This repo (https://github.com/jryans/interpose-experiments) contains a jumble of experiments and notes exploring paths to function
interposition and code injection.

## macOS

**Target version**: macOS 10.15

macOS is the main focus of this work, as it seems to apply the most complex and
convoluted layers out of all of the major desktop platforms at the moment.

### Protections to investigate

* [App Sandbox][as] ([guide][asdg])
  * Blocks access to files and system resources when the
    `com.apple.security.app-sandbox` entitlement is set
  * Can be relaxed through further entitlements (e.g.
    `com.apple.security.files.user-selected.read-only`)
  * Sandboxed apps get a dedicated container directory under
    `~/Library/Containers/` that only they can access
* Sandboxing via profiles (sometimes called "Seatbelt") such as those in
  `/System/Library/Sandbox/Profiles/*`
  * While the public `sandbox_init` API is marked as deprecated, this layer is
    far more powerful than the newer App Sandbox and remains heavily used by
    macOS system components, browsers, etc.
  * The newer App Sandbox makes use of this older system internally by applying
    the profile `/System/Library/Sandbox/Profiles/application.sb` during app
    startup
* [Hardened Runtime][hr]
  * Enabled by the `runtime` code-signing flag (`codesign -o runtime`); once
    set, dyld ignores `DYLD_*` environment variables, loaded libraries must pass
    library validation (signed by Apple or by the same Team ID), debuggers are
    denied the task port, and executable memory must be backed by signed code
  * Each restriction can be relaxed through a `com.apple.security.cs.*`
    entitlement (`allow-dyld-environment-variables`,
    `disable-library-validation`, `allow-unsigned-executable-memory`,
    `allow-jit`, ...) or, for debugger access, `com.apple.security.get-task-allow`
* [Notarization][nz]
  * Developers submit apps to Apple's notarization service, which runs various
    undocumented checks and, on success, issues a ticket; the developer staples
    the ticket to the app, and Gatekeeper can also look it up online. Apple does
    not re-sign the app
  * macOS 10.14.5 and later require notarization for kernel extensions and for
    software signed with newly issued Developer ID certificates; macOS 10.15
    extends the requirement to all Developer ID signed software distributed
    outside the App Store
  * Requirements include:
    * Code signature
    * Hardened Runtime enabled
    * Secure timestamp in signature
    * `com.apple.security.get-task-allow` entitlement must not be present (but
      perhaps [permissible when hosting plugins][nzplugins] and disabling
      library validation as well)
    * Link against macOS 10.9 or later SDK
    * Must have properly-formatted XML ASCII entitlements
* [System Integrity Protection][sip]
  * Blocks access to various system files via:
    * Paths listed in `/System/Library/Sandbox/rootless.conf`
    * Files marked with the `com.apple.rootless` xattr
  * [Blocks access][sipruntime] to the Mach task ports of Apple-signed platform
    binaries regardless of the caller; for third-party apps, the task port is
    denied to hardened runtime apps that lack the `get-task-allow` entitlement,
    while non-hardened apps can still be attached to by root or a
    `taskgated`-approved debugger
    * `SecTaskAccess` plist key on the requester also plays some role
  * Blocks unsigned kernel extensions from loading
  * Can be disabled via `csrutil` in Recovery OS
* `task_for_pid` access enforcement
  * Some checks happen in the kernel (AMFI policy hooks), others are passed off
    to the `taskgated` daemon
  * Flags examined by these checks include:
    * SIP protection status of the target (platform binary or not)
    * `com.apple.security.get-task-allow` entitlement on the target
    * `SecTaskAccess` plist key on the requester
    * `com.apple.security.cs.debugger` entitlement on the requester

### Injection strategies to explore

* Custom kernel extension (must be signed and, on 10.14.5 and later, notarized,
  unless SIP is disabled)
* Parent process spawning the app via various methods, so the parent holds a
  handle on the child before the child's own protections take effect
  * `NSTask`
  * XPC services
  * `posix_spawn`
  * `NSWorkspace`'s `launchApplication:`
* Stub process that absorbs code from disk and morphs into a different app

[as]: https://developer.apple.com/documentation/security/app_sandbox
[asdg]: https://developer.apple.com/library/archive/documentation/Security/Conceptual/AppSandboxDesignGuide/
[hr]: https://developer.apple.com/documentation/security/hardened_runtime
[nz]: https://developer.apple.com/documentation/xcode/notarizing_macos_software_before_distribution
[nzplugins]: https://developer.apple.com/documentation/xcode/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087731
[sip]: https://developer.apple.com/library/archive/documentation/Security/Conceptual/System_Integrity_Protection_Guide/
[sipruntime]: https://developer.apple.com/library/archive/documentation/Security/Conceptual/System_Integrity_Protection_Guide/RuntimeProtections/RuntimeProtections.html
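The hardened runtime and `task_for_pid` notes above boil down to a few signals that `codesign` already exposes: the `runtime` and `library-validation` flags on the CodeDirectory, and the `com.apple.security.*` entitlements embedded in the signature. The script below is an added example (it is not code from this repository) that turns those signals into a quick triage of which injection paths a target binary leaves open. The function names `cs_flags`, `has_flag`, `has_ent` and `injection_surface` are the example's own; the flag names and entitlement keys are the real ones `codesign` prints. It reads the two pieces of `codesign` output from files so the logic can be exercised on constructed input without a Mac.

```shell
#!/bin/sh
# Added example, not code from jryans/interpose-experiments. Classifies the
# injection surface of a macOS binary from two pieces of codesign output:
#   FLAGS: the "CodeDirectory ... flags=0x10000(runtime) ..." line printed by
#          `codesign -dvvv "$BIN" 2>&1`
#   ENTS:  the entitlements plist printed by `codesign -d --entitlements :- "$BIN"`
# Both are plain text files so the logic runs offline; on a Mac:
#   codesign -dvvv "$BIN" 2>&1 | grep '^CodeDirectory' > flags.txt
#   codesign -d --entitlements :- "$BIN" 2>/dev/null > ents.txt
#   injection_surface flags.txt ents.txt

# Extract the flags token, e.g. "0x12000(library-validation,runtime)".
cs_flags() {
    sed -n 's/.*flags=\([^ ]*\).*/\1/p' "$1" | head -n 1
}

# has_flag FLAGSFILE NAME: true if NAME appears inside the parentheses.
has_flag() {
    cs_flags "$1" | grep -q "[(,]$2[,)]"
}

# has_ent ENTSFILE KEY: true if the plist has <key>KEY</key> followed by <true/>.
# codesign prints one key or value per line, so a two-line window is enough.
has_ent() {
    awk -v k="<key>$2</key>" '
        prev && index($0, "<true/>") { hit = 1; exit }
        { prev = (index($0, k) > 0) }
        END { exit (hit ? 0 : 1) }' "$1"
}

# injection_surface FLAGSFILE ENTSFILE: prints a space-separated list of the
# paths left open, or "none".
#   dyld-insert-any        DYLD_INSERT_LIBRARIES is honored and any dylib loads
#   dyld-insert-same-team  DYLD_INSERT_LIBRARIES is honored, but library
#                          validation limits it to Apple or same-Team-ID dylibs
#   task-port              target opts in to task_for_pid via get-task-allow
injection_surface() {
    flags="$1"; ents="$2"; out=""

    # dyld ignores DYLD_* once the runtime flag is set, unless the target carries
    # allow-dyld-environment-variables. Caveat: setuid binaries and binaries
    # with a __RESTRICT segment are also exempt from DYLD_*, and that is not
    # visible in codesign output.
    env_ok=0
    if ! has_flag "$flags" runtime; then
        env_ok=1
    elif has_ent "$ents" com.apple.security.cs.allow-dyld-environment-variables; then
        env_ok=1
    fi
    if [ "$env_ok" = 1 ]; then
        if has_ent "$ents" com.apple.security.cs.disable-library-validation; then
            out="${out:+$out }dyld-insert-any"
        elif ! has_flag "$flags" runtime && ! has_flag "$flags" library-validation; then
            out="${out:+$out }dyld-insert-any"
        else
            # runtime implies library validation even without the explicit flag
            out="${out:+$out }dyld-insert-same-team"
        fi
    fi

    # get-task-allow lets a debugger (root, or a requester holding
    # com.apple.security.cs.debugger) obtain the target's task port. Notarized
    # builds must not carry it, so seeing it on a shipped app is a finding.
    if has_ent "$ents" com.apple.security.get-task-allow; then
        out="${out:+$out }task-port"
    fi

    echo "${out:-none}"
}
```

The script deliberately reports only what the signature itself proves. A target that comes back `none` can still be reachable through the parent-process strategies listed above (a parent that spawns the app via `posix_spawn` already holds it before dyld runs), and a `dyld-insert-same-team` result is only useful if you can sign a dylib with the target's Team ID.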