DylibHijack- Dylib Hijack Scanner

DLL Hijacking a technique that is widely used by malware writers, this to infect users , launch certain applications or make a privilege escalation. some of the tools that you can use to detect DLL hijacking on windows are:

  1. CrowdInspect
  2. Process Hacker
  3. Sysinternal

Mac OS X user may consider a new tool that was introduced during CanSecW 2015. This tool is called Dylib Hijack Scanner. DylibHijack- Dylib Hijack Scanner is simple python based tool that will scan your system searching for applications that are either susceptible to dylib hijacking or have been hijacked.

The tool consist of 2 scripts the first will allow to scan for vulnerable binaries, this will scan the list of running processes or the entire file-system for applications that either contain weak import (LC_LOAD_WEAK_DYLIB) or multiple run-path search paths.

You can export the finding to report or run the scan against any application you have on your Mac OS X. the interesting is that during testing this tool the author discovered some critical hijacking vulnerabilities for some popular applications like Apple iCloud photos, Xcode, iMovie plugin, Microsoft word, powerpoint, Excel , upload center, Google drive, GpG and even Dropbox.

All these zero day vulnerabilities will allow a malicious user to hijack the application and perform the attack while many security products will fail to protect users. you can download the tool over this link: https://github.com/synack/DylibHijack