Skip to content
/ detect_libdz Public

Tool to detect detect_libdz.dylib malicious library on MacOS systems

0 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

scottohair/detect_libdz

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

6 Commits
README.md
README.md
 
 
detect_libdz.py
detect_libdz.py
 
 

Repository files navigation

libdz.dylib Detection and Analysis Script

Overview

This script is designed to detect the presence of libdz.dylib on macOS systems. It utilizes various system monitoring tools to identify if the library is loaded or accessed by any process. Upon detection, the script performs analysis on the library using codesign and otool, and copies it to the current working directory for further examination.

Features

  • Concurrent Monitoring: Uses multithreading to monitor for libdz.dylib using multiple methods simultaneously.
  • Detection Methods:
    • lsof: Checks for the library among open files.
    • fs_usage: Monitors file system usage for access to the library.
    • dtrace: Observes system calls related to file opening.
    • ps aux: Inspects running processes for references to the library.
  • Sampling Process: Samples the launchd process to potentially trigger the loading of the library.
  • Automated Analysis:
    • codesign: Analyzes the code signature of the library.
    • otool: Inspects the library's dependencies.
  • File Management: Copies the detected library to the current directory for further analysis.

Prerequisites

  • Operating System: macOS (Darwin)
  • Python Version: Python 3.x
  • Permissions: Must be run with root privileges.

Installation

  1. Clone the Repository git clone https://github.com/yourusername/libdz-detection-script.git cd libdz-detection-script

  2. Install Required Dependencies The script uses standard Python libraries (subprocess, re, time, threading, os, shutil, logging, sys, platform, typing). No additional packages are required.

Usage

  1. Run the Script with Root Permissions sudo python3 detect_libdz.py

  2. Monitoring and Detection

    • The script will continuously monitor for libdz.dylib.
    • It utilizes multiple threads to perform various detection methods simultaneously.
    • Upon detection, it will perform analysis and copy the library to the current directory.

  3. Logs and Output

    • The script provides informative logs about its progress and any detections.
    • Logs are printed to the console with timestamps and severity levels.

Script Details

Main Functions

  • trigger_sample()

    • Samples the launchd process (PID 1) for 5 seconds to potentially trigger the loading of libdz.dylib.

  • check_libdz_lsof()

    • Uses lsof to check for libdz.dylib among open files.

  • check_libdz_fs_usage()

    • Monitors file system usage using fs_usage to detect access to libdz.dylib.

  • check_libdz_dtrace()

    • Observes system calls related to file opening using dtrace.

  • check_libdz_activity_monitor()

    • Checks the process list using ps aux for any references to libdz.dylib.

  • search_libdz()

    • Searches the entire file system for libdz.dylib.

  • copy_libdz_to_current_dir(file_path)

    • Copies the detected libdz.dylib to the current working directory.

  • analyze_libdz_with_codesign(file_path)

    • Analyzes the library using codesign to inspect its code signature.

  • analyze_libdz_with_otool(file_path)

    • Uses otool to inspect the library's dependencies.

  • post_detection_analysis(file_path)

    • Performs post-detection analysis by calling the analysis and copy functions.

Thread Management

  • Utilizes the threading module to run detection functions concurrently.
  • A shared stop_event is used to signal all threads to stop upon detection.

Cleanup

  • Ensures that all resources are properly cleaned up when the script exits.
  • Handles keyboard interrupts gracefully.

Security Considerations

  • Caution: libdz.dylib may be malicious. Handle it with care.
  • Permissions: Running the script with root privileges can be risky. Ensure you trust the source and understand the script's functionality.
  • File Handling: The script copies and analyzes the library but does not execute it.

Limitations

  • The script is designed specifically for macOS systems.
  • Requires root permissions due to the use of system-level monitoring tools.

Troubleshooting

  • Script Must Be Run as Root If you receive an error stating that the script must be run as root, ensure you use sudo when executing the script.

  • Dependency Issues If you encounter issues with missing commands like lsof, fs_usage, or dtrace, ensure that you are running the script on macOS and that these tools are available.

  • Permission Denied Errors Ensure that you have the necessary permissions to run system monitoring tools and access system files.

Contributing

Contributions are welcome! If you have suggestions for improvements or find any issues, please open an issue or submit a pull request.

License

This project is licensed under the MIT License.

Disclaimer

This script is provided for educational and security research purposes only. The author is not responsible for any misuse or damage caused by this script. Use it at your own risk.

Contact

For any questions or concerns, please contact the repository owner through the project's GitHub page.

Note: Replace https://github.com/yourusername/libdz-detection-script.git with the actual repository URL if applicable.

About

Tool to detect detect_libdz.dylib malicious library on MacOS systems

Resources

Readme
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages