[flagged]
CharlesW 18 days ago



I enjoyed the content, but parts have a certain ChatGPT je ne sais quoi to them that I find very distracting. The bias toward wordy phrases (“to mitigate performance concerns”), the five-paragraph-essay stock transitions (“In conclusion”), the variable use of “Mac OS X” and “macOS”… it’s distinctive. The post was clearly at least outlined by a human - was it too hard to write the prose by hand?

(Also, some things were just wrong. Like, “the transmission of system information immediately after connection establishment” is a clear sign of malware? No, every single telemetry / error reporting tool does that.)


As someone with a good understanding of the technologies involved I came away rather confused by the article. There are a few things that are obviously incorrect, and others that don't make much sense. Some of them could perhaps be explained if the author is doing their work on an outdated version of macOS, but I'd expect that to have been mentioned explicitly in the introduction to the article.

Entitlements aren't stored in Info.plist. They're embedded in a binary's code signature.

It demonstrates code injection via Mach APIs starting with `task_for_pid` when `task_for_pid` is only usable by root or by a process signed with specific entitlements.

VeraCrypt does use the hardened runtime and so the `DYLD_INSERT_LIBRARIES` example cannot work with it.

It gives an example of using `emond` for persistence, but that was removed from macOS several releases ago.


The emond section is plagiarized from this blog post: https://www.xorrior.com/emond-persistence/


Some people have a difficult time writing. Simply examine any developer documentation or code samples ;-)


I wonder if there are uncensored "unaligned" open source local LLMs that can discover zero days


I know that XBOW is working on offensive security using LLMs [1]. Backed by Sequoia Capital.

[1] https://xbow.com/



