---
title: "Prevent In-Memory Code Execution | Security Cookbook"
description: "Block dyld from loading code via NSCreateObjectFileImageFromMemory temp files, raising the bar for in-memory execution and reflective loaders."
doc_version: "1"
last_updated: "2026-05-22"
canonical: "https://northpole.security/cookbook/prevent-in-memory-execution"
---

### Idea

Executing new code from memory rather than from disk has been part of a stealthy attacker's playbook for decades. A few years ago, Apple changed the macOS dynamic loader (dyld) to disable in-memory code loading and always write a temporary file to disk instead. These files match the pattern NSCreateObjectFileImageFromMemory-\*, so we can again use Workshop and Santa's FAA rules to prevent this attack while still allowing the legitimate applications that require it.

### Solutions

File Access

Block In-Memory Code Loading

Prevent creation of in-memory dyld temp files

Paths

-   /private/var/folders/\*/NSCreateObjectFileImageFromMemory-\*

Policy

BLOCKLIST

Custom Message

In-memory code execution is not allowed

### Mitre Attack

Tactics

[Stealth](https://attack.mitre.org/tactics/TA0005/)

Techniques

[T1620: Reflective Code Loading](https://attack.mitre.org/techniques/T1620/)

### Tags

code-injection, dyld

### Deployment Notes

This is not a silver bullet, however. There are still some ways to circumvent this file creation and load payloads in memory, such as writing your own reflective loader or recompiling old versions of dyld. We still think this has value, as blocking the basic technique raises the complexity of an attack, and only an extremely small number of applications use this technique legitimately.

### False Positive Guidance

Very few legitimate applications use in-memory code loading. If you encounter false positives, add exceptions for specific applications by their signing ID.
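
To find exception candidates before enforcing the rule, the following added example (not part of the original recipe or of Workshop or Santa) walks a directory and lists Mach-O files whose bytes contain the API name. It is a heuristic: a match means the binary references the API, not that it calls it, and the default root `/Applications` is an assumption.

```python
#!/usr/bin/env python3
"""Added example: list Mach-O files that mention NSCreateObjectFileImageFromMemory."""
import mmap
import os
import sys

# Mach-O magic numbers as they appear in the first four bytes on disk:
# thin 32/64-bit (both byte orders) and fat/universal 32/64-bit headers.
MACHO_MAGICS = {
    bytes.fromhex("feedface"), bytes.fromhex("cefaedfe"),
    bytes.fromhex("feedfacf"), bytes.fromhex("cffaedfe"),
    bytes.fromhex("cafebabe"), bytes.fromhex("cafebabf"),
}
# Matches both the imported symbol (_NSCreate...) and a name passed to dlsym().
API_NAME = b"NSCreateObjectFileImageFromMemory"


def references_api(path):
    """Return True if `path` is a Mach-O file whose bytes contain API_NAME."""
    try:
        with open(path, "rb") as fh:
            if fh.read(4) not in MACHO_MAGICS:
                return False
            with mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as image:
                return image.find(API_NAME) != -1
    except (OSError, ValueError):  # unreadable, vanished, or unmappable file
        return False


def scan(root):
    """Walk `root` and return the sorted paths of Mach-O files that reference the API."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            # Skip symlinks so framework "Versions/Current" aliases are not double-counted.
            if not os.path.islink(full) and os.path.isfile(full) and references_api(full):
                hits.append(full)
    return sorted(hits)


if __name__ == "__main__":
    for hit in scan(sys.argv[1] if len(sys.argv) > 1 else "/Applications"):
        print(hit)
```

For each hit, `codesign -dv` on the containing application prints the identifier to use when writing a signing ID exception.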

### Resources

- [BlackHat 2009: Let Your Mach-O Fly](https://blackhat.com/presentations/bh-dc-09/Iozzo/BlackHat-DC-09-Iozzo-let-your-mach0-fly-whitepaper.pdf)
- [YouTube: Recompiling dyld](https://www.youtube.com/watch?v=2Tvo8YpVaek)

