New Hooking-Based Remote Code Execution in macOS

The code injection attack surface in macOS, and methods to achieve injected code execution.

Malware authors are always looking for new ways to hide their presence and evade detection. A common dynamic evasion mechanism is code injection. Code injection can be implemented using a variety of techniques, depending on the OS and the processes involved. The basic notion behind code injection is that malicious code running inside an unsuspecting, and often entirely legitimate, process on the system is more likely to evade security solutions than the same code running in a process the malware owns.

When code injection takes place, the malware writes part of its code into a remote process's memory and then causes that process to execute it, even though the injected code was never part of the target's original execution flow.

In this whitepaper you will gain:

  • A clear understanding of the code injection attack surface in macOS, and of emerging methods to achieve injected code execution
  • An outline of the existing, publicly known code injection techniques in macOS
  • Practical knowledge of techniques for hooking functions in a remote process
  • A demonstration of how a custom-built Mach-O loader developed by Deep Instinct performs reflective Mach-O loading

