Snake&Apple IV — Dylibs
Automating Dylib Hijacking detection with Python.
INTRO
Welcome to another article in the series on macOS security internals!
In Snake&Apple I — Mach-O, I briefly introduced Load Commands, which supply the dynamic loader (dyld) with information about the dynamic libraries (dylibs) an executable depends on, but gave no further explanation. This article goes deep into the concept of libraries and explains the Dylib Hijacking vulnerability.
Toward the end, I will share my implementation of a Dylibtree tool and an automatic Dylib Hijacking scanner; an example of its output appears below:
Please note that some topics have been intentionally omitted and will be addressed in future articles. However, if you have any questions or need clarification about anything written here, leave a comment while reading. I guarantee a response and will use your feedback for future articles.
The Snake&Apple IV. Dylibs repository contains all of the code used.