Mac OS : is there any way to sniff system open call without kernel

Question

I've to open a file from any location in Mac OS and I want to do some operation before it opens in any relative application. Is there any way to sniff the system open call and hold it for while and do some operation.

For an example, I'm opening test.doc file, which will open in msword application or can choose any other application by right click and open with. I want to hold for a while and want to perform some operation before launching this ms word application or any relative application(system open call) on my text.doc file.

Is there any way in programming language for Mac OS (C/C++/ObjectiveC/Swift) without going to kernel.

Any help will be highly appreciated.

Answer 1

Even with a kernel extension, hooking syscalls is no longer viable due to various protections in the kernel, such as KASLR. With Mojave, code injection will no longer be viable due to SIP. The only supported method to do what's being asked is to use the Kernel Authorisation (KAuth) framework.

Answer 2

As far as I'm aware totally intercepting/hooking the syscall can only be done in a kext.

If it's for a specific application, and this application supports dynamically loaded plugins, you could write a plugin that hooks the syscall.

You can in principle inject code into the process and hook the open() syscall for that process even if the application does not support plugins. (e.g. using mach_inject) The downside of this is that if e.g. the user double-clicks a file in the Finder, and this launches the application and immediately opens the file, there is only a very small window of time in which you could inject the code. I don't think there's a way you can do this reliably with only user space code.