ATT&CK -

admin, 2024-04-15 01:47:26

LC_MAIN Hijacking

Starting with OS X 10.8, Mach-O executables carry a load command named LC_MAIN whose entryoff field holds the offset, measured from the start of the __TEXT segment (where the Mach-O header itself sits), at which dyld transfers control to the program once its libraries are loaded and initializers have run. Before that, the same thing was expressed with an LC_THREAD or LC_UNIXTHREAD load command, which stores an initial register state (including the program counter) rather than an offset. Because the entry point is a single field in the file, it can be redirected: an attacker patches entryoff to point at code they have added, either in a new section or in a code cave (unused padding inside an existing executable region), and that code runs first and then jumps to the original entry point, so the program behaves normally and the victim notices nothing. The file name and path are unchanged, so application whitelisting that keys on name or path alone still approves the modified binary.

Tags

ID: T1149

Tactic: Defense Evasion

Platform: macOS

Permissions required: User, Administrator

Data sources: Binary file metadata, Malware reverse engineering, Process monitoring

Defense bypassed: Application whitelisting, Process whitelisting, Whitelisting by file name or path

Mitigations

Mitigation: Code Signing (M1045)
Description: Enforce valid digital signatures for signed code on all applications, and only trust applications whose signatures come from trusted parties.

Detection

Recovering a binary's original entry point after the fact is difficult, but checksum and signature verification are straightforward. Changing the LC_MAIN entryoff, or adding a second LC_MAIN load command, alters bytes that the code signature covers, so the signature no longer validates and the tampering can be detected; on macOS, codesign's verify mode reports the broken signature, and otool -l lists the load commands so the LC_MAIN entryoff can be compared against a known-good copy of the binary. An unsigned binary has no signature to invalidate, which is why enforcing valid signatures (M1045) is what makes this detection reliable. Collect information on running processes and compare it against known applications to look for suspicious behaviour.
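To make the mechanism described above concrete, and to show the load-command-level check that the detection paragraph describes, here is an added example (written for this edit, not code from ATT&CK or the original page). It parses the load commands of a 64-bit Mach-O, performs the LC_MAIN entryoff rewrite an attacker makes, and runs two defender checks on the same field: comparison against a known-good copy, and a baseline-free check that the entry offset still lies inside __TEXT. The Mach-O image it operates on is constructed inline by build_sample_macho() and is not a real binary; all function names are this example's own.

```python
"""Added example (not from the original page or ATT&CK): a minimal parser for
64-bit Mach-O load commands, the LC_MAIN edit that the technique performs,
and two checks a defender can run on the same field. The Mach-O image is
constructed by build_sample_macho() for this example; it is not a real binary."""
import struct

MH_MAGIC_64    = 0xFEEDFACF
MH_EXECUTE     = 0x2
CPU_TYPE_ARM64 = 0x0100000C           # CPU_ARCH_ABI64 | CPU_TYPE_ARM
LC_REQ_DYLD    = 0x80000000
LC_SEGMENT_64  = 0x19
LC_UNIXTHREAD  = 0x05                 # pre-10.8 entry point mechanism
LC_MAIN        = 0x28 | LC_REQ_DYLD   # entry_point_command

HEADER_FMT  = "<IiiIIIII"             # mach_header_64, 32 bytes
SEGMENT_FMT = "<II16sQQQQIIII"        # segment_command_64, 72 bytes
MAIN_FMT    = "<IIQQ"                 # entry_point_command: cmd, cmdsize, entryoff, stacksize
HEADER_SIZE = struct.calcsize(HEADER_FMT)


def build_sample_macho(entryoff, stacksize=0):
    """Construct a one-page Mach-O executable with a __TEXT segment and a single
    LC_MAIN. Constructed sample data; the "code" bytes are zero filler."""
    text_seg = struct.pack(SEGMENT_FMT, LC_SEGMENT_64, struct.calcsize(SEGMENT_FMT),
                           b"__TEXT",
                           0x100000000, 0x1000,   # vmaddr, vmsize
                           0, 0x1000,             # fileoff, filesize
                           7, 5,                  # maxprot rwx, initprot r-x
                           0, 0)                  # nsects, flags
    main_cmd = struct.pack(MAIN_FMT, LC_MAIN, struct.calcsize(MAIN_FMT), entryoff, stacksize)
    cmds = text_seg + main_cmd
    header = struct.pack(HEADER_FMT, MH_MAGIC_64, CPU_TYPE_ARM64, 0, MH_EXECUTE,
                         2, len(cmds), 0, 0)      # ncmds, sizeofcmds, flags, reserved
    image = bytearray(header + cmds)
    image.extend(b"\x00" * (0x1000 - len(image)))
    return bytes(image)


def load_commands(image):
    """Yield (cmd, offset, cmdsize) for each load command, bounds-checked so a
    crafted header cannot walk the parser past sizeofcmds."""
    magic, _, _, _, ncmds, sizeofcmds, _, _ = struct.unpack_from(HEADER_FMT, image, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O")
    off, end = HEADER_SIZE, HEADER_SIZE + sizeofcmds
    if end > len(image):
        raise ValueError("sizeofcmds exceeds image")
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("load commands overrun sizeofcmds")
        cmd, cmdsize = struct.unpack_from("<II", image, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("malformed load command at offset %#x" % off)
        yield cmd, off, cmdsize
        off += cmdsize


def find_entry_points(image):
    """Return [(command_offset, entryoff), ...] for every LC_MAIN in the image.
    A well-formed executable has exactly one; more than one deserves a look."""
    return [(off, struct.unpack_from("<Q", image, off + 8)[0])
            for cmd, off, _ in load_commands(image) if cmd == LC_MAIN]


def text_segment_filesize(image):
    """File size of the __TEXT segment; LC_MAIN.entryoff is relative to its start."""
    for cmd, off, _ in load_commands(image):
        if cmd == LC_SEGMENT_64:
            fields = struct.unpack_from(SEGMENT_FMT, image, off)
            if fields[2].rstrip(b"\x00") == b"__TEXT":
                return fields[6]          # filesize
    raise ValueError("no __TEXT segment")


def hijack_entry(image, cave_off):
    """The attacker's edit: point the first LC_MAIN at cave_off. Returns the
    patched image and the original entryoff, which injected code would jump
    back to after running so the program still behaves normally. No payload is
    written here; only the entry field changes."""
    cmd_off, original = find_entry_points(image)[0]
    patched = bytearray(image)
    struct.pack_into("<Q", patched, cmd_off + 8, cave_off)
    return bytes(patched), original


def entry_point_changed(known_good, candidate):
    """Defender check 1: compare the set of LC_MAIN entries against a known-good
    copy (the field-level form of the checksum comparison the text recommends)."""
    return find_entry_points(known_good) != find_entry_points(candidate)


def entry_outside_text(image):
    """Defender check 2, usable without a baseline: flag an entryoff that lies
    past the end of __TEXT, e.g. at code appended to the file. A cave inside
    __TEXT passes this check, which is why signature verification still matters."""
    limit = text_segment_filesize(image)
    return any(e >= limit for _, e in find_entry_points(image))


if __name__ == "__main__":
    clean = build_sample_macho(0x200)
    evil, original = hijack_entry(clean, 0x1800)   # cave appended after __TEXT
    print("original entryoff %#x, hijacked %#x" % (original, find_entry_points(evil)[0][1]))
    print("changed vs baseline:", entry_point_changed(clean, evil))
    print("entry outside __TEXT:", entry_outside_text(evil))
```

The two checks are deliberately different in what they need: entry_point_changed requires a trusted copy of the binary (or its recorded LC_MAIN value), while entry_outside_text works on the file alone but only catches an entry redirected past __TEXT; a cave carved inside __TEXT passes it, which is the case the signature check on the page exists for. The header-walk in load_commands validates cmdsize against sizeofcmds before trusting it, since a parser that walks load commands from a file under an attacker's control should not itself be the next bug.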

- Translators: 林妙倩, 戴亦仑. Source: cve.scap.org.cn

Original post (CN-SEC 中文网; reproduction must keep this link): https://cn-sec.com/archives/2657975.html
