Dylib Hijack Scanner

Free

Dylib Hijack Scanner is a professional macOS security tool that scans for and detects dylib hijacking attacks, helping users identify potential risks from malicious code and protect the system from third-party application hijacking. It is developed by the Objective-See security team.

Dylib Hijack Scanner (DHS)

A simple, practical macOS utility that scans your computer and identifies applications that are vulnerable to dynamic library (dylib) hijacking attacks or have already been hijacked. The attack techniques this tool targets were detailed in a presentation titled "DLL Hijacking on OS X? Of course!" at the CanSecWest security conference.

Supported Systems: macOS 11 or later
Current Version: 1.6.0
File Verification: ZIP archive SHA-1: 08A2AF3D781CE16E485C93B26A17A95CC6DA080E


Core Features & Highlights

  • Comprehensive Scanning & Detection: Automatically scans and identifies applications that are vulnerable to hijacking and those that are already hijacked.
  • Customizable Preferences:
    • Full Scan: When enabled, performs a full system scan across the entire filesystem.
    • Weak Import Detection: When enabled, also detects hijacks that abuse the “weak linking” mechanism.
    • Save Results: Saves all scan results in JSON format to dhsFindings.txt in the application’s directory, facilitating analysis and archiving.
  • Bias Toward Reporting Potential Risks: DHS is designed with the principle of “better safe than sorry” — prioritizing detection of potential malicious hijacking, which may result in some legitimate dylibs being flagged as suspicious.
  • Clean, Intuitive Interface: Simple to use with a one-click scan initiation.

Usage Guide

  1. Download & Extract:
    • Download the ZIP archive containing the application from the official website.
    • Depending on your browser settings, you may need to manually double-click the ZIP file to extract DHS.app.
  2. Launch & Scan:
    • Double-click DHS.app to launch the application.
    • Click the Start Scan button to begin scanning.
  3. Interpret Results:
    • Vulnerable Applications: It is common to find many applications in this category. This does NOT mean your computer has been compromised. It simply indicates that, if your system were already compromised, attackers could potentially exploit these applications to maintain stealthy malicious activity.
    • Hijacked Applications: If any applications appear in this category, you should pay attention. This could be a false positive or a real hijacking. It is recommended to contact the developer or consult the FAQ for further investigation.
  4. Preferences:
    • Click the gear icon in the bottom-left corner of the interface to open the preferences panel and enable the desired options above.

Advantages

  • Proactive Security Defense: Helps users and security researchers proactively identify potential dylib hijacking vulnerabilities and actual attacks, enhancing awareness of system security risks.
  • Expert-Backed: Built upon Objective-See’s in-depth research into macOS security, targeting attack vectors at the core OS mechanism level.
  • Transparent & Open Source: Fully open source, allowing the security community to review the code, verify its effectiveness and reliability, and contribute to improvements.
  • Free & Practical: As a free tool, it provides a powerful foundational security detection capability for both casual users and professionals.

Frequently Asked Questions (FAQ)

Q: DHS found some vulnerable applications. Should I be worried?
A: Not necessarily. “Vulnerable” means that if an attacker has already gained access to your machine, they might exploit these applications (e.g., those launched automatically by the OS) to stealthily inject malicious dylibs for persistence. The key point is that exploiting this vulnerability requires the attacker to already have initial access to your system.

Q: Are there patches available for these vulnerable applications?
A: Since dylib hijacking exploits legitimate features of the macOS core operating system, there are no patches available for individual applications. In the future, Apple may introduce new system-level security features (such as requiring all libraries to be signed), which could help mitigate such attacks.

Q: DHS found a hijacked application. What should I do?

Important Note: For any items flagged in the scan results — especially those labeled “Hijacked Applications” — exercise caution and perform additional verification. Understanding DHS’s “bias toward false positives” principle will help you more accurately assess the actual risk.

All software data on this site is synchronized from the Awesome mac project. Copyright belongs to original authors.
