Dylib Injection Repack <OFFICIAL · 2026>

Monitoring access to low-level kernel calls like task_for_pid() exposes unauthorized processes attempting to manipulate running memory segments. (Process Injection, Technique T1055, MITRE ATT&CK®)

If an attacker identifies an empty rpath entry, or a directory they have write access to, that appears early in the LC_RPATH list, they can drop a malicious dylib using the exact filename the application expects. When the binary launches, dyld resolves the attacker's file instead of the genuine library.

3. Runtime Mach Task Injection

These instructions are encoded within load commands such as:

The injector calls task_for_pid() to get a Mach task port for the target running application.

This will create a my_dylib.dylib file in the current directory.

Detecting dylib injection requires looking at both static files and live system telemetry.

1. Static and Binary Analysis

Furthermore, the ubiquity of code signing acts as a powerful deterrent. Since macOS 10.15 (Catalina), running unsigned or improperly signed code has become difficult. Hardened Runtime, an extension of code signing, specifically prevents the loading of libraries that are not signed by the same developer team as the main executable or that lack a valid notarization ticket. If an application attempts to load such a foreign library, the operating system kills the process.
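The LC_RPATH weakness described earlier can be checked statically. The following is an added example, not code from the original page: it builds a minimal 64-bit Mach-O in memory (a constructed sample, only an LC_RPATH list after the header), parses the load commands back out, and flags search paths an unprivileged user could satisfy. The header layout and the LC_RPATH value follow <mach-o/loader.h>; the function and variable names are this example's own.

```python
import os
import struct

# Constants from <mach-o/loader.h>
MH_MAGIC_64 = 0xFEEDFACF
LC_RPATH = 0x8000001C
HEADER_FMT = "<8I"  # magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags, reserved
HEADER_SIZE = struct.calcsize(HEADER_FMT)  # 32 bytes

def rpath_command(path: str) -> bytes:
    """Encode one LC_RPATH load command: cmd, cmdsize, string offset, padded path."""
    body = path.encode() + b"\0"
    size = 12 + len(body)
    size += (-size) % 8  # load commands are 8-byte aligned
    return struct.pack("<III", LC_RPATH, size, 12) + body.ljust(size - 12, b"\0")

def build_minimal_macho(rpaths) -> bytes:
    """Constructed sample: a 64-bit Mach-O header followed only by LC_RPATH commands."""
    cmds = b"".join(rpath_command(p) for p in rpaths)
    header = struct.pack(HEADER_FMT, MH_MAGIC_64, 0, 0, 0, len(rpaths), len(cmds), 0, 0)
    return header + cmds

def parse_rpaths(blob: bytes):
    """Walk the load commands and return the LC_RPATH search paths in order."""
    magic, _, _, _, ncmds, _, _, _ = struct.unpack_from(HEADER_FMT, blob, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O")
    off, paths = HEADER_SIZE, []
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", blob, off)
        if cmd == LC_RPATH:
            (stroff,) = struct.unpack_from("<I", blob, off + 8)
            raw = blob[off + stroff:off + cmdsize]
            paths.append(raw.split(b"\0", 1)[0].decode())
        off += cmdsize
    return paths

def audit_rpaths(rpaths, writable=lambda d: os.access(d, os.W_OK)):
    """Flag rpath entries an unprivileged user could satisfy; writable() is injectable."""
    findings = []
    for i, p in enumerate(rpaths):
        if p == "":
            findings.append((i, p, "empty rpath resolves relative to the working directory"))
        elif p.startswith("@"):
            continue  # @executable_path / @loader_path are anchored to the binary itself
        elif not os.path.isabs(p):
            findings.append((i, p, "relative rpath resolves relative to the working directory"))
        else:
            anchor = p
            while not os.path.exists(anchor):
                anchor = os.path.dirname(anchor)  # closest existing ancestor decides
            if writable(anchor):
                findings.append((i, p, f"writable by current user via {anchor}"))
    return findings
```

Against a real binary, read the file into `blob` and call `parse_rpaths` followed by `audit_rpaths`; an early entry with a finding is the condition the paragraph above describes.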

When this variable contains a path to a dylib, dyld forces that library to load into the memory space of any spawned process before its main entry point executes.

```c
#include <stdio.h>

/* Exported symbol of the sample library; prints when called by the host process. */
void my_dylib_function(void) {
    printf("Hello from my dylib!\n");
}
```
