Sandbox Detector
Building an Apple Sandbox Detector on macOS in C
INTRO
In the article about various binary protections on macOS, we learned how to identify sandboxing through app entitlements using codesign:
However, that method assumes everything worked as expected at launch, and it is only a static check of the binary. In this post, we will learn how to confirm at runtime that the app we launched is actually running inside the sandbox, given only its Process ID (PID).
To do that, we will scratch the surface of the Sandbox userland APIs exposed by libsystem_sandbox.dylib, which are undocumented.
There will also be an example of using the low-level BSD sysctl interface to query the kernel for process information, and of how to build a C program from undocumented, decompiled code. Enjoy reading!
Detecting Sandbox
We learned how to detect whether App Sandbox is in use from the com.apple.security.app-sandbox entitlement in Snake&Apple III — Checksec: