If I am debugging a Mach-O binary using lldb, what data structures in memory can I examine to determine if any methods have been swizzled? Any steps I can follow?
Also, is there a way to determine programmatically if any methods have been swizzled?
Since you mention lldb, you can set symbolic breakpoints on:
b method_exchangeImplementations
b method_setImplementation
b class_replaceMethod
When you hit a breakpoint for:
method_exchangeImplementations(Method _Nonnull m1, Method _Nonnull m2)
you can inspect the m1 and m2 args' selector names like this:
po (SEL)method_getName($arg1)
po (SEL)method_getName($arg2)
For method_setImplementation(Method _Nonnull m, IMP _Nonnull imp):
po (SEL)method_getName($arg1)
For class_replaceMethod(Class cls, SEL name, IMP imp, const char *types):
po $arg1
po (SEL)$arg2
Those Method values will likely be yielded through previous calls to:
class_getInstanceMethod(Class _Nullable cls, SEL _Nonnull name)
class_getClassMethod(Class _Nullable cls, SEL _Nonnull name)
so after:
b class_getInstanceMethod
b class_getClassMethod
and hitting respective breakpoints, to inspect class:
po $arg1
to inspect selector:
po (SEL)$arg2
The best place to set up those symbolic breakpoints would be here:
// Runs when the image is loaded, before main().
__attribute__((constructor))
static void premain() {
    int i = 0;
    i++; // put an Xcode breakpoint here and, when hit, prep your lldb symbolic bps
}
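
For the second part of the question (detecting swizzling programmatically), one approach is to compare the image that holds each method's IMP with the image that defines the class. This is an added example, not part of the answer above; `SwizzleSuspects` is a hypothetical helper name, and the check is a heuristic: categories loaded from other images are reported too, and a swizzle between two methods in the same image is not.

```objc
// Build (assumed): clang -fobjc-arc -framework Foundation suspects.m
#import <Foundation/Foundation.h>
#import <objc/runtime.h>
#import <dlfcn.h>
#import <string.h>

// Hypothetical helper: one line per method of `cls` whose implementation
// does not live in the image that defines `cls`.
// meta == YES walks the metaclass, i.e. the class methods.
static NSArray<NSString *> *SwizzleSuspects(Class cls, BOOL meta) {
    NSMutableArray<NSString *> *out = [NSMutableArray array];
    const char *home = class_getImageName(cls);  // image that defines cls
    if (home == NULL) return out;                // runtime-created class: no baseline
    Class target = meta ? object_getClass(cls) : cls;
    char kind = meta ? '+' : '-';
    unsigned int count = 0;
    Method *list = class_copyMethodList(target, &count);
    for (unsigned int i = 0; i < count; i++) {
        const char *sel = sel_getName(method_getName(list[i]));
        IMP imp = method_getImplementation(list[i]);
        Dl_info info;
        if (dladdr((const void *)imp, &info) == 0 || info.dli_fname == NULL) {
            // The IMP is not backed by any loaded image.
            [out addObject:[NSString stringWithFormat:@"%c[%s %s] -> %p (no image)",
                            kind, class_getName(cls), sel, (void *)imp]];
        } else if (strcmp(info.dli_fname, home) != 0) {
            // The IMP comes from another image: a swizzle or a category.
            [out addObject:[NSString stringWithFormat:@"%c[%s %s] -> %s",
                            kind, class_getName(cls), sel, info.dli_fname]];
        }
    }
    free(list);
    return out;
}

int main(void) {
    @autoreleasepool {
        // NSString is only a sample target; system classes gain methods from
        // categories in other frameworks, so baseline those lines first.
        for (NSString *line in SwizzleSuspects([NSString class], NO)) {
            NSLog(@"%@", line);
        }
    }
    return 0;
}
```

Run it once on a known-clean process to record the benign category entries, then diff later runs against that baseline.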