{
	"id": "d751595a-9653-4adc-89d3-284d82e7985f",
	"created_at": "2026-04-06T00:07:55.074582Z",
	"updated_at": "2026-04-10T03:20:36.695421Z",
	"deleted_at": null,
	"sha1_hash": "f95fdf7f2592ebd8ed22c4965a56c9ae6d4297e1",
	"title": "Simple code injection using DYLD_INSERT_LIBRARIES",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 372807,
	"plain_text": "Simple code injection using DYLD_INSERT_LIBRARIES\r\nPublished: 2012-12-18 · Archived: 2026-04-05 21:44:42 UTC\r\nIn the following article I will describe a simple method to inject code into executables on Mac OS X 10.8 using\r\nthe DYLD_INSERT_LIBRARIES environment variable.\r\nWant to support this blog? Please check out\r\nEasily preview Mermaid diagrams\r\nSequence diagrams, flowcharts, …\r\nBuilt-in editor\r\nExport to PDF, PNG, and SVG\r\nQuick Look integration\r\nAvailable on macOS, iOS, and iPadOS\r\nFree download on the App Store\r\nI also wrote a simple launcher that starts Calculator.app and injects code to modify the About Box of\r\nCalculator.app. When bringing the About Box window of Calculator.app, a custom alert will be displayed:\r\nhttps://blog.timac.org/2012/1218-simple-code-injection-using-dyld_insert_libraries/\r\nPage 1 of 5\n\nNote: Code injection should be used with care. You should probably not ship applications using code injection and\r\nthe discussed environment variable DYLD_INSERT_LIBRARIES.\r\nOn Mac OS X 10.8, there are several ways to inject code into an arbitrary 64-bit process:\r\nwriting a plugin if the targeted application supports plugins. Such a solution is possible for applications\r\nlike Safari, Mail, Xcode… but not for the Calculator.app.\r\nInjecting code through Scripting Additions: you create a daemon to watch the launch of the targeted\r\napplication and this daemon sends a custom Apple event to trigger the code injection. This solution is\r\napparently used by 1Password 3.\r\nyou can inject code using Mach ports by using mach_override and mach_inject but it has some downsides\r\n(you need to be in the procmod group or root).\r\nInjecting code through a kernel extension: This is really powerful but the code runs in the kernel.\r\nModifying the binary of the application but this can’t be reused and you need to reapply the changes for\r\neach new version of the application.\r\nInjecting code using the DYLD_INSERT_LIBRARIES environment variable: this is a really simple solution to\r\nimplement but you can only inject code in the application you launch.\r\nNow that we know the different ways for injecting code, let’s look more in details at the DYLD_INSERT_LIBRARIES\r\nenvironment variable.\r\nUsing DYLD_INSERT_LIBRARIES has several advantages:\r\nIt is simple to implement.\r\nhttps://blog.timac.org/2012/1218-simple-code-injection-using-dyld_insert_libraries/\r\nPage 2 of 5\n\nAll the code runs in userland and you don’t need to be root or run with the procmod group.\r\nYou don’t rely on complex third party code.\r\nIt can be used to inject code in any application you start.\r\nYou only inject code in a specific application.\r\nIt has some downsides:\r\nYou can only inject code in the applications you start.\r\nOn Mac OS X, the dynamic linker (dyld) can be used to load a dynamic library specified in the\r\nDYLD_INSERT_LIBRARIES environment variable into an executable. I created a simple dynamic library that\r\nreplaces the -[CalculatorController showAbout:] method of Calculator.app with a custom implementation.\r\nFollowing is the code of the dynamic library (ACCalculatorOverrides.m). Here is what it does:\r\nI created an object called ACCalculatorOverrides with a +(void)load class method. This code is invoked\r\nreally early by the runtime. It exchanges the implementation of the method -[CalculatorController\r\nshowAbout:] by the implementation of -[ACCalculatorOverrides patchedShowAbout:] .\r\nThe method -[ACCalculatorOverrides patchedShowAbout:] will call the original method to display the\r\noriginal About Box and then display a custom alert.\r\n#import \"ACCalculatorOverrides.h\"\r\n \r\n#include \u003cstdio.h\u003e\r\n#include \u003cobjc/runtime.h\u003e\r\n#include \u003cFoundation/Foundation.h\u003e\r\n#include \u003cAppKit/AppKit.h\u003e\r\n \r\nstatic IMP sOriginalImp = NULL;\r\n \r\n@implementation ACCalculatorOverrides\r\n \r\n+(void)load\r\n{\r\n // We replace the method -[CalculatorController showAbout:] with the method -[ACCalculatorOverrides patchedS\r\n Class originalClass = NSClassFromString(@\"CalculatorController\");\r\n Method originalMeth = class_getInstanceMethod(originalClass, @selector(showAbout:));\r\n sOriginalImp = method_getImplementation(originalMeth);\r\n \r\n Method replacementMeth = class_getInstanceMethod(NSClassFromString(@\"ACCalculatorOverrides\"), @selector(patc\r\n method_exchangeImplementations(originalMeth, replacementMeth);\r\n}\r\n \r\n-(void)patchedShowAbout:(id)sender\r\n{\r\n // We first call the original method to display the original About Box\r\n sOriginalImp(self, @selector(showAbout:), self);\r\nhttps://blog.timac.org/2012/1218-simple-code-injection-using-dyld_insert_libraries/\r\nPage 3 of 5\n\n// Run our custom code which simply display an alert\r\n NSAlert *alert = [NSAlert alertWithMessageText:@\"Code has been injected!\" defaultButton:@\"OK\" alternateButto\r\n [alert runModal];\r\n}\r\n \r\n@end\r\nIt is possible to manually build this dynamic library by running in the Terminal:\r\ngcc -framework AppKit -framework Foundation -o CalculatorOverrides.dylib -dynamiclib ACCalculatorOverrides.m\r\nand manually injecting it into Calculator.app by running in the Terminal:\r\nDYLD_INSERT_LIBRARIES=/PATH_TO/CalculatorOverrides.dylib /Applications/Calculator.app/Contents/MacOS/Calculator\r\nBut to make it simpler to use, let’s write a launcher. The launcher will be a background-only application\r\n(LSUIElement set to YES) that will execute the previously mentioned command line and then quit itself. Here is\r\nthe code of the launcher:\r\n#import \"AppDelegate.h\"\r\n \r\n@implementation AppDelegate\r\n \r\n- (void)dealloc\r\n{\r\n [super dealloc];\r\n}\r\n \r\n-(void)bringToFrontApplicationWithBundleIdentifier:(NSString*)inBundleIdentifier\r\n{\r\n // Try to bring the application to front\r\n NSArray* appsArray = [NSRunningApplication runningApplicationsWithBundleIdentifier:inBundleIdentifier];\r\n if([appsArray count] \u003e 0)\r\n {\r\n [[appsArray objectAtIndex:0] activateWithOptions:NSApplicationActivateIgnoringOtherApps];\r\n }\r\n \r\n // Quit ourself\r\n [[NSApplication sharedApplication] terminate:self];\r\n}\r\n \r\n-(void)launchApplicationWithPath:(NSString*)inPath andBundleIdentifier:(NSString*)inBundleIdentifier\r\n{\r\n if(inPath != nil)\r\nhttps://blog.timac.org/2012/1218-simple-code-injection-using-dyld_insert_libraries/\r\nPage 4 of 5\n\n{\r\n // Run Calculator.app and inject our dynamic library\r\n NSString *dyldLibrary = [[NSBundle bundleForClass:[self class]] pathForResource:@\"CalculatorOverrides\" o\r\n NSString *launcherString = [NSString stringWithFormat:@\"DYLD_INSERT_LIBRARIES=\\\"%@\\\" \\\"%@\\\" \u0026\", dyldLibr\r\n system([launcherString UTF8String]);\r\n \r\n // Bring it to front after a delay\r\n [self performSelector:@selector(bringToFrontApplicationWithBundleIdentifier:) withObject:inBundleIdentif\r\n }\r\n}\r\n \r\n- (void)applicationDidFinishLaunching:(NSNotification *)aNotification\r\n{\r\n NSString *calculatorPath = @\"/Applications/Calculator.app/Contents/MacOS/Calculator\";\r\n if([[NSFileManager defaultManager] fileExistsAtPath:calculatorPath])\r\n [self launchApplicationWithPath:calculatorPath andBundleIdentifier:@\"com.apple.calculator\"];\r\n}\r\n \r\n@end\r\nDownload: You can download here the compiled Calculator Launcher. If you launch it, it will launch the\r\nCalculator.app and inject the code to display an alert when you display the About Box of Calculator.app. If you are\r\ninterested by the source code, the full sources are available here.\r\nSource: https://blog.timac.org/2012/1218-simple-code-injection-using-dyld_insert_libraries/\r\nhttps://blog.timac.org/2012/1218-simple-code-injection-using-dyld_insert_libraries/\r\nPage 5 of 5",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://blog.timac.org/2012/1218-simple-code-injection-using-dyld_insert_libraries/"
	],
	"report_names": [
		"1218-simple-code-injection-using-dyld_insert_libraries"
	],
	"threat_actors": [],
	"ts_created_at": 1775434075,
	"ts_updated_at": 1775791236,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f95fdf7f2592ebd8ed22c4965a56c9ae6d4297e1.pdf",
		"text": "https://archive.orkl.eu/f95fdf7f2592ebd8ed22c4965a56c9ae6d4297e1.txt",
		"img": "https://archive.orkl.eu/f95fdf7f2592ebd8ed22c4965a56c9ae6d4297e1.jpg"
	}
}