iOS process launch model

哆啦安全 · Source: 奶牛安全 · 2023-02-23 09:21

Analysis tool: IDA 7.0

Basic approach

Before analysing the jailbreak tool shadow, note that every jailbreak tool works by injecting into processes and hooking them. By scope, injection comes in two kinds:

- user-mode injection, through a dynamic library
- kernel-mode injection, through a driver

Writing a driver for an Apple system requires Apple's authorisation, so a jailbreak tool cannot take that route and is left with user-mode injection.

Analysing it therefore requires understanding how dynamic libraries are loaded when a process starts, which brings us to the iOS process launch model.

This article proceeds as follows:

- iOS process launch model
- Dependency analysis
- Hook-point analysis
- Detection

iOS process launch model

iOS is also a Unix derivative, and across the Unix family the process launch model looks roughly like this:

1. Load the executable, found via an absolute path, a relative path, or the search path given by an environment variable.
2. Load the dynamic libraries the executable depends on (its import table), found via an absolute path, a relative path, or the search paths given by environment variables and system configuration.
3. Resolve all symbols and start the process.
4. The process handles its input arguments and its configuration files.

Of these, only steps 1 and 2 offer an opportunity for injection.

In the Unix family the environment variable governing where executables are found is usually **PATH**, a list of executable directories such as /bin, /usr/bin and /usr/local/bin, and it can normally be set by the user. The list is searched in order and the search stops at the first hit. Suppose the variable is set as follows:

```
PATH=/bin:/usr/bin:/usr/local/bin
```

If every one of those directories holds an ls executable, running ls will only ever execute /bin/ls.

If a jailbreak tool wanted to inject at this step it would have to build a sandbox that takes over the execution of every program. Every user-mode process would then become a child of that sandbox, which could freely alter a child's environment variables to perform static injection, or even use system calls such as ptrace for dynamic injection. This approach evades the various jailbreak-detection tools very effectively.

Within the Unix family, the environment variables and system configuration that govern dynamic-library loading differ from system to system.

On iOS the loader walks the path lists held in the following environment variables in this order; as soon as the matching dynamic library is found, that traversal stops and the next library is looked up:

DYLD_INSERT_LIBRARIES

DYLD_VERSIONED_FRAMEWORK_PATH

DYLD_FRAMEWORK_PATH

DYLD_LIBRARY_PATH

DYLD_FALLBACK_FRAMEWORK_PATH

DYLD_FALLBACK_LIBRARY_PATH
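As an added example (not part of the article), here is a small C model of the first-match-wins rule that both PATH and the DYLD_*_PATH variables above follow: a colon-separated list is walked in order and the first directory that holds the requested name wins, so an entry that an environment variable places ahead of the system directories shadows the system copy. The file system and the environment are constructed tables so the code runs anywhere, and the index returned by `resolve_dylib` tells you which variable supplied the hit, which is the thing to look at when auditing a process's environment. DYLD_INSERT_LIBRARIES is left out of the constructed environment because it names libraries to insert rather than directories to search.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the file system: the only paths that "exist". */
static const char *const FAKE_FS[] = {
    "/bin/ls", "/usr/bin/ls", "/usr/local/bin/ls",
    "/usr/lib/libsqlite3.dylib", "/usr/lib/libz.dylib",
    "/tmp/inject/libsqlite3.dylib",          /* a copy placed in a user-writable directory */
    NULL,
};

static int fake_exists(const char *path) {
    for (const char *const *p = FAKE_FS; *p; p++)
        if (strcmp(*p, path) == 0) return 1;
    return 0;
}

/* PATH semantics: walk a colon-separated list in order and stop at the first directory
 * that contains name. Writes the winning path to out and returns 1, otherwise returns 0.
 * A NULL list (unset variable) matches nothing. */
int search_path_list(const char *list, const char *name, char *out, size_t outlen) {
    if (list == NULL) return 0;
    const char *p = list;
    for (;;) {
        const char *sep = strchr(p, ':');
        size_t len = sep ? (size_t)(sep - p) : strlen(p);
        if (len > 0 && len + 1 + strlen(name) < outlen) {
            memcpy(out, p, len);
            out[len] = '/';
            strcpy(out + len + 1, name);
            if (fake_exists(out)) return 1;   /* first hit wins; later entries are never consulted */
        }
        if (sep == NULL) break;
        p = sep + 1;
    }
    out[0] = '\0';
    return 0;
}

/* A (variable name, value) pair; a NULL value means the variable is unset. */
struct env_var { const char *name; const char *value; };

/* Walk the variables in the order the article lists them and return the index of the
 * one whose list produced the hit, or -1 if no list holds the library. */
int resolve_dylib(const struct env_var *vars, int nvars, const char *name, char *out, size_t outlen) {
    for (int i = 0; i < nvars; i++)
        if (search_path_list(vars[i].value, name, out, outlen)) return i;
    out[0] = '\0';
    return -1;
}

/* Constructed environment: one DYLD_LIBRARY_PATH entry sitting ahead of the fallback list. */
const struct env_var DEMO_ENV[] = {
    {"DYLD_VERSIONED_FRAMEWORK_PATH", NULL},
    {"DYLD_FRAMEWORK_PATH", NULL},
    {"DYLD_LIBRARY_PATH", "/tmp/inject"},
    {"DYLD_FALLBACK_FRAMEWORK_PATH", NULL},
    {"DYLD_FALLBACK_LIBRARY_PATH", "/usr/local/lib:/usr/lib"},
};
const int DEMO_ENV_LEN = (int)(sizeof DEMO_ENV / sizeof DEMO_ENV[0]);

int main(void) {
    char hit[256];
    const char *libs[] = {"libsqlite3.dylib", "libz.dylib", "libmissing.dylib"};
    for (size_t i = 0; i < sizeof libs / sizeof libs[0]; i++) {
        int idx = resolve_dylib(DEMO_ENV, DEMO_ENV_LEN, libs[i], hit, sizeof hit);
        if (idx < 0) printf("%-18s not found in any list\n", libs[i]);
        else printf("%-18s -> %s (from %s)\n", libs[i], hit, DEMO_ENV[idx].name);
    }
    return 0;
}
```

In the constructed environment libsqlite3.dylib resolves to the copy under /tmp/inject because DYLD_LIBRARY_PATH is consulted before DYLD_FALLBACK_LIBRARY_PATH, while libz.dylib, which has no copy there, falls through to /usr/lib. That ordering is exactly why an injected search directory matters and why a defender auditing a process's environment should care which variable a hit came from.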

Today many apps detect whether iOS is jailbroken by doing the following:

- accessing directories and files that only root can reach, for reading or writing
- executing commands that only root can run
- reading or changing environment variables that only root can touch
- making system calls that only root can make
- reading system parameters that only root can read

Given the launch model analysed above, a jailbreak tool that wants to evade detection has to do these things:

- guard access to environment variables
- block the execution of certain commands
- block access to certain paths
- block access to certain system parameters
- hook certain system calls

Dependency analysis

With that groundwork done, let's look at what this jailbreak tool actually contains.

Unpacking me.jjolano.shadow_2.0.20_iphoneos-arm.deb gives roughly the following tree:

```powershell
PS D:\Library> Get-ChildItem -Recurse


    目錄: D:\Library


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----         2019/8/2      1:59                MobileSubstrate
d-----         2019/8/2      1:59                PreferenceBundles
d-----         2019/8/2      1:59                PreferenceLoader


    目錄: D:\Library\MobileSubstrate


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----         2019/8/2      1:59                DynamicLibraries


    目錄: D:\Library\MobileSubstrate\DynamicLibraries


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         2019/8/2      1:59         728432 0Shadow.dylib
-a----         2019/8/2      1:59             87 0Shadow.plist


    目錄: D:\Library\PreferenceBundles


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----         2019/8/2      1:59                ShadowPreferences.bundle


    目錄: D:\Library\PreferenceBundles\ShadowPreferences.bundle


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        2019/7/14      1:29                en.lproj
-a---l        2021/4/10      0:27              0 Base.lproj
-a----         2019/8/2      1:59            751 Icon-Small.png
-a----         2019/8/2      1:59           1610 Icon-Small@2x.png
-a----         2019/8/2      1:59           2693 Icon-Small@3x.png
-a----         2019/8/2      1:59            404 Info.plist
-a----         2019/8/2      1:59           3123 Root.plist
-a----        2019/7/29      4:37         265808 ShadowPreferences


    目錄: D:\Library\PreferenceBundles\ShadowPreferences.bundle\en.lproj


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         2019/8/2      1:59           3915 Root.strings


    目錄: D:\Library\PreferenceLoader


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----         2019/8/2      1:59                Preferences


    目錄: D:\Library\PreferenceLoader\Preferences


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         2019/8/2      1:59            199 ShadowPreferences.plist
```

Judging by size, only D:\Library\MobileSubstrate\DynamicLibraries\0Shadow.dylib is worth analysing. Open it in IDA and look at the import table:

```
Address           Name                                     Library
0000000000026830  _OBJC_CLASS_$_HBPreferences              /Library/Frameworks/Cephei.framework/Cephei
0000000000026838  _MSGetImageByName                        /Library/Frameworks/CydiaSubstrate.framework/CydiaSubstrate
0000000000026840  _MSHookFunction                          /Library/Frameworks/CydiaSubstrate.framework/CydiaSubstrate
0000000000026848  _MSHookMessageEx                         /Library/Frameworks/CydiaSubstrate.framework/CydiaSubstrate
0000000000026800  _OBJC_CLASS_$_NSArray                    /System/Library/Frameworks/CoreFoundation.framework/CoreFoundation
0000000000026808  _OBJC_CLASS_$_NSDictionary               /System/Library/Frameworks/CoreFoundation.framework/CoreFoundation
0000000000026810  _OBJC_CLASS_$_NSMutableArray             /System/Library/Frameworks/CoreFoundation.framework/CoreFoundation
0000000000026818  _OBJC_CLASS_$_NSMutableDictionary        /System/Library/Frameworks/CoreFoundation.framework/CoreFoundation
0000000000026820  _OBJC_CLASS_$_NSURL                      /System/Library/Frameworks/CoreFoundation.framework/CoreFoundation
0000000000026828  ___CFConstantStringClassReference        /System/Library/Frameworks/CoreFoundation.framework/CoreFoundation
00000000000267A0  _NSCocoaErrorDomain                      /System/Library/Frameworks/Foundation.framework/Foundation
00000000000267A8  _NSLocalizedDescriptionKey               /System/Library/Frameworks/Foundation.framework/Foundation
00000000000267B0  _NSLocalizedFailureReasonErrorKey        /System/Library/Frameworks/Foundation.framework/Foundation
00000000000267B8  _NSLocalizedRecoverySuggestionErrorKey   /System/Library/Frameworks/Foundation.framework/Foundation
00000000000267C0  _OBJC_CLASS_$_NSBundle                   /System/Library/Frameworks/Foundation.framework/Foundation
00000000000267C8  _OBJC_CLASS_$_NSCharacterSet             /System/Library/Frameworks/Foundation.framework/Foundation
00000000000267D0  _OBJC_CLASS_$_NSError                    /System/Library/Frameworks/Foundation.framework/Foundation
00000000000267D8  _OBJC_CLASS_$_NSFileManager              /System/Library/Frameworks/Foundation.framework/Foundation
00000000000267E0  _OBJC_CLASS_$_NSNumber                   /System/Library/Frameworks/Foundation.framework/Foundation
00000000000267E8  _OBJC_CLASS_$_NSProcessInfo              /System/Library/Frameworks/Foundation.framework/Foundation
00000000000267F0  _OBJC_CLASS_$_NSString                   /System/Library/Frameworks/Foundation.framework/Foundation
00000000000267F8  _OBJC_CLASS_$_NSValue                    /System/Library/Frameworks/Foundation.framework/Foundation
0000000000026858  _NSVersionOfLinkTimeLibrary              /usr/lib/libSystem.B.dylib
0000000000026860  _NSVersionOfRunTimeLibrary               /usr/lib/libSystem.B.dylib
0000000000026868  ___stack_chk_guard                       /usr/lib/libSystem.B.dylib
0000000000026870  __dyld_get_image_name                    /usr/lib/libSystem.B.dylib
0000000000026878  __dyld_image_count                       /usr/lib/libSystem.B.dylib
0000000000026880  _access                                  /usr/lib/libSystem.B.dylib
0000000000026888  _chdir                                   /usr/lib/libSystem.B.dylib
0000000000026890  _chroot                                  /usr/lib/libSystem.B.dylib
0000000000026898  _creat                                   /usr/lib/libSystem.B.dylib
00000000000268A0  _csops                                   /usr/lib/libSystem.B.dylib
00000000000268A8  _dladdr                                  /usr/lib/libSystem.B.dylib
00000000000268B0  _dlopen                                  /usr/lib/libSystem.B.dylib
00000000000268B8  _dlopen_preflight                        /usr/lib/libSystem.B.dylib
00000000000268C0  _dlsym                                   /usr/lib/libSystem.B.dylib
00000000000268C8  _faccessat                               /usr/lib/libSystem.B.dylib
00000000000268D0  _fchdir                                  /usr/lib/libSystem.B.dylib
00000000000268D8  _fopen                                   /usr/lib/libSystem.B.dylib
00000000000268E0  _fork                                    /usr/lib/libSystem.B.dylib
00000000000268E8  _freopen                                 /usr/lib/libSystem.B.dylib
00000000000268F0  _fstat                                   /usr/lib/libSystem.B.dylib
00000000000268F8  _fstatat                                 /usr/lib/libSystem.B.dylib
0000000000026900  _fstatfs                                 /usr/lib/libSystem.B.dylib
0000000000026908  _getegid                                 /usr/lib/libSystem.B.dylib
0000000000026910  _getenv                                  /usr/lib/libSystem.B.dylib
0000000000026918  _geteuid                                 /usr/lib/libSystem.B.dylib
0000000000026920  _getgid                                  /usr/lib/libSystem.B.dylib
0000000000026928  _getppid                                 /usr/lib/libSystem.B.dylib
0000000000026930  _getuid                                  /usr/lib/libSystem.B.dylib
0000000000026938  _link                                    /usr/lib/libSystem.B.dylib
0000000000026940  _lstat                                   /usr/lib/libSystem.B.dylib
0000000000026948  _open                                    /usr/lib/libSystem.B.dylib
0000000000026950  _openat                                  /usr/lib/libSystem.B.dylib
0000000000026958  _opendir                                 /usr/lib/libSystem.B.dylib
0000000000026960  _popen                                   /usr/lib/libSystem.B.dylib
0000000000026968  _posix_spawn                             /usr/lib/libSystem.B.dylib
0000000000026970  _posix_spawnp                            /usr/lib/libSystem.B.dylib
0000000000026978  _readdir                                 /usr/lib/libSystem.B.dylib
0000000000026980  _readlink                                /usr/lib/libSystem.B.dylib
0000000000026988  _readlinkat                              /usr/lib/libSystem.B.dylib
0000000000026990  _realpath$DARWIN_EXTSN                   /usr/lib/libSystem.B.dylib
0000000000026998  _remove                                  /usr/lib/libSystem.B.dylib
00000000000269A0  _rename                                  /usr/lib/libSystem.B.dylib
00000000000269A8  _rmdir                                   /usr/lib/libSystem.B.dylib
00000000000269B0  _setegid                                 /usr/lib/libSystem.B.dylib
00000000000269B8  _seteuid                                 /usr/lib/libSystem.B.dylib
00000000000269C0  _setgid                                  /usr/lib/libSystem.B.dylib
00000000000269C8  _setregid                                /usr/lib/libSystem.B.dylib
00000000000269D0  _setreuid                                /usr/lib/libSystem.B.dylib
00000000000269D8  _setuid                                  /usr/lib/libSystem.B.dylib
00000000000269E0  _stat                                    /usr/lib/libSystem.B.dylib
00000000000269E8  _statfs                                  /usr/lib/libSystem.B.dylib
00000000000269F0  _symlink                                 /usr/lib/libSystem.B.dylib
00000000000269F8  _sysctl                                  /usr/lib/libSystem.B.dylib
0000000000026A00  _unlink                                  /usr/lib/libSystem.B.dylib
0000000000026A08  _unlinkat                                /usr/lib/libSystem.B.dylib
0000000000026A10  _vfork                                   /usr/lib/libSystem.B.dylib
0000000000026A18  dyld_stub_binder                         /usr/lib/libSystem.B.dylib
0000000000026A20  __Unwind_Resume                          /usr/lib/libSystem.B.dylib
0000000000026A28  ___error                                 /usr/lib/libSystem.B.dylib
0000000000026A30  ___stack_chk_fail                        /usr/lib/libSystem.B.dylib
0000000000026A38  __dyld_register_func_for_add_image       /usr/lib/libSystem.B.dylib
0000000000026A40  _dirfd                                   /usr/lib/libSystem.B.dylib
0000000000026A48  _dlclose                                 /usr/lib/libSystem.B.dylib
0000000000026A50  _fclose                                  /usr/lib/libSystem.B.dylib
0000000000026A58  _fcntl                                   /usr/lib/libSystem.B.dylib
0000000000026A60  _free                                    /usr/lib/libSystem.B.dylib
0000000000026A68  _getpid                                  /usr/lib/libSystem.B.dylib
0000000000026A70  _strcmp                                  /usr/lib/libSystem.B.dylib
0000000000026A78  _strlen                                  /usr/lib/libSystem.B.dylib
0000000000026850  ___gxx_personality_v0                    /usr/lib/libc++.1.dylib
0000000000026720  _OBJC_CLASS_$_NSObject                   /usr/lib/libobjc.A.dylib
0000000000026728  _OBJC_METACLASS_$_NSObject               /usr/lib/libobjc.A.dylib
0000000000026730  __objc_empty_cache                       /usr/lib/libobjc.A.dylib
0000000000026738  _objc_copyClassNamesForImage             /usr/lib/libobjc.A.dylib
0000000000026740  _objc_copyImageNames                     /usr/lib/libobjc.A.dylib
0000000000026748  _objc_autoreleaseReturnValue             /usr/lib/libobjc.A.dylib
0000000000026750  _objc_enumerationMutation                /usr/lib/libobjc.A.dylib
0000000000026758  _objc_getClass                           /usr/lib/libobjc.A.dylib
0000000000026760  _objc_msgSend                            /usr/lib/libobjc.A.dylib
0000000000026768  _objc_msgSendSuper2                      /usr/lib/libobjc.A.dylib
0000000000026770  _objc_release                            /usr/lib/libobjc.A.dylib
0000000000026778  _objc_retain                             /usr/lib/libobjc.A.dylib
0000000000026780  _objc_retainAutorelease                  /usr/lib/libobjc.A.dylib
0000000000026788  _objc_retainAutoreleasedReturnValue      /usr/lib/libobjc.A.dylib
0000000000026790  _objc_storeStrong                        /usr/lib/libobjc.A.dylib
0000000000026798  _object_getClass                         /usr/lib/libobjc.A.dylib
```

Apart from the system frameworks, the tool references only two frameworks: /Library/Frameworks/Cephei.framework/Cephei and /Library/Frameworks/CydiaSubstrate.framework/CydiaSubstrate.

Take those imports one by one. First:

```
0000000000026830  _OBJC_CLASS_$_HBPreferences  /Library/Frameworks/Cephei.framework/Cephei
```

The symbol _OBJC_CLASS_$_HBPreferences is name-mangled; what it actually imports is the HBPreferences class, which handles the settings UI.

That leaves these three symbols:

```
0000000000026838  _MSGetImageByName  /Library/Frameworks/CydiaSubstrate.framework/CydiaSubstrate
0000000000026840  _MSHookFunction    /Library/Frameworks/CydiaSubstrate.framework/CydiaSubstrate
0000000000026848  _MSHookMessageEx   /Library/Frameworks/CydiaSubstrate.framework/CydiaSubstrate
```

By the same name-mangling rule, these three are MSGetImageByName, MSHookFunction and MSHookMessageEx.
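To make the import-table triage above repeatable, here is an added C helper written for this page (it is not part of Shadow, IDA or any library the article names). It undoes the naming conventions seen in the table and flags imports bound to libraries outside /System and /usr/lib, which is how the two third-party frameworks stand out. The rows embedded in it are copied from the listing above as sample input; the handling of a `$VARIANT` suffix and the choice of system-path prefixes are this example's own assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One row of the IDA imports view: symbol name and the library it binds to. */
struct import_row { const char *name; const char *library; };

/* A handful of rows copied from the listing above (constructed sample input). */
const struct import_row SAMPLE_IMPORTS[] = {
    {"_OBJC_CLASS_$_HBPreferences", "/Library/Frameworks/Cephei.framework/Cephei"},
    {"_MSHookFunction",             "/Library/Frameworks/CydiaSubstrate.framework/CydiaSubstrate"},
    {"_OBJC_CLASS_$_NSFileManager", "/System/Library/Frameworks/Foundation.framework/Foundation"},
    {"_fstat",                      "/usr/lib/libSystem.B.dylib"},
    {"_realpath$DARWIN_EXTSN",      "/usr/lib/libSystem.B.dylib"},
    {"_OBJC_METACLASS_$_NSObject",  "/usr/lib/libobjc.A.dylib"},
    {"dyld_stub_binder",            "/usr/lib/libSystem.B.dylib"},
};
const int SAMPLE_IMPORTS_LEN = (int)(sizeof SAMPLE_IMPORTS / sizeof SAMPLE_IMPORTS[0]);

enum import_kind { KIND_C = 0, KIND_OBJC_CLASS = 1, KIND_OBJC_METACLASS = 2 };

static int starts_with(const char *s, const char *prefix) {
    return strncmp(s, prefix, strlen(prefix)) == 0;
}

/* Undo the conventions seen in the table: "_OBJC_CLASS_$_X" is the ObjC class X,
 * "_OBJC_METACLASS_$_X" its metaclass, and a C symbol carries one leading underscore
 * plus an optional "$VARIANT" suffix (e.g. _realpath$DARWIN_EXTSN -> realpath).
 * Writes the readable name to out and returns the kind. */
enum import_kind demangle_import(const char *sym, char *out, size_t outlen) {
    static const char CLS[] = "_OBJC_CLASS_$_", META[] = "_OBJC_METACLASS_$_";
    enum import_kind kind = KIND_C;
    const char *body = sym;
    if (starts_with(sym, META))     { kind = KIND_OBJC_METACLASS; body = sym + strlen(META); }
    else if (starts_with(sym, CLS)) { kind = KIND_OBJC_CLASS;     body = sym + strlen(CLS); }
    else if (sym[0] == '_')         { body = sym + 1; }   /* Mach-O C symbols carry a leading "_" */
    size_t len = strlen(body);
    if (kind == KIND_C) {
        const char *dollar = strchr(body, '$');
        if (dollar) len = (size_t)(dollar - body);
    }
    if (len >= outlen) len = outlen - 1;
    memcpy(out, body, len);
    out[len] = '\0';
    return kind;
}

/* Apple-shipped libraries live under /System/ or /usr/lib/ (assumption of this example);
 * anything else, here /Library/Frameworks/..., was installed by a third party and is the
 * first thing to look at when triaging an unknown dylib. */
int is_system_library(const char *library) {
    return starts_with(library, "/System/") || starts_with(library, "/usr/lib/");
}

/* Count rows bound to non-system libraries. */
int count_nonsystem_imports(const struct import_row *rows, int n) {
    int count = 0;
    for (int i = 0; i < n; i++)
        if (!is_system_library(rows[i].library)) count++;
    return count;
}

int main(void) {
    char name[128];
    for (int i = 0; i < SAMPLE_IMPORTS_LEN; i++) {
        enum import_kind k = demangle_import(SAMPLE_IMPORTS[i].name, name, sizeof name);
        printf("%-12s %-9s %-20s %s\n",
               is_system_library(SAMPLE_IMPORTS[i].library) ? "system" : "THIRD-PARTY",
               k == KIND_OBJC_CLASS ? "class" : k == KIND_OBJC_METACLASS ? "metaclass" : "C",
               name, SAMPLE_IMPORTS[i].library);
    }
    return 0;
}
```

Run over the full import table, the same classifier reports exactly the two non-system rows the article singles out (Cephei and CydiaSubstrate), and the demangled names make the MS* hooking API visible at a glance.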

Start with MSGetImageByName. Its references:

```
Direction  Type  Address         Text
Up         p     InitFunc_0+64C  BL  _MSGetImageByName
```

There is only one, at InitFunc_0+64C.

In IDA: select the symbol in the imports view and double-click to jump to the location that holds it, select the symbol there, right-click and choose "Jump to xref to operand...", and every reference is listed.

The assembly around that reference:

```asm
__text:000000000000C34C                 ADR             X0, aUsrLibLibsubst_2 ; "/usr/lib/libsubstitute.dylib"
__text:000000000000C350                 NOP
__text:000000000000C354                 STP             X19, X26, [SP,#0x210+var_210]
__text:000000000000C358                 STR             X23, [SP,#0x210+var_200]
__text:000000000000C35C                 BL              _MSGetImageByName
__text:000000000000C360                 MOV             X24, X0
__text:000000000000C364                 NOP
__text:000000000000C368                 LDR             X0, qword_26080 ; void *
__text:000000000000C36C                 NOP
__text:000000000000C370                 LDR             X20, =sel_setUseInjectCompatibilityMode_ ; "setUseInjectCompatibilityMode:"
__text:000000000000C374                 CBZ             X24, loc_C3A0
__text:000000000000C378                 MOV             W2, #0
__text:000000000000C37C                 MOV             X1, X20 ; char *
__text:000000000000C380                 BL              _objc_msgSend
__text:000000000000C384                 B               loc_C3AC
```

So it fetches /usr/lib/libsubstitute.dylib through MSGetImageByName, uses the returned handle to judge whether that file is present (CBZ on X24), and branches accordingly.

```asm
__text:000000000000C354                 STP             X19, X26, [SP,#0x210+var_210]
__text:000000000000C358                 STR             X23, [SP,#0x210+var_200]
```

These two instructions do little here: they are just the compiler's instruction scheduling for optimisation and have nothing to do with this call.

The assembly that handles the handle:

```asm
__text:000000000000C3A0 loc_C3A0                                ; CODE XREF: InitFunc_0+664↑j
__text:000000000000C3A0                 MOV             W2, #1
__text:000000000000C3A4                 MOV             X1, X20 ; char *
__text:000000000000C3A8                 BL              _objc_msgSend
__text:000000000000C3AC
__text:000000000000C3AC loc_C3AC                                ; CODE XREF: InitFunc_0+674↑j
__text:000000000000C3AC                 LDR             X0, [SP,#0x210+var_1E0] ; void *
__text:000000000000C3B0                 MOV             X1, X28 ; char *
__text:000000000000C3B4                 LDR             X2, [SP,#0x210+var_1B8]
__text:000000000000C3B8                 BL              _objc_msgSend
__text:000000000000C3BC                 CBZ             W0, loc_C6A0
__text:000000000000C3C0                 NOP
```

This is nothing more than communication with the preferences manager and can be ignored.

MSHookFunction hooks API functions, while MSHookMessageEx hooks a class's member functions (Objective-C methods).

Hook-point analysis

Start with MSHookFunction and collect all of its references: 57 in total.

```
Direction  Type  Address          Text
Up         p     InitFunc_0+6C8   BL  _MSHookFunction
Up         p     InitFunc_0+6E4   BL  _MSHookFunction
Up         p     InitFunc_0+700   BL  _MSHookFunction
Up         p     InitFunc_0+71C   BL  _MSHookFunction
Up         p     InitFunc_0+8DC   BL  _MSHookFunction
Up         p     InitFunc_0+8F8   BL  _MSHookFunction
Up         p     InitFunc_0+9C4   BL  _MSHookFunction
Up         p     InitFunc_0+9E0   BL  _MSHookFunction
Up         p     InitFunc_0+A9C   BL  _MSHookFunction
Up         p     InitFunc_0+1124  BL  _MSHookFunction
Up         p     InitFunc_0+1140  BL  _MSHookFunction
Up         p     InitFunc_0+115C  BL  _MSHookFunction
Up         p     InitFunc_0+1178  BL  _MSHookFunction
Up         p     InitFunc_0+1194  BL  _MSHookFunction
Up         p     InitFunc_0+11B0  BL  _MSHookFunction
Up         p     InitFunc_0+11CC  BL  _MSHookFunction
Up         p     InitFunc_0+11E8  BL  _MSHookFunction
Up         p     InitFunc_0+1204  BL  _MSHookFunction
Up         p     InitFunc_0+1220  BL  _MSHookFunction
Up         p     InitFunc_0+123C  BL  _MSHookFunction
Up         p     InitFunc_0+1258  BL  _MSHookFunction
Up         p     InitFunc_0+1274  BL  _MSHookFunction
Up         p     InitFunc_0+1290  BL  _MSHookFunction
Up         p     InitFunc_0+12AC  BL  _MSHookFunction
Up         p     InitFunc_0+12C8  BL  _MSHookFunction
Up         p     InitFunc_0+12E4  BL  _MSHookFunction
Up         p     InitFunc_0+1300  BL  _MSHookFunction
Up         p     InitFunc_0+131C  BL  _MSHookFunction
Up         p     InitFunc_0+1338  BL  _MSHookFunction
Up         p     InitFunc_0+1354  BL  _MSHookFunction
Up         p     InitFunc_0+1370  BL  _MSHookFunction
Up         p     InitFunc_0+138C  BL  _MSHookFunction
Up         p     InitFunc_0+13A8  BL  _MSHookFunction
Up         p     InitFunc_0+13C4  BL  _MSHookFunction
Up         p     InitFunc_0+196C  BL  _MSHookFunction
Up         p     InitFunc_0+1988  BL  _MSHookFunction
Up         p     InitFunc_0+1E84  BL  _MSHookFunction
Up         p     InitFunc_0+1EA0  BL  _MSHookFunction
Up         p     InitFunc_0+1EBC  BL  _MSHookFunction
Up         p     InitFunc_0+1ED8  BL  _MSHookFunction
Up         p     InitFunc_0+2168  BL  _MSHookFunction
Up         p     InitFunc_0+2184  BL  _MSHookFunction
Up         p     InitFunc_0+21A0  BL  _MSHookFunction
Up         p     InitFunc_0+21BC  BL  _MSHookFunction
Up         p     InitFunc_0+21D8  BL  _MSHookFunction
Up         p     InitFunc_0+21F4  BL  _MSHookFunction
Up         p     InitFunc_0+2210  BL  _MSHookFunction
Up         p     InitFunc_0+222C  BL  _MSHookFunction
Up         p     InitFunc_0+2248  BL  _MSHookFunction
Up         p     InitFunc_0+2264  BL  _MSHookFunction
Up         p     InitFunc_0+2280  BL  _MSHookFunction
Up         p     InitFunc_0+229C  BL  _MSHookFunction
Up         p     InitFunc_0+22B8  BL  _MSHookFunction
Up         p     InitFunc_0+22D4  BL  _MSHookFunction
Up         p     InitFunc_0+2354  BL  _MSHookFunction
Up         p     InitFunc_0+2370  BL  _MSHookFunction
Up         p     InitFunc_0+23A0  BL  _MSHookFunction
```

Take the first one:

```
Up  p  InitFunc_0+6C8  BL  _MSHookFunction
```

MSHookFunction's prototype is

```c
void MSHookFunction(void *symbol, void *hook, void **old);
```

It finds the function behind symbol, installs hook over it, and stores the original function's address in old.

Given InitFunc_0's location,

```asm
__text:000000000000BD10 InitFunc_0
```

InitFunc_0+6C8 is 000000000000C3D8:

```asm
__text:000000000000C3C4                 LDR             X0, =_fstat
__text:000000000000C3C8                 ADR             X1, sub_E590
__text:000000000000C3CC                 NOP
__text:000000000000C3D0                 ADR             X2, qword_260A8
__text:000000000000C3D4                 NOP
__text:000000000000C3D8                 BL              _MSHookFunction
```

So this site hooks fstat with sub_E590 and saves the original fstat address in qword_260A8. Now look at sub_E590:

```asm
__text:000000000000E590 sub_E590                                ; DATA XREF: InitFunc_0+6B8↑o
__text:000000000000E590
__text:000000000000E590 var_440         = -0x440
__text:000000000000E590 var_438         = -0x438
__text:000000000000E590 var_38          = -0x38
__text:000000000000E590 var_30          = -0x30
__text:000000000000E590 var_20          = -0x20
__text:000000000000E590 var_10          = -0x10
__text:000000000000E590 var_s0          =  0
__text:000000000000E590
__text:000000000000E590                 STP             X28, X27, [SP,#-0x10+var_30]!
__text:000000000000E594                 STP             X22, X21, [SP,#0x30+var_20]
__text:000000000000E598                 STP             X20, X19, [SP,#0x30+var_10]
__text:000000000000E59C                 STP             X29, X30, [SP,#0x30+var_s0]
__text:000000000000E5A0                 ADD             X29, SP, #0x30
__text:000000000000E5A4                 SUB             SP, SP, #0x410
__text:000000000000E5A8                 MOV             X19, X1
__text:000000000000E5AC                 MOV             X20, X0
__text:000000000000E5B0                 NOP
__text:000000000000E5B4                 LDR             X8, =___stack_chk_guard
__text:000000000000E5B8                 LDR             X8, [X8]
__text:000000000000E5BC                 STUR            X8, [X29,#var_38]
__text:000000000000E5C0                 ADD             X8, SP, #0x440+var_438
__text:000000000000E5C4                 STR             X8, [SP,#0x440+var_440]
__text:000000000000E5C8                 MOV             W1, #0x32 ; int
__text:000000000000E5CC                 BL              _fcntl
__text:000000000000E5D0                 CMN             W0, #1
__text:000000000000E5D4                 B.EQ            loc_E6C0
__text:000000000000E5D8                 NOP
__text:000000000000E5DC                 LDR             X0, =_OBJC_CLASS_$_NSFileManager ; void *
__text:000000000000E5E0                 NOP
__text:000000000000E5E4                 LDR             X1, =sel_defaultManager ; "defaultManager"
__text:000000000000E5E8                 BL              _objc_msgSend
__text:000000000000E5EC                 MOV             X29, X29
__text:000000000000E5F0                 BL              _objc_retainAutoreleasedReturnValue
__text:000000000000E5F4                 MOV             X22, X0
__text:000000000000E5F8                 ADD             X0, SP, #0x440+var_438 ; char *
__text:000000000000E5FC                 BL              _strlen
__text:000000000000E600                 MOV             X3, X0
__text:000000000000E604                 NOP
__text:000000000000E608                 LDR             X1, =sel_stringWithFileSystemRepresentation_length_ ; "stringWithFileSystemRepresentation:leng"...
__text:000000000000E60C                 ADD             X2, SP, #0x440+var_438
__text:000000000000E610                 MOV             X0, X22 ; void *
__text:000000000000E614                 BL              _objc_msgSend
__text:000000000000E618                 MOV             X29, X29
__text:000000000000E61C                 BL              _objc_retainAutoreleasedReturnValue
__text:000000000000E620                 MOV             X21, X0
__text:000000000000E624                 MOV             X0, X22
__text:000000000000E628                 BL              _objc_release
__text:000000000000E62C                 NOP
__text:000000000000E630                 LDR             X0, qword_26080 ; void *
__text:000000000000E634                 NOP
__text:000000000000E638                 LDR             X1, =sel_isPathRestricted_ ; "isPathRestricted:"
__text:000000000000E63C                 MOV             X2, X21
__text:000000000000E640                 BL              _objc_msgSend
__text:000000000000E644                 CBZ             W0, loc_E664
__text:000000000000E648                 BL              ___error
__text:000000000000E64C                 MOV             W8, #9
__text:000000000000E650                 STR             W8, [X0]
__text:000000000000E654                 MOV             W20, #0xFFFFFFFF
__text:000000000000E658
__text:000000000000E658 loc_E658                                ; CODE XREF: sub_E590+124↓j
__text:000000000000E658                 MOV             X0, X21
__text:000000000000E65C                 BL              _objc_release
__text:000000000000E660                 B               loc_E6D8
__text:000000000000E664 ; ---------------------------------------------------------------------------
__text:000000000000E664
__text:000000000000E664 loc_E664                                ; CODE XREF: sub_E590+B4↑j
__text:000000000000E664                 CBZ             X19, loc_E6B8
__text:000000000000E668                 NOP
__text:000000000000E66C                 LDR             X1, =sel_isEqualToString_ ; "isEqualToString:"
__text:000000000000E670                 ADR             X2, cfstr_Bin ; "/bin"
__text:000000000000E674                 NOP
__text:000000000000E678                 MOV             X0, X21 ; void *
__text:000000000000E67C                 BL              _objc_msgSend
__text:000000000000E680                 CBZ             W0, loc_E6B8
__text:000000000000E684                 NOP
__text:000000000000E688                 LDR             X8, qword_260A8
__text:000000000000E68C                 MOV             X0, X20
__text:000000000000E690                 MOV             X1, X19
__text:000000000000E694                 BLR             X8
__text:000000000000E698                 CBNZ            W0, loc_E6B8
__text:000000000000E69C                 LDR             X8, [X19,#0x60]
__text:000000000000E6A0                 CMP             X8, #0x80
__text:000000000000E6A4                 B.LE            loc_E6B8
__text:000000000000E6A8                 MOV             W20, #0
__text:000000000000E6AC                 MOV             W8, #0x80
__text:000000000000E6B0                 STR             X8, [X19,#0x60]
__text:000000000000E6B4                 B               loc_E658
__text:000000000000E6B8 ; ---------------------------------------------------------------------------
__text:000000000000E6B8
__text:000000000000E6B8 loc_E6B8                                ; CODE XREF: sub_E590:loc_E664↑j
__text:000000000000E6B8                                         ; sub_E590+F0↑j ...
__text:000000000000E6B8                 MOV             X0, X21
__text:000000000000E6BC                 BL              _objc_release
__text:000000000000E6C0
__text:000000000000E6C0 loc_E6C0                                ; CODE XREF: sub_E590+44↑j
__text:000000000000E6C0                 NOP
__text:000000000000E6C4                 LDR             X8, qword_260A8
__text:000000000000E6C8                 MOV             X0, X20
__text:000000000000E6CC                 MOV             X1, X19
__text:000000000000E6D0                 BLR             X8
__text:000000000000E6D4                 MOV             X20, X0
__text:000000000000E6D8
__text:000000000000E6D8 loc_E6D8                                ; CODE XREF: sub_E590+D0↑j
__text:000000000000E6D8                 LDUR            X8, [X29,#var_38]
__text:000000000000E6DC                 NOP
__text:000000000000E6E0                 LDR             X9, =___stack_chk_guard
__text:000000000000E6E4                 LDR             X9, [X9]
__text:000000000000E6E8                 CMP             X9, X8
__text:000000000000E6EC                 B.NE            loc_E70C
__text:000000000000E6F0                 MOV             X0, X20
__text:000000000000E6F4                 ADD             SP, SP, #0x410
__text:000000000000E6F8                 LDP             X29, X30, [SP,#0x30+var_s0]
__text:000000000000E6FC                 LDP             X20, X19, [SP,#0x30+var_10]
__text:000000000000E700                 LDP             X22, X21, [SP,#0x30+var_20]
__text:000000000000E704                 LDP             X28, X27, [SP+0x30+var_30],#0x40
__text:000000000000E708                 RET
__text:000000000000E70C ; ---------------------------------------------------------------------------
__text:000000000000E70C
__text:000000000000E70C loc_E70C                                ; CODE XREF: sub_E590+15C↑j
__text:000000000000E70C                 BL              ___stack_chk_fail
__text:000000000000E70C ; End of function sub_E590
```

It looks complicated, but all this function does is check, for every path on which fstat is called, whether it lies in a designated restricted directory or under /bin; if so it bypasses the call, otherwise it carries on to the original fstat saved in qword_260A8.
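To check that reading against the listing, here is the hook's decision logic transcribed into plain C as an added model (written for this page; it is not Shadow's source code). The three things the listing reaches out to, `fcntl(fd, 0x32, buf)` (0x32 is F_GETPATH on Darwin), the preferences object's `isPathRestricted:` and the saved original in qword_260A8, are replaced by injected stand-ins over a constructed table of file descriptors, so the model runs off-device; the restricted prefix used by the stand-in is taken from the article's own hook table. It also makes visible the detail the one-line summary glosses over: for a path equal to "/bin" the hook does not refuse the call, it lets the original fstat run and then caps st_size (the field at [X19,#0x60]) at 0x80, while a restricted path fails with errno 9 (EBADF) without the original ever being called.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Only the field the hook touches: st_size, the 8-byte field at offset 0x60 of the
 * 64-bit Darwin struct stat that "[X19,#0x60]" addresses. */
struct model_stat { int64_t st_size; };

/* The hook's three external dependencies, injected so the model runs off-device. */
struct hook_env {
    int (*get_path)(int fd, char *buf, size_t n);       /* stand-in for fcntl(fd, F_GETPATH (0x32), buf) */
    int (*is_restricted)(const char *path);             /* stand-in for [prefs isPathRestricted:] */
    int (*orig_fstat)(int fd, struct model_stat *st);   /* the original fstat saved in qword_260A8 */
};

/* The control flow of sub_E590, transcribed from the listing. */
int shadow_fstat_model(const struct hook_env *env, int fd, struct model_stat *st) {
    char path[1024];                                     /* F_GETPATH wants a MAXPATHLEN buffer */

    /* fcntl returned -1 (the fd has no path): loc_E6C0, just call the original. */
    if (env->get_path(fd, path, sizeof path) == -1)
        return env->orig_fstat(fd, st);

    /* Restricted path: errno = 9 (EBADF), return -1; the original is never called. */
    if (env->is_restricted(path)) {
        errno = EBADF;
        return -1;
    }

    /* loc_E664: the "/bin" special case. Let the original run; if it succeeded and
     * st_size > 0x80, clamp st_size to 0x80 and return 0. */
    if (st != NULL && strcmp(path, "/bin") == 0) {
        if (env->orig_fstat(fd, st) == 0 && st->st_size > 0x80) {
            st->st_size = 0x80;
            return 0;
        }
        /* Otherwise fall through to loc_E6B8/loc_E6C0, where the listing calls the original again. */
    }

    /* loc_E6C0: everything else is passed to the original fstat unchanged. */
    return env->orig_fstat(fd, st);
}

/* ---- constructed fixtures: a fake fd table standing in for the device's file system ---- */
struct fake_file { int fd; const char *path; int64_t size; };
static const struct fake_file FAKE_FDS[] = {
    {3, "/Library/MobileSubstrate/DynamicLibraries/0Shadow.dylib", 728432},
    {4, "/bin", 0x200},
    {5, "/bin", 0x40},
    {6, "/etc/hosts", 213},
};

static const struct fake_file *lookup_fd(int fd) {
    for (size_t i = 0; i < sizeof FAKE_FDS / sizeof FAKE_FDS[0]; i++)
        if (FAKE_FDS[i].fd == fd) return &FAKE_FDS[i];
    return NULL;
}

static int fake_get_path(int fd, char *buf, size_t n) {
    const struct fake_file *f = lookup_fd(fd);
    if (f == NULL) return -1;
    snprintf(buf, n, "%s", f->path);
    return 0;
}

/* Restricted prefix taken from the hook table in the article (the access hook's /Library/MobileSubstrate). */
static int fake_is_restricted(const char *path) {
    static const char prefix[] = "/Library/MobileSubstrate";
    return strncmp(path, prefix, sizeof prefix - 1) == 0;
}

static int fake_orig_fstat(int fd, struct model_stat *st) {
    const struct fake_file *f = lookup_fd(fd);
    if (f == NULL) { errno = EBADF; return -1; }
    if (st != NULL) st->st_size = f->size;
    return 0;
}

const struct hook_env DEMO_HOOK_ENV = { fake_get_path, fake_is_restricted, fake_orig_fstat };

/* Run the model on one fd; reports the return value plus the st_size and errno it left behind. */
int run_fstat_demo(int fd, int64_t *size_out, int *err_out) {
    struct model_stat st = { -1 };
    errno = 0;
    int r = shadow_fstat_model(&DEMO_HOOK_ENV, fd, &st);
    *err_out = errno;
    *size_out = st.st_size;
    return r;
}

int main(void) {
    const int fds[] = {3, 4, 5, 6, 99};
    for (size_t i = 0; i < sizeof fds / sizeof fds[0]; i++) {
        int64_t size; int err;
        int r = run_fstat_demo(fds[i], &size, &err);
        printf("fd %2d -> ret %2d  errno %d  st_size %lld\n", fds[i], r, err, (long long)size);
    }
    return 0;
}
```

The property worth noting for anyone reasoning about detection is that the refusal for a restricted path happens entirely in user space above libSystem and produces the same EBADF a genuinely bad descriptor would, so an app that only looks at the return value of fstat cannot tell the two cases apart from that call alone.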

Applying the same approach to the remaining sites gives this table:

| Original function | What the hook does |
|---|---|
| fstat | bypasses files under a restricted directory or /bin/ |
| dlopen | bypasses restricted images |
| open | bypasses files in restricted directories |
| openat | bypasses files in restricted directories |
| NSVersionOfRunTimeLibrary | bypasses restricted images |
| NSVersionOfLinkTimeLibrary | bypasses restricted images |
| opendir | bypasses restricted directories |
| readdir | bypasses restricted directories |
| csops | post-processes the getpid result |
| access | bypasses restricted directories and paths prefixed with /Library/MobileSubstrate |
| getenv | bypasses DYLD_INSERT_LIBRARIES, _MSSafeMode, _SafeMode |
| fopen | bypasses files in restricted directories |
| freopen | bypasses files in restricted directories |
| stat | bypasses files under a restricted directory or /bin/ |
| lstat | bypasses files under a restricted directory or under /bin/, /Applications, /usr/share, /usr/libexec, /usr/include, /Library/Ringtones, /Library/Wallpaper |
| fstatfs | bypasses restricted directories and paths prefixed with /var, /private/var |
| statfs | bypasses restricted directories and paths prefixed with /var, /private/var |
| posix_spawn | bypasses files in restricted directories |
| posix_spawnp | bypasses files in restricted directories |
| realpath | bypasses paths in restricted directories |
| symlink | bypasses paths in restricted directories |
| rename | bypasses paths in restricted directories |
| unlink | bypasses paths in restricted directories |
| unlinkat | bypasses paths in restricted directories |
| rmdir | bypasses directories under restricted directories |
| chdir | bypasses directories under restricted directories |
| fchdir | bypasses directories under restricted directories |
| link | bypasses paths in restricted directories |
| fstatat | bypasses paths in restricted directories |
| faccessat | bypasses paths in restricted directories |
| chroot | bypasses paths in restricted directories |
| sysctl | fetches all processes from the kernel, compares against the current process, and checks whether the current process is being debugged |
| getppid | bypasses files in restricted directories |
| readlink | bypasses paths in restricted directories |
| readlinkat | bypasses paths in restricted directories |
| _dyld_image_count | bypasses restricted images |
| _dyld_get_image_name | bypasses restricted images |
| dlopen_preflight | bypasses restricted images |
| dladdr | bypasses restricted images |
| creat | bypasses files in restricted directories |
| vfork | returns -1 directly; process creation is refused |
| fork | returns -1 directly; process creation is refused |
| popen | returns 0 directly |
| setgid, setuid, setegid, seteuid, setreuid, setregid | return -1 directly |
| getuid, getgid, geteuid, getegid | return 0x1F5 |
| objc_copyImageNames | returns 0 when the image name matches a particular library |
| objc_copyClassNamesForImage | bypasses restricted images |
| dlsym | returns 0 (bypass) for symbols prefixed with MS, Sub, PS, LM, rocketbootstrap, substitute_, _logos |

再看MSHookMessageEx,它的調(diào)用點(diǎn)有149處。它的原型如下

voidMSHookMessageEx(Class_class,SELmessage,IMPhook,IMP*old);

是找到某個類_class對應(yīng)的成員函數(shù)message,把hook掛在上面,并用old保存原成員函數(shù)地址。

Analysing it the same way as MSHookFunction gives the table below:

Hooked class: what the hook does
SpringBoard: returns results matched against the blacklist
NSData, UIApplication, NSFileManager, NSFileWrapper, NSFileVersion, NSFileHandle, NSURL, NSMutableArray, NSArray, NSMutableDictionary, NSDictionary, NSString: bypasses paths in the restricted directories and restricted URLs
NSBundle: prevents retrieval of SignerIdentity; bypasses paths in the restricted directories and restricted URLs
NSProcessInfo, UIImage: bypasses paths in the restricted directories
NSDirectoryEnumerator: bypasses the restricted directories and restricted URLs for this particular class
UIDevice: hooks isJailbroken, isJailBreak and isJailBroken, all returning 0
JailbreakDetectionVC, DTTJailbreakDetection, GBDeviceInfo, CPWRDeviceInfo, CPWRSessionInfo, KSSystemInfo, FCRSystemMetadata, OneSignalJailbreakDetection: hooks isJailbroken, returning 0
ANSMetadata: hooks computeIsJailbroken and isJailbroken, returning 0
AppsFlyerUtils: hooks isJailBreakon, returning 0
CMARAppRestrictionsDelegate: hooks isDeviceNonCompliant, returning 0
ADYSecurityCheck: hooks isDeviceJailbroken, returning 0
UBReportMetadataDevice: hooks is_rooted, returning 0
UtilitySystem, GemaltoConfiguration: hooks isJailbreak, returning 0
EMDSKPPConfiguration: hooks jailBroken, returning 0
EnrollParameters: hooks jailbroken, returning 0
EMDskppConfigurationBuilder: hooks jailbreakStatus, returning 0
v_VDMap: hooks isJailBrokenDetectedByVOS, isDFPHookedDetecedByVOS, isCodeInjectionDetectedByVOS, isDebuggerCheckDetectedByVOS, isAppSignerCheckDetectedByVOS and v_checkAModified, returning 0
SDMUtils: hooks isJailBroken, returning 0
DigiPassHandler: hooks rootedDeviceTestResult, returning 0
AWMyDeviceGeneralInfo: hooks isCompliant, returning 1

The restricted directories, URLs and images are the following paths, or any path that has one of them as a prefix:

/
/.HFS
/.Trashes
/.ba
/.file
/.mb
/Applications
/Applications/AXUIViewService.app
/Applications/AccountAuthenticationDialog.app
/Applications/ActivityMessagesApp.app
/Applications/AdPlatformsDiagnostics.app
/Applications/AppStore.app
/Applications/AskPermissionUI.app
/Applications/BusinessExtensionsWrapper.app
/Applications/CTCarrierSpaceAuth.app
/Applications/Camera.app
/Applications/CheckerBoard.app
/Applications/CompassCalibrationViewService.app
/Applications/ContinuityCamera.app
/Applications/CoreAuthUI.app
/Applications/DDActionsService.app
/Applications/DNDBuddy.app
/Applications/DataActivation.app
/Applications/DemoApp.app
/Applications/Diagnostics.app
/Applications/DiagnosticsService.app
/Applications/FTMInternal-4.app
/Applications/Family.app
/Applications/Feedback
/Applications/FieldTest.app
/Applications/FindMyiPhone.app
/Applications/FunCameraShapes.app
/Applications/FunCameraText.app
/Applications/GameCenterUIService.app
/Applications/HashtagImages.app
/Applications/Health.app
/Applications/HealthPrivacyService.app
/Applications/HomeUIService.app
/Applications/InCallService.app
/Applications/Magnifier.app
/Applications/MailCompositionService.app
/Applications/MessagesViewService.app
/Applications/MobilePhone.app
/Applications/MobileSMS.app
/Applications/MobileSafari.app
/Applications/MobileSlideShow.app
/Applications/MobileTimer.app
/Applications/MusicUIService.app
/Applications/Passbook.app
/Applications/PassbookUIService.app
/Applications/PhotosViewService.app
/Applications/PreBoard.app
/Applications/Preferences.app
/Applications/Print
/Applications/SIMSetupUIService.app
/Applications/SLGoogleAuth.app
/Applications/SLYahooAuth.app
/Applications/SafariViewService.app
/Applications/ScreenSharingViewService.app
/Applications/ScreenshotServicesService.app
/Applications/Setup.app
/Applications/SharedWebCredentialViewService.app
/Applications/SharingViewService.app
/Applications/SiriViewService.app
/Applications/SoftwareUpdateUIService.app
/Applications/StoreDemoViewService.app
/Applications/StoreKitUIService.app
/Applications/TrustMe.app
/Applications/Utilities
/Applications/VideoSubscriberAccountViewService.app
/Applications/WLAccessService.app
/Applications/Web.app
/Applications/WebApp1.app
/Applications/WebContentAnalysisUI.app
/Applications/WebSheet.app
/Applications/iAdOptOut.app
/Applications/iCloud.app
/Developer
/Library
/Library/Application
/Library/Application
/Library/Application
/Library/Audio
/Library/Caches
/Library/Caches/cy-
/Library/Filesystems
/Library/Frameworks
/Library/Frameworks/Cephei.framework/Cephei
/Library/Frameworks/CydiaSubstrate.framework/CydiaSubstrate
/Library/Internet
/Library/Keychains
/Library/LaunchAgents
/Library/LaunchDaemons
/Library/Logs
/Library/Managed
/Library/MobileDevice
/Library/MobileSubstrate
/Library/MobileSubstrate/DynamicLibraries/0Shadow.dylib
/Library/MusicUISupport
/Library/PreferenceBundles
/Library/Preferences
/Library/Printers
/Library/Ringtones
/Library/SnowBoard
/Library/Themes
/Library/TweakInject
/Library/Updates
/Library/Wallpaper
/System
/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation
/System/Library/Frameworks/Foundation.framework/Foundation
/System/Library/PreferenceBundles/AppList.bundle
/User/Library/Preferences
/bin
/bin/df
/bin/ps
/cores
/dev
/dev/dlci.
/dev/kmem
/dev/mem
/dev/vn0
/dev/vn1
/etc
/etc/asl
/etc/asl.conf
/etc/fstab
/etc/group
/etc/hosts
/etc/hosts.equiv
/etc/master.passwd
/etc/networks
/etc/notify.conf
/etc/passwd
/etc/ppp
/etc/protocols
/etc/racoon
/etc/services
/etc/ttys
/lib
/mnt
/private
/private/etc
/private/system_data
/private/var
/private/var/containers/Bundle/Application
/private/var/mobile/Containers/Bundle/Application
/private/xarts
/sbin
/sbin/fsck
/sbin/launchd
/sbin/mount
/sbin/pfctl
/tmp
/tmp/Substrate
/tmp/amfid_payload.alive
/tmp/amfidebilitate.out
/tmp/com.apple
/tmp/cydia.log
/tmp/jailbreakd.pid
/tmp/org.coolstar
/tmp/slide.txt
/tmp/substrate
/tmp/syslog
/usr
/usr/bin
/usr/bin/DumpBasebandCrash
/usr/bin/PerfPowerServicesExtended
/usr/bin/abmlite
/usr/bin/brctl
/usr/bin/footprint
/usr/bin/hidutil
/usr/bin/hpmdiagnose
/usr/bin/kbdebug
/usr/bin/powerlogHelperd
/usr/bin/sysdiagnose
/usr/bin/tailspin
/usr/bin/taskinfo
/usr/bin/vm_stat
/usr/bin/zprint
/usr/include
/usr/lib
/usr/lib/FDRSealingMap.plist
/usr/lib/TweakInject
/usr/lib/apt
/usr/lib/bash
/usr/lib/bbmasks
/usr/lib/cycript
/usr/lib/dyld
/usr/lib/lib%@.dylib
/usr/lib/libCRFSuite
/usr/lib/libDHCPServer
/usr/lib/libMatch
/usr/lib/libSubstitrate
/usr/lib/libSystem
/usr/lib/libSystem.B.dylib
/usr/lib/libarchive
/usr/lib/libbsm
/usr/lib/libbz2
/usr/lib/libc
/usr/lib/libc++
/usr/lib/libc++.1.dylib
/usr/lib/libcharset
/usr/lib/libcurses
/usr/lib/libdbm
/usr/lib/libdl
/usr/lib/libeasyperf
/usr/lib/libedit
/usr/lib/libexslt
/usr/lib/libextension
/usr/lib/libform
/usr/lib/libiconv
/usr/lib/libicucore
/usr/lib/libinfo
/usr/lib/libipsec
/usr/lib/liblzma
/usr/lib/libm
/usr/lib/libmecab
/usr/lib/libmis.dylib
/usr/lib/libncurses
/usr/lib/libobjc
/usr/lib/libobjc.A.dylib
/usr/lib/libpcap
/usr/lib/libperfcheck
/usr/lib/libpmsample
/usr/lib/libpoll
/usr/lib/libproc
/usr/lib/libpthread
/usr/lib/libresolv
/usr/lib/librpcsvc
/usr/lib/libsandbox
/usr/lib/libsqlite3
/usr/lib/libstdc++
/usr/lib/libsubstitute
/usr/lib/libsubstitute.dylib
/usr/lib/libsubstrate
/usr/lib/libtidy
/usr/lib/libutil
/usr/lib/libxml2
/usr/lib/libxslt
/usr/lib/libz
/usr/lib/log
/usr/lib/substrate
/usr/lib/system
/usr/lib/tweaks
/usr/lib/updaters
/usr/lib/xpc
/usr/libexec
/usr/libexec/BackupAgent
/usr/libexec/BackupAgent2
/usr/libexec/CrashHousekeeping
/usr/libexec/DataDetectorsSourceAccess
/usr/libexec/FSTaskScheduler
/usr/libexec/FinishRestoreFromBackup
/usr/libexec/IOAccelMemoryInfoCollector
/usr/libexec/IOMFB_bics_daemon
/usr/libexec/Library
/usr/libexec/MobileGestaltHelper
/usr/libexec/MobileStorageMounter
/usr/libexec/NANDTaskScheduler
/usr/libexec/OTATaskingAgent
/usr/libexec/PowerUIAgent
/usr/libexec/PreboardService
/usr/libexec/ProxiedCrashCopier
/usr/libexec/PurpleReverseProxy
/usr/libexec/ReportMemoryException
/usr/libexec/SafariCloudHistoryPushAgent
/usr/libexec/SidecarRelay
/usr/libexec/SyncAgent
/usr/libexec/UserEventAgent
/usr/libexec/addressbooksyncd
/usr/libexec/adid
/usr/libexec/adprivacyd
/usr/libexec/adservicesd
/usr/libexec/afcd
/usr/libexec/airtunesd
/usr/libexec/amfid
/usr/libexec/asd
/usr/libexec/assertiond
/usr/libexec/atc
/usr/libexec/atwakeup
/usr/libexec/backboardd
/usr/libexec/biometrickitd
/usr/libexec/bootpd
/usr/libexec/bulletindistributord
/usr/libexec/captiveagent
/usr/libexec/cc_fips_test
/usr/libexec/checkpointd
/usr/libexec/cloudpaird
/usr/libexec/com.apple.automation.defaultslockdownserviced
/usr/libexec/companion_proxy
/usr/libexec/configd
/usr/libexec/corecaptured
/usr/libexec/coreduetd
/usr/libexec/crash_mover
/usr/libexec/dasd
/usr/libexec/demod
/usr/libexec/demod_helper
/usr/libexec/dhcpd
/usr/libexec/diagnosticd
/usr/libexec/diagnosticextensionsd
/usr/libexec/dmd
/usr/libexec/dprivacyd
/usr/libexec/dtrace
/usr/libexec/duetexpertd
/usr/libexec/eventkitsyncd
/usr/libexec/fdrhelper
/usr/libexec/findmydeviced
/usr/libexec/finish_demo_restore
/usr/libexec/fmfd
/usr/libexec/fmflocatord
/usr/libexec/fseventsd
/usr/libexec/ftp-proxy
/usr/libexec/gamecontrollerd
/usr/libexec/gamed
/usr/libexec/gpsd
/usr/libexec/hangreporter
/usr/libexec/hangtracerd
/usr/libexec/heartbeatd
/usr/libexec/hostapd
/usr/libexec/idamd
/usr/libexec/init_data_protection
/usr/libexec/installd
/usr/libexec/ioupsd
/usr/libexec/keybagd
/usr/libexec/languageassetd
/usr/libexec/locationd
/usr/libexec/lockdownd
/usr/libexec/logd
/usr/libexec/lsd
/usr/libexec/lskdd
/usr/libexec/lskdmsed
/usr/libexec/magicswitchd
/usr/libexec/mc_mobile_tunnel
/usr/libexec/microstackshot
/usr/libexec/misagent
/usr/libexec/misd
/usr/libexec/mmaintenanced
/usr/libexec/mobile_assertion_agent
/usr/libexec/mobile_diagnostics_relay
/usr/libexec/mobile_house_arrest
/usr/libexec/mobile_installation_proxy
/usr/libexec/mobile_obliterator
/usr/libexec/mobile_storage_proxy
/usr/libexec/mobileactivationd
/usr/libexec/mobileassetd
/usr/libexec/mobilewatchdog
/usr/libexec/mtmergeprops
/usr/libexec/nanomediaremotelinkagent
/usr/libexec/nanoregistryd
/usr/libexec/nanoregistrylaunchd
/usr/libexec/neagent
/usr/libexec/nehelper
/usr/libexec/nesessionmanager
/usr/libexec/networkserviceproxy
/usr/libexec/nfcd
/usr/libexec/nfrestore_service
/usr/libexec/nlcd
/usr/libexec/notification_proxy
/usr/libexec/nptocompaniond
/usr/libexec/nsurlsessiond
/usr/libexec/nsurlstoraged
/usr/libexec/online-auth-agent
/usr/libexec/oscard
/usr/libexec/pcapd
/usr/libexec/pcsstatus
/usr/libexec/pfd
/usr/libexec/pipelined
/usr/libexec/pkd
/usr/libexec/pkreporter
/usr/libexec/ptpd
/usr/libexec/rapportd
/usr/libexec/replayd
/usr/libexec/resourcegrabberd
/usr/libexec/rolld
/usr/libexec/routined
/usr/libexec/rtbuddyd
/usr/libexec/rtcreportingd
/usr/libexec/safarifetcherd
/usr/libexec/screenshotsyncd
/usr/libexec/security-sysdiagnose
/usr/libexec/securityd
/usr/libexec/securityuploadd
/usr/libexec/seld
/usr/libexec/seputil
/usr/libexec/sharingd
/usr/libexec/signpost_reporter
/usr/libexec/silhouette
/usr/libexec/siriknowledged
/usr/libexec/smcDiagnose
/usr/libexec/splashboardd
/usr/libexec/springboardservicesrelay
/usr/libexec/streaming_zip_conduit
/usr/libexec/swcd
/usr/libexec/symptomsd
/usr/libexec/symptomsd-helper
/usr/libexec/sysdiagnose_helper
/usr/libexec/sysstatuscheck
/usr/libexec/tailspind
/usr/libexec/timed
/usr/libexec/tipsd
/usr/libexec/topicsmap.db
/usr/libexec/transitd
/usr/libexec/trustd
/usr/libexec/tursd
/usr/libexec/tzd
/usr/libexec/tzinit
/usr/libexec/tzlinkd
/usr/libexec/videosubscriptionsd
/usr/libexec/wapic
/usr/libexec/wcd
/usr/libexec/webbookmarksd
/usr/libexec/webinspectord
/usr/libexec/wifiFirmwareLoader
/usr/libexec/wifivelocityd
/usr/libexec/xpcproxy
/usr/libexec/xpcroleaccountd
/usr/local
/usr/local/bin
/usr/local/lib
/usr/local/standalone
/usr/sbin
/usr/sbin/BTAvrcp
/usr/sbin/BTLEServer
/usr/sbin/BTMap
/usr/sbin/BTPbap
/usr/sbin/BlueTool
/usr/sbin/WiFiNetworkStoreModel.momd
/usr/sbin/WirelessRadioManagerd
/usr/sbin/absd
/usr/sbin/addNetworkInterface
/usr/sbin/applecamerad
/usr/sbin/aslmanager
/usr/sbin/bluetoothd
/usr/sbin/cfprefsd
/usr/sbin/ckksctl
/usr/sbin/distnoted
/usr/sbin/fairplayd.H2
/usr/sbin/filecoordinationd
/usr/sbin/ioreg
/usr/sbin/ipconfig
/usr/sbin/mDNSResponder
/usr/sbin/mDNSResponderHelper
/usr/sbin/mediaserverd
/usr/sbin/notifyd
/usr/sbin/nvram
/usr/sbin/pppd
/usr/sbin/racoon
/usr/sbin/rtadvd
/usr/sbin/scutil
/usr/sbin/spindump
/usr/sbin/syslogd
/usr/sbin/wifid
/usr/sbin/wirelessproxd
/usr/share
/usr/share/CSI
/usr/share/com.apple.languageassetd
/usr/share/firmware
/usr/share/icu
/usr/share/langid
/usr/share/locale
/usr/share/mecabra
/usr/share/misc
/usr/share/progressui
/usr/share/tokenizer
/usr/share/zoneinfo
/usr/share/zoneinfo.default
/usr/standalone
/var
/var/.DocumentRevisions
/var/.fseventsd
/var/.overprovisioning_file
/var/Keychains
/var/Managed
/var/MobileAsset
/var/MobileDevice
/var/MobileSoftwareUpdate
/var/audit
/var/backups
/var/buddy
/var/containers
/var/containers/Bundle
/var/containers/Bundle/Application
/var/containers/Bundle/Framework
/var/containers/Bundle/PluginKitPlugin
/var/containers/Bundle/VPNPlugin
/var/containers/Bundle/dylibs
/var/containers/Bundle/tweaksupport
/var/cores
/var/db
/var/db/stash
/var/ea
/var/empty
/var/folders
/var/hardware
/var/installd
/var/internal
/var/keybags
/var/lib
/var/lib/dpkg/info
/var/local
/var/lock
/var/log
/var/log/asl
/var/log/com.apple.xpc.launchd
/var/log/corecaptured.log
/var/log/ppp
/var/log/ppp.log
/var/log/racoon.log
/var/log/sa
/var/logs
/var/mobile
/var/mobile/Applications
/var/mobile/Containers
/var/mobile/Containers/Bundle/Application
/var/mobile/Containers/Data
/var/mobile/Containers/Data/Application
/var/mobile/Containers/Data/InternalDaemon
/var/mobile/Containers/Data/PluginKitPlugin
/var/mobile/Containers/Data/TempDir
/var/mobile/Containers/Data/VPNPlugin
/var/mobile/Containers/Data/XPCService
/var/mobile/Containers/Shared
/var/mobile/Containers/Shared/AppGroup
/var/mobile/Documents
/var/mobile/Downloads
/var/mobile/Library
/var/mobile/Library/Caches
/var/mobile/Library/Caches/.com.apple
/var/mobile/Library/Caches/ACMigrationLock
/var/mobile/Library/Caches/AccountMigrationInProgress
/var/mobile/Library/Caches/AdMob
/var/mobile/Library/Caches/BTAvrcp
/var/mobile/Library/Caches/Checkpoint.plist
/var/mobile/Library/Caches/CloudKit
/var/mobile/Library/Caches/DateFormats.plist
/var/mobile/Library/Caches/FamilyCircle
/var/mobile/Library/Caches/GameKit
/var/mobile/Library/Caches/GeoServices
/var/mobile/Library/Caches/MappedImageCache
/var/mobile/Library/Caches/OTACrashCopier
/var/mobile/Library/Caches/PassKit
/var/mobile/Library/Caches/Snapshots
/var/mobile/Library/Caches/Snapshots/com.apple
/var/mobile/Library/Caches/TelephonyUI
/var/mobile/Library/Caches/Weather
/var/mobile/Library/Caches/cache
/var/mobile/Library/Caches/ckkeyrolld
/var/mobile/Library/Caches/com.apple
/var/mobile/Library/Caches/rtcreportingd
/var/mobile/Library/Caches/sharedCaches
/var/mobile/Library/ControlCenter
/var/mobile/Library/ControlCenter/ModuleConfiguration.plist
/var/mobile/Library/Cydia
/var/mobile/Library/Logs/Cydia
/var/mobile/Library/Preferences
/var/mobile/Library/Preferences/.GlobalPreferences.plist
/var/mobile/Library/Preferences/UITextInputContextIdentifiers.plist
/var/mobile/Library/Preferences/Wallpaper.png
/var/mobile/Library/Preferences/ckkeyrolld.plist
/var/mobile/Library/Preferences/com.apple.
/var/mobile/Library/Preferences/nfcd.plist
/var/mobile/Library/SBSettings
/var/mobile/Library/Sileo
/var/mobile/Media
/var/mobile/MobileSoftwareUpdate
/var/msgs
/var/networkd
/var/preferences
/var/root
/var/run
/var/run/asl_input
/var/run/configd.pid
/var/run/fudinit
/var/run/lockbot
/var/run/lockdown
/var/run/lockdown.sock
/var/run/lockdown_first_run
/var/run/mDNSResponder
/var/run/pppconfd
/var/run/printd
/var/run/syslog
/var/run/syslog.pid
/var/run/utmpx
/var/run/vpncontrol.sock
/var/spool
/var/staged_system_apps
/var/tmp
/var/vm
/var/wireless

Besides the directories above, paths matching these names are also bypassed:

list
firmware-sbin.list
gsc.firmware-sbin.list

Paths containing any of these strings are bypassed as well:

Substrate
substrate
substitute
Substitrate
TweakInject
jailbreak
cycript
SBInject
pspawn
rocketbootstrap
bfdecrypt

URLs containing either of these patterns are bypassed:

cydia
sileo

Detection

From the above, this jailbreak tool puts a lot of bypass measures in place at the directory and system-API level, but there are still places it does not cover.

Measured against the points listed under the basic approach, the picture is roughly:

Protecting access to environment variables ---- partially

Preventing execution of certain commands --- no

Preventing access to certain paths ---- yes

Preventing access to certain system parameters -- partially

Hooking certain system calls --- partially

A detection scheme can therefore look like this:

mkdir is not hooked: use mkdir to create a subdirectory under a directory that is normally not accessible; if that succeeds, the device is jailbroken.

execve is not hooked: try to execute a program that normally cannot be executed; if that succeeds, the device is jailbroken.

ptrace is not hooked: use it to debug the process itself; if that succeeds, the device is jailbroken.

Create a library that defines some functions whose names start with MS, Sub, PS, LM, rocketbootstrap, substitute_ or _logos; if dlsym fails to resolve them, the device is jailbroken.

Only sysctl is hooked; sysctlbyname and sysctlnametomib are not, so these two functions can be used to obtain process information. Nor does the sysctl hook handle every case, for example retrieving hardware information is not covered. If these three calls return information that should require higher privileges, the device is jailbroken.

Without importing any other jailbreak-detection library, implement a class and method with the same names, for example SDMUtils with the method isJailBroken, whose only possible return value is 1. If calling this method returns 0, the device is jailbroken.
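The dlsym canary idea above can be made concrete. The following is an added example written for this post, not Shadow's code and not code from the original article. It assumes three hypothetical exported functions of our own, substitute_probe_canary and MSProbeCanary (both carrying prefixes from Shadow's dlsym blocklist) and probe_canary_plain (no blocked prefix, used as a control). A genuine dlsym resolves all three to the addresses the linker already gave us; a dlsym that answers 0 for the two prefixed names while still resolving the plain control and an ordinary libc symbol is behaving exactly like the hook described in the table. The control keeps the check honest: if the plain canary is not visible either, the symbols simply were not exported and the verdict is "undecided" rather than a false positive.

```c
/* Added example: dlsym canary check (hypothetical names, not Shadow's
 * or the original post's code).  Build on Linux with
 *   gcc -rdynamic probe.c -ldl
 * so the executable's own symbols are visible to dlsym; on iOS the
 * canaries would live in the app's own dylib, as the post suggests. */
#include <dlfcn.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Canary symbols.  The first two use prefixes that the hooked dlsym
 * refuses to resolve; the third is a control with an ordinary name. */
int substitute_probe_canary(void) { return 1; }
int MSProbeCanary(void) { return 2; }
int probe_canary_plain(void) { return 3; }

/* Prefixes that the hooked dlsym answers with 0 (from the table above). */
static const char *const hidden_prefixes[] = {
    "MS", "Sub", "PS", "LM", "rocketbootstrap", "substitute_", "_logos", NULL
};

/* Returns 1 if a hooked dlsym would refuse to resolve this name. */
int name_has_hidden_prefix(const char *sym) {
    for (const char *const *p = hidden_prefixes; *p; ++p)
        if (strncmp(sym, *p, strlen(*p)) == 0) return 1;
    return 0;
}

typedef enum {
    CANARY_VISIBLE = 0,   /* dlsym returned the address we linked against */
    CANARY_HIDDEN = 1,    /* dlsym returned NULL: hook behaviour, or symbol not exported */
    CANARY_TAMPERED = 2   /* dlsym returned some other address */
} canary_result;

/* Resolve `name` through dlsym on the main program's handle and compare
 * it with the address the linker gave us for the same function. */
canary_result probe_canary(const char *name, void *expected) {
    void *self = dlopen(NULL, RTLD_NOW);
    if (!self) return CANARY_HIDDEN;
    void *got = dlsym(self, name);
    dlclose(self);
    if (got == NULL) return CANARY_HIDDEN;
    return got == expected ? CANARY_VISIBLE : CANARY_TAMPERED;
}

/* Control: an ordinary libc symbol that any working dlsym can find. */
int control_symbol_visible(void) {
    void *self = dlopen(NULL, RTLD_NOW);
    if (!self) return 0;
    void *got = dlsym(self, "strlen");
    dlclose(self);
    return got != NULL;
}

/* Verdict: 1 = dlsym filters the prefixed canaries while resolving the
 * plain one (consistent with the hook), 0 = everything resolves normally,
 * -1 = cannot decide (our symbols are not exported, or dlsym is unusable). */
int dlsym_canary_verdict(void) {
    if (!control_symbol_visible()) return -1;
    if (probe_canary("probe_canary_plain", (void *)probe_canary_plain) != CANARY_VISIBLE)
        return -1;
    canary_result a = probe_canary("substitute_probe_canary", (void *)substitute_probe_canary);
    canary_result b = probe_canary("MSProbeCanary", (void *)MSProbeCanary);
    if (a == CANARY_VISIBLE && b == CANARY_VISIBLE) return 0;
    return 1;   /* hidden or redirected: something is intercepting symbol lookup */
}

int main(void) {
    int v = dlsym_canary_verdict();
    printf("dlsym canary verdict: %d (1 = filtered, 0 = normal, -1 = undecided)\n", v);
    return 0;
}
```

The point of the control symbols is that a verdict of 1 requires dlsym to succeed on an ordinary name and on our own plain export in the same process, so a stripped binary or a missing -rdynamic produces -1 instead of a false "jailbroken". Combine this with the other unhooked checks listed above rather than relying on it alone.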

There are many more, but I am not familiar with iOS or its system calls, so I can only offer these.

Reviewing editor: Liu Qing


Original title: Analysis and detection of Shadow, an iOS jailbreak tool with anti-detection capability

Source: [WeChat ID: 哆啦安全, WeChat official account: 哆啦安全]. Please credit the source when reposting this article.
