iOS process startup model

Analysis tool: IDA 7.0
Basic approach
Before analysing the jailbreak tweak shadow, note that every jailbreak tool works by injecting into processes and hooking them. By scope, injection falls into two kinds:
user-mode injection, through a dynamic library
kernel-mode injection, through a driver
Writing a driver for an Apple system requires Apple's authorization, so a jailbreak tool cannot take that route; only user-mode injection is possible.
Analysing the tweak therefore requires understanding how dynamic libraries are loaded when a process starts, which brings us to the iOS process startup model.
This article proceeds as follows:
iOS process startup model
dependency analysis
hook point analysis
detection
iOS process startup model
iOS is itself a derivative of the Unix family, and across that family the process startup model is roughly the same:
1. Load the executable, found by absolute path, by relative path, or by searching the paths named in an environment variable.
2. Load the dynamic libraries the executable depends on (its import table), found by absolute path, by relative path, or by searching the paths named in environment variables and system configuration.
3. Resolve all symbols and start the process.
4. The process handles its input arguments and the relevant configuration files.
Of these, only steps 1 and 2 offer a chance to inject.
In the Unix family the environment variable tied to executable loading is usually **PATH**, a list of executable directories such as /bin, /usr/bin and /usr/local/bin, and it can normally be set by the user. The search walks the list in order and stops at the first hit. Suppose the variable is set like this:
PATH=/bin:/usr/bin:/usr/local/bin
If every one of these directories holds an ls executable, running ls will only ever execute /bin/ls.
For a jailbreak tool to inject at this step it would have to build a sandbox that takes over all program execution. Every user-mode process would then become a child of that sandbox, which could alter the children's environment variables at will to achieve static injection, and could even use system calls such as ptrace for dynamic injection. This approach evades jailbreak-detection tools very effectively.
In the Unix family, the environment variables and system configuration that govern dynamic-library loading differ from system to system.
As seen above, iOS walks the path lists held in the following environment variables in this order; as soon as the library is found in one list it stops that walk and moves on to the next lookup:
DYLD_INSERT_LIBRARIES
DYLD_VERSIONED_FRAMEWORK_PATH
DYLD_FRAMEWORK_PATH
DYLD_LIBRARY_PATH
DYLD_FALLBACK_FRAMEWORK_PATH
DYLD_FALLBACK_LIBRARY_PATH
Many apps today detect whether iOS is jailbroken by doing the following:
accessing directories and files that only root can reach, and reading or writing them
executing commands that only root can run
reading or changing environment variables that only root can touch
invoking system calls that only root can make
reading system parameters that only root can read
From the startup-model analysis above, a jailbreak tool that wants anti-detection capability must therefore do the following:
guard access to environment variables
block the execution of certain commands
block access to certain paths
block access to certain system parameters
hook certain system calls
Dependency analysis
With the groundwork above, let's look at what this jailbreak tweak actually is.
Unpacking me.jjolano.shadow_2.0.20_iphoneos-arm.deb gives roughly the following directory tree:
PS D:\library> Get-ChildItem -Recurse

    目录: D:\library

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        2019/8/2      1:59                mobilesubstrate
d-----        2019/8/2      1:59                preferencebundles
d-----        2019/8/2      1:59                preferenceloader

    目录: D:\library\mobilesubstrate

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        2019/8/2      1:59                dynamiclibraries

    目录: D:\library\mobilesubstrate\dynamiclibraries

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        2019/8/2      1:59         728432 0shadow.dylib
-a----        2019/8/2      1:59             87 0shadow.plist

    目录: D:\library\preferencebundles

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        2019/8/2      1:59                shadowpreferences.bundle

    目录: D:\library\preferencebundles\shadowpreferences.bundle

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----       2019/7/14      1:29                en.lproj
-a---l       2021/4/10      0:27              0 base.lproj
-a----        2019/8/2      1:59            751 icon-small.png
-a----        2019/8/2      1:59           1610 icon-small@2x.png
-a----        2019/8/2      1:59           2693 icon-small@3x.png
-a----        2019/8/2      1:59            404 info.plist
-a----        2019/8/2      1:59           3123 root.plist
-a----       2019/7/29      4:37         265808 shadowpreferences

    目录: D:\library\preferencebundles\shadowpreferences.bundle\en.lproj

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        2019/8/2      1:59           3915 root.strings

    目录: D:\library\preferenceloader

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        2019/8/2      1:59                preferences

    目录: D:\library\preferenceloader\preferences

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        2019/8/2      1:59            199 shadowpreferences.plist
Judging by size, only D:\library\mobilesubstrate\dynamiclibraries\0shadow.dylib is worth analysing. Open it in IDA and look at the import table:
Apart from the system frameworks, the tweak references only two frameworks: /Library/Frameworks/Cephei.framework/Cephei and /Library/Frameworks/CydiaSubstrate.framework/CydiaSubstrate.
Taking those imports one by one:
0000000000026830  _objc_class_$_hbpreferences  /library/frameworks/cephei.framework/cephei
The symbol _objc_class_$_hbpreferences has been through name mangling; what it actually imports is the HBPreferences class, which handles the configuration shown in the settings UI.
That leaves only these three symbols:
0000000000026838  _msgetimagebyname  /library/frameworks/cydiasubstrate.framework/cydiasubstrate
0000000000026840  _mshookfunction    /library/frameworks/cydiasubstrate.framework/cydiasubstrate
0000000000026848  _mshookmessageex   /library/frameworks/cydiasubstrate.framework/cydiasubstrate
By the same name-mangling rule these three symbols are MSGetImageByName, MSHookFunction and MSHookMessageEx.
Start with MSGetImageByName.
Looking at its references:
direction  type  address         text
up         p     initfunc_0+64c  bl _msgetimagebyname
There is exactly one, at initfunc_0+64c.
In IDA: select the symbol in the import table and double-click to jump to the code location where it is defined, select the symbol there, right-click and choose "Jump to xref to operand...", and every reference is listed.
The assembly that references it:
__text:000000000000c34c adr x0, ausrliblibsubst_2 ; /usr/lib/libsubstitute.dylib
__text:000000000000c350 nop
__text:000000000000c354 stp x19, x26, [sp,#0x210+var_210]
__text:000000000000c358 str x23, [sp,#0x210+var_200]
__text:000000000000c35c bl _msgetimagebyname
__text:000000000000c360 mov x24, x0
__text:000000000000c364 nop
__text:000000000000c368 ldr x0, qword_26080 ; void *
__text:000000000000c36c nop
__text:000000000000c370 ldr x20, =sel_setuseinjectcompatibilitymode_ ; setuseinjectcompatibilitymode:
__text:000000000000c374 cbz x24, loc_c3a0
__text:000000000000c378 mov w2, #0
__text:000000000000c37c mov x1, x20 ; char *
__text:000000000000c380 bl _objc_msgsend
__text:000000000000c384 b loc_c3ac
So it loads /usr/lib/libsubstitute.dylib through MSGetImageByName, tests the returned handle to see whether that file is present, and branches on the result.
__text:000000000000c354 stp x19, x26, [sp,#0x210+var_210]
__text:000000000000c358 str x23, [sp,#0x210+var_200]
These two instructions are of little interest: they are just the compiler's instruction scheduling for optimization and have nothing to do with this call.
The assembly that consumes the handle:
__text:000000000000c3a0 loc_c3a0 ; code xref: initfunc_0+664↑j
__text:000000000000c3a0 mov w2, #1
__text:000000000000c3a4 mov x1, x20 ; char *
__text:000000000000c3a8 bl _objc_msgsend
__text:000000000000c3ac
__text:000000000000c3ac loc_c3ac ; code xref: initfunc_0+674↑j
__text:000000000000c3ac ldr x0, [sp,#0x210+var_1e0] ; void *
__text:000000000000c3b0 mov x1, x28 ; char *
__text:000000000000c3b4 ldr x2, [sp,#0x210+var_1b8]
__text:000000000000c3b8 bl _objc_msgsend
__text:000000000000c3bc cbz w0, loc_c6a0
__text:000000000000c3c0 nop
This is nothing more than a conversation with the preferences management and can be ignored.
MSHookFunction hooks an API (a C function), whereas MSHookMessageEx hooks a class's member function (an Objective-C method).
Hook point analysis
Start with MSHookFunction. Collecting all of its reference points gives 57 in total.
Take the first one:
up  p  initfunc_0+6c8  bl _mshookfunction
The prototype of MSHookFunction is
void MSHookFunction(void *symbol, void *hook, void **old);
It locates the function behind symbol, installs hook on it, and saves the original function's address in old.
Given where initfunc starts,
__text:000000000000bd10 initfunc_0
initfunc_0+6c8 is 000000000000c3d8:
__text:000000000000c3c4 ldr x0, =_fstat
__text:000000000000c3c8 adr x1, sub_e590
__text:000000000000c3cc nop
__text:000000000000c3d0 adr x2, qword_260a8
__text:000000000000c3d4 nop
__text:000000000000c3d8 bl _mshookfunction
So this call hooks fstat with sub_e590 and stores the original fstat address in qword_260a8. Now let's analyse sub_e590:
__text:000000000000e590 sub_e590 ; data xref: initfunc_0+6b8↑o
__text:000000000000e590
__text:000000000000e590 var_440 = -0x440
__text:000000000000e590 var_438 = -0x438
__text:000000000000e590 var_38 = -0x38
__text:000000000000e590 var_30 = -0x30
__text:000000000000e590 var_20 = -0x20
__text:000000000000e590 var_10 = -0x10
__text:000000000000e590 var_s0 = 0
__text:000000000000e590
__text:000000000000e590 stp x28, x27, [sp,#-0x10+var_30]!
__text:000000000000e594 stp x22, x21, [sp,#0x30+var_20]
__text:000000000000e598 stp x20, x19, [sp,#0x30+var_10]
__text:000000000000e59c stp x29, x30, [sp,#0x30+var_s0]
__text:000000000000e5a0 add x29, sp, #0x30
__text:000000000000e5a4 sub sp, sp, #0x410
__text:000000000000e5a8 mov x19, x1
__text:000000000000e5ac mov x20, x0
__text:000000000000e5b0 nop
__text:000000000000e5b4 ldr x8, =___stack_chk_guard
__text:000000000000e5b8 ldr x8, [x8]
__text:000000000000e5bc stur x8, [x29,#var_38]
__text:000000000000e5c0 add x8, sp, #0x440+var_438
__text:000000000000e5c4 str x8, [sp,#0x440+var_440]
__text:000000000000e5c8 mov w1, #0x32 ; int
__text:000000000000e5cc bl _fcntl
__text:000000000000e5d0 cmn w0, #1
__text:000000000000e5d4 b.eq loc_e6c0
__text:000000000000e5d8 nop
__text:000000000000e5dc ldr x0, =_objc_class_$_nsfilemanager ; void *
__text:000000000000e5e0 nop
__text:000000000000e5e4 ldr x1, =sel_defaultmanager ; defaultmanager
__text:000000000000e5e8 bl _objc_msgsend
__text:000000000000e5ec mov x29, x29
__text:000000000000e5f0 bl _objc_retainautoreleasedreturnvalue
__text:000000000000e5f4 mov x22, x0
__text:000000000000e5f8 add x0, sp, #0x440+var_438 ; char *
__text:000000000000e5fc bl _strlen
__text:000000000000e600 mov x3, x0
__text:000000000000e604 nop
__text:000000000000e608 ldr x1, =sel_stringwithfilesystemrepresentation_length_ ; stringwithfilesystemrepresentation:leng...
__text:000000000000e60c add x2, sp, #0x440+var_438
__text:000000000000e610 mov x0, x22 ; void *
__text:000000000000e614 bl _objc_msgsend
__text:000000000000e618 mov x29, x29
__text:000000000000e61c bl _objc_retainautoreleasedreturnvalue
__text:000000000000e620 mov x21, x0
__text:000000000000e624 mov x0, x22
__text:000000000000e628 bl _objc_release
__text:000000000000e62c nop
__text:000000000000e630 ldr x0, qword_26080 ; void *
__text:000000000000e634 nop
__text:000000000000e638 ldr x1, =sel_ispathrestricted_ ; ispathrestricted:
__text:000000000000e63c mov x2, x21
__text:000000000000e640 bl _objc_msgsend
__text:000000000000e644 cbz w0, loc_e664
__text:000000000000e648 bl ___error
__text:000000000000e64c mov w8, #9
__text:000000000000e650 str w8, [x0]
__text:000000000000e654 mov w20, #0xffffffff
__text:000000000000e658
__text:000000000000e658 loc_e658 ; code xref: sub_e590+124↓j
__text:000000000000e658 mov x0, x21
__text:000000000000e65c bl _objc_release
__text:000000000000e660 b loc_e6d8
__text:000000000000e664 ; ---------------------------------------------------------------------------
__text:000000000000e664
__text:000000000000e664 loc_e664 ; code xref: sub_e590+b4↑j
__text:000000000000e664 cbz x19, loc_e6b8
__text:000000000000e668 nop
__text:000000000000e66c ldr x1, =sel_isequaltostring_ ; isequaltostring:
__text:000000000000e670 adr x2, cfstr_bin ; /bin
__text:000000000000e674 nop
__text:000000000000e678 mov x0, x21 ; void *
__text:000000000000e67c bl _objc_msgsend
__text:000000000000e680 cbz w0, loc_e6b8
__text:000000000000e684 nop
__text:000000000000e688 ldr x8, qword_260a8
__text:000000000000e68c mov x0, x20
__text:000000000000e690 mov x1, x19
__text:000000000000e694 blr x8
__text:000000000000e698 cbnz w0, loc_e6b8
__text:000000000000e69c ldr x8, [x19,#0x60]
__text:000000000000e6a0 cmp x8, #0x80
__text:000000000000e6a4 b.le loc_e6b8
__text:000000000000e6a8 mov w20, #0
__text:000000000000e6ac mov w8, #0x80
__text:000000000000e6b0 str x8, [x19,#0x60]
__text:000000000000e6b4 b loc_e658
__text:000000000000e6b8 ; ---------------------------------------------------------------------------
__text:000000000000e6b8
__text:000000000000e6b8 loc_e6b8 ; code xref: sub_e590:loc_e664↑j
__text:000000000000e6b8 ; sub_e590+f0↑j ...
__text:000000000000e6b8 mov x0, x21
__text:000000000000e6bc bl _objc_release
__text:000000000000e6c0
__text:000000000000e6c0 loc_e6c0 ; code xref: sub_e590+44↑j
__text:000000000000e6c0 nop
__text:000000000000e6c4 ldr x8, qword_260a8
__text:000000000000e6c8 mov x0, x20
__text:000000000000e6cc mov x1, x19
__text:000000000000e6d0 blr x8
__text:000000000000e6d4 mov x20, x0
__text:000000000000e6d8
__text:000000000000e6d8 loc_e6d8 ; code xref: sub_e590+d0↑j
__text:000000000000e6d8 ldur x8, [x29,#var_38]
__text:000000000000e6dc nop
__text:000000000000e6e0 ldr x9, =___stack_chk_guard
__text:000000000000e6e4 ldr x9, [x9]
__text:000000000000e6e8 cmp x9, x8
__text:000000000000e6ec b.ne loc_e70c
__text:000000000000e6f0 mov x0, x20
__text:000000000000e6f4 add sp, sp, #0x410
__text:000000000000e6f8 ldp x29, x30, [sp,#0x30+var_s0]
__text:000000000000e6fc ldp x20, x19, [sp,#0x30+var_10]
__text:000000000000e700 ldp x22, x21, [sp,#0x30+var_20]
__text:000000000000e704 ldp x28, x27, [sp+0x30+var_30],#0x40
__text:000000000000e708 ret
__text:000000000000e70c ; ---------------------------------------------------------------------------
__text:000000000000e70c
__text:000000000000e70c loc_e70c ; code xref: sub_e590+15c↑j
__text:000000000000e70c bl ___stack_chk_fail
__text:000000000000e70c ; end of function sub_e590
It looks involved, but the function simply recovers the path behind any fstat call (fcntl command 0x32, F_GETPATH) and checks whether it lies in a restricted directory or is /bin. For a restricted path it sets errno to 9 (EBADF) and returns -1; for /bin it caps the st_size reported by the original fstat at 0x80; in every other case it just calls qword_260a8 (the original fstat) and returns its result.
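To make the branch structure of sub_e590 checkable, here is its decision logic rewritten in C as read from the listing above. This is an added reconstruction for this article, not shadow's own code: fcntl(F_GETPATH), the saved original fstat and the isPathRestricted: call are replaced by constructed stand-ins (a small fd table and a two-entry prefix list, all names hypothetical) so that it runs off-device, and the 0x60 offset is assumed to be st_size of the 64-bit stat structure.

```c
#include <errno.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Constructed stand-in for the open-file table of the hooked process.
 * On the device sub_e590 gets the path from fcntl(fd, 0x32) (F_GETPATH) and the
 * metadata from the original fstat saved in qword_260a8; here both are served
 * from this table so the decision logic can be exercised without a device. */
struct fake_file { int fd; const char *path; off_t size; };
static const struct fake_file FAKE_FILES[] = {
    { 3, "/bin",                         4096 }, /* oversized /bin: the clamp case      */
    { 4, "/usr/lib/libsubstitute.dylib",  700 }, /* restricted path: the EBADF case     */
    { 5, "/etc/hosts",                    200 }, /* ordinary file: plain pass-through   */
    { 6, "/bin",                           64 }, /* small /bin: pass-through, no clamp  */
};

static const struct fake_file *fake_lookup(int fd) {
    for (size_t i = 0; i < sizeof FAKE_FILES / sizeof FAKE_FILES[0]; i++)
        if (FAKE_FILES[i].fd == fd) return &FAKE_FILES[i];
    return NULL;
}

/* Stand-in for fcntl(fd, F_GETPATH, out): 0 on success, -1 for an unknown fd. */
static int fake_getpath(int fd, char *out, size_t cap) {
    const struct fake_file *f = fake_lookup(fd);
    if (f == NULL || strlen(f->path) >= cap) return -1;
    strcpy(out, f->path);
    return 0;
}

/* Stand-in for the original fstat whose address the hook stored in qword_260a8. */
static int fake_orig_fstat(int fd, struct stat *st) {
    const struct fake_file *f = fake_lookup(fd);
    if (f == NULL) { errno = EBADF; return -1; }
    if (st == NULL) { errno = EFAULT; return -1; }
    memset(st, 0, sizeof *st);
    st->st_size = f->size;
    return 0;
}

/* Stand-in for [shadow isPathRestricted:]. The real check consults the tweak's
 * built-in path table; this constructed version holds two prefixes named in the
 * analysis and matches them the same way, as prefixes of the queried path. */
static int is_path_restricted(const char *path) {
    static const char *const prefixes[] = { "/usr/lib/libsubstitute", "/Library/MobileSubstrate" };
    for (size_t i = 0; i < sizeof prefixes / sizeof prefixes[0]; i++)
        if (strncmp(path, prefixes[i], strlen(prefixes[i])) == 0) return 1;
    return 0;
}

/* The branch structure of sub_e590 as read from the listing. */
int shadow_fstat_hook(int fd, struct stat *buf) {
    char path[1024];

    /* fcntl failed: cmn w0,#1 / b.eq loc_e6c0, a plain call of the original */
    if (fake_getpath(fd, path, sizeof path) == -1)
        return fake_orig_fstat(fd, buf);

    /* isPathRestricted: returned true: *__error() = 9 (EBADF), result -1 */
    if (is_path_restricted(path)) {
        errno = EBADF;
        return -1;
    }

    /* cbz x19 (buf) and isEqualToString:@"/bin": only then is the size inspected */
    if (buf != NULL && strcmp(path, "/bin") == 0) {
        int rc = fake_orig_fstat(fd, buf);            /* blr x8: the original fstat        */
        if (rc == 0 && buf->st_size > 0x80) {         /* ldr x8,[x19,#0x60]; cmp x8,#0x80  */
            buf->st_size = 0x80;                      /* str x8,[x19,#0x60]: stock-sized    */
            return 0;                                 /* w20 = 0 -> loc_e658 -> loc_e6d8    */
        }
        /* rc != 0 or size <= 0x80: falls to loc_e6b8 and then loc_e6c0, which calls
         * the original a second time and returns that result. */
    }
    return fake_orig_fstat(fd, buf);                  /* loc_e6c0 */
}

/* Driver so each case can be checked as a single value: st_size, or -errno. */
long hook_reported_size(int fd) {
    struct stat st;
    errno = 0;
    if (shadow_fstat_hook(fd, &st) == -1) return -errno;
    return (long)st.st_size;
}
```

For a detection author the useful observation is the fixed values the hook leaves behind: a /bin whose size reads exactly 0x80, and EBADF on a descriptor the caller knows is valid.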
Analysing the rest the same way yields this table:

| Original function | Effect of the hook |
|---|---|
| fstat | bypass files in restricted directories or under /bin/ |
| dlopen | bypass restricted images |
| open | bypass files in restricted directories |
| openat | bypass files in restricted directories |
| NSVersionOfRunTimeLibrary | bypass restricted images |
| NSVersionOfLinkTimeLibrary | bypass restricted images |
| opendir | bypass restricted directories |
| readdir | bypass restricted directories |
| csops | post-processes the result of getpid |
| access | bypass restricted directories or anything prefixed /Library/MobileSubstrate |
| getenv | bypass DYLD_INSERT_LIBRARIES, _MSSafeMode and _SafeMode |
| fopen | bypass files in restricted directories |
| freopen | bypass files in restricted directories |
| stat | bypass files in restricted directories or under /bin/ |
| lstat | bypass files in restricted directories or under /bin/, /Applications, /usr/share, /usr/libexec, /usr/include, /Library/Ringtones, /Library/Wallpaper |
| fstatfs | bypass restricted directories or anything prefixed /var or /private/var |
| statfs | bypass restricted directories or anything prefixed /var or /private/var |
| posix_spawn | bypass files in restricted directories |
| posix_spawnp | bypass files in restricted directories |
| realpath | bypass paths in restricted directories |
| symlink | bypass paths in restricted directories |
| rename | bypass paths in restricted directories |
| unlink | bypass paths in restricted directories |
| unlinkat | bypass paths in restricted directories |
| rmdir | bypass restricted directories |
| chdir | bypass restricted directories |
| fchdir | bypass restricted directories |
| link | bypass paths in restricted directories |
| fstatat | bypass paths in restricted directories |
| faccessat | bypass paths in restricted directories |
| chroot | bypass paths in restricted directories |
| sysctl | fetches every process from the kernel, compares against the current process, and reads whether the current process is being debugged |
| getppid | bypass files in restricted directories |
| readlink | bypass paths in restricted directories |
| readlinkat | bypass paths in restricted directories |
| _dyld_image_count | bypass restricted images |
| _dyld_get_image_name | bypass restricted images |
| dlopen_preflight | bypass restricted images |
| dladdr | bypass restricted images |
| creat | bypass files in restricted directories |
| vfork | returns -1 outright; process creation is refused |
| fork | returns -1 outright; process creation is refused |
| popen | returns 0 outright |
| setgid, setuid, setegid, seteuid, setreuid, setregid | return -1 outright |
| getuid, getgid, geteuid, getegid | return 0x1f5 |
| objc_copyImageNames | returns 0 when the image name matches a particular library |
| objc_copyClassNamesForImage | bypass restricted images |
| dlsym | returns 0 (bypass) for symbols prefixed ms, sub, ps, lm, rocketbootstrap, substitute_ or _logos |
Now MSHookMessageEx, which has 149 call sites. Its prototype is
void MSHookMessageEx(Class _class, SEL message, IMP hook, IMP *old);
It locates the method message of class _class, installs hook on it, and saves the original method's address in old.
Analysing it the way MSHookFunction was analysed gives the following table:
| Class | Effect of the hook |
|---|---|
| SpringBoard | returns results that match the blacklist |
| NSData, UIApplication, NSFileManager, NSFileWrapper, NSFileVersion, NSFileHandle, NSURL, NSMutableArray, NSArray, NSMutableDictionary, NSDictionary, NSString | bypass paths in restricted directories or restricted URLs |
| NSBundle | prevents reading signerIdentity; bypasses paths in restricted directories or restricted URLs |
| NSProcessInfo, UIImage | bypass paths in restricted directories |
| NSDirectoryEnumerator | bypasses particular classes, restricted directories and restricted URLs |
| UIDevice | hooks isjailbroken, isjailbreak, isjailbroken; all return 0 |
| jailbreakdetectionvc, dttjailbreakdetection, gbdeviceinfo, cpwrdeviceinfo, cpwrsessioninfo, kssysteminfo, fcrsystemmetadata, onesignaljailbreakdetection | hooks isjailbroken, returns 0 |
| ansmetadata | hooks computeisjailbroken and isjailbroken, returns 0 |
| appsflyerutils | hooks isjailbreakon, returns 0 |
| cmarapprestrictionsdelegate | hooks isdevicenoncompliant, returns 0 |
| adysecuritycheck | hooks isdevicejailbroken, returns 0 |
| ubreportmetadatadevice | hooks is_rooted, returns 0 |
| utilitysystem, gemaltoconfiguration | hooks isjailbreak, returns 0 |
| emdskppconfiguration | hooks jailbroken, returns 0 |
| enrollparameters | hooks jailbroken, returns 0 |
| emdskppconfigurationbuilder | hooks jailbreakstatus, returns 0 |
| v_vdmap | hooks isjailbrokendetectedbyvos, isdfphookeddetecedbyvos, iscodeinjectiondetectedbyvos, isdebuggercheckdetectedbyvos, isappsignercheckdetectedbyvos and v_checkamodified; all return 0 |
| sdmutils | hooks isjailbroken, returns 0 |
| digipasshandler | hooks rooteddevicetestresult, returns 0 |
| awmydevicegeneralinfo | hooks iscompliant, returns 1 |

The restricted directories, URLs and images referred to in both tables are the entries of the tweak's built-in path list, matched either exactly or as a prefix of the path being checked.
/mobile/library/caches/gamekit/var/mobile/library/caches/geoservices/var/mobile/library/caches/mappedimagecache/var/mobile/library/caches/otacrashcopier/var/mobile/library/caches/passkit/var/mobile/library/caches/snapshots/var/mobile/library/caches/snapshots/com.apple/var/mobile/library/caches/telephonyui/var/mobile/library/caches/weather/var/mobile/library/caches/cache/var/mobile/library/caches/ckkeyrolld/var/mobile/library/caches/com.apple/var/mobile/library/caches/rtcreportingd/var/mobile/library/caches/sharedcaches/var/mobile/library/controlcenter/var/mobile/library/controlcenter/moduleconfiguration.plist/var/mobile/library/cydia/var/mobile/library/logs/cydia/var/mobile/library/preferences/var/mobile/library/preferences/.globalpreferences.plist/var/mobile/library/preferences/uitextinputcontextidentifiers.plist/var/mobile/library/preferences/wallpaper.png/var/mobile/library/preferences/ckkeyrolld.plist/var/mobile/library/preferences/com.apple./var/mobile/library/preferences/nfcd.plist/var/mobile/library/sbsettings/var/mobile/library/sileo/var/mobile/media/var/mobile/mobilesoftwareupdate/var/msgs/var/networkd/var/preferences/var/root/var/run/var/run/asl_input/var/run/configd.pid/var/run/fudinit/var/run/lockbot/var/run/lockdown/var/run/lockdown.sock/var/run/lockdown_first_run/var/run/mdnsresponder/var/run/pppconfd/var/run/printd/var/run/syslog/var/run/syslog.pid/var/run/utmpx/var/run/vpncontrol.sock/var/spool/var/staged_system_apps/var/tmp/var/vm/var/wireless  
Besides the directories above, it also hides accesses that match these path patterns:
listfirmware-sbin.listgsc.firmware-sbin.list  
It also hides any path that contains one of these strings:
substrate
substrate
substitute
substitrate
tweakinject
jailbreak
cycript
sbinject
pspawn
rocketbootstrap
bfdecrypt
And it blocks URLs that contain either of these patterns:
cydia
sileo
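To make the three filter layers above concrete (exact path list, substring match, URL pattern), here is a small C model of that decision logic. It is an added illustration written for this article, not code from Shadow itself: the exact-path table is a constructed subset of the list above, matching is done case-insensitively on a lower-cased copy (an assumption; the listing on this page is lower-cased by extraction, so the real tweak's case handling is not visible here), and exact entries are compared with strcmp rather than as prefixes. A defender can feed their own detection targets through count_intercepted to see which of them this kind of filter would neutralise.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define PATH_CAP 1024
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* Exact paths: a constructed subset of the article's list, lower-case. */
static const char *const HIDDEN_PATHS[] = {
    "/usr/local/bin",
    "/var/lib/dpkg/info",
    "/var/mobile/library/cydia",
    "/var/mobile/library/sileo",
    "/var/run/lockbot",
};

/* Substrings from the article: a path containing any of them is hidden. */
static const char *const HIDDEN_SUBSTRINGS[] = {
    "substrate", "substitute", "substitrate", "tweakinject", "jailbreak",
    "cycript", "sbinject", "pspawn", "rocketbootstrap", "bfdecrypt",
};

/* URL patterns from the article. */
static const char *const BLOCKED_URL_PATTERNS[] = { "cydia", "sileo" };

/* Lower-case copy of src into dst; false if it does not fit.
 * Case-insensitive matching is an assumption made for this model. */
static bool lower_copy(char *dst, size_t cap, const char *src) {
    size_t n = strlen(src);
    if (n + 1 > cap) return false;
    for (size_t i = 0; i <= n; i++)
        dst[i] = (char)tolower((unsigned char)src[i]);
    return true;
}

/* Path filter model: exact-list match first, then substring match.
 * Returns true when a tweak following these rules would hide the path. */
bool path_is_hidden(const char *path) {
    char buf[PATH_CAP];
    if (!lower_copy(buf, sizeof buf, path)) return false;
    for (size_t i = 0; i < COUNT(HIDDEN_PATHS); i++)
        if (strcmp(buf, HIDDEN_PATHS[i]) == 0) return true;
    for (size_t i = 0; i < COUNT(HIDDEN_SUBSTRINGS); i++)
        if (strstr(buf, HIDDEN_SUBSTRINGS[i]) != NULL) return true;
    return false;
}

/* URL filter model: any URL containing a blocked pattern is refused. */
bool url_is_blocked(const char *url) {
    char buf[PATH_CAP];
    if (!lower_copy(buf, sizeof buf, url)) return false;
    for (size_t i = 0; i < COUNT(BLOCKED_URL_PATTERNS); i++)
        if (strstr(buf, BLOCKED_URL_PATTERNS[i]) != NULL) return true;
    return false;
}

/* How many of a detector's own file-system targets would be intercepted
 * by this filter; the remainder are the checks that still have a chance. */
int count_intercepted(const char *const *targets, size_t n) {
    int hit = 0;
    for (size_t i = 0; i < n; i++)
        if (path_is_hidden(targets[i])) hit++;
    return hit;
}
```

Whether the real tweak also hides children of a listed directory is not stated on this page; the model treats list entries as exact matches, and switching strcmp to a prefix comparison is the one-line change if prefix behaviour is what you want to model.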
Detection
From the above, this jailbreak tool has put a lot of bypass work into directories and system APIs, but there are still areas it does not cover.
Compared against the list in the basic approach section, the status is roughly:
Protect access to environment variables ---- partial
Block execution of certain commands --- none
Block access to certain paths ---- yes
Block access to certain system parameters -- partial
Hook certain system calls --- partial
So a detection scheme could look like this:
mkdir is not hooked: use mkdir to create a subdirectory inside a directory that is normally inaccessible; if it succeeds, the device is jailbroken.
execve is not hooked: try executing a program that normally may not be executed; if it succeeds, the device is jailbroken.
ptrace is not hooked: use it to debug the process itself; if that succeeds, the device is jailbroken.
Build a library that defines functions whose names start with ms, sub, ps, lm, rocketbootstrap, substitute_ or _logos; if dlsym fails to resolve them, the device is jailbroken.
Only sysctl is hooked; sysctlbyname and sysctlnametomib are not, so these two can be called to obtain process information. sysctl itself is also not handled in every case, for example hardware information is not covered. If these three calls return high-privilege information, the device is jailbroken.
Do not link any other jailbreak-detection library, but implement a class and method with the same names yourself, for example a class sdmutils with a method isjailbroken that only ever returns 1. If calling that method returns 0, the device is jailbroken.
There are many more, but I am not familiar with iOS or its system calls, so I can only offer these.
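The checks above all follow one pattern: attempt an operation that a sandboxed app is normally refused, and treat success as evidence that the sandbox is gone and the tweak did not hide it. The following C harness, added here as an illustration and not taken from the article or from any detection library, implements the mkdir check and the sysctlbyname check in that shape and combines the outcomes into a verdict. The target directory and sysctl name in main are constructed placeholders; on a device you would substitute a directory and a parameter that the sandbox normally refuses. The sysctlbyname probe is compiled only on Darwin and reports "not available" elsewhere, so the verdict logic never counts an unavailable probe as evidence either way.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
#ifdef __APPLE__
#include <sys/sysctl.h>
#endif

/* Outcome of one probe: 1 = the normally refused operation succeeded
 * (evidence of a jailbroken environment the tweak did not cover),
 * 0 = refused as a sandboxed app would expect, -1 = not available here. */
typedef int probe_result;

typedef struct {
    const char *name;
    probe_result result;
} probe_report;

/* Article check: mkdir is not hooked, so try to create a subdirectory under
 * a directory a sandboxed app may not write to. On success the directory is
 * removed again so the probe leaves nothing behind. */
probe_result probe_mkdir(const char *dir) {
    if (mkdir(dir, 0700) == 0) {
        rmdir(dir);
        return 1;
    }
    return 0;
}

/* Article check: sysctlbyname is not hooked. Ask only for the size of the
 * value; an error means the call was refused, a size means data came back
 * through the un-hooked path. */
#ifdef __APPLE__
probe_result probe_sysctlbyname(const char *name) {
    size_t len = 0;
    if (sysctlbyname(name, NULL, &len, NULL, 0) != 0) return 0;
    return len > 0 ? 1 : 0;
}
#else
probe_result probe_sysctlbyname(const char *name) {
    (void)name;            /* only meaningful on Darwin */
    return -1;
}
#endif

/* Verdict: any available probe that succeeded means the environment is
 * jailbroken and this path was not covered. Unavailable probes (-1) are
 * ignored rather than treated as evidence. */
bool any_probe_succeeded(const probe_report *reports, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (reports[i].result == 1) return true;
    return false;
}

int main(void) {
    /* Constructed targets: replace with a directory and a sysctl name that
     * a sandboxed app on the device is normally refused. */
    probe_report reports[] = {
        { "mkdir under /private/var/root",
          probe_mkdir("/private/var/root/probe_constructed") },
        { "sysctlbyname hw.machine",
          probe_sysctlbyname("hw.machine") },
    };
    size_t n = sizeof reports / sizeof reports[0];
    for (size_t i = 0; i < n; i++)
        printf("%-32s -> %d\n", reports[i].name, reports[i].result);
    printf("verdict: %s\n",
           any_probe_succeeded(reports, n) ? "jailbroken" : "no evidence");
    return 0;
}
```

The execve, ptrace, dlsym-prefix and decoy-class checks from the list slot into the same probe_report table: each is a function that attempts the operation and maps the outcome to 1, 0 or -1, which keeps the verdict logic independent of how many checks you add.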