Viewing macOS system libraries in Ghidra

Submitted by Style Pass, 2024-10-25 01:00:04

I recently cracked open a copy of *OS Internals Volume 1 and wanted to follow along with some of the system library examples shown in the book. I’m a huge fan of Ghidra for my reverse engineering, so I fired it up, created a new project, and navigated to /usr/lib to find… no libSystem.B.dylib present. “How annoying,” I thought to myself, “they must have moved the system libraries since the book came out.” The book was published in 2019, and macOS has a storied history of moving things around, so this felt like the most reasonable explanation. Striving to be the self-sufficient reverse engineer, I ran the following otool command to find the system library:

[4] This term is slightly off. Historically this was actually a cache that the system would build from its working set of libraries and frameworks. On macOS 11 this is no longer a cache because the original files are no longer present on the system. Rather, this shared cache is authored by Apple and distributed in toto via the software update mechanism.

New in macOS Big Sur 11 beta, the system ships with a built-in dynamic linker cache of all system-provided libraries. As part of this change, copies of dynamic libraries are no longer present on the filesystem. Code that attempts to check for dynamic library presence by looking for a file at a path or enumerating a directory will fail. Instead, check for library presence by attempting to dlopen() the path, which will correctly check for the library in the cache.
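A small probe written along the lines of Apple's advice, added here as an example (not the post's own code): it classifies a library by whether dlopen() succeeds (via ctypes.CDLL, which wraps dlopen) rather than by whether a file exists. Only /usr/lib/libSystem.B.dylib comes from the post; the other paths are constructed.

```python
"""Classify a library by loadability, not by filesystem presence."""
import ctypes
import ctypes.util
import os

# Status values returned by library_status()
ON_DISK = "file present and loadable"
LOADABLE_NO_FILE = "loadable, but no file at that path"
ABSENT = "not loadable"


def library_status(path):
    """Trust dlopen(), not stat(): on macOS 11+ a full /usr/lib path can load
    from the dyld shared cache even though no file exists on disk.
    A bare soname such as 'libc.so.6' also resolves via the loader's search
    path without a file at that literal path, so it lands in the same bucket."""
    on_disk = os.path.isfile(path)
    try:
        ctypes.CDLL(path)      # ctypes.CDLL calls dlopen() under the hood
        loadable = True
    except OSError:
        loadable = False
    if loadable and on_disk:
        return ON_DISK
    if loadable:
        return LOADABLE_NO_FILE
    return ABSENT


def probe_all(paths):
    """Return {path: status} for every path given."""
    return {p: library_status(p) for p in paths}


def c_library_status():
    """Status of this platform's C library (None if ctypes cannot name it)."""
    name = ctypes.util.find_library("c")
    return library_status(name) if name else None


if __name__ == "__main__":
    # Constructed sample: the post's library, a made-up one, and this host's libc.
    sample = ["/usr/lib/libSystem.B.dylib", "/usr/lib/libConstructedExample.dylib"]
    for path, status in probe_all(sample).items():
        print(f"{path}: {status}")
    print(f"C library: {c_library_status()}")
```

On macOS 11 or later the first path reports "loadable, but no file at that path", which is exactly the shared-cache situation the note describes.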
