When a user launches an application, the kernel loads the executable into memory and points it to the dynamic linker, known as dyld . It is the job of dyld to parse the Mach-O load commands, resolve dependencies, map all needed dynamic libraries into the process's memory space, and perform symbol binding so functions can execute cleanly. Because dyld heavily relies on environment variables and path configurations to discover these libraries, it exposes a broad attack surface for code injection. Core Mechanisms of Dylib Injection
```bash
DYLIB injection is a powerful technique for macOS development, allowing you to modify or extend the behavior of running processes. By following the steps outlined in this post, you can create and inject a dylib into a running process on macOS. dylib injection
When this variable contains a path to a dylib, dyld forces that library to load into the memory space of any spawned process before its main entry point executes.
clang -shared -o url_logger.dylib -fPIC url_logger.c -framework WebKit DYLD_INSERT_LIBRARIES=url_logger.dylib Safari When a user launches an application, the kernel
DYLD_INSERT_LIBRARIES=/path/to/malicious.dylib /Applications/TargetApp.app/Contents/MacOS/TargetApp Use code with caution.
LC_RPATH : Defines runtime search paths where the application will seek out relative dynamic libraries. The Dynamic Linker (dyld) Core Mechanisms of Dylib Injection ```bash DYLIB injection
: The operating system will refuse to load any dynamic library unless it is signed by either Apple or the exact same Team ID as the host binary. This cleanly breaks basic dylib hijacking and environment variable injection attacks, as a malicious dylib signed by an outside entity will cause the process to instantly crash at launch.