A hands-on walkthrough of macOS process code injection using Mach APIs. Covers obtaining a target's task port with task_for_pid() (which only succeeds against processes the caller is permitted to debug), suspending and resuming the task, reading and writing its memory with vm_read_overwrite() and vm_write(), allocating executable memory in it with vm_allocate(), and patching functions at runtime with a trampoline technique on both x86_64 and ARM64. The -fpatchable-function-entry compiler flag is used to emit a NOP sled at each function's entry point, so that the 16-byte (four-instruction) ARM64 trampoline can be written over the sled without destroying real instructions. Full source code is provided on GitHub.
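The following is an added example, not code from the original post or its GitHub repository: it builds the two entry-hook trampolines an injector would hand to vm_write() and checks that the NOP sled left by -fpatchable-function-entry is long enough to hold them before patching. The post does not name its exact instruction sequences, so the choices here are the editor's assumptions: `ldr x16, #8; br x16; .quad target` (16 bytes) for ARM64, and `jmp qword ptr [rip+0]; .quad target` (14 bytes) for x86_64. Function names (`build_trampoline_*`, `nop_sled_len_*`, `patch_entry`) and the sample function prologue are likewise constructed for illustration.

```c
/* Added example (editor's code, not the post's). Assumed trampolines:
 *   ARM64 : ldr x16, #8 ; br x16 ; .quad target   (16 bytes, 4 words)
 *   x86_64: jmp qword ptr [rip+0] ; .quad target  (14 bytes)
 * The sled sizes correspond to -fpatchable-function-entry=4 on ARM64
 * (four 4-byte NOPs) and =14 on x86_64 (fourteen 1-byte NOPs). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TRAMP_ARM64_LEN  16
#define TRAMP_X86_64_LEN 14

static const uint32_t ARM64_NOP = 0xD503201Fu; /* nop */
static const uint8_t  X86_NOP   = 0x90;        /* one-byte nop */

static void put_le32(uint8_t *p, uint32_t v) {
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
}
static void put_le64(uint8_t *p, uint64_t v) {
    for (int i = 0; i < 8; i++) p[i] = (uint8_t)(v >> (8 * i));
}
static uint32_t get_le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* ldr x16, #8 loads the 64-bit literal stored 8 bytes past the ldr itself;
 * br x16 jumps to it. x16 (IP0) is an intra-procedure-call scratch register,
 * so clobbering it at function entry is ABI-safe. */
size_t build_trampoline_arm64(uint8_t out[TRAMP_ARM64_LEN], uint64_t target) {
    put_le32(out + 0, 0x58000050u); /* ldr x16, #8  (imm19 = 2 words, Rt = 16) */
    put_le32(out + 4, 0xD61F0200u); /* br  x16      (Rn = 16) */
    put_le64(out + 8, target);      /* literal read by the ldr */
    return TRAMP_ARM64_LEN;
}

/* FF 25 <disp32 = 0> is jmp [rip+0]: RIP already points past the 6-byte
 * instruction, so the 8-byte target immediately following it is loaded. */
size_t build_trampoline_x86_64(uint8_t out[TRAMP_X86_64_LEN], uint64_t target) {
    out[0] = 0xFF; out[1] = 0x25;
    put_le32(out + 2, 0);
    put_le64(out + 6, target);
    return TRAMP_X86_64_LEN;
}

/* Number of leading NOP bytes at a function entry (the patchable sled). */
size_t nop_sled_len_arm64(const uint8_t *code, size_t len) {
    size_t n = 0;
    while (n + 4 <= len && get_le32(code + n) == ARM64_NOP) n += 4;
    return n;
}
size_t nop_sled_len_x86_64(const uint8_t *code, size_t len) {
    size_t n = 0; /* assumes single-byte NOPs; multi-byte forms need a disassembler */
    while (n < len && code[n] == X86_NOP) n++;
    return n;
}

/* Overwrite the entry of a local copy of the function's code with a
 * trampoline to `target`, but only if the sled covers the whole trampoline.
 * Returns 0 on success, -1 if the patch was refused. In the injector the
 * patched buffer is what vm_write() pushes into the target task. */
int patch_entry(uint8_t *code, size_t len, uint64_t target, int arm64) {
    uint8_t tramp[TRAMP_ARM64_LEN];
    size_t need = arm64 ? build_trampoline_arm64(tramp, target)
                        : build_trampoline_x86_64(tramp, target);
    size_t have = arm64 ? nop_sled_len_arm64(code, len)
                        : nop_sled_len_x86_64(code, len);
    if (have < need) return -1;
    memcpy(code, tramp, need);
    return 0;
}

int main(void) {
    /* Constructed sample: what -fpatchable-function-entry=4 leaves at the top
     * of an ARM64 function: four NOPs, then the real first instruction. */
    uint8_t fn[20];
    for (int i = 0; i < 4; i++) put_le32(fn + 4 * i, ARM64_NOP);
    put_le32(fn + 16, 0xA9BF7BFDu); /* stp x29, x30, [sp, #-16]! */
    int rc = patch_entry(fn, sizeof fn, 0x100003F00ull, 1);
    printf("arm64 patch: %s\n", rc == 0 ? "ok" : "refused");
    for (size_t i = 0; i < sizeof fn; i++)
        printf("%02x%s", fn[i], i % 4 == 3 ? " " : "");
    printf("\n");
    return 0;
}
```

The refusal path is the check worth keeping: if the sled is shorter than the trampoline (for instance a function compiled without the flag), the patch would overwrite live instructions and the hooked function would crash on its first call, so the injector should bail out rather than write.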