To understand injection, one must first understand the loader. On macOS, the dynamic linker is dyld. When a process launches, dyld is responsible for loading the executable and its dependent shared libraries into memory. In a standard workflow, an application declares its dependencies in its binary header, and the linker resolves them automatically. Injection, however, forces the loading of a library that the application did not explicitly request.
#include <stdio.h>
If an attacker identifies an empty path or a directory they have write access to that appears early in the LC_RPATH list, they can drop a malicious dylib using the exact filename the application expects. When the binary launches, dyld loads the attacker's file instead of the genuine library.

3. Runtime Mach Task Injection
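A defensive audit for the LC_RPATH search-order problem described above, added here as an example and not taken from the original page: it parses the load commands of a thin 64-bit Mach-O and reports every rpath directory that dyld would search before the one that actually holds each @rpath dependency. The function names, the constructed sample builder, and the treatment of @loader_path as the executable's directory (main executable only) are assumptions of this example.

```python
import os
import struct

MH_MAGIC_64 = 0xFEEDFACF
LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB, LC_RPATH = 0xC, 0x80000018, 0x8000001C

def parse_macho(data):
    """Return (rpaths, @rpath dependencies) from a thin little-endian 64-bit Mach-O."""
    magic, _, _, _, ncmds, _, _, _ = struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a thin 64-bit little-endian Mach-O")
    rpaths, deps, off = [], [], 32          # load commands follow the 32-byte header
    for _ in range(ncmds):
        cmd, size = struct.unpack_from("<2I", data, off)
        if size < 8 or off + size > len(data):
            raise ValueError("malformed load command")
        if cmd in (LC_RPATH, LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB):
            (str_off,) = struct.unpack_from("<I", data, off + 8)  # lc_str offset
            text = data[off + str_off:off + size].split(b"\0", 1)[0].decode()
            if cmd == LC_RPATH:
                rpaths.append(text)
            elif text.startswith("@rpath/"):
                deps.append(text[len("@rpath/"):])
        off += size
    return rpaths, deps

def audit_rpaths(rpaths, deps, exe_dir):
    """List (dependency, directory, reason) for rpath entries searched before the real library."""
    findings = []
    for dep in deps:
        for entry in rpaths:
            # Assumption: main executable, so @loader_path equals @executable_path.
            d = entry.replace("@executable_path", exe_dir).replace("@loader_path", exe_dir)
            if os.path.exists(os.path.join(d, dep)):
                break                        # first match wins; later entries are never reached
            if not os.path.isdir(d):
                findings.append((dep, d, "missing"))    # review who could create it
            elif os.access(d, os.W_OK):
                findings.append((dep, d, "writable"))   # writable by the auditing user
    return findings

def _lc(cmd, text, str_off):
    """Constructed load command for the sample image (8-byte aligned)."""
    raw = text.encode() + b"\0"
    size = (str_off + len(raw) + 7) & ~7
    return (struct.pack("<3I", cmd, size, str_off).ljust(str_off, b"\0") + raw).ljust(size, b"\0")

def sample_macho(rpaths, dylibs):
    """Constructed header-only Mach-O: LC_RPATH entries, then LC_LOAD_DYLIB entries."""
    cmds = [_lc(LC_RPATH, p, 12) for p in rpaths] + [_lc(LC_LOAD_DYLIB, n, 24) for n in dylibs]
    blob = b"".join(cmds)
    return struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, len(cmds), len(blob), 0, 0) + blob
```

Universal (fat) binaries need one architecture slice extracted before parsing, and the "writable" result reflects only the rights of the account running the audit, so run it as the least-privileged user you care about.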