![]() I could only find one binary on my system that actually used this API: RemoteInjectionAgent within the Xcode amework. It calls into the internal _pthread_create implementation passing in true to the from_mach_thread argument. ![]() This function has existed since macOS 10.12 so it should work on 10.12 and up. I ended up coming across the pthread_create_from_mach_thread function. I decided to continue reviewing the pthread source code to look for another function that could help bootstrap a bare Mach thread into a properly set up pthread. In fact _pthread_set_self_internal will crash if null is passed in because it expects the argument to be there. The internal implementation was split into a dyld specific one not accessible in the user space libpthread library and the other internal one which expects a valid thread to be passed in. PTHREAD_NOINLINE void _pthread_set_self ( pthread_t p ) ![]() Prior to macOS 10.14, the _pthread_set_self code did the following: I wanted to get a working version of this example on 10.14 and up so I decided to look into some of the pthread code. This approach works well up to macOS 10.14 where some of the pthread internal code changed. In order to handle this, the inject.c example above, attempts to first call _pthread_set_self in the injected code in order to get the thread to a working state. ![]() Unfortunately some internal parts of macOS expect every thread to have been properly created from the BSD APIs and to have all Mach thread structures as well as pthread structures set up properly. One is the Mach APIs and the other is the pthread APIs. Since macOS has a dual personality, with low level Mach APIs as well as BSD APIs, there exists two sets of APIs for working with threads. This example makes use of the Mach thread_create_running API. Luckily, Jonathan Levin, author of the great MacOS and iOS Internals collection of books has a great example on his website. If you try searching for the same thing on macOS you’ll find a lot less resources. With APIs like CreateRemoteThread the entire process is fairly straight forward and doesn’t take much code. If you look up code injection techniques on Windows, thread injection is one of the most common. This can also prevent the injection of dylibs using this technique.īelow are a few examples of how DYLD_INSERT_LIBRARIES works on macOS: As of macOS 10.14 third party developers can also opt in to a hardened runtime for their application. Since the addition of SIP in macOS 10.12 this technique can no longer be used on Apple platform binaries. This would allow the injected dylib to also gain those additional privileges. In older versions of macOS this could be used to inject a dylib into an Apple platform application with higher privileges. By setting the DYLD_INSERT_LIBRARIES environment variable to a dylib of their choice and then starting an application an attacker can get the dylib code running inside of the started process. This is one of the most well known and common techniques for code injection on macOS. This article covers common process injection techniques that apply to macOS. In some cases it seemed like the information wasn’t even accurate for macOS. The macOS and Linux sections for process injection were lumped together and not very detailed. For those that are not aware of what the MITRE ATT&CK™ knowledge base is, it’s a group of documents and definitions that cover common adversary tactics and techniques. ![]() I was recently reviewing the MITRE ATT&CK™ knowledge base and came across the page on process injection techniques for privilege escalation. ![]()
0 Comments
Leave a Reply. |