Analysis tool: IDA 7.0

Basic approach

Before analysing the jailbreak tool Shadow, note that every jailbreak tool works by injecting into processes and hooking them. By scope, injection falls into two categories:

- user-mode injection, through a dynamic library
- kernel-mode injection, through a driver

Developing a driver for Apple's systems requires Apple's authorization, so a jailbreak tool cannot take that route; user-mode injection is the only option.

Analysing such a tool therefore requires understanding how dynamic libraries are loaded when a process starts, which brings us to the iOS process startup model.

This article proceeds as follows:

- iOS process startup model
- Dependency analysis
- Hook point analysis
iOS process startup model

iOS is a Unix derivative, and in the Unix family process startup roughly follows this model:

1. Load the executable, located by absolute path, by relative path, or by searching the paths listed in an environment variable.
2. Load the dynamic libraries the executable depends on (its import table), located by absolute path, by relative path, or by searching the paths given by environment variables and system configuration.
3. Resolve all symbols and start the process.
4. The process handles its input arguments and configuration files.

From this, only steps 1 and 2 offer an opportunity for injection.

In the Unix family, the environment variable tied to executable loading is generally **PATH**, a list of executable directories such as /bin, /usr/bin and /usr/local/bin, and it can normally be set by the user. The search walks the list in order and stops at the first match. Suppose the variable is set to

```
PATH=/bin:/usr/bin:/usr/local/bin
```

and every one of those directories contains an ls executable: running ls will only ever execute /bin/ls.

If a jailbreak tool wanted to inject at this step, it would have to build a sandbox that takes over all program execution. Every user-mode process would then become its child, and the sandbox could freely change the child's environment variables to perform static injection, or even use system calls such as ptrace for dynamic injection. This approach would evade jailbreak detection very well.
In the Unix family, the environment variables and system configuration related to dynamic library loading differ from system to system.

iOS walks the path lists held in the following environment variables in this order; once the wanted dynamic library is found in one of them, that search stops and the loader moves on to the next library:

- DYLD_INSERT_LIBRARIES
- DYLD_VERSIONED_FRAMEWORK_PATH
- DYLD_FRAMEWORK_PATH
- DYLD_LIBRARY_PATH
- DYLD_FALLBACK_FRAMEWORK_PATH
- DYLD_FALLBACK_LIBRARY_PATH
Today many apps detect whether iOS is jailbroken by doing the following:

- accessing directories and files that only root can access, for reading or writing
- executing commands that only root can execute
- accessing or changing environment variables that only root can access
- invoking system calls that only root can invoke
- accessing system parameters that only root can access

Given the startup model analysed above, a jailbreak tool that wants to resist detection must:

- protect access to environment variables
- block execution of certain commands
- block access to certain paths
- block access to certain system parameters
- hook certain system calls
Dependency analysis

With that groundwork done, let's look at what this jailbreak tool actually consists of.

Extracting me.jjolano.shadow_2.0.20_iphoneos-arm.deb gives roughly the following directory tree:

```
PS D:\Library> Get-ChildItem -Recurse

    目錄: D:\Library

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        2019/8/2      1:59                MobileSubstrate
d-----        2019/8/2      1:59                PreferenceBundles
d-----        2019/8/2      1:59                PreferenceLoader

    目錄: D:\Library\MobileSubstrate

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        2019/8/2      1:59                DynamicLibraries

    目錄: D:\Library\MobileSubstrate\DynamicLibraries

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        2019/8/2      1:59         728432 0Shadow.dylib
-a----        2019/8/2      1:59             87 0Shadow.plist

    目錄: D:\Library\PreferenceBundles

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        2019/8/2      1:59                ShadowPreferences.bundle

    目錄: D:\Library\PreferenceBundles\ShadowPreferences.bundle

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        2019/7/14     1:29                en.lproj
-a---l        2021/4/10     0:27              0 Base.lproj
-a----        2019/8/2      1:59            751 Icon-Small.png
-a----        2019/8/2      1:59           1610 Icon-Small@2x.png
-a----        2019/8/2      1:59           2693 Icon-Small@3x.png
-a----        2019/8/2      1:59            404 Info.plist
-a----        2019/8/2      1:59           3123 Root.plist
-a----        2019/7/29     4:37         265808 ShadowPreferences

    目錄: D:\Library\PreferenceBundles\ShadowPreferences.bundle\en.lproj

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        2019/8/2      1:59           3915 Root.strings

    目錄: D:\Library\PreferenceLoader

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        2019/8/2      1:59                Preferences

    目錄: D:\Library\PreferenceLoader\Preferences

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        2019/8/2      1:59            199 ShadowPreferences.plist
```

Going by size, only D:\Library\MobileSubstrate\DynamicLibraries\0Shadow.dylib is worth analysing. Opening it in IDA and looking at the import table:
```
Address           Name                                    Library
0000000000026830  _OBJC_CLASS_$_HBPreferences             /Library/Frameworks/Cephei.framework/Cephei
0000000000026838  _MSGetImageByName                       /Library/Frameworks/CydiaSubstrate.framework/CydiaSubstrate
0000000000026840  _MSHookFunction                         /Library/Frameworks/CydiaSubstrate.framework/CydiaSubstrate
0000000000026848  _MSHookMessageEx                        /Library/Frameworks/CydiaSubstrate.framework/CydiaSubstrate
0000000000026800  _OBJC_CLASS_$_NSArray                   /System/Library/Frameworks/CoreFoundation.framework/CoreFoundation
0000000000026808  _OBJC_CLASS_$_NSDictionary              /System/Library/Frameworks/CoreFoundation.framework/CoreFoundation
0000000000026810  _OBJC_CLASS_$_NSMutableArray            /System/Library/Frameworks/CoreFoundation.framework/CoreFoundation
0000000000026818  _OBJC_CLASS_$_NSMutableDictionary       /System/Library/Frameworks/CoreFoundation.framework/CoreFoundation
0000000000026820  _OBJC_CLASS_$_NSURL                     /System/Library/Frameworks/CoreFoundation.framework/CoreFoundation
0000000000026828  ___CFConstantStringClassReference       /System/Library/Frameworks/CoreFoundation.framework/CoreFoundation
00000000000267A0  _NSCocoaErrorDomain                     /System/Library/Frameworks/Foundation.framework/Foundation
00000000000267A8  _NSLocalizedDescriptionKey              /System/Library/Frameworks/Foundation.framework/Foundation
00000000000267B0  _NSLocalizedFailureReasonErrorKey       /System/Library/Frameworks/Foundation.framework/Foundation
00000000000267B8  _NSLocalizedRecoverySuggestionErrorKey  /System/Library/Frameworks/Foundation.framework/Foundation
00000000000267C0  _OBJC_CLASS_$_NSBundle                  /System/Library/Frameworks/Foundation.framework/Foundation
00000000000267C8  _OBJC_CLASS_$_NSCharacterSet            /System/Library/Frameworks/Foundation.framework/Foundation
00000000000267D0  _OBJC_CLASS_$_NSError                   /System/Library/Frameworks/Foundation.framework/Foundation
00000000000267D8  _OBJC_CLASS_$_NSFileManager             /System/Library/Frameworks/Foundation.framework/Foundation
00000000000267E0  _OBJC_CLASS_$_NSNumber                  /System/Library/Frameworks/Foundation.framework/Foundation
00000000000267E8  _OBJC_CLASS_$_NSProcessInfo             /System/Library/Frameworks/Foundation.framework/Foundation
00000000000267F0  _OBJC_CLASS_$_NSString                  /System/Library/Frameworks/Foundation.framework/Foundation
00000000000267F8  _OBJC_CLASS_$_NSValue                   /System/Library/Frameworks/Foundation.framework/Foundation
0000000000026858  _NSVersionOfLinkTimeLibrary             /usr/lib/libSystem.B.dylib
0000000000026860  _NSVersionOfRunTimeLibrary              /usr/lib/libSystem.B.dylib
0000000000026868  ___stack_chk_guard                      /usr/lib/libSystem.B.dylib
0000000000026870  __dyld_get_image_name                   /usr/lib/libSystem.B.dylib
0000000000026878  __dyld_image_count                      /usr/lib/libSystem.B.dylib
0000000000026880  _access                                 /usr/lib/libSystem.B.dylib
0000000000026888  _chdir                                  /usr/lib/libSystem.B.dylib
0000000000026890  _chroot                                 /usr/lib/libSystem.B.dylib
0000000000026898  _creat                                  /usr/lib/libSystem.B.dylib
00000000000268A0  _csops                                  /usr/lib/libSystem.B.dylib
00000000000268A8  _dladdr                                 /usr/lib/libSystem.B.dylib
00000000000268B0  _dlopen                                 /usr/lib/libSystem.B.dylib
00000000000268B8  _dlopen_preflight                       /usr/lib/libSystem.B.dylib
00000000000268C0  _dlsym                                  /usr/lib/libSystem.B.dylib
00000000000268C8  _faccessat                              /usr/lib/libSystem.B.dylib
00000000000268D0  _fchdir                                 /usr/lib/libSystem.B.dylib
00000000000268D8  _fopen                                  /usr/lib/libSystem.B.dylib
00000000000268E0  _fork                                   /usr/lib/libSystem.B.dylib
00000000000268E8  _freopen                                /usr/lib/libSystem.B.dylib
00000000000268F0  _fstat                                  /usr/lib/libSystem.B.dylib
00000000000268F8  _fstatat                                /usr/lib/libSystem.B.dylib
0000000000026900  _fstatfs                                /usr/lib/libSystem.B.dylib
0000000000026908  _getegid                                /usr/lib/libSystem.B.dylib
0000000000026910  _getenv                                 /usr/lib/libSystem.B.dylib
0000000000026918  _geteuid                                /usr/lib/libSystem.B.dylib
0000000000026920  _getgid                                 /usr/lib/libSystem.B.dylib
0000000000026928  _getppid                                /usr/lib/libSystem.B.dylib
0000000000026930  _getuid                                 /usr/lib/libSystem.B.dylib
0000000000026938  _link                                   /usr/lib/libSystem.B.dylib
0000000000026940  _lstat                                  /usr/lib/libSystem.B.dylib
0000000000026948  _open                                   /usr/lib/libSystem.B.dylib
0000000000026950  _openat                                 /usr/lib/libSystem.B.dylib
0000000000026958  _opendir                                /usr/lib/libSystem.B.dylib
0000000000026960  _popen                                  /usr/lib/libSystem.B.dylib
0000000000026968  _posix_spawn                            /usr/lib/libSystem.B.dylib
0000000000026970  _posix_spawnp                           /usr/lib/libSystem.B.dylib
0000000000026978  _readdir                                /usr/lib/libSystem.B.dylib
0000000000026980  _readlink                               /usr/lib/libSystem.B.dylib
0000000000026988  _readlinkat                             /usr/lib/libSystem.B.dylib
0000000000026990  _realpath$DARWIN_EXTSN                  /usr/lib/libSystem.B.dylib
0000000000026998  _remove                                 /usr/lib/libSystem.B.dylib
00000000000269A0  _rename                                 /usr/lib/libSystem.B.dylib
00000000000269A8  _rmdir                                  /usr/lib/libSystem.B.dylib
00000000000269B0  _setegid                                /usr/lib/libSystem.B.dylib
00000000000269B8  _seteuid                                /usr/lib/libSystem.B.dylib
00000000000269C0  _setgid                                 /usr/lib/libSystem.B.dylib
00000000000269C8  _setregid                               /usr/lib/libSystem.B.dylib
00000000000269D0  _setreuid                               /usr/lib/libSystem.B.dylib
00000000000269D8  _setuid                                 /usr/lib/libSystem.B.dylib
00000000000269E0  _stat                                   /usr/lib/libSystem.B.dylib
00000000000269E8  _statfs                                 /usr/lib/libSystem.B.dylib
00000000000269F0  _symlink                                /usr/lib/libSystem.B.dylib
00000000000269F8  _sysctl                                 /usr/lib/libSystem.B.dylib
0000000000026A00  _unlink                                 /usr/lib/libSystem.B.dylib
0000000000026A08  _unlinkat                               /usr/lib/libSystem.B.dylib
0000000000026A10  _vfork                                  /usr/lib/libSystem.B.dylib
0000000000026A18  dyld_stub_binder                        /usr/lib/libSystem.B.dylib
0000000000026A20  __Unwind_Resume                         /usr/lib/libSystem.B.dylib
0000000000026A28  ___error                                /usr/lib/libSystem.B.dylib
0000000000026A30  ___stack_chk_fail                       /usr/lib/libSystem.B.dylib
0000000000026A38  __dyld_register_func_for_add_image      /usr/lib/libSystem.B.dylib
0000000000026A40  _dirfd                                  /usr/lib/libSystem.B.dylib
0000000000026A48  _dlclose                                /usr/lib/libSystem.B.dylib
0000000000026A50  _fclose                                 /usr/lib/libSystem.B.dylib
0000000000026A58  _fcntl                                  /usr/lib/libSystem.B.dylib
0000000000026A60  _free                                   /usr/lib/libSystem.B.dylib
0000000000026A68  _getpid                                 /usr/lib/libSystem.B.dylib
0000000000026A70  _strcmp                                 /usr/lib/libSystem.B.dylib
0000000000026A78  _strlen                                 /usr/lib/libSystem.B.dylib
0000000000026850  ___gxx_personality_v0                   /usr/lib/libc++.1.dylib
0000000000026720  _OBJC_CLASS_$_NSObject                  /usr/lib/libobjc.A.dylib
0000000000026728  _OBJC_METACLASS_$_NSObject              /usr/lib/libobjc.A.dylib
0000000000026730  __objc_empty_cache                      /usr/lib/libobjc.A.dylib
0000000000026738  _objc_copyClassNamesForImage            /usr/lib/libobjc.A.dylib
0000000000026740  _objc_copyImageNames                    /usr/lib/libobjc.A.dylib
0000000000026748  _objc_autoreleaseReturnValue            /usr/lib/libobjc.A.dylib
0000000000026750  _objc_enumerationMutation               /usr/lib/libobjc.A.dylib
0000000000026758  _objc_getClass                          /usr/lib/libobjc.A.dylib
0000000000026760  _objc_msgSend                           /usr/lib/libobjc.A.dylib
0000000000026768  _objc_msgSendSuper2                     /usr/lib/libobjc.A.dylib
0000000000026770  _objc_release                           /usr/lib/libobjc.A.dylib
0000000000026778  _objc_retain                            /usr/lib/libobjc.A.dylib
0000000000026780  _objc_retainAutorelease                 /usr/lib/libobjc.A.dylib
0000000000026788  _objc_retainAutoreleasedReturnValue     /usr/lib/libobjc.A.dylib
0000000000026790  _objc_storeStrong                       /usr/lib/libobjc.A.dylib
0000000000026798  _object_getClass                        /usr/lib/libobjc.A.dylib
```
Apart from system frameworks, the tool references only two frameworks: /Library/Frameworks/Cephei.framework/Cephei and /Library/Frameworks/CydiaSubstrate.framework/CydiaSubstrate.

Looking at these imports in turn:

```
0000000000026830  _OBJC_CLASS_$_HBPreferences  /Library/Frameworks/Cephei.framework/Cephei
```

The symbol _OBJC_CLASS_$_HBPreferences has been name-mangled; what it actually imports is the class HBPreferences, which handles the settings exposed in the preferences UI.

That leaves just three symbols:

```
0000000000026838  _MSGetImageByName  /Library/Frameworks/CydiaSubstrate.framework/CydiaSubstrate
0000000000026840  _MSHookFunction    /Library/Frameworks/CydiaSubstrate.framework/CydiaSubstrate
0000000000026848  _MSHookMessageEx   /Library/Frameworks/CydiaSubstrate.framework/CydiaSubstrate
```

By the same name-mangling rule, these three are actually MSGetImageByName, MSHookFunction and MSHookMessageEx.
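As an added helper (not part of Shadow or of the page's IDA session), the following C parser reads rows of the flattened import listing above, applies the name-mangling rules just described, and flags the images that are not system libraries, which is the check used above to single out Cephei and CydiaSubstrate. Treating only /System/ and /usr/lib/ as system images is an assumption of this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

typedef enum { SYM_C, SYM_OBJC_CLASS, SYM_OBJC_METACLASS, SYM_RAW } sym_kind;

typedef struct {
    unsigned long long address;   /* import slot address, the first column */
    sym_kind kind;
    char name[128];               /* unmangled name: "HBPreferences", "realpath", ... */
    char variant[32];             /* text after '$' in names such as realpath$DARWIN_EXTSN */
    char library[256];            /* image that provides the symbol */
    int third_party;              /* 1 unless the image lives under /System/ or /usr/lib/ (assumed rule) */
} import_entry;

static void copy_n(char *dst, size_t cap, const char *src, size_t len) {
    if (len >= cap) len = cap - 1;
    memcpy(dst, src, len);
    dst[len] = '\0';
}

/* Undo the Mach-O name mangling described in the text:
 *   _OBJC_CLASS_$_Foo     -> Objective-C class Foo
 *   _OBJC_METACLASS_$_Foo -> Objective-C metaclass Foo
 *   _name, _name$VARIANT  -> C symbol name (every C symbol gets a leading '_')
 * Anything without the leading underscore (dyld_stub_binder) is kept verbatim. */
static void unmangle(const char *sym, import_entry *e) {
    static const char cls[]  = "_OBJC_CLASS_$_";
    static const char meta[] = "_OBJC_METACLASS_$_";
    if (strncmp(sym, cls, sizeof cls - 1) == 0) {
        e->kind = SYM_OBJC_CLASS;
        copy_n(e->name, sizeof e->name, sym + sizeof cls - 1, strlen(sym) - (sizeof cls - 1));
    } else if (strncmp(sym, meta, sizeof meta - 1) == 0) {
        e->kind = SYM_OBJC_METACLASS;
        copy_n(e->name, sizeof e->name, sym + sizeof meta - 1, strlen(sym) - (sizeof meta - 1));
    } else if (sym[0] != '_') {
        e->kind = SYM_RAW;
        copy_n(e->name, sizeof e->name, sym, strlen(sym));
    } else {
        const char *body = sym + 1;
        const char *dollar = strchr(body, '$');
        e->kind = SYM_C;
        if (dollar != NULL) {
            copy_n(e->name, sizeof e->name, body, (size_t)(dollar - body));
            copy_n(e->variant, sizeof e->variant, dollar + 1, strlen(dollar + 1));
        } else {
            copy_n(e->name, sizeof e->name, body, strlen(body));
        }
    }
}

/* Parse one row of the flattened IDA import listing, in which the 16-digit
 * address, the symbol and the library path run together with no separator:
 *   0000000000026830_OBJC_CLASS_$_HBPreferences/Library/Frameworks/Cephei.framework/Cephei
 * Returns 0 on success, -1 if the row does not have that shape. */
int parse_import_row(const char *row, import_entry *e) {
    memset(e, 0, sizeof *e);
    for (int i = 0; i < 16; i++)                 /* stops at NUL, so short rows are safe */
        if (!isxdigit((unsigned char)row[i])) return -1;
    if (sscanf(row, "%16llx", &e->address) != 1) return -1;
    const char *sym = row + 16;
    const char *lib = strchr(sym, '/');          /* symbols carry no '/', paths start with one */
    if (lib == NULL || lib == sym) return -1;
    char symbuf[160];
    copy_n(symbuf, sizeof symbuf, sym, (size_t)(lib - sym));
    unmangle(symbuf, e);
    copy_n(e->library, sizeof e->library, lib, strlen(lib));
    e->third_party = !(strncmp(lib, "/System/", 8) == 0 || strncmp(lib, "/usr/lib/", 9) == 0);
    return 0;
}

/* Count the rows whose image is outside /System/ and /usr/lib/: the check the
 * text applies to find Cephei and CydiaSubstrate among the imports. */
int count_third_party(const char *const *rows, int n) {
    int found = 0;
    import_entry e;
    for (int i = 0; i < n; i++)
        if (parse_import_row(rows[i], &e) == 0 && e.third_party) found++;
    return found;
}
```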
Start with MSGetImageByName. Looking at its references:

```
Direction  Type  Address         Text
Up         p     InitFunc_0+64C  BL _MSGetImageByName
```

There is only one, at InitFunc_0+64C.

In IDA: select the symbol in the import table, double-click to jump to its location in the code, select the symbol there, right-click and choose "Jump to xref to operand..." to list all references.
The assembly that references it:

```
__text:000000000000C34C    ADR   X0, aUsrLibLibsubst_2 ; "/usr/lib/libsubstitute.dylib"
__text:000000000000C350    NOP
__text:000000000000C354    STP   X19, X26, [SP,#0x210+var_210]
__text:000000000000C358    STR   X23, [SP,#0x210+var_200]
__text:000000000000C35C    BL    _MSGetImageByName
__text:000000000000C360    MOV   X24, X0
__text:000000000000C364    NOP
__text:000000000000C368    LDR   X0, qword_26080 ; void *
__text:000000000000C36C    NOP
__text:000000000000C370    LDR   X20, =sel_setUseInjectCompatibilityMode_ ; "setUseInjectCompatibilityMode:"
__text:000000000000C374    CBZ   X24, loc_C3A0
__text:000000000000C378    MOV   W2, #0
__text:000000000000C37C    MOV   X1, X20 ; char *
__text:000000000000C380    BL    _objc_msgSend
__text:000000000000C384    B     loc_C3AC
```

So it passes /usr/lib/libsubstitute.dylib to MSGetImageByName, tests the returned handle to see whether that library is present, and branches on the result.
```
__text:000000000000C354    STP   X19, X26, [SP,#0x210+var_210]
__text:000000000000C358    STR   X23, [SP,#0x210+var_200]
```

These two instructions serve no purpose here; the compiler scheduled them into this spot as an optimization, and they have nothing to do with the call.
The assembly that consumes the handle:

```
__text:000000000000C3A0 loc_C3A0                ; CODE XREF: InitFunc_0+664↑j
__text:000000000000C3A0    MOV   W2, #1
__text:000000000000C3A4    MOV   X1, X20 ; char *
__text:000000000000C3A8    BL    _objc_msgSend
__text:000000000000C3AC
__text:000000000000C3AC loc_C3AC                ; CODE XREF: InitFunc_0+674↑j
__text:000000000000C3AC    LDR   X0, [SP,#0x210+var_1E0] ; void *
__text:000000000000C3B0    MOV   X1, X28 ; char *
__text:000000000000C3B4    LDR   X2, [SP,#0x210+var_1B8]
__text:000000000000C3B8    BL    _objc_msgSend
__text:000000000000C3BC    CBZ   W0, loc_C6A0
__text:000000000000C3C0    NOP
```

is nothing more than communication with the preferences manager and can be ignored.

MSHookFunction hooks C APIs, while MSHookMessageEx hooks class methods.
Hook point analysis

First MSHookFunction. Collecting all of its reference points gives 57:

```
Direction  Type  Address          Text
Up         p     InitFunc_0+6C8   BL _MSHookFunction
Up         p     InitFunc_0+6E4   BL _MSHookFunction
Up         p     InitFunc_0+700   BL _MSHookFunction
Up         p     InitFunc_0+71C   BL _MSHookFunction
Up         p     InitFunc_0+8DC   BL _MSHookFunction
Up         p     InitFunc_0+8F8   BL _MSHookFunction
Up         p     InitFunc_0+9C4   BL _MSHookFunction
Up         p     InitFunc_0+9E0   BL _MSHookFunction
Up         p     InitFunc_0+A9C   BL _MSHookFunction
Up         p     InitFunc_0+1124  BL _MSHookFunction
Up         p     InitFunc_0+1140  BL _MSHookFunction
Up         p     InitFunc_0+115C  BL _MSHookFunction
Up         p     InitFunc_0+1178  BL _MSHookFunction
Up         p     InitFunc_0+1194  BL _MSHookFunction
Up         p     InitFunc_0+11B0  BL _MSHookFunction
Up         p     InitFunc_0+11CC  BL _MSHookFunction
Up         p     InitFunc_0+11E8  BL _MSHookFunction
Up         p     InitFunc_0+1204  BL _MSHookFunction
Up         p     InitFunc_0+1220  BL _MSHookFunction
Up         p     InitFunc_0+123C  BL _MSHookFunction
Up         p     InitFunc_0+1258  BL _MSHookFunction
Up         p     InitFunc_0+1274  BL _MSHookFunction
Up         p     InitFunc_0+1290  BL _MSHookFunction
Up         p     InitFunc_0+12AC  BL _MSHookFunction
Up         p     InitFunc_0+12C8  BL _MSHookFunction
Up         p     InitFunc_0+12E4  BL _MSHookFunction
Up         p     InitFunc_0+1300  BL _MSHookFunction
Up         p     InitFunc_0+131C  BL _MSHookFunction
Up         p     InitFunc_0+1338  BL _MSHookFunction
Up         p     InitFunc_0+1354  BL _MSHookFunction
Up         p     InitFunc_0+1370  BL _MSHookFunction
Up         p     InitFunc_0+138C  BL _MSHookFunction
Up         p     InitFunc_0+13A8  BL _MSHookFunction
Up         p     InitFunc_0+13C4  BL _MSHookFunction
Up         p     InitFunc_0+196C  BL _MSHookFunction
Up         p     InitFunc_0+1988  BL _MSHookFunction
Up         p     InitFunc_0+1E84  BL _MSHookFunction
Up         p     InitFunc_0+1EA0  BL _MSHookFunction
Up         p     InitFunc_0+1EBC  BL _MSHookFunction
Up         p     InitFunc_0+1ED8  BL _MSHookFunction
Up         p     InitFunc_0+2168  BL _MSHookFunction
Up         p     InitFunc_0+2184  BL _MSHookFunction
Up         p     InitFunc_0+21A0  BL _MSHookFunction
Up         p     InitFunc_0+21BC  BL _MSHookFunction
Up         p     InitFunc_0+21D8  BL _MSHookFunction
Up         p     InitFunc_0+21F4  BL _MSHookFunction
Up         p     InitFunc_0+2210  BL _MSHookFunction
Up         p     InitFunc_0+222C  BL _MSHookFunction
Up         p     InitFunc_0+2248  BL _MSHookFunction
Up         p     InitFunc_0+2264  BL _MSHookFunction
Up         p     InitFunc_0+2280  BL _MSHookFunction
Up         p     InitFunc_0+229C  BL _MSHookFunction
Up         p     InitFunc_0+22B8  BL _MSHookFunction
Up         p     InitFunc_0+22D4  BL _MSHookFunction
Up         p     InitFunc_0+2354  BL _MSHookFunction
Up         p     InitFunc_0+2370  BL _MSHookFunction
Up         p     InitFunc_0+23A0  BL _MSHookFunction
```
Look at the first one:

```
Up         p     InitFunc_0+6C8   BL _MSHookFunction
```

According to the prototype of MSHookFunction,

```c
void MSHookFunction(void *symbol, void *hook, void **old);
```

it finds the function behind symbol, installs hook on it, and saves the original function's address through old.

Given the location of InitFunc,

```
__text:000000000000BD10 InitFunc_0
```

InitFunc_0+6C8 is 000000000000C3D8:

```
__text:000000000000C3C4    LDR   X0, =_fstat
__text:000000000000C3C8    ADR   X1, sub_E590
__text:000000000000C3CC    NOP
__text:000000000000C3D0    ADR   X2, qword_260A8
__text:000000000000C3D4    NOP
__text:000000000000C3D8    BL    _MSHookFunction
```

So this site hooks fstat with sub_E590 and saves fstat's original address in qword_260A8. Let's analyse sub_E590:
```
__text:000000000000E590 sub_E590                ; DATA XREF: InitFunc_0+6B8↑o
__text:000000000000E590
__text:000000000000E590 var_440 = -0x440
__text:000000000000E590 var_438 = -0x438
__text:000000000000E590 var_38  = -0x38
__text:000000000000E590 var_30  = -0x30
__text:000000000000E590 var_20  = -0x20
__text:000000000000E590 var_10  = -0x10
__text:000000000000E590 var_s0  =  0
__text:000000000000E590
__text:000000000000E590    STP   X28, X27, [SP,#-0x10+var_30]!
__text:000000000000E594    STP   X22, X21, [SP,#0x30+var_20]
__text:000000000000E598    STP   X20, X19, [SP,#0x30+var_10]
__text:000000000000E59C    STP   X29, X30, [SP,#0x30+var_s0]
__text:000000000000E5A0    ADD   X29, SP, #0x30
__text:000000000000E5A4    SUB   SP, SP, #0x410
__text:000000000000E5A8    MOV   X19, X1
__text:000000000000E5AC    MOV   X20, X0
__text:000000000000E5B0    NOP
__text:000000000000E5B4    LDR   X8, =___stack_chk_guard
__text:000000000000E5B8    LDR   X8, [X8]
__text:000000000000E5BC    STUR  X8, [X29,#var_38]
__text:000000000000E5C0    ADD   X8, SP, #0x440+var_438
__text:000000000000E5C4    STR   X8, [SP,#0x440+var_440]
__text:000000000000E5C8    MOV   W1, #0x32 ; int
__text:000000000000E5CC    BL    _fcntl
__text:000000000000E5D0    CMN   W0, #1
__text:000000000000E5D4    B.EQ  loc_E6C0
__text:000000000000E5D8    NOP
__text:000000000000E5DC    LDR   X0, =_OBJC_CLASS_$_NSFileManager ; void *
__text:000000000000E5E0    NOP
__text:000000000000E5E4    LDR   X1, =sel_defaultManager ; "defaultManager"
__text:000000000000E5E8    BL    _objc_msgSend
__text:000000000000E5EC    MOV   X29, X29
__text:000000000000E5F0    BL    _objc_retainAutoreleasedReturnValue
__text:000000000000E5F4    MOV   X22, X0
__text:000000000000E5F8    ADD   X0, SP, #0x440+var_438 ; char *
__text:000000000000E5FC    BL    _strlen
__text:000000000000E600    MOV   X3, X0
__text:000000000000E604    NOP
__text:000000000000E608    LDR   X1, =sel_stringWithFileSystemRepresentation_length_ ; "stringWithFileSystemRepresentation:leng"...
__text:000000000000E60C    ADD   X2, SP, #0x440+var_438
__text:000000000000E610    MOV   X0, X22 ; void *
__text:000000000000E614    BL    _objc_msgSend
__text:000000000000E618    MOV   X29, X29
__text:000000000000E61C    BL    _objc_retainAutoreleasedReturnValue
__text:000000000000E620    MOV   X21, X0
__text:000000000000E624    MOV   X0, X22
__text:000000000000E628    BL    _objc_release
__text:000000000000E62C    NOP
__text:000000000000E630    LDR   X0, qword_26080 ; void *
__text:000000000000E634    NOP
__text:000000000000E638    LDR   X1, =sel_isPathRestricted_ ; "isPathRestricted:"
__text:000000000000E63C    MOV   X2, X21
__text:000000000000E640    BL    _objc_msgSend
__text:000000000000E644    CBZ   W0, loc_E664
__text:000000000000E648    BL    ___error
__text:000000000000E64C    MOV   W8, #9
__text:000000000000E650    STR   W8, [X0]
__text:000000000000E654    MOV   W20, #0xFFFFFFFF
__text:000000000000E658
__text:000000000000E658 loc_E658                ; CODE XREF: sub_E590+124↓j
__text:000000000000E658    MOV   X0, X21
__text:000000000000E65C    BL    _objc_release
__text:000000000000E660    B     loc_E6D8
__text:000000000000E664 ; ---------------------------------------------------------------------------
__text:000000000000E664
__text:000000000000E664 loc_E664                ; CODE XREF: sub_E590+B4↑j
__text:000000000000E664    CBZ   X19, loc_E6B8
__text:000000000000E668    NOP
__text:000000000000E66C    LDR   X1, =sel_isEqualToString_ ; "isEqualToString:"
__text:000000000000E670    ADR   X2, cfstr_Bin ; "/bin"
__text:000000000000E674    NOP
__text:000000000000E678    MOV   X0, X21 ; void *
__text:000000000000E67C    BL    _objc_msgSend
__text:000000000000E680    CBZ   W0, loc_E6B8
__text:000000000000E684    NOP
__text:000000000000E688    LDR   X8, qword_260A8
__text:000000000000E68C    MOV   X0, X20
__text:000000000000E690    MOV   X1, X19
__text:000000000000E694    BLR   X8
__text:000000000000E698    CBNZ  W0, loc_E6B8
__text:000000000000E69C    LDR   X8, [X19,#0x60]
__text:000000000000E6A0    CMP   X8, #0x80
__text:000000000000E6A4    B.LE  loc_E6B8
__text:000000000000E6A8    MOV   W20, #0
__text:000000000000E6AC    MOV   W8, #0x80
__text:000000000000E6B0    STR   X8, [X19,#0x60]
__text:000000000000E6B4    B     loc_E658
__text:000000000000E6B8 ; ---------------------------------------------------------------------------
__text:000000000000E6B8
__text:000000000000E6B8 loc_E6B8                ; CODE XREF: sub_E590:loc_E664↑j
__text:000000000000E6B8                         ; sub_E590+F0↑j ...
__text:000000000000E6B8    MOV   X0, X21
__text:000000000000E6BC    BL    _objc_release
__text:000000000000E6C0
__text:000000000000E6C0 loc_E6C0                ; CODE XREF: sub_E590+44↑j
__text:000000000000E6C0    NOP
__text:000000000000E6C4    LDR   X8, qword_260A8
__text:000000000000E6C8    MOV   X0, X20
__text:000000000000E6CC    MOV   X1, X19
__text:000000000000E6D0    BLR   X8
__text:000000000000E6D4    MOV   X20, X0
__text:000000000000E6D8
__text:000000000000E6D8 loc_E6D8                ; CODE XREF: sub_E590+D0↑j
__text:000000000000E6D8    LDUR  X8, [X29,#var_38]
__text:000000000000E6DC    NOP
__text:000000000000E6E0    LDR   X9, =___stack_chk_guard
__text:000000000000E6E4    LDR   X9, [X9]
__text:000000000000E6E8    CMP   X9, X8
__text:000000000000E6EC    B.NE  loc_E70C
__text:000000000000E6F0    MOV   X0, X20
__text:000000000000E6F4    ADD   SP, SP, #0x410
__text:000000000000E6F8    LDP   X29, X30, [SP,#0x30+var_s0]
__text:000000000000E6FC    LDP   X20, X19, [SP,#0x30+var_10]
__text:000000000000E700    LDP   X22, X21, [SP,#0x30+var_20]
__text:000000000000E704    LDP   X28, X27, [SP+0x30+var_30],#0x40
__text:000000000000E708    RET
__text:000000000000E70C ; ---------------------------------------------------------------------------
__text:000000000000E70C
__text:000000000000E70C loc_E70C                ; CODE XREF: sub_E590+15C↑j
__text:000000000000E70C    BL    ___stack_chk_fail
__text:000000000000E70C ; End of function sub_E590
```
It looks complicated, but the function simply recovers the path behind the descriptor passed to fstat (fcntl with F_GETPATH, the 0x32 in W1) and checks whether it lies in a restricted directory or is /bin. A restricted path makes the call fail with errno set to 9 (EBADF); for /bin the reported size at offset 0x60 of the stat buffer is capped at 0x80; in every other case it falls through to qword_260A8, the original fstat.
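To make the control flow above easier to check against the listing, here is a C rendering of sub_E590 (added here; it is not Shadow's source). The descriptor-to-path lookup that fcntl(F_GETPATH) performs, the isPathRestricted: prefix check and the saved original fstat are replaced by constructed stand-ins (model_getpath, is_path_restricted, real_fstat) so the logic runs on its own; the descriptor table and the restricted prefixes are made up for the example.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>
#include <sys/types.h>

/* Model of the one struct stat field the hook touches. In the arm64 Darwin
 * 64-bit struct stat the field at offset 0x60 is st_size, which is what
 * "LDR X8, [X19,#0x60]" reads and "STR X8, [X19,#0x60]" overwrites. */
typedef struct { off_t st_size; } model_stat;

/* Constructed descriptor table standing in for fcntl(fd, F_GETPATH)
 * (F_GETPATH is 0x32, the immediate loaded into W1 before "BL _fcntl"). */
static const char *const k_fd_paths[] = {
    "/bin",                                                          /* fd 0 */
    "/private/var/mobile/Containers/Data/Application/X/Documents/a", /* fd 1 */
    "/Applications/Example.app/Info.plist",                          /* fd 2 */
    "/bin/ls",                                                       /* fd 3 */
};
#define N_FDS ((int)(sizeof k_fd_paths / sizeof k_fd_paths[0]))

/* Constructed prefix list standing in for [prefs isPathRestricted:]; the real
 * list comes from Shadow's preferences. Matches an entry exactly or "<entry>/...". */
static const char *const k_restricted[] = { "/Applications", "/Library/MobileSubstrate" };

static int model_getpath(int fd, char *buf, size_t cap) {
    if (fd < 0 || fd >= N_FDS) return -1;     /* fcntl failed: returns -1 */
    strncpy(buf, k_fd_paths[fd], cap - 1);
    buf[cap - 1] = '\0';
    return 0;
}

static int is_path_restricted(const char *path) {
    for (size_t i = 0; i < sizeof k_restricted / sizeof k_restricted[0]; i++) {
        size_t n = strlen(k_restricted[i]);
        if (strncmp(path, k_restricted[i], n) == 0 &&
            (path[n] == '\0' || path[n] == '/'))
            return 1;
    }
    return 0;
}

/* Stand-in for the original fstat saved at qword_260A8: reports a constant
 * constructed size so the /bin clamp below is observable. */
static int real_fstat(int fd, model_stat *st) {
    if (fd < 0 || fd >= N_FDS) { errno = EBADF; return -1; }
    if (st == NULL) { errno = EFAULT; return -1; }
    st->st_size = 0x1000;
    return 0;
}

/* sub_E590, the replacement installed by MSHookFunction(fstat, sub_E590, &qword_260A8). */
int hooked_fstat(int fd, model_stat *st) {
    char path[0x400];                          /* lives in the 0x410-byte stack frame */
    if (model_getpath(fd, path, sizeof path) == -1)   /* CMN W0,#1 ; B.EQ loc_E6C0 */
        return real_fstat(fd, st);                    /* unknown fd: pass straight through */
    if (is_path_restricted(path)) {            /* isPathRestricted: returned YES */
        errno = EBADF;                         /* BL ___error ; MOV W8,#9 ; STR W8,[X0] */
        return -1;                             /* MOV W20,#0xFFFFFFFF */
    }
    if (st != NULL && strcmp(path, "/bin") == 0) {    /* CBZ X19 ; isEqualToString:@"/bin" */
        if (real_fstat(fd, st) == 0 && st->st_size > 0x80) {   /* BLR X8 ; CMP X8,#0x80 */
            st->st_size = 0x80;                /* MOV W8,#0x80 ; STR X8,[X19,#0x60] */
            return 0;                          /* MOV W20,#0 ; B loc_E658 */
        }
        /* original failed or size already <= 0x80: falls into loc_E6B8, which
         * calls the original fstat once more */
    }
    return real_fstat(fd, st);                 /* loc_E6C0: plain call of the original */
}

/* Driver for the checks below: returns the hook's result and reports the
 * errno and st_size it left behind. */
int run_hook(int fd, int *err, long long *size) {
    model_stat st = { 0 };
    errno = 0;
    int r = hooked_fstat(fd, &st);
    *err = errno;
    *size = (long long)st.st_size;
    return r;
}
```

Seen from the application, the two side effects that distinguish the hook from the real fstat are EBADF on a descriptor that was just opened successfully and an st_size pinned to exactly 0x80 for /bin.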
Analysing the remaining sites the same way yields this table:

Original function | What the hook does |
---|---|
fstat | bypasses files in restricted directories or under /bin/ |
dlopen | bypasses restricted images |
open | bypasses files in restricted directories |
openat | bypasses files in restricted directories |
NSVersionOfRunTimeLibrary | bypasses restricted images |
NSVersionOfLinkTimeLibrary | bypasses restricted images |
opendir | bypasses restricted directories |
readdir | bypasses restricted directories |
csops | handles the pid returned by getpid specially |
access | bypasses restricted directories and anything prefixed with /Library/MobileSubstrate |
getenv | bypasses DYLD_INSERT_LIBRARIES, _MSSafeMode and _SafeMode |
fopen | bypasses files in restricted directories |
freopen | bypasses files in restricted directories |
stat | bypasses files in restricted directories or under /bin/ |
lstat | bypasses files in restricted directories or under /bin/, /Applications, /usr/share, /usr/libexec, /usr/include, /Library/Ringtones or /Library/Wallpaper |
fstatfs | bypasses restricted directories and anything prefixed with /var or /private/var |
statfs | bypasses restricted directories and anything prefixed with /var or /private/var |
posix_spawn | bypasses files in restricted directories |
posix_spawnp | bypasses files in restricted directories |
realpath | bypasses paths in restricted directories |
symlink | bypasses paths in restricted directories |
rename | bypasses paths in restricted directories |
unlink | bypasses paths in restricted directories |
unlinkat | bypasses paths in restricted directories |
rmdir | bypasses directories in restricted directories |
chdir | bypasses directories in restricted directories |
fchdir | bypasses directories in restricted directories |
link | bypasses paths in restricted directories |
fstatat | bypasses paths in restricted directories |
faccessat | bypasses paths in restricted directories |
chroot | bypasses paths in restricted directories |
sysctl | fetches all processes from the kernel, compares them against the current process, and reports whether the current process is being debugged |
getppid | bypasses files in restricted directories |
readlink | bypasses paths in restricted directories |
readlinkat | bypasses paths in restricted directories |
_dyld_image_count | bypasses restricted images |
_dyld_get_image_name | bypasses restricted images |
dlopen_preflight | bypasses restricted images |
dladdr | bypasses restricted images |
creat | bypasses files in restricted directories |
vfork | returns -1 directly, preventing process creation |
fork | returns -1 directly, preventing process creation |
popen | returns 0 directly |
setgid, setuid, setegid, seteuid, setreuid, setregid | returns -1 directly |
getuid, getgid, geteuid, getegid | returns 0x1F5 |
objc_copyImageNames | returns 0 when the image name matches a particular library |
objc_copyClassNamesForImage | bypasses restricted images |
dlsym | returns 0 (bypass) for symbols prefixed MS, Sub, PS, LM, rocketbootstrap, substitute_ or _logos |
Now MSHookMessageEx, which has 149 call sites. Its prototype is

```c
void MSHookMessageEx(Class _class, SEL message, IMP hook, IMP *old);
```

it finds the method message of class _class, installs hook on it, and saves the original method's address through old.

Analysing it the same way as MSHookFunction gives the table below:
Class | What the hook does |
---|---|
SpringBoard | returns results matched against the blacklist |
NSData, UIApplication, NSFileManager, NSFileWrapper, NSFileVersion, NSFileHandle, NSURL, NSMutableArray, NSArray, NSMutableDictionary, NSDictionary, NSString | bypasses paths in restricted directories or restricted URLs |
NSBundle | prevents reading SignerIdentity; bypasses paths in restricted directories or restricted URLs |
NSProcessInfo, UIImage | bypasses paths in restricted directories |
NSDirectoryEnumerator | bypasses specific classes and restricted directories and URLs |
UIDevice | hooks isJailbroken, isJailBreak and isJailBroken; all return 0 |
JailbreakDetectionVC, DTTJailbreakDetection, GBDeviceInfo, CPWRDeviceInfo, CPWRSessionInfo, KSSystemInfo, FCRSystemMetadata, OneSignalJailbreakDetection | hooks isJailbroken, returns 0 |
ANSMetadata | hooks computeIsJailbroken and isJailbroken, returns 0 |
AppsFlyerUtils | hooks isJailBreakon, returns 0 |
CMARAppRestrictionsDelegate | hooks isDeviceNonCompliant, returns 0 |
ADYSecurityCheck | hooks isDeviceJailbroken, returns 0 |
UBReportMetadataDevice | hooks is_rooted, returns 0 |
UtilitySystem, GemaltoConfiguration | hooks isJailbreak, returns 0 |
EMDSKPPConfiguration | hooks jailBroken, returns 0 |
EnrollParameters | hooks jailbroken, returns 0 |
EMDskppConfigurationBuilder | hooks jailbreakStatus, returns 0 |
v_VDMap | hooks isJailBrokenDetectedByVOS, isDFPHookedDetecedByVOS, isCodeInjectionDetectedByVOS, isDebuggerCheckDetectedByVOS, isAppSignerCheckDetectedByVOS and v_checkAModified; all return 0 |
SDMUtils | hooks isJailBroken, returns 0 |
DigiPassHandler | hooks rootedDeviceTestResult, returns 0 |
AWMyDeviceGeneralInfo | hooks isCompliant, returns 1 |
The restricted directories, URLs and images used by all of these hooks are a fixed list of paths, matched either exactly or as a prefix of the path being checked.
/var/mobile/Library/Preferences /var/mobile/Library/Preferences/.GlobalPreferences.plist /var/mobile/Library/Preferences/UITextInputContextIdentifiers.plist /var/mobile/Library/Preferences/Wallpaper.png /var/mobile/Library/Preferences/ckkeyrolld.plist /var/mobile/Library/Preferences/com.apple. /var/mobile/Library/Preferences/nfcd.plist /var/mobile/Library/SBSettings /var/mobile/Library/Sileo /var/mobile/Media /var/mobile/MobileSoftwareUpdate /var/msgs /var/networkd /var/preferences /var/root /var/run /var/run/asl_input /var/run/configd.pid /var/run/fudinit /var/run/lockbot /var/run/lockdown /var/run/lockdown.sock /var/run/lockdown_first_run /var/run/mDNSResponder /var/run/pppconfd /var/run/printd /var/run/syslog /var/run/syslog.pid /var/run/utmpx /var/run/vpncontrol.sock /var/spool /var/staged_system_apps /var/tmp /var/vm /var/wireless
Besides the directories above, it also hides paths matching these:
list firmware-sbin.list gsc.firmware-sbin.list
It also hides any path containing one of these strings:
Substrate substrate substitute Substitrate TweakInject jailbreak cycript SBInject pspawn rocketbootstrap bfdecrypt
And it hides URLs containing these patterns:
cydia sileo
Detection
As seen above, this jailbreak tool puts a lot of evasion in place at the directory and system-API level, but there are still areas it does not cover.
Compared against the items listed in the Basic Approach section, the coverage is roughly as follows:
Protect access to environment variables ---- partial
Block execution of certain commands --- none
Block access to certain paths ---- yes
Block access to certain system parameters -- partial
Hook certain system calls --- partial
A detection scheme could therefore look like this:
mkdir is not hooked: use mkdir to create a subdirectory under a directory that is normally inaccessible; if it succeeds, the device is jailbroken.
execve is not hooked: try executing a program that normally cannot be executed; if it succeeds, the device is jailbroken.
ptrace is not hooked: use it to debug the process itself; if that succeeds, the device is jailbroken.
Create a library that defines functions whose names start with MS, Sub, PS, LM, rocketbootstrap, substitute_ or _logos; if dlsym fails to find them, the device is jailbroken.
Only sysctl is hooked; sysctlbyname and sysctlnametomib are not, so these two can be called to obtain process information. sysctl itself is not handled in every case either, for example hardware information is not. These three calls can return privileged information, which indicates a jailbreak.
Without importing any other jailbreak-detection library, implement a class and method with the same names, for example SDMUtils and its method isJailBroken, where the method only ever returns one value, 1. If calling this method returns 0, the device is jailbroken.
There are many more, but I am not familiar with iOS or its system calls, so I can only offer these.
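The canary-style probes from the list above (the dlsym prefix check, the same-named isJailBroken method, and the unhooked mkdir), put together as an added example. This is not code from the article or from the shadow project: the probe symbol names (MS_probe_canary and friends), the probe directory under /private and the result struct are my own assumptions, while the SDMUtils/isJailBroken names and the filtered symbol prefixes come from the article. It is written as an iOS app-side check in Objective-C:

```objective-c
// Added example, not from the article or the shadow project.
// Canary probes: each one reports a condition that cannot occur in an
// unmodified process, so a positive result points at interposition.
#import <Foundation/Foundation.h>
#include <dlfcn.h>
#include <errno.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

// 1. dlsym canaries. The tool's dlsym hook returns NULL for names carrying
//    tweak-framework prefixes (MS, Sub, rocketbootstrap, substitute_ ...).
//    Exporting our own functions with those prefixes turns the hook into a
//    signal: a symbol this binary exports but dlsym cannot see was filtered.
//    Names are made up for this example; "used"/"default" keep the compiler
//    and dead-code stripping from dropping them.
#define CANARY __attribute__((used, visibility("default")))
CANARY int MS_probe_canary(void) { return 1; }
CANARY int Sub_probe_canary(void) { return 1; }
CANARY int rocketbootstrap_probe_canary(void) { return 1; }
CANARY int substitute_probe_canary(void) { return 1; }

static const char *const kCanarySymbols[] = {
    "MS_probe_canary", "Sub_probe_canary",
    "rocketbootstrap_probe_canary", "substitute_probe_canary",
};

// Number of canaries dlsym failed to resolve; 0 in a clean process.
static int missingCanaryCount(void) {
    int missing = 0;
    for (size_t i = 0; i < sizeof kCanarySymbols / sizeof *kCanarySymbols; i++) {
        if (dlsym(RTLD_DEFAULT, kCanarySymbols[i]) == NULL) missing++;
    }
    return missing;
}

// 2. Method canary. The tool forces well-known detection methods to return
//    NO by class and selector name. A private class with the same names whose
//    method can only return YES detects that interposition (objc_msgSend is
//    resolved at run time, so the compiler cannot fold the call away).
@interface SDMUtils : NSObject
+ (BOOL)isJailBroken;
@end
@implementation SDMUtils
+ (BOOL)isJailBroken { return YES; }  // the genuine answer is always YES
@end

// 3. mkdir probe. mkdir(2) is not hooked; inside an intact app sandbox
//    creating a directory outside the container fails with EPERM or EACCES.
//    The caller passes a unique path so EEXIST cannot mask the result.
static BOOL canCreateDirectoryOutsideSandbox(const char *probePath) {
    if (mkdir(probePath, 0700) == 0) {
        rmdir(probePath);          // leave nothing behind
        return YES;
    }
    return NO;                     // errno is EPERM/EACCES under the sandbox
}

typedef struct {
    int missingCanaries;   // > 0: a dlsym filter is present
    BOOL methodInverted;   // isJailBroken returned NO although it cannot
    BOOL sandboxEscaped;   // mkdir outside the container succeeded
} ProbeResult;

static ProbeResult runProbes(void) {
    ProbeResult r;
    r.missingCanaries = missingCanaryCount();
    r.methodInverted = ([SDMUtils isJailBroken] == NO);
    char path[64];
    // Constructed probe path (assumption): pid suffix keeps it unique.
    snprintf(path, sizeof path, "/private/.probe-%d", (int)getpid());
    r.sandboxEscaped = canCreateDirectoryOutsideSandbox(path);
    return r;
}

static BOOL tamperingSuspected(ProbeResult r) {
    return r.missingCanaries > 0 || r.methodInverted || r.sandboxEscaped;
}

int main(void) {
    @autoreleasepool {
        ProbeResult r = runProbes();
        NSLog(@"missing canaries: %d, method inverted: %d, sandbox escaped: %d -> %@",
              r.missingCanaries, r.methodInverted, r.sandboxEscaped,
              tamperingSuspected(r) ? @"hooking/jailbreak suspected" : @"clean");
    }
    return 0;
}
```

Build it with the Foundation framework linked and, before relying on the dlsym probe, confirm that the built binary still exports the canary symbols (for example with nm), since a stripped export table would make the probe fire on every device. Treat the three signals as independent evidence rather than a single yes/no: the mkdir probe only speaks to the sandbox, while the two canaries only speak to API-level interposition of the kind the article describes.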
Reviewing editor: Liu Qing
Original title: Analysis and detection of shadow, an iOS jailbreak tool with anti-detection capability (iOS有反檢測能力的越獄工具shadow的分析和檢測)
Source: [WeChat ID: 哆啦安全, WeChat official account: 哆啦安全]. Please credit the source when reposting.