
Process Injection Detection

Protection Module: ProcessInjection

Available For

Platform   Version   Status
iOS        12.0+     ✓ Full Support
iPadOS     12.0+     ✓ Full Support
tvOS       12.0+     ✓ Supported

How It Works

The Process Injection Detection module monitors your application for signs of code injection and dynamic instrumentation. It detects attempts to inject foreign code or load hooking frameworks into the process, using the following techniques:

Detection Techniques

  • DYLD_INSERT_LIBRARIES Detection: Checks the DYLD_INSERT_LIBRARIES environment variable that instrumentation frameworks (Frida, Substrate) use to inject libraries into processes.
  • Loaded Dylib Enumeration: Enumerates all dynamically loaded libraries using _dyld_image_count() and _dyld_get_image_name() to identify injected dylibs.
  • Known Injector Detection: Identifies known injection frameworks by their dylib names: Frida, Substrate, Cycript, libcycript, FridaGadget, and similar malicious libraries.
  • System Library Path Validation: Verifies that all loaded libraries come from legitimate system paths (/usr/lib/, /System/) to detect out-of-path injection.

Detection Confidence: 0.95 for known injectors (95% - highly reliable)

Default Interval: 60 seconds
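The four techniques above, worked through as an added example in C (not the SDK's own code; the dyld calls are C APIs callable from Swift or Objective-C). The name-matching and path-validation logic is portable so it can be run on any host, while the live enumeration via _dyld_image_count()/_dyld_get_image_name() and the DYLD_INSERT_LIBRARIES lookup are compiled only on Apple platforms. The injector name list, the app-bundle prefix parameter and the sample image paths are assumptions constructed for the example; the SDK's real tables are not on this page.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
#ifdef __APPLE__
#include <mach-o/dyld.h>
#endif
/* Injector name fragments taken from this page's list (the SDK's real table is not published) and the system prefixes from its path rule. */
static const char *const KNOWN_INJECTORS[] = {"frida", "substrate", "cycript", NULL};
static const char *const SYSTEM_PREFIXES[] = {"/usr/lib/", "/System/", NULL};
typedef struct { int known_injectors; int out_of_path; bool env_set; } scan_result;
/* Known Injector Detection: case-insensitive match of the dylib's file name against the list. */
bool is_known_injector(const char *path) {
    const char *slash = strrchr(path, '/'), *base = slash ? slash + 1 : path;
    char lower[256] = {0};
    for (size_t i = 0; i < sizeof lower - 1 && base[i]; i++) lower[i] = (char)tolower((unsigned char)base[i]);
    for (int i = 0; KNOWN_INJECTORS[i]; i++)
        if (strstr(lower, KNOWN_INJECTORS[i])) return true;
    return false;
}
/* System Library Path Validation. The caller passes its own bundle prefix (hypothetical) so the main executable and embedded frameworks, which live outside /usr/lib and /System, are not flagged. */
bool is_out_of_path(const char *path, const char *app_bundle_prefix) {
    if (app_bundle_prefix && strncmp(path, app_bundle_prefix, strlen(app_bundle_prefix)) == 0) return false;
    for (int i = 0; SYSTEM_PREFIXES[i]; i++)
        if (strncmp(path, SYSTEM_PREFIXES[i], strlen(SYSTEM_PREFIXES[i])) == 0) return false;
    return true;
}
/* All three checks over a snapshot of image paths plus the DYLD_INSERT_LIBRARIES value (NULL when unset). */
scan_result scan_images(const char *const *paths, int count, const char *dyld_insert, const char *app_bundle_prefix) {
    scan_result r = {0, 0, dyld_insert != NULL && dyld_insert[0] != '\0'};
    for (int i = 0; i < count; i++) {
        r.known_injectors += is_known_injector(paths[i]);
        r.out_of_path += is_out_of_path(paths[i], app_bundle_prefix);
    }
    return r;
}
/* Constructed snapshot mirroring the page's sample threat evidence (not a real capture). */
scan_result demo_hooked_snapshot(void) {
    static const char *const imgs[] = {"/usr/lib/libSystem.B.dylib", "/usr/lib/libfrida.dylib", "/private/var/tmp/libcycript.dylib"};
    return scan_images(imgs, 3, "/usr/lib/libfrida.dylib", NULL);
}
#ifdef __APPLE__
scan_result scan_current_process(const char *app_bundle_prefix) { /* live Loaded Dylib Enumeration as on the page */
    uint32_t n = _dyld_image_count();
    const char *p[n];
    for (uint32_t i = 0; i < n; i++) p[i] = _dyld_get_image_name(i);
    return scan_images(p, (int)n, getenv("DYLD_INSERT_LIBRARIES"), app_bundle_prefix);
}
#endif
```

On a real device the out-of-path count is only meaningful once the app's own bundle prefix is passed; without it every app-shipped framework is reported.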

JSON Configuration

JSON
{
  "protections": [
    {
      "type": "ProcessInjection",
      "action": "close",
      "intervalMs": 60000
    }
  ]
}

Code-Based Configuration

Swift

Swift
import ByteHideMonitor

BHMMonitor.configure { config in
    config.enableProtection(.processInjection, action: .close, intervalMs: 60000)
}

Objective-C

OBJC
#import <ByteHideMonitor/ByteHideMonitor.h>

[BHMMonitor configure:^(BHMMonitorConfiguration *config) {
    [config enableProtection:BHMProtectionModuleTypeProcessInjection
                      action:BHMActionTypeClose
                  intervalMs:60000];
}];

Available Actions

Action   Behavior                               Recommended For
Close    Terminate application immediately      Production apps with critical IP
Log      Record incident and continue           Development, analytics
Erase    Securely delete data then terminate    Financial, healthcare apps
Custom   Execute custom handler                 Enterprise integrations
None     Detect only, no action                 Testing configurations

See Actions for detailed action documentation.

When to Use

  • Enterprise Apps: Prevent business logic modification and IP theft
  • Financial Applications: Stop transaction manipulation through code injection
  • Gaming Apps: Detect and prevent gameplay manipulation and cheating
  • Healthcare Apps: Ensure app logic integrity for patient safety
  • Streaming Services: Prevent DRM bypass through code injection
  • API Security: Protect authentication and data transmission logic
  • Development: Use Log action to track injection attempts

Code Examples

Swift Basic Configuration

Swift
import ByteHideMonitor

// In your AppDelegate or app initialization
BHMMonitor.configure { config in
    config.enableProtection(.processInjection, action: .close, intervalMs: 60000)
}

Swift with Custom Action

Swift
import ByteHideMonitor

BHMMonitor.configure { config in
    // Register custom handler for injection detection
    config.registerCustomAction("injection-handler") { context in
        let threatType = context.threatType
        let description = context.threatDescription
        let metadata = context.metadata

        // Extract injection details
        if let evidence = context.detectionResult?.evidence {
            let injectedLibraries = evidence["injected_libraries"] as? [String] ?? []
            let environmentVars = evidence["environment_variables"] as? [String] ?? []

            // Report to security backend
            SecurityAPI.reportInjectionAttempt(
                libraries: injectedLibraries,
                environment: environmentVars,
                metadata: metadata
            )
        }

        // Log to analytics
        Analytics.log(event: "injection_detected", parameters: [
            "threat_type": threatType,
            "description": description,
            "timestamp": ISO8601DateFormatter().string(from: Date())
        ])

        // Optional: Flush important data before termination
        DatabaseManager.flush()
    }

    config.enableProtection(.processInjection, customAction: "injection-handler", intervalMs: 60000)
}

Objective-C Basic Configuration

OBJC
#import <ByteHideMonitor/ByteHideMonitor.h>

[BHMMonitor configure:^(BHMMonitorConfiguration *config) {
    [config enableProtection:BHMProtectionModuleTypeProcessInjection
                      action:BHMActionTypeClose
                  intervalMs:60000];
}];

Objective-C with Custom Action

OBJC
#import <ByteHideMonitor/ByteHideMonitor.h>

[BHMMonitor configure:^(BHMMonitorConfiguration *config) {
    [config registerCustomAction:@"injection-handler" handler:^(BHMThreatContext *context) {
        NSString *threatType = context.threatType;
        NSString *description = context.threatDescription;
        NSDictionary *metadata = context.metadata;

        // Extract injection evidence
        if (context.detectionResult && context.detectionResult.evidence) {
            NSArray *injectedLibs = context.detectionResult.evidence[@"injected_libraries"];
            NSArray *envVars = context.detectionResult.evidence[@"environment_variables"];

            [SecurityAPI reportInjectionAttemptWithLibraries:injectedLibs
                                                environment:envVars
                                                   metadata:metadata];
        }

        // Log to analytics
        [Analytics logEvent:@"injection_detected"
                parameters:@{
                    @"threat_type": threatType,
                    @"description": description
                }];

        // Flush database
        [DatabaseManager flush];
    }];

    [config enableProtection:BHMProtectionModuleTypeProcessInjection
                customAction:@"injection-handler"
                  intervalMs:60000];
}];

Platform Compatibility

Feature                      iOS 12-13   iOS 14-15   iOS 16+
Environment Variable Check
Dylib Enumeration
Known Injector Detection
System Path Validation
Continuous Monitoring
Frida Detection
Substrate Detection          ✓ Limited

Performance Impact

  • CPU Usage: ~0.2-0.4% per check cycle
  • Memory Overhead: <800 KB (dylib enumeration)
  • Battery Impact: Low with 60-second intervals
  • First Detection: <20ms
  • I/O Impact: Minimal (memory-based enumeration)

Threat Detection Details

JSON
{
  "threat": {
    "moduleType": "ProcessInjection",
    "threatType": "InjectionDetected",
    "threatDescription": "Frida dynamic instrumentation framework detected - unauthorized code injection",
    "detectionResult": {
      "isThreat": true,
      "category": "CodeInjection",
      "threatDescription": "Known injection framework detected",
      "confidence": 0.95,
      "evidence": {
        "environment_variables": [
          "DYLD_INSERT_LIBRARIES=/usr/lib/libfrida.dylib"
        ],
        "injected_libraries": [
          "/usr/lib/libfrida.dylib",
          "/usr/lib/libcycript.dylib"
        ],
        "known_injectors": [
          "libfrida",
          "libcycript"
        ],
        "invalid_paths": [
          "/usr/lib/libfrida.dylib"
        ]
      },
      "timestamp": "2026-03-03T10:30:45.123Z"
    },
    "metadata": {
      "detection_method": "dylib_enumeration",
      "injector_count": 2,
      "check_duration_ms": 8,
      "interval_ms": 60000
    }
  }
}
