For mobile users, only download apps from Google Play Store (the App Store is the iPhone’s only choice). Every time you download an app, check the ratings and reviews first. If it has a low rating and a low number of downloads, it is best to avoid that app. Do not download apps from third-party sources. By default, your Mac will send pings until you close the Network Utility window. You can set it to ping your selected address a specific number of times by doing the following: Check the 'Send only pings' box. Type the number of pings you want to use into the blank box. Check your Apple warranty status. Enter a serial number to review your eligibility for support and extended coverage.
I was recently reviewing the MITRE ATT&CK™ knowledge base and came across the page on process injection techniques for privilege escalation. For those that are not aware of what the MITRE ATT&CK™ knowledge base is, it’s a group of documents and definitions that cover common adversary tactics and techniques. The macOS and Linux sections for process injection were lumped together and not very detailed. In some cases it seemed like the information wasn’t even accurate for macOS. This article covers common process injection techniques that apply to macOS.
This is one of the most well known and common techniques for code injection on macOS. By setting the
DYLD_INSERT_LIBRARIES
environment variable to a dylib of their choice and then starting an application an attacker can get the dylib code running inside of the started process. In older versions of macOS this could be used to inject a dylib into an Apple platform application with higher privileges. This would allow the injected dylib to also gain those additional privileges. Since the addition of SIP in macOS 10.12 this technique can no longer be used on Apple platform binaries. As of macOS 10.14 third party developers can also opt in to a hardened runtime for their application. This can also prevent the injection of dylibs using this technique.Below are a few examples of how DYLD_INSERT_LIBRARIES works on macOS:
http://thomasfinch.me/blog/2015/07/24/Hooking-C-Functions-At-Runtime.html
https://blog.timac.org/2012/1218-simple-code-injection-using-dyld_insert_libraries/
https://blog.timac.org/2012/1218-simple-code-injection-using-dyld_insert_libraries/
If you look up code injection techniques on Windows, thread injection is one of the most common. With APIs like
CreateRemoteThread
the entire process is fairly straight forward and doesn’t take much code. If you try searching for the same thing on macOS you’ll find a lot less resources. Luckily, Jonathan Levin, author of the great MacOS and iOS Internals collection of books has a great example on his website.This example makes use of the Mach
thread_create_running
API. Since macOS has a dual personality, with low level Mach APIs as well as BSD APIs, there exists two sets of APIs for working with threads. One is the Mach APIs and the other is the pthread
APIs. Unfortunately some internal parts of macOS expect every thread to have been properly created from the BSD APIs and to have all Mach thread structures as well as pthread
structures set up properly. In order to handle this, the inject.c example above, attempts to first call _pthread_set_self
in the injected code in order to get the thread to a working state. Bittorrent mac app store.This approach works well up to macOS 10.14 where some of the
pthread
internal code changed. I wanted to get a working version of this example on 10.14 and up so I decided to look into some of the pthread
code. Prior to macOS 10.14, the _pthread_set_self
code did the following:This code allows us to pass
NULL
into the _pthread_set_self
call and in turn it will set up some of the internal pthread
structures based on the main thread of the application. This is ideal in the injection case because we’re starting from a bare Mach thread with no pthread
structures set up and no reference to any other thread. On macOS 10.14 and higher this code has changed and you can no longer pass NULL
into _pthread_set_self
The internal implementation was split into a dyld specific one not accessible in the user space
libpthread
library and the other internal one which expects a valid thread to be passed in. In fact _pthread_set_self_internal
will crash if null is passed in because it expects the argument to be there.I decided to continue reviewing the
pthread
source code to look for another function that could help bootstrap a bare Mach thread into a properly set up pthread
. I ended up coming across the pthread_create_from_mach_thread
function. This function has existed since macOS 10.12 so it should work on 10.12 and up. It calls into the internal _pthread_create
implementation passing in true
to the from_mach_thread
Mac app can t be opened unidentified developer. argument. I could only find one binary on my system that actually used this API: RemoteInjectionAgent
within the Xcode DVTInstrumentsFoundation.framework
.The idea is to inject a bare Mach thread as a bootstrap thread and then use the
pthread_create_from_mach_thread
to create a second fully configured, legitimate pthread
. Here’s the modified injectedCode
from Jonathan Levin’s example.You can download a full updated working example of this code from the link below:
There’s a couple notes on this technique. First it depends on being able to call
task_for_pid
to get the Mach task port of the victim process. You can only do this as root and just like dylib injection you can not use task_for_pid
on Apple platform binaries due to SIP on macOS 10.12 and higher. So while it’s still an interesting technique it’s not as useful for privilege escalation. This technique has been used in the past in iOS exploits in cases where another exploit has allowed a task port to be leaked over to an attacker process.Another possible techinque on macOS is thread hijacking. Instead of creating a thread in a remote process we instead retrieve an existing thread and coerce it into running what we want. Apple has continued to lock down
task_for_pid
as well as any Mach API that takes a task port in order to try to prevent the abuse of leaked task ports. Due to this, thread hijacking has becomes a more interesting technique. Brandon Azad has an amazing write up around this technique and I’m not going to attempt to cover it in great detail here. I highly recommend you go and read the following:I looked into this technique briefly and attempted to hijack a thread, run code and then put the thread back to its original state. It appears that what we can save with
thread_get_state
doesn’t really save all of the state and the thread often crashes. It’s good enough for other uses though if you’re just trying to execute code in the context of a privileged app but not good enough if you’re trying to take control of another process without notice. You can see my code example here:If you’re interested in this technique I highly recommend reading over the code to Brandon Azad’s threadexec library. It goes into great detail around this technique and goes along with his article above. Unfortunately it seems like he came to a similar conclusion as me in that trying to save and restore the thread state does not work that reliably.
If you read the ATT&CK page you might have been led to believe that on Linux and macOS the
ptrace
APIs could be used for code injection. That’s not actually the case on macOS. While the ptrace
syscall does exist on macOS it is not fully implemented. For instance none of the PTRACE_PEEKTEXT
, PTRACE_POKETEXT
, PTRACE_GETREGS
, PTRACE_SETREGS
calls exist.I think there could also exist other techniques that haven’t been explored yet. With
libdispatch
being one of the core libraries enabling applications to do work in parallel it seems like that might be an area that hasn’t fully been explored yet. My thought is that it might be possible to inject code into a remote process that is in the format of a valid dispatch block and then get that block submitted to a work queue. Alternatively it might be possible to locate a block queued up but not currently running and hijack the code that the block points too. I haven’t yet had time to dig into this more but I think it’s definitely an interesting area of research.Hopefully you can see that there are a wide variety of different techniques for code injection on macOS. My hope is that with more articles like this the knowledge will continue to spread. In my next article I plan on covering different ways that some of these techniques can be detected.
There are several ways to help identify your Mac. The simplest is About This Mac, available by choosing About This Mac from the Apple menu in the upper-left corner of your screen. The other is the System Information app. Learn how to use these tools to identify your Mac.
If you don't have your Mac or it doesn't start up, use one of these solutions instead:
- Find the serial number printed on the underside of your Mac, near the regulatory markings. On previous Mac Pro models, the serial number is printed on the computer's back panel, below the video ports. It's also on the original packaging, next to a barcode label. You can then enter that serial number on the Check Coverage page to find your model.
- The original packaging might also show an Apple part number, such as MLH12xx/A ('xx' is a variable that differs by country or region). You can match the Apple part number to one in the list below to find your model.
List of Mac Pro models
Mac How To Check If App Injectors
Amazon video app macos. Mac Pro models are organized by the year they were introduced, starting with the most recent. Click the model name for detailed technical specifications.
Mac Pro models introduced in 2013 and later can run the latest version of macOS. For models introduced before 2013, the latest compatible operating system is noted.
2019
Mac How To Check If App Injector
Mac Pro (2019)
Model Identifier: MacPro7,1
Tech Specs: Mac Pro (2019)
Model Identifier: MacPro7,1
Tech Specs: Mac Pro (2019)
Mac Pro (Rack, 2019)
Model Identifier: MacPro7,1
Tech Specs: Mac Pro (Rack, 2019)
Model Identifier: MacPro7,1
Tech Specs: Mac Pro (Rack, 2019)
2013
Mac Pro (Late 2013)
Model Identifier: MacPro6,1
Part Numbers: ME253xx/A, MD878xx/A
Tech Specs: Mac Pro (Late 2013)
Model Identifier: MacPro6,1
Part Numbers: ME253xx/A, MD878xx/A
Tech Specs: Mac Pro (Late 2013)
2012
Mac Pro (Mid 2012)
Model Identifier: MacPro5,1
Part Numbers: MD770xx/A, MD771xx/A
Newest compatible operating system: macOS Mojave 10.14.6.*
Tech Specs: Mac Pro (Mid 2012)
Model Identifier: MacPro5,1
Part Numbers: MD770xx/A, MD771xx/A
Newest compatible operating system: macOS Mojave 10.14.6.*
Tech Specs: Mac Pro (Mid 2012)
Mac Pro Server (Mid 2012)
Model Identifier: MacPro5,1
Part Number: MD772xx/A
Newest compatible operating system: macOS Mojave 10.14.6.*
Tech Specs: Mac Pro Server (Mid 2012)
Model Identifier: MacPro5,1
Part Number: MD772xx/A
Newest compatible operating system: macOS Mojave 10.14.6.*
Tech Specs: Mac Pro Server (Mid 2012)
* To install macOS Mojave on Mac Pro models from 2012, a Metal-capable graphics card is required.
Mac How To Check If App Injection
2010
Mac Pro (Mid 2010)
Model Identifier: MacPro5,1
Part Numbers: MC250xx/A, MC560xx/A, MC561xx/A
Newest compatible operating system: macOS Mojave 10.14.6.*
Tech Specs: Mac Pro (Mid 2010)
Model Identifier: MacPro5,1
Part Numbers: MC250xx/A, MC560xx/A, MC561xx/A
Newest compatible operating system: macOS Mojave 10.14.6.*
Tech Specs: Mac Pro (Mid 2010)
Mac Pro Server (Mid 2010)
Model Identifier: MacPro5,1
Part Number: MC915xx/A
Newest compatible operating system: macOS Mojave 10.14.6.*
Tech Specs: Mac Pro Server (Mid 2010)
Model Identifier: MacPro5,1
Part Number: MC915xx/A
Newest compatible operating system: macOS Mojave 10.14.6.*
Tech Specs: Mac Pro Server (Mid 2010)
* To install macOS Mojave on Mac Pro models from 2010, a Metal-capable graphics card is required.
2009
Mac Pro (Early 2009)
Model Identifier: MacPro4,1
Part Numbers: MB871xx/A, MB535xx/A
Newest compatible operating system: OS X El Capitan 10.11.6
Tech Specs: Mac Pro (Early 2009)
Model Identifier: MacPro4,1
Part Numbers: MB871xx/A, MB535xx/A
Newest compatible operating system: OS X El Capitan 10.11.6
Tech Specs: Mac Pro (Early 2009)