
I've written a utility that modifies system behavior by injecting compiled code (in the form of a dylib) into the Dock using the old mach_inject method. However, mach_inject hasn't been updated in several years now and doesn't work on Apple Silicon Macs.

Is there another method I can use to inject and execute code from a dylib into arm64e processes? mach_inject creates a thread in the target process and executes the payload in that thread, so I'd need it to do something similar.

I've been pointed to Frida as a possible alternative, but it seems to be catered towards interacting with a target process through a JavaScript runtime, rather than injecting already compiled code into a process. I haven't been able to figure out if it can do what I need.

Bri Bri

1 Answer


Frida has a component called Frida-core which includes a C API for injecting code into processes. An example demonstrating its use can be found here: frida-core-example-unix.c.

It can be used to inject dylibs using JavaScript like the following:

// RTLD_NOW from <dlfcn.h>: resolve all symbols at load time
var RTLD_NOW = 0x02;
// Bind the target process's own dlopen(const char *path, int mode) as a callable
var _dlopen = new NativeFunction(Module.findExportByName(null, "dlopen"), 'pointer', ['pointer', 'int']);
// Copy the dylib path into the target process as a NUL-terminated C string
var path = Memory.allocUtf8String("/path/to/dylib");
// Load the dylib inside the target process; a NULL result means dlopen failed
_dlopen(path, RTLD_NOW);

Unfortunately it is a very heavyweight library and causes the resultant binaries to be around 50 MB in size, 100 MB for a universal binary, but so far it's the only one I've found that works!

Bri Bri
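The snippet in the answer ignores dlopen's return value, so a load that fails (wrong path, wrong architecture, a library the loader refuses) goes unnoticed. The following Frida agent script is an added example, not code from the original post or from the Frida project: it wraps the same dlopen call, reads dlerror() when the result is NULL, and confirms afterwards that the module appears in the process's module list. The Frida objects (Module, Memory, NativeFunction, Process) are passed in through an `rt` parameter so the logic can also be exercised outside Frida with stand-ins; "/path/to/dylib" is a placeholder, and the use of Module.findGlobalExportByName (newer Frida releases) falls back to the Module.findExportByName(null, …) form the answer uses.

```javascript
// Added example (not from the original post): load a dylib with dlopen() through
// Frida, surface dlerror() on failure, and verify the module is actually present.

var RTLD_NOW = 0x02; // same dlopen flag the answer uses (resolve symbols now)

// Resolve a libSystem export address. Newer Frida versions expose
// Module.findGlobalExportByName; older ones take null as the module name.
function resolveExport(rt, name) {
  var Mod = rt.Module;
  var addr = (typeof Mod.findGlobalExportByName === 'function')
    ? Mod.findGlobalExportByName(name)
    : Mod.findExportByName(null, name);
  if (addr === null) throw new Error('export not found: ' + name);
  return addr;
}

// Load `path` into the attached process.
// Returns { ok: true, handle } on success or { ok: false, error } with dlerror() text.
function loadDylib(rt, path) {
  var dlopen = new rt.NativeFunction(resolveExport(rt, 'dlopen'), 'pointer', ['pointer', 'int']);
  var dlerror = new rt.NativeFunction(resolveExport(rt, 'dlerror'), 'pointer', []);
  var cPath = rt.Memory.allocUtf8String(path); // NUL-terminated copy in the target
  var handle = dlopen(cPath, RTLD_NOW);
  if (handle.isNull()) {
    var msg = dlerror(); // char * describing the failure, or NULL
    return {
      ok: false,
      error: msg.isNull() ? 'dlopen failed (no dlerror text)' : msg.readUtf8String()
    };
  }
  return { ok: true, handle: handle };
}

// Confirm the library now shows up in the process's loaded-module list by path.
function isLoaded(rt, path) {
  return rt.Process.enumerateModules().some(function (m) { return m.path === path; });
}

// Only run for real when executing inside Frida's JavaScript runtime.
if (typeof Process !== 'undefined' && typeof NativeFunction !== 'undefined') {
  var frida = { Module: Module, Memory: Memory, NativeFunction: NativeFunction, Process: Process };
  var target = '/path/to/dylib'; // placeholder path
  var result = loadDylib(frida, target);
  console.log(result.ok
    ? 'loaded; present in module list: ' + isLoaded(frida, target)
    : 'dlopen failed: ' + result.error);
}
```

Checking dlerror() is the part worth keeping: on arm64e the loader rejects libraries for reasons (architecture, signing) that only show up in that string, and without it the script reports nothing while the target stays unmodified.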