Reverse Engineering macOS: HookCase
HookCase is a tool for debugging and reverse engineering applications on macOS (aka OS X), and the operating system itself. It re-implements and extends Apple’s DYLD_INSERT_LIBRARIES functionality. It can be used to hook any method defined in any module’s symbol table, whether or not that method is exported. In a single operation, it can be applied to a parent process and all its child processes, whether or not the child processes inherit their parent’s environment. So HookCase is considerably more powerful than DYLD_INSERT_LIBRARIES. It also doesn’t have the restrictions Apple has placed on DYLD_INSERT_LIBRARIES. So, for example, HookCase can be used with applications that have entitlements. HookCase runs on OS X 10.9 (Mavericks) through macOS 10.12 (Sierra).

Apple’s DYLD_INSERT_LIBRARIES environment variable is used to load an “interpose library” into a process before any of its other modules. The interpose library cont...