk=v2%2F0b88b392-ae94-43d0-9120-109306051e00

Below is a brief overview, by tags, of what you can expect inside:
prepare | APIs | isSimulatorPlatform | state.initializeClosureMode() | PrebuiltLoaders | JustInTimeLoader | PrebuilLoaderSet | dyld3 | dyld4 | Closures | initializeClosureMode | Loaders | validHeader | hasValidMagic | kmagic | dontUsePrebuiltForApp | findLaunchLoaderSet | cachePBLS | hasLaunchLoaderSetWithCDHash | findLaunchLoaderSetWithCDHash | findLaunchLoaderSet | allowOsProgramsToSaveUpdatedClosures | reserve | bit_ceil | allowNonOsProgramsToSaveUpdatedClosures | DYLD_USE_CLOSURES | reserveExact | getOnDiskBinarySliceOffset | STACK_ALLOC_OVERFLOW_SAFE_ARRAY | topLevelLoaders | loadDependents | notifyDebuggerLoad | notifyDtrace | DOF | addPermamentRanges | STACK_ALLOC_ARRAY | weakDefMap | buildInterposingTables | handleStrongWeakDefOverrides | visibility | applyFixups | applyCachePatches | doSingletonPatching | applyInterposingToDyldCache | Libdyld.dylib | libdyld4Section | allImageInfos | storeProcessInfoPointer | __chkstk_darwin | partitionDelayLoads | DYLD_JUST_BUILD_CLOSURE | prewarming | notifyMonitorNeeded | LC_MAIN | LC_THREAD | getEntry | appMain | restorePreviousState | TPRO | libSystemHelpers | __exit

Enjoy!
#apple #arm #c #dyld #debugging #programming #lldb #re

DYLD — Do You Like Death? (XI) | Medium

The last article in the series describes how Dyld loads dependent dylibs, binds them, returns the address of main(), calls it, and finally terminates.

I published another part of my notes about debugging the loading process and analyzing the low-level functionalities of dyld.

https://karol-mazurek.medium.com/dyld-do-you-like-death-x-76408570c357?sk=v2%2F8b69c2f1-ce13-4d05-bba1-e0164c3de381

Below is a brief overview, by tags, of what you can expect inside:
ExternallyViewableState | externallyViewable.init | dyld_all_image_info | exec_prefault_data | task_info | com.apple.security.get-task-allow | get_dyld_info | lsl:Vector | ProcessSnapshot | compact info | makeUnique | release | setDyldState | setInitialExternallyVisibleState | setShareCacheInfo | setDyld | inDyldCache | DYLD_IN_CACHE | recordFromInfo | FileRecord | Image | addImage | _snapshot | addImageInfo | setInitialImageCount | commit | compactInfoData | RemoteNotificationResponder

Enjoy!
#apple #arm #c #dyld #debugging #programming #lldb #re

DYLD — Do You Like Death? (X) | Medium

Introducing ExternallyViewableState, which holds information about the external objects in the system that we are loading (dyld, executable, dylibs).

I published another part of my notes about debugging the loading process and analyzing the low-level functionalities of dyld.

https://karol-mazurek.medium.com/dyld-do-you-like-death-ix-5052c865100e?sk=v2%2Fe078d739-ab30-4f2d-8a12-eefc63dd73b4

Below is a brief overview, by tags, of what you can expect inside:
RuntimeState | ProcessConfig | finalizeListTLV | FileManager | _fsUUIDMap | OrderedMap | UUIDs | PermanentRanges | state APIs

Enjoy!
#apple #arm #c #dyld #debugging #programming #lldb #re

DYLD — Do You Like Death? (IX) | Medium

Debugging Dyld, introducing RuntimeState, whose APIs are used for tracking process-related data, such as threads or loaded Mach-Os.

I published another part of my notes about debugging the loading process and analyzing the low-level functionalities of dyld.

https://karol-mazurek.medium.com/dyld-do-you-like-death-viii-327d7e7f3c0f?sk=v2%2F6c6b611d-fee4-4d9d-8a36-d59a05116e23

Below is a brief overview, by tags, of what you can expect inside:
ProcessConfig | Process::PathOverrides | Overrides and path fallbacks for Dylibs | security.allowEnvVarsPath | crashMsg | addEnvVar | DYLD_LIBRARY_PATH | DYLD_FRAMEWORK_PATH | DYLD_FALLBACK_FRAMEWORK_PATH | DYLD_FALLBACK_LIBRARY_PATH | DYLD_VERSIONED_FRAMEWORK_PATH | DYLD_VERSIONED_LIBRARY_PATH | DYLD_INSERT_LIBRARIES | DYLD_IMAGE_SUFFIX | DYLD_ROOT_PATH | _dylibPathOverridesExeLC | _dylibPathOverridesEnv | isLC_DYLD_ENV | CRSetCrashLogMessage2 | LC_DYLD_ENVIRONMENT | allowEmbeddedVars | _insertedDylibs | cryptexOSPath | VersionedPaths | processVersionedPaths | checkVersionedPath | LC_ID_DYLIB | sys.getDylibInfo | addPathOverride | dontUsePrebuiltForApp | adjustDevelopmentMode

Enjoy!
#apple #arm #c #dyld #debugging #programming #lldb #re

DYLD — Do You Like Death? (VIII) | Medium

Debugging Dyld, analyzing ProcessConfig PathOverrides, which enumerates path-specific Dyld environment variables, and understanding how overrides and path fallbacks work for Dylibs.

I published another part of my notes about debugging the loading process and analyzing the low-level functionalities of dyld.

https://karol-mazurek.medium.com/dyld-do-you-like-death-vii-62c202f98610?sk=v2%2Fab26bfcf-ba56-493d-9af3-2d8790ca6208

Below is a brief overview, by tags, of what you can expect inside:
ProcessConfig | Process::Logging | Process::dyldCache | DYLD_PRINT_TO_STDERR | DYLD_PRINT_INTERPOSING | allowEnvVarsSharedCache | allowEnvVarsPrint | openLogFile | DYLD_PRINT_TO_FILE | BSD open syscall | DYLD_SHARED_REGION | Shared Library Cache | DYLD_SHARED_CACHE_DIR | dyldCache | CacheFinder | Ignite | ignitionPayload | ignition | open_console | log_init | sysctlbyname | __sysctl | dyld_parse_boot_arg_int | dyld_parse_boot_arg_cstr | libignition | boot_init | stage_fire | getDyldCache | loadDyldCache | mapSplitCachePrivate | reuseExistingCache | mapSplitCacheSystemWide | jettison

Enjoy!
#apple #arm #c #dyld #debugging #programming #lldb #re

DYLD — Do You Like Death? (VII) | Medium

Debugging Dyld, analyzing ProcessConfig Logging and DyldCache members along with the DYLD_PRINT_TO_FILE, DYLD_SHARED_REGION, and DYLD_SHARED_CACHE_DIR environment variables.

I published another part of my notes about debugging the loading process and analysing the low-level functionalities of dyld.

https://karol-mazurek.medium.com/dyld-do-you-like-death-vi-1013a69118ff?sk=v2%2F37b3a61f-8483-4b38-977d-7f860944862b

Below is a brief overview, by tags, of what you can expect inside:
ProcessConfig | Process::Process | Process::Security | csr_check | CSR_ALLOW_APPLE_INTERNAL | csrctl | syscall_csr_check | AMFI | internalInstall | isRestricted | isFairPlayEncrypted | amfiFlags | amfi_check_dyld_policy_self | ___sandbox_ms | ___mac_syscall | mpo_policy_syscall_t | MAC policy | com.apple.driver.AppleMobileFileIntegrity | _policy_syscall | _check_dyld_policy_internal | macos_Dyld_policy_collect_state | logDyldPolicyData | DYLD_AMFI_FAKE | getAMFI | pruneEnvVars | com.apple.security.cs.allow-dyld-environment-variables

Enjoy!
#apple #arm #c #dyld #debugging #programming #lldb #re

I published another part of my notes about debugging the loading process and analysing the low-level functionalities of dyld.

https://karol-mazurek.medium.com/dyld-do-you-like-death-v-c40a267573cb?sk=v2%2F4c9f16b2-59bd-406a-945d-10a1fba1001b

Enjoy!
#apple #arm #c #dyld #debugging #programming #lldb #research #re

DYLD — Do You Like Death? (V) | Medium

The lifecycle of a Dynamic Loader from its creation to its termination. Debugging Dyld and analysing its EphemeralAllocator and PersistentAllocator.

I have published Snake & Apple V.

https://karol-mazurek.medium.com/snake-apple-v-dyld-8b36b674cc44?sk=v2%2F4acb16f8-fa88-41f0-8d7c-1362f4060010

Inside, you will find an explanation of the Dynamic Loader #Dyld concept on #Apple #Mac (#macOS). It also shows a few #tips on how to read its #open #source #code. The article introduces some #debug #tools helpful for working with Dyld. It also describes how the #rebase and #bind #fixups work. You will also get information about dynamic #interposing and dyld-specific environment variables and how they can be used for #exploitation and #vulnerability #research. There is also some #reverse #engineering and #programming.

This #research results in some new #tools written in #Python, which, as usual, you will find in the repository. The most important is the #dyld module for #CrimsonUroboros.

Enjoy reading! 👨‍💻

I published another part of my notes about debugging the loading process and analysing the low-level functionalities of dyld.

https://karol-mazurek.medium.com/dyld-do-you-like-death-iv-ede6b157752c?sk=v2%2F87ebe38d-004c-41a6-bc1f-43898494a512

Enjoy!
#apple #arm #c #dyld #debugging #programming #lldb #research

DYLD — Do You Like Death? (IV) | Medium

The lifecycle of a Dynamic Loader from its creation to its termination. Debugging Dyld and analysing its source code from RuntimeLocks through MemoryManager.

I published another part of my notes about debugging the loading process and analysing the low-level functionalities of dyld.

So here it is: The DYLD - Do You Like Death? (III)
The lifecycle of a Dynamic Loader from its creation to its termination. Debugging Dyld and analysing its source code inside the handleDyldInCache function, starting from the getUuid.

Enjoy!
#apple #arm #c #dyld #debugging #programming

https://karol-mazurek.medium.com/dyld-do-you-like-death-iii-af77701a3034?sk=v2%2F06c92503-2db9-40e2-b139-c9ae0a35e7b3

DYLD — Do You Like Death? (III) | Medium

The lifecycle of a Dynamic Loader from its creation to its termination. Debugging Dyld and analysing its source code inside the handleDyldInCache function.
