
iOS process startup model

哆啦安全 · Source: 奶牛安全 · 2023-02-23 09:21

Analysis tool: IDA 7.0

Basic approach

Before analysing the jailbreak tool Shadow, one observation: every jailbreak tool works by injecting into processes and hooking them. By scope, injection falls into two kinds:

User-mode injection, through a dynamic library

Kernel-mode injection, through a driver

Developing a driver for Apple's systems requires Apple's authorisation, so jailbreak tools cannot take that route; only user-mode injection is open to them.

Analysing Shadow therefore requires understanding how dynamic libraries are loaded when a process starts, which is what the iOS process startup model describes.

This article proceeds as follows:

iOS process startup model

Dependency analysis

Hook-point analysis

Detection

iOS process startup model

iOS is also a derivative of the Unix family, and across that family the process startup model is roughly the same:

1. Load the executable: it is found by absolute path, by relative path, or by searching the directories named in an environment variable.

2. Load the dynamic libraries the executable depends on (its import table): they are found by absolute path, by relative path, or by searching the directories named in environment variables and system configuration.

3. Complete all symbol resolution and start the process.

4. The process handles its input arguments and the relevant configuration files.

Of these, only steps 1 and 2 offer any chance to inject.

In the Unix family the environment variable tied to executable loading is usually **PATH**, a list of executable directories such as /bin, /usr/bin and /usr/local/bin; it can normally be set by the user. The search follows the order of the list entries and stops as soon as a match is found. Suppose the variable is set like this

PATH=/bin:/usr/bin:/usr/local/bin

and each of those directories holds an ls executable: running ls will only ever execute /bin/ls.

If a jailbreak tool wants to inject at this step, it has to build a sandbox that takes over the execution of every program. Every user-mode process then becomes its child, and the sandbox can freely change the children's environment variables to achieve static injection, or even use system calls such as ptrace for dynamic injection. This approach evades the checks of the various jailbreak-detection tools very well.

In the Unix family, the environment variables and system configuration tied to dynamic-library loading differ from system to system.

As can be seen, iOS walks the path lists held in the following environment variables in this order; once the matching dynamic library is found it stops that walk and moves on to the next library to be resolved:

DYLD_INSERT_LIBRARIES

DYLD_VERSIONED_FRAMEWORK_PATH

DYLD_FRAMEWORK_PATH

DYLD_LIBRARY_PATH

DYLD_FALLBACK_FRAMEWORK_PATH

DYLD_FALLBACK_LIBRARY_PATH
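The first-match-wins walk that the PATH example and the DYLD_* lists above both describe, as an added example written for this edit (it is not code from the article or from Shadow): the "filesystem" is a constructed list of paths, the function names and the trusted-prefix check are this edit's own, and it goes slightly beyond the text by chaining several lists in priority order and by flagging a library that resolved from outside the system prefixes, which is the check a defender would want after reading this section.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the filesystem: only these paths "exist". */
static const char *EXISTING[] = {
    "/bin/ls", "/usr/bin/ls", "/usr/local/bin/ls",
    "/usr/lib/libSystem.B.dylib",
    "/var/tmp/override/libSystem.B.dylib",   /* a copy placed in a user-writable directory */
    NULL
};

static int path_exists(const char *p)
{
    for (const char **e = EXISTING; *e; e++)
        if (strcmp(*e, p) == 0) return 1;
    return 0;
}

/* Walk one colon-separated directory list the way PATH and the DYLD_*_PATH
 * variables are walked: directories are tried in order and the first one
 * holding `name` ends the search. Returns the 0-based position of the winner
 * (or -1) and writes the full path to `out`. */
int search_list(const char *list, const char *name, char *out, size_t outlen)
{
    int pos = 0;
    const char *start = list;
    while (start && *start) {
        const char *end = strchr(start, ':');
        size_t dirlen = end ? (size_t)(end - start) : strlen(start);
        snprintf(out, outlen, "%.*s/%s", (int)dirlen, start, name);
        if (path_exists(out)) return pos;
        start = end ? end + 1 : NULL;
        pos++;
    }
    out[0] = '\0';
    return -1;
}

/* Chain several lists in priority order (for instance DYLD_LIBRARY_PATH, then
 * DYLD_FALLBACK_LIBRARY_PATH): the first list that yields a hit ends the
 * search, so an earlier list shadows every later one. NULL entries stand for
 * unset variables. Returns the index of the winning list, or -1. */
int resolve_in_order(const char *const *lists, int nlists, const char *name,
                     char *out, size_t outlen)
{
    for (int i = 0; i < nlists; i++)
        if (lists[i] && search_list(lists[i], name, out, outlen) >= 0) return i;
    out[0] = '\0';
    return -1;
}

/* Defender's check: a system library that did not resolve under a system
 * prefix was shadowed through an environment-controlled directory. */
int from_trusted_prefix(const char *path)
{
    static const char *TRUSTED[] = { "/usr/lib/", "/System/Library/", NULL };
    for (const char **t = TRUSTED; *t; t++)
        if (strncmp(path, *t, strlen(*t)) == 0) return 1;
    return 0;
}

char resolved[256];   /* scratch buffer for the demonstration below */

int main(void)
{
    /* The article's PATH: three directories that all hold ls; /bin wins. */
    int pos = search_list("/bin:/usr/bin:/usr/local/bin", "ls", resolved, sizeof resolved);
    printf("ls -> %s (directory %d)\n", resolved, pos);

    /* Constructed DYLD_LIBRARY_PATH placed ahead of the /usr/lib fallback. */
    const char *lists[] = { "/var/tmp/override", "/usr/lib" };
    int which = resolve_in_order(lists, 2, "libSystem.B.dylib", resolved, sizeof resolved);
    printf("libSystem.B.dylib -> %s (list %d, trusted=%d)\n",
           resolved, which, from_trusted_prefix(resolved));
    return 0;
}
```

The point the simulation makes concrete is that the loader never consults the second list once the first has answered, so a check that only inspects the system copy of a library learns nothing about which copy was actually mapped; the resolved path is what has to be inspected.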

Many apps today detect whether iOS is jailbroken by doing the following:

Reading or writing directories and files that only root can access

Executing commands that only root can run

Reading or changing environment variables that only root can access

Invoking system calls that only root can make

Reading system parameters that only root can access

Following the startup-model analysis above, a jailbreak tool that wants anti-detection capability must therefore:

Guard access to environment variables

Block the execution of certain commands

Block access to certain paths

Block access to certain system parameters

Hook certain system calls

Dependency analysis

With the groundwork above, let us look at what this jailbreak tool actually contains.

Extracting me.jjolano.shadow_2.0.20_iphoneos-arm.deb gives roughly this directory tree

PS D:\Library> Get-ChildItem -Recurse


    目錄: D:\Library


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----         2019/8/2      1:59                MobileSubstrate
d-----         2019/8/2      1:59                PreferenceBundles
d-----         2019/8/2      1:59                PreferenceLoader


    目錄: D:\Library\MobileSubstrate


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----         2019/8/2      1:59                DynamicLibraries


    目錄: D:\Library\MobileSubstrate\DynamicLibraries


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         2019/8/2      1:59         728432 0Shadow.dylib
-a----         2019/8/2      1:59             87 0Shadow.plist


    目錄: D:\Library\PreferenceBundles


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----         2019/8/2      1:59                ShadowPreferences.bundle


    目錄: D:\Library\PreferenceBundles\ShadowPreferences.bundle


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        2019/7/14      1:29                en.lproj
-a---l        2021/4/10      0:27              0 Base.lproj
-a----         2019/8/2      1:59            751 Icon-Small.png
-a----         2019/8/2      1:59           1610 Icon-Small@2x.png
-a----         2019/8/2      1:59           2693 Icon-Small@3x.png
-a----         2019/8/2      1:59            404 Info.plist
-a----         2019/8/2      1:59           3123 Root.plist
-a----        2019/7/29      4:37         265808 ShadowPreferences


    目錄: D:\Library\PreferenceBundles\ShadowPreferences.bundle\en.lproj


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         2019/8/2      1:59           3915 Root.strings


    目錄: D:\Library\PreferenceLoader


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----         2019/8/2      1:59                Preferences


    目錄: D:\Library\PreferenceLoader\Preferences


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         2019/8/2      1:59            199 ShadowPreferences.plist

Judging by size, only D:\Library\MobileSubstrate\DynamicLibraries\0Shadow.dylib is worth analysing. Open it in IDA and look at the import table:

Address           Name                                    Library
0000000000026830  _OBJC_CLASS_$_HBPreferences             /Library/Frameworks/Cephei.framework/Cephei
0000000000026838  _MSGetImageByName                       /Library/Frameworks/CydiaSubstrate.framework/CydiaSubstrate
0000000000026840  _MSHookFunction                         /Library/Frameworks/CydiaSubstrate.framework/CydiaSubstrate
0000000000026848  _MSHookMessageEx                        /Library/Frameworks/CydiaSubstrate.framework/CydiaSubstrate
0000000000026800  _OBJC_CLASS_$_NSArray                   /System/Library/Frameworks/CoreFoundation.framework/CoreFoundation
0000000000026808  _OBJC_CLASS_$_NSDictionary              /System/Library/Frameworks/CoreFoundation.framework/CoreFoundation
0000000000026810  _OBJC_CLASS_$_NSMutableArray            /System/Library/Frameworks/CoreFoundation.framework/CoreFoundation
0000000000026818  _OBJC_CLASS_$_NSMutableDictionary       /System/Library/Frameworks/CoreFoundation.framework/CoreFoundation
0000000000026820  _OBJC_CLASS_$_NSURL                     /System/Library/Frameworks/CoreFoundation.framework/CoreFoundation
0000000000026828  ___CFConstantStringClassReference       /System/Library/Frameworks/CoreFoundation.framework/CoreFoundation
00000000000267A0  _NSCocoaErrorDomain                     /System/Library/Frameworks/Foundation.framework/Foundation
00000000000267A8  _NSLocalizedDescriptionKey              /System/Library/Frameworks/Foundation.framework/Foundation
00000000000267B0  _NSLocalizedFailureReasonErrorKey       /System/Library/Frameworks/Foundation.framework/Foundation
00000000000267B8  _NSLocalizedRecoverySuggestionErrorKey  /System/Library/Frameworks/Foundation.framework/Foundation
00000000000267C0  _OBJC_CLASS_$_NSBundle                  /System/Library/Frameworks/Foundation.framework/Foundation
00000000000267C8  _OBJC_CLASS_$_NSCharacterSet            /System/Library/Frameworks/Foundation.framework/Foundation
00000000000267D0  _OBJC_CLASS_$_NSError                   /System/Library/Frameworks/Foundation.framework/Foundation
00000000000267D8  _OBJC_CLASS_$_NSFileManager             /System/Library/Frameworks/Foundation.framework/Foundation
00000000000267E0  _OBJC_CLASS_$_NSNumber                  /System/Library/Frameworks/Foundation.framework/Foundation
00000000000267E8  _OBJC_CLASS_$_NSProcessInfo             /System/Library/Frameworks/Foundation.framework/Foundation
00000000000267F0  _OBJC_CLASS_$_NSString                  /System/Library/Frameworks/Foundation.framework/Foundation
00000000000267F8  _OBJC_CLASS_$_NSValue                   /System/Library/Frameworks/Foundation.framework/Foundation
0000000000026858  _NSVersionOfLinkTimeLibrary             /usr/lib/libSystem.B.dylib
0000000000026860  _NSVersionOfRunTimeLibrary              /usr/lib/libSystem.B.dylib
0000000000026868  ___stack_chk_guard                      /usr/lib/libSystem.B.dylib
0000000000026870  __dyld_get_image_name                   /usr/lib/libSystem.B.dylib
0000000000026878  __dyld_image_count                      /usr/lib/libSystem.B.dylib
0000000000026880  _access                                 /usr/lib/libSystem.B.dylib
0000000000026888  _chdir                                  /usr/lib/libSystem.B.dylib
0000000000026890  _chroot                                 /usr/lib/libSystem.B.dylib
0000000000026898  _creat                                  /usr/lib/libSystem.B.dylib
00000000000268A0  _csops                                  /usr/lib/libSystem.B.dylib
00000000000268A8  _dladdr                                 /usr/lib/libSystem.B.dylib
00000000000268B0  _dlopen                                 /usr/lib/libSystem.B.dylib
00000000000268B8  _dlopen_preflight                       /usr/lib/libSystem.B.dylib
00000000000268C0  _dlsym                                  /usr/lib/libSystem.B.dylib
00000000000268C8  _faccessat                              /usr/lib/libSystem.B.dylib
00000000000268D0  _fchdir                                 /usr/lib/libSystem.B.dylib
00000000000268D8  _fopen                                  /usr/lib/libSystem.B.dylib
00000000000268E0  _fork                                   /usr/lib/libSystem.B.dylib
00000000000268E8  _freopen                                /usr/lib/libSystem.B.dylib
00000000000268F0  _fstat                                  /usr/lib/libSystem.B.dylib
00000000000268F8  _fstatat                                /usr/lib/libSystem.B.dylib
0000000000026900  _fstatfs                                /usr/lib/libSystem.B.dylib
0000000000026908  _getegid                                /usr/lib/libSystem.B.dylib
0000000000026910  _getenv                                 /usr/lib/libSystem.B.dylib
0000000000026918  _geteuid                                /usr/lib/libSystem.B.dylib
0000000000026920  _getgid                                 /usr/lib/libSystem.B.dylib
0000000000026928  _getppid                                /usr/lib/libSystem.B.dylib
0000000000026930  _getuid                                 /usr/lib/libSystem.B.dylib
0000000000026938  _link                                   /usr/lib/libSystem.B.dylib
0000000000026940  _lstat                                  /usr/lib/libSystem.B.dylib
0000000000026948  _open                                   /usr/lib/libSystem.B.dylib
0000000000026950  _openat                                 /usr/lib/libSystem.B.dylib
0000000000026958  _opendir                                /usr/lib/libSystem.B.dylib
0000000000026960  _popen                                  /usr/lib/libSystem.B.dylib
0000000000026968  _posix_spawn                            /usr/lib/libSystem.B.dylib
0000000000026970  _posix_spawnp                           /usr/lib/libSystem.B.dylib
0000000000026978  _readdir                                /usr/lib/libSystem.B.dylib
0000000000026980  _readlink                               /usr/lib/libSystem.B.dylib
0000000000026988  _readlinkat                             /usr/lib/libSystem.B.dylib
0000000000026990  _realpath$DARWIN_EXTSN                  /usr/lib/libSystem.B.dylib
0000000000026998  _remove                                 /usr/lib/libSystem.B.dylib
00000000000269A0  _rename                                 /usr/lib/libSystem.B.dylib
00000000000269A8  _rmdir                                  /usr/lib/libSystem.B.dylib
00000000000269B0  _setegid                                /usr/lib/libSystem.B.dylib
00000000000269B8  _seteuid                                /usr/lib/libSystem.B.dylib
00000000000269C0  _setgid                                 /usr/lib/libSystem.B.dylib
00000000000269C8  _setregid                               /usr/lib/libSystem.B.dylib
00000000000269D0  _setreuid                               /usr/lib/libSystem.B.dylib
00000000000269D8  _setuid                                 /usr/lib/libSystem.B.dylib
00000000000269E0  _stat                                   /usr/lib/libSystem.B.dylib
00000000000269E8  _statfs                                 /usr/lib/libSystem.B.dylib
00000000000269F0  _symlink                                /usr/lib/libSystem.B.dylib
00000000000269F8  _sysctl                                 /usr/lib/libSystem.B.dylib
0000000000026A00  _unlink                                 /usr/lib/libSystem.B.dylib
0000000000026A08  _unlinkat                               /usr/lib/libSystem.B.dylib
0000000000026A10  _vfork                                  /usr/lib/libSystem.B.dylib
0000000000026A18  dyld_stub_binder                        /usr/lib/libSystem.B.dylib
0000000000026A20  __Unwind_Resume                         /usr/lib/libSystem.B.dylib
0000000000026A28  ___error                                /usr/lib/libSystem.B.dylib
0000000000026A30  ___stack_chk_fail                       /usr/lib/libSystem.B.dylib
0000000000026A38  __dyld_register_func_for_add_image      /usr/lib/libSystem.B.dylib
0000000000026A40  _dirfd                                  /usr/lib/libSystem.B.dylib
0000000000026A48  _dlclose                                /usr/lib/libSystem.B.dylib
0000000000026A50  _fclose                                 /usr/lib/libSystem.B.dylib
0000000000026A58  _fcntl                                  /usr/lib/libSystem.B.dylib
0000000000026A60  _free                                   /usr/lib/libSystem.B.dylib
0000000000026A68  _getpid                                 /usr/lib/libSystem.B.dylib
0000000000026A70  _strcmp                                 /usr/lib/libSystem.B.dylib
0000000000026A78  _strlen                                 /usr/lib/libSystem.B.dylib
0000000000026850  ___gxx_personality_v0                   /usr/lib/libc++.1.dylib
0000000000026720  _OBJC_CLASS_$_NSObject                  /usr/lib/libobjc.A.dylib
0000000000026728  _OBJC_METACLASS_$_NSObject              /usr/lib/libobjc.A.dylib
0000000000026730  __objc_empty_cache                      /usr/lib/libobjc.A.dylib
0000000000026738  _objc_copyClassNamesForImage            /usr/lib/libobjc.A.dylib
0000000000026740  _objc_copyImageNames                    /usr/lib/libobjc.A.dylib
0000000000026748  _objc_autoreleaseReturnValue            /usr/lib/libobjc.A.dylib
0000000000026750  _objc_enumerationMutation               /usr/lib/libobjc.A.dylib
0000000000026758  _objc_getClass                          /usr/lib/libobjc.A.dylib
0000000000026760  _objc_msgSend                           /usr/lib/libobjc.A.dylib
0000000000026768  _objc_msgSendSuper2                     /usr/lib/libobjc.A.dylib
0000000000026770  _objc_release                           /usr/lib/libobjc.A.dylib
0000000000026778  _objc_retain                            /usr/lib/libobjc.A.dylib
0000000000026780  _objc_retainAutorelease                 /usr/lib/libobjc.A.dylib
0000000000026788  _objc_retainAutoreleasedReturnValue     /usr/lib/libobjc.A.dylib
0000000000026790  _objc_storeStrong                       /usr/lib/libobjc.A.dylib
0000000000026798  _object_getClass                        /usr/lib/libobjc.A.dylib

Apart from the system frameworks, the tool references only two frameworks: /Library/Frameworks/Cephei.framework/Cephei and /Library/Frameworks/CydiaSubstrate.framework/CydiaSubstrate.

Take the imported entries one at a time.

0000000000026830  _OBJC_CLASS_$_HBPreferences  /Library/Frameworks/Cephei.framework/Cephei

The symbol _OBJC_CLASS_$_HBPreferences is name-mangled; what it actually imports is the class HBPreferences, which handles the settings shown in the preference UI.

That leaves just these three symbols

0000000000026838  _MSGetImageByName  /Library/Frameworks/CydiaSubstrate.framework/CydiaSubstrate
0000000000026840  _MSHookFunction    /Library/Frameworks/CydiaSubstrate.framework/CydiaSubstrate
0000000000026848  _MSHookMessageEx   /Library/Frameworks/CydiaSubstrate.framework/CydiaSubstrate

By the same name-mangling rule, these three symbols are MSGetImageByName, MSHookFunction and MSHookMessageEx.

Start with MSGetImageByName.

Looking at its references

Direction  Type  Address         Text
Up         p     InitFunc_0+64C  BL  _MSGetImageByName

there is exactly one, at InitFunc_0+64C.

In IDA the procedure is: select the symbol in the import table, double-click to jump to the location where the symbol lives, select the symbol there, right-click and choose "Jump to xref to operand..." to list every reference.

The assembly that references it:

__text:000000000000C34C                 ADR             X0, aUsrLibLibsubst_2 ; "/usr/lib/libsubstitute.dylib"
__text:000000000000C350                 NOP
__text:000000000000C354                 STP             X19, X26, [SP,#0x210+var_210]
__text:000000000000C358                 STR             X23, [SP,#0x210+var_200]
__text:000000000000C35C                 BL              _MSGetImageByName
__text:000000000000C360                 MOV             X24, X0
__text:000000000000C364                 NOP
__text:000000000000C368                 LDR             X0, qword_26080 ; void *
__text:000000000000C36C                 NOP
__text:000000000000C370                 LDR             X20, =sel_setUseInjectCompatibilityMode_ ; "setUseInjectCompatibilityMode:"
__text:000000000000C374                 CBZ             X24, loc_C3A0
__text:000000000000C378                 MOV             W2, #0
__text:000000000000C37C                 MOV             X1, X20 ; char *
__text:000000000000C380                 BL              _objc_msgSend
__text:000000000000C384                 B               loc_C3AC

So it looks up /usr/lib/libsubstitute.dylib by name, tests the returned handle to decide whether that library is present, and branches on the result.

__text:000000000000C354                 STP             X19, X26, [SP,#0x210+var_210]
__text:000000000000C358                 STR             X23, [SP,#0x210+var_200]

These two instructions are of little interest here: they are register spills the compiler scheduled out of order as an optimisation, and have nothing to do with this call.

From the assembly that consumes the handle

__text:000000000000C3A0 loc_C3A0                                ; CODE XREF: InitFunc_0+664↑j
__text:000000000000C3A0                 MOV             W2, #1
__text:000000000000C3A4                 MOV             X1, X20 ; char *
__text:000000000000C3A8                 BL              _objc_msgSend
__text:000000000000C3AC
__text:000000000000C3AC loc_C3AC                                ; CODE XREF: InitFunc_0+674↑j
__text:000000000000C3AC                 LDR             X0, [SP,#0x210+var_1E0] ; void *
__text:000000000000C3B0                 MOV             X1, X28 ; char *
__text:000000000000C3B4                 LDR             X2, [SP,#0x210+var_1B8]
__text:000000000000C3B8                 BL              _objc_msgSend
__text:000000000000C3BC                 CBZ             W0, loc_C6A0
__text:000000000000C3C0                 NOP

this is nothing more than communication with the preference manager and can be ignored.

MSHookFunction hooks a C API, while MSHookMessageEx hooks a member method of a class.

Hook-point analysis

Start with MSHookFunction; collecting every reference to it gives 57 sites.

Direction  Type  Address          Text
Up         p     InitFunc_0+6C8   BL  _MSHookFunction
Up         p     InitFunc_0+6E4   BL  _MSHookFunction
Up         p     InitFunc_0+700   BL  _MSHookFunction
Up         p     InitFunc_0+71C   BL  _MSHookFunction
Up         p     InitFunc_0+8DC   BL  _MSHookFunction
Up         p     InitFunc_0+8F8   BL  _MSHookFunction
Up         p     InitFunc_0+9C4   BL  _MSHookFunction
Up         p     InitFunc_0+9E0   BL  _MSHookFunction
Up         p     InitFunc_0+A9C   BL  _MSHookFunction
Up         p     InitFunc_0+1124  BL  _MSHookFunction
Up         p     InitFunc_0+1140  BL  _MSHookFunction
Up         p     InitFunc_0+115C  BL  _MSHookFunction
Up         p     InitFunc_0+1178  BL  _MSHookFunction
Up         p     InitFunc_0+1194  BL  _MSHookFunction
Up         p     InitFunc_0+11B0  BL  _MSHookFunction
Up         p     InitFunc_0+11CC  BL  _MSHookFunction
Up         p     InitFunc_0+11E8  BL  _MSHookFunction
Up         p     InitFunc_0+1204  BL  _MSHookFunction
Up         p     InitFunc_0+1220  BL  _MSHookFunction
Up         p     InitFunc_0+123C  BL  _MSHookFunction
Up         p     InitFunc_0+1258  BL  _MSHookFunction
Up         p     InitFunc_0+1274  BL  _MSHookFunction
Up         p     InitFunc_0+1290  BL  _MSHookFunction
Up         p     InitFunc_0+12AC  BL  _MSHookFunction
Up         p     InitFunc_0+12C8  BL  _MSHookFunction
Up         p     InitFunc_0+12E4  BL  _MSHookFunction
Up         p     InitFunc_0+1300  BL  _MSHookFunction
Up         p     InitFunc_0+131C  BL  _MSHookFunction
Up         p     InitFunc_0+1338  BL  _MSHookFunction
Up         p     InitFunc_0+1354  BL  _MSHookFunction
Up         p     InitFunc_0+1370  BL  _MSHookFunction
Up         p     InitFunc_0+138C  BL  _MSHookFunction
Up         p     InitFunc_0+13A8  BL  _MSHookFunction
Up         p     InitFunc_0+13C4  BL  _MSHookFunction
Up         p     InitFunc_0+196C  BL  _MSHookFunction
Up         p     InitFunc_0+1988  BL  _MSHookFunction
Up         p     InitFunc_0+1E84  BL  _MSHookFunction
Up         p     InitFunc_0+1EA0  BL  _MSHookFunction
Up         p     InitFunc_0+1EBC  BL  _MSHookFunction
Up         p     InitFunc_0+1ED8  BL  _MSHookFunction
Up         p     InitFunc_0+2168  BL  _MSHookFunction
Up         p     InitFunc_0+2184  BL  _MSHookFunction
Up         p     InitFunc_0+21A0  BL  _MSHookFunction
Up         p     InitFunc_0+21BC  BL  _MSHookFunction
Up         p     InitFunc_0+21D8  BL  _MSHookFunction
Up         p     InitFunc_0+21F4  BL  _MSHookFunction
Up         p     InitFunc_0+2210  BL  _MSHookFunction
Up         p     InitFunc_0+222C  BL  _MSHookFunction
Up         p     InitFunc_0+2248  BL  _MSHookFunction
Up         p     InitFunc_0+2264  BL  _MSHookFunction
Up         p     InitFunc_0+2280  BL  _MSHookFunction
Up         p     InitFunc_0+229C  BL  _MSHookFunction
Up         p     InitFunc_0+22B8  BL  _MSHookFunction
Up         p     InitFunc_0+22D4  BL  _MSHookFunction
Up         p     InitFunc_0+2354  BL  _MSHookFunction
Up         p     InitFunc_0+2370  BL  _MSHookFunction
Up         p     InitFunc_0+23A0  BL  _MSHookFunction

Take the first one

Up  p  InitFunc_0+6C8  BL  _MSHookFunction

According to MSHookFunction's prototype

void MSHookFunction(void *symbol, void *hook, void **old);

it finds the function behind symbol, installs hook on top of it, and saves the original function's address through old.

Given InitFunc_0's location

__text:000000000000BD10 InitFunc_0

InitFunc_0+6C8 is 000000000000C3D8:

__text:000000000000C3C4                 LDR             X0, =_fstat
__text:000000000000C3C8                 ADR             X1, sub_E590
__text:000000000000C3CC                 NOP
__text:000000000000C3D0                 ADR             X2, qword_260A8
__text:000000000000C3D4                 NOP
__text:000000000000C3D8                 BL              _MSHookFunction

So this site hooks fstat with sub_E590 and saves fstat's original address in qword_260A8. Now analyse sub_E590:

__text:000000000000E590 sub_E590                                ; DATA XREF: InitFunc_0+6B8↑o
__text:000000000000E590
__text:000000000000E590 var_440         = -0x440
__text:000000000000E590 var_438         = -0x438
__text:000000000000E590 var_38          = -0x38
__text:000000000000E590 var_30          = -0x30
__text:000000000000E590 var_20          = -0x20
__text:000000000000E590 var_10          = -0x10
__text:000000000000E590 var_s0          =  0
__text:000000000000E590
__text:000000000000E590                 STP             X28, X27, [SP,#-0x10+var_30]!
__text:000000000000E594                 STP             X22, X21, [SP,#0x30+var_20]
__text:000000000000E598                 STP             X20, X19, [SP,#0x30+var_10]
__text:000000000000E59C                 STP             X29, X30, [SP,#0x30+var_s0]
__text:000000000000E5A0                 ADD             X29, SP, #0x30
__text:000000000000E5A4                 SUB             SP, SP, #0x410
__text:000000000000E5A8                 MOV             X19, X1
__text:000000000000E5AC                 MOV             X20, X0
__text:000000000000E5B0                 NOP
__text:000000000000E5B4                 LDR             X8, =___stack_chk_guard
__text:000000000000E5B8                 LDR             X8, [X8]
__text:000000000000E5BC                 STUR            X8, [X29,#var_38]
__text:000000000000E5C0                 ADD             X8, SP, #0x440+var_438
__text:000000000000E5C4                 STR             X8, [SP,#0x440+var_440]
__text:000000000000E5C8                 MOV             W1, #0x32 ; int
__text:000000000000E5CC                 BL              _fcntl
__text:000000000000E5D0                 CMN             W0, #1
__text:000000000000E5D4                 B.EQ            loc_E6C0
__text:000000000000E5D8                 NOP
__text:000000000000E5DC                 LDR             X0, =_OBJC_CLASS_$_NSFileManager ; void *
__text:000000000000E5E0                 NOP
__text:000000000000E5E4                 LDR             X1, =sel_defaultManager ; "defaultManager"
__text:000000000000E5E8                 BL              _objc_msgSend
__text:000000000000E5EC                 MOV             X29, X29
__text:000000000000E5F0                 BL              _objc_retainAutoreleasedReturnValue
__text:000000000000E5F4                 MOV             X22, X0
__text:000000000000E5F8                 ADD             X0, SP, #0x440+var_438 ; char *
__text:000000000000E5FC                 BL              _strlen
__text:000000000000E600                 MOV             X3, X0
__text:000000000000E604                 NOP
__text:000000000000E608                 LDR             X1, =sel_stringWithFileSystemRepresentation_length_ ; "stringWithFileSystemRepresentation:leng"...
__text:000000000000E60C                 ADD             X2, SP, #0x440+var_438
__text:000000000000E610                 MOV             X0, X22 ; void *
__text:000000000000E614                 BL              _objc_msgSend
__text:000000000000E618                 MOV             X29, X29
__text:000000000000E61C                 BL              _objc_retainAutoreleasedReturnValue
__text:000000000000E620                 MOV             X21, X0
__text:000000000000E624                 MOV             X0, X22
__text:000000000000E628                 BL              _objc_release
__text:000000000000E62C                 NOP
__text:000000000000E630                 LDR             X0, qword_26080 ; void *
__text:000000000000E634                 NOP
__text:000000000000E638                 LDR             X1, =sel_isPathRestricted_ ; "isPathRestricted:"
__text:000000000000E63C                 MOV             X2, X21
__text:000000000000E640                 BL              _objc_msgSend
__text:000000000000E644                 CBZ             W0, loc_E664
__text:000000000000E648                 BL              ___error
__text:000000000000E64C                 MOV             W8, #9
__text:000000000000E650                 STR             W8, [X0]
__text:000000000000E654                 MOV             W20, #0xFFFFFFFF
__text:000000000000E658
__text:000000000000E658 loc_E658                                ; CODE XREF: sub_E590+124↓j
__text:000000000000E658                 MOV             X0, X21
__text:000000000000E65C                 BL              _objc_release
__text:000000000000E660                 B               loc_E6D8
__text:000000000000E664 ; ---------------------------------------------------------------------------
__text:000000000000E664
__text:000000000000E664 loc_E664                                ; CODE XREF: sub_E590+B4↑j
__text:000000000000E664                 CBZ             X19, loc_E6B8
__text:000000000000E668                 NOP
__text:000000000000E66C                 LDR             X1, =sel_isEqualToString_ ; "isEqualToString:"
__text:000000000000E670                 ADR             X2, cfstr_Bin ; "/bin"
__text:000000000000E674                 NOP
__text:000000000000E678                 MOV             X0, X21 ; void *
__text:000000000000E67C                 BL              _objc_msgSend
__text:000000000000E680                 CBZ             W0, loc_E6B8
__text:000000000000E684                 NOP
__text:000000000000E688                 LDR             X8, qword_260A8
__text:000000000000E68C                 MOV             X0, X20
__text:000000000000E690                 MOV             X1, X19
__text:000000000000E694                 BLR             X8
__text:000000000000E698                 CBNZ            W0, loc_E6B8
__text:000000000000E69C                 LDR             X8, [X19,#0x60]
__text:000000000000E6A0                 CMP             X8, #0x80
__text:000000000000E6A4                 B.LE            loc_E6B8
__text:000000000000E6A8                 MOV             W20, #0
__text:000000000000E6AC                 MOV             W8, #0x80
__text:000000000000E6B0                 STR             X8, [X19,#0x60]
__text:000000000000E6B4                 B               loc_E658
__text:000000000000E6B8 ; ---------------------------------------------------------------------------
__text:000000000000E6B8
__text:000000000000E6B8 loc_E6B8                                ; CODE XREF: sub_E590:loc_E664↑j
__text:000000000000E6B8                                         ; sub_E590+F0↑j ...
__text:000000000000E6B8                 MOV             X0, X21
__text:000000000000E6BC                 BL              _objc_release
__text:000000000000E6C0
__text:000000000000E6C0 loc_E6C0                                ; CODE XREF: sub_E590+44↑j
__text:000000000000E6C0                 NOP
__text:000000000000E6C4                 LDR             X8, qword_260A8
__text:000000000000E6C8                 MOV             X0, X20
__text:000000000000E6CC                 MOV             X1, X19
__text:000000000000E6D0                 BLR             X8
__text:000000000000E6D4                 MOV             X20, X0
__text:000000000000E6D8
__text:000000000000E6D8 loc_E6D8                                ; CODE XREF: sub_E590+D0↑j
__text:000000000000E6D8                 LDUR            X8, [X29,#var_38]
__text:000000000000E6DC                 NOP
__text:000000000000E6E0                 LDR             X9, =___stack_chk_guard
__text:000000000000E6E4                 LDR             X9, [X9]
__text:000000000000E6E8                 CMP             X9, X8
__text:000000000000E6EC                 B.NE            loc_E70C
__text:000000000000E6F0                 MOV             X0, X20
__text:000000000000E6F4                 ADD             SP, SP, #0x410
__text:000000000000E6F8                 LDP             X29, X30, [SP,#0x30+var_s0]
__text:000000000000E6FC                 LDP             X20, X19, [SP,#0x30+var_10]
__text:000000000000E700                 LDP             X22, X21, [SP,#0x30+var_20]
__text:000000000000E704                 LDP             X28, X27, [SP+0x30+var_30],#0x40
__text:000000000000E708                 RET
__text:000000000000E70C ; ---------------------------------------------------------------------------
__text:000000000000E70C
__text:000000000000E70C loc_E70C                                ; CODE XREF: sub_E590+15C↑j
__text:000000000000E70C                 BL              ___stack_chk_fail
__text:000000000000E70C ; End of function sub_E590

It looks complex, but the function does one thing: for every fstat call it checks whether the descriptor's path lies under a restricted directory or is /bin; if so it short-circuits the call, otherwise it continues into qword_260A8 (the original fstat) to do the real work.
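To make the control flow of sub_E590 explicit, here is a pseudo-C reading of the disassembly above, written for this edit; it is not Shadow's source, and the function names (shadow_fstat_logic, hooked_size, the fake_* stand-ins) and the descriptor table are constructed. Three facts from the listing are relied on: fcntl's second argument 0x32 is F_GETPATH on Darwin, the value 9 written through __error() is EBADF, and offset 0x60 in the arm64 Darwin struct stat is st_size. The stand-ins are injected as function pointers so the logic runs on any POSIX host, which lets a reader writing a jailbreak check see exactly which fstat results this tweak alters: a restricted path is turned into an invalid-descriptor error, and the size reported for /bin is clamped to 0x80.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

/* The three things sub_E590 reaches out to, made injectable so the logic can
 * run off-device. In the tweak they are fcntl(fd, 0x32, buf) where 0x32 is
 * F_GETPATH, [Shadow isPathRestricted:] sent through objc_msgSend, and the
 * original fstat saved in qword_260A8. The typedef names are this edit's own. */
typedef int (*fd_path_fn)(int fd, char *out, size_t outlen);
typedef int (*restricted_fn)(const char *path);
typedef int (*fstat_fn)(int fd, struct stat *st);

/* Pseudo-C reading of sub_E590 (assumed name; labels refer to the listing). */
int shadow_fstat_logic(int fd, struct stat *st, fd_path_fn get_path,
                       restricted_fn is_restricted, fstat_fn orig_fstat)
{
    char path[0x400];
    /* E5CC..E5D4: fcntl returned -1 -> loc_E6C0, plain pass-through. */
    if (get_path(fd, path, sizeof path) == -1)
        return orig_fstat(fd, st);

    /* E640..E654: restricted path -> *__error() = 9 (EBADF), return -1. */
    if (is_restricted(path)) {
        errno = EBADF;
        return -1;
    }

    /* loc_E664..E6B4: only "/bin" with a non-NULL buffer is special. Once the
     * original succeeds, a size above 0x80 is clamped (field at offset 0x60
     * of the arm64 Darwin struct stat is st_size) and 0 is returned. */
    if (st != NULL && strcmp(path, "/bin") == 0 &&
        orig_fstat(fd, st) == 0 && st->st_size > 0x80) {
        st->st_size = 0x80;
        return 0;
    }

    /* loc_E6B8 -> loc_E6C0: every other case calls the original (a second
     * time if the "/bin" probe above already ran it). */
    return orig_fstat(fd, st);
}

/* ---- constructed stand-ins so the logic runs on any POSIX host ---- */
struct fake_fd { int fd; const char *path; long size; };
static const struct fake_fd FAKE_FDS[] = {
    { 3, "/bin", 0x200 },                                       /* oversized /bin */
    { 4, "/Library/MobileSubstrate/DynamicLibraries", 0x100 },  /* restricted prefix */
    { 5, "/etc/hosts", 0x40 },                                  /* ordinary file */
    { 6, "/bin", 0x40 },                                        /* /bin already small */
};

static const struct fake_fd *lookup_fd(int fd)
{
    for (size_t i = 0; i < sizeof FAKE_FDS / sizeof FAKE_FDS[0]; i++)
        if (FAKE_FDS[i].fd == fd) return &FAKE_FDS[i];
    return NULL;
}

static int fake_get_path(int fd, char *out, size_t outlen)
{
    const struct fake_fd *f = lookup_fd(fd);
    if (!f) return -1;
    snprintf(out, outlen, "%s", f->path);
    return 0;
}

static int fake_restricted(const char *path)
{
    static const char prefix[] = "/Library/MobileSubstrate";
    return strncmp(path, prefix, sizeof prefix - 1) == 0;
}

static int fake_orig_fstat(int fd, struct stat *st)
{
    const struct fake_fd *f = lookup_fd(fd);
    if (!f) { errno = EBADF; return -1; }
    if (st) { memset(st, 0, sizeof *st); st->st_size = f->size; }
    return 0;
}

/* What a caller of the hooked fstat sees: the reported st_size, or -errno. */
long hooked_size(int fd)
{
    struct stat st;
    errno = 0;
    if (shadow_fstat_logic(fd, &st, fake_get_path, fake_restricted, fake_orig_fstat) != 0)
        return -errno;
    return (long)st.st_size;
}

int main(void)
{
    for (int fd = 3; fd <= 6; fd++)
        printf("fd %d -> %ld\n", fd, hooked_size(fd));
    return 0;
}
```

The practical lesson for anyone maintaining a detection check is that a value obtained through fstat on /bin, or any error from fstat on a path under the restricted list, is exactly what this hook controls; a check that depends on those results alone is neutralised by it.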

Analysing the remaining sites the same way yields this table

Original function: what the hook does
fstat: bypasses files under the restricted directories or /bin/
dlopen: bypasses the restricted images
open: bypasses files under the restricted directories
openat: bypasses files under the restricted directories
NSVersionOfRunTimeLibrary: bypasses the restricted images
NSVersionOfLinkTimeLibrary: bypasses the restricted images
opendir: bypasses the restricted directories
readdir: bypasses the restricted directories
csops: special handling when called with the result of getpid
access: bypasses the restricted directories or paths prefixed /Library/MobileSubstrate
getenv: bypasses DYLD_INSERT_LIBRARIES, _MSSafeMode and _SafeMode
fopen: bypasses files under the restricted directories
freopen: bypasses files under the restricted directories
stat: bypasses files under the restricted directories or /bin/
lstat: bypasses files under the restricted directories or under /bin/, /Applications, /usr/share, /usr/libexec, /usr/include, /Library/Ringtones, /Library/Wallpaper
fstatfs: bypasses the restricted directories or paths prefixed /var, /private/var
statfs: bypasses the restricted directories or paths prefixed /var, /private/var
posix_spawn: bypasses files under the restricted directories
posix_spawnp: bypasses files under the restricted directories
realpath: bypasses paths under the restricted directories
symlink: bypasses paths under the restricted directories
rename: bypasses paths under the restricted directories
unlink: bypasses paths under the restricted directories
unlinkat: bypasses paths under the restricted directories
rmdir: bypasses directories under the restricted directories
chdir: bypasses directories under the restricted directories
fchdir: bypasses directories under the restricted directories
link: bypasses paths under the restricted directories
fstatat: bypasses paths under the restricted directories
faccessat: bypasses paths under the restricted directories
chroot: bypasses paths under the restricted directories
sysctl: enumerates all processes from the kernel, compares them against the current process, and reads whether the current process is being debugged
getppid: bypasses files under the restricted directories
readlink: bypasses paths under the restricted directories
readlinkat: bypasses paths under the restricted directories
_dyld_image_count: bypasses the restricted images
_dyld_get_image_name: bypasses the restricted images
dlopen_preflight: bypasses the restricted images
dladdr: bypasses the restricted images
creat: bypasses files under the restricted directories
vfork: returns -1 directly, forbidding process creation
fork: returns -1 directly, forbidding process creation
popen: returns 0 directly
setgid, setuid, setegid, seteuid, setreuid, setregid: return -1 directly
getuid, getgid, geteuid, getegid: return 0x1F5 (501)
objc_copyImageNames: returns 0 when the image name obtained matches a particular library
objc_copyClassNamesForImage: bypasses the restricted images
dlsym: returns 0 for symbols prefixed MS, Sub, PS, LM, rocketbootstrap, substitute_ or _logos, bypassing them

Now MSHookMessageEx, which has 149 call sites. Its prototype is

void MSHookMessageEx(Class _class, SEL message, IMP hook, IMP *old);

It finds the method message of class _class, installs hook on top of it, and saves the original method's address through old.

Analysing it the way MSHookFunction was analysed gives the table below

Hooked class: what the hook does
SpringBoard: returns results matching the blacklist
NSData, UIApplication, NSFileManager, NSFileWrapper, NSFileVersion, NSFileHandle, NSURL, NSMutableArray, NSArray, NSMutableDictionary, NSDictionary, NSString: bypass paths under the restricted directories and restricted URLs
NSBundle: prevents reading SignerIdentity; bypasses paths under the restricted directories and restricted URLs
NSProcessInfo, UIImage: bypass paths under the restricted directories
NSDirectoryEnumerator: bypasses the restricted directories and restricted URLs for specific classes
UIDevice: hooks isJailbroken, isJailBreak and isJailBroken, all returning 0
JailbreakDetectionVC, DTTJailbreakDetection, GBDeviceInfo, CPWRDeviceInfo, CPWRSessionInfo, KSSystemInfo, FCRSystemMetadata, OneSignalJailbreakDetection: hook isJailbroken, returning 0
ANSMetadata: hooks computeIsJailbroken and isJailbroken, returning 0
AppsFlyerUtils: hooks isJailBreakon, returning 0
CMARAppRestrictionsDelegate: hooks isDeviceNonCompliant, returning 0
ADYSecurityCheck: hooks isDeviceJailbroken, returning 0
UBReportMetadataDevice: hooks is_rooted, returning 0
UtilitySystem, GemaltoConfiguration: hook isJailbreak, returning 0
EMDSKPPConfiguration: hooks jailBroken, returning 0
EnrollParameters: hooks jailbroken, returning 0
EMDskppConfigurationBuilder: hooks jailbreakStatus, returning 0
v_VDMap: hooks isJailBrokenDetectedByVOS, isDFPHookedDetecedByVOS, isCodeInjectionDetectedByVOS, isDebuggerCheckDetectedByVOS, isAppSignerCheckDetectedByVOS and v_checkAModified, returning 0
SDMUtils: hooks isJailBroken, returning 0
DigiPassHandler: hooks rootedDeviceTestResult, returning 0
AWMyDeviceGeneralInfo: hooks isCompliant, returning 1

The restricted directories, URLs and images referred to above are the following directories, or any path that has one of them as a prefix:

/
/.HFS
/.Trashes
/.ba
/.file
/.mb
/Applications
/Applications/AXUIViewService.app
/Applications/AccountAuthenticationDialog.app
/Applications/ActivityMessagesApp.app
/Applications/AdPlatformsDiagnostics.app
/Applications/AppStore.app
/Applications/AskPermissionUI.app
/Applications/BusinessExtensionsWrapper.app
/Applications/CTCarrierSpaceAuth.app
/Applications/Camera.app
/Applications/CheckerBoard.app
/Applications/CompassCalibrationViewService.app
/Applications/ContinuityCamera.app
/Applications/CoreAuthUI.app
/Applications/DDActionsService.app
/Applications/DNDBuddy.app
/Applications/DataActivation.app
/Applications/DemoApp.app
/Applications/Diagnostics.app
/Applications/DiagnosticsService.app
/Applications/FTMInternal-4.app
/Applications/Family.app
/Applications/Feedback
/Applications/FieldTest.app
/Applications/FindMyiPhone.app
/Applications/FunCameraShapes.app
/Applications/FunCameraText.app
/Applications/GameCenterUIService.app
/Applications/HashtagImages.app
/Applications/Health.app
/Applications/HealthPrivacyService.app
/Applications/HomeUIService.app
/Applications/InCallService.app
/Applications/Magnifier.app
/Applications/MailCompositionService.app
/Applications/MessagesViewService.app
/Applications/MobilePhone.app
/Applications/MobileSMS.app
/Applications/MobileSafari.app
/Applications/MobileSlideShow.app
/Applications/MobileTimer.app
/Applications/MusicUIService.app
/Applications/Passbook.app
/Applications/PassbookUIService.app
/Applications/PhotosViewService.app
/Applications/PreBoard.app
/Applications/Preferences.app
/Applications/Print
/Applications/SIMSetupUIService.app
/Applications/SLGoogleAuth.app
/Applications/SLYahooAuth.app
/Applications/SafariViewService.app
/Applications/ScreenSharingViewService.app
/Applications/ScreenshotServicesService.app
/Applications/Setup.app
/Applications/SharedWebCredentialViewService.app
/Applications/SharingViewService.app
/Applications/SiriViewService.app
/Applications/SoftwareUpdateUIService.app
/Applications/StoreDemoViewService.app
/Applications/StoreKitUIService.app
/Applications/TrustMe.app
/Applications/Utilities
/Applications/VideoSubscriberAccountViewService.app
/Applications/WLAccessService.app
/Applications/Web.app
/Applications/WebApp1.app
/Applications/WebContentAnalysisUI.app
/Applications/WebSheet.app
/Applications/iAdOptOut.app
/Applications/iCloud.app
/Developer
/Library
/Library/Application
/Library/Application
/Library/Application
/Library/Audio
/Library/Caches
/Library/Caches/cy-
/Library/Filesystems
/Library/Frameworks
/Library/Frameworks/Cephei.framework/Cephei
/Library/Frameworks/CydiaSubstrate.framework/CydiaSubstrate
/Library/Internet
/Library/Keychains
/Library/LaunchAgents
/Library/LaunchDaemons
/Library/Logs
/Library/Managed
/Library/MobileDevice
/Library/MobileSubstrate
/Library/MobileSubstrate/DynamicLibraries/0Shadow.dylib
/Library/MusicUISupport
/Library/PreferenceBundles
/Library/Preferences
/Library/Printers
/Library/Ringtones
/Library/SnowBoard
/Library/Themes
/Library/TweakInject
/Library/Updates
/Library/Wallpaper
/System
/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation
/System/Library/Frameworks/Foundation.framework/Foundation
/System/Library/PreferenceBundles/AppList.bundle
/User/Library/Preferences
/bin
/bin/df
/bin/ps
/cores
/dev
/dev/dlci.
/dev/kmem
/dev/mem
/dev/vn0
/dev/vn1
/etc
/etc/asl
/etc/asl.conf
/etc/fstab
/etc/group
/etc/hosts
/etc/hosts.equiv
/etc/master.passwd
/etc/networks
/etc/notify.conf
/etc/passwd
/etc/ppp
/etc/protocols
/etc/racoon
/etc/services
/etc/ttys
/lib
/mnt
/private
/private/etc
/private/system_data
/private/var
/private/var/containers/Bundle/Application
/private/var/mobile/Containers/Bundle/Application
/private/xarts
/sbin
/sbin/fsck
/sbin/launchd
/sbin/mount
/sbin/pfctl
/tmp
/tmp/Substrate
/tmp/amfid_payload.alive
/tmp/amfidebilitate.out
/tmp/com.apple
/tmp/cydia.log
/tmp/jailbreakd.pid
/tmp/org.coolstar
/tmp/slide.txt
/tmp/substrate
/tmp/syslog
/usr
/usr/bin
/usr/bin/DumpBasebandCrash
/usr/bin/PerfPowerServicesExtended
/usr/bin/abmlite
/usr/bin/brctl
/usr/bin/footprint
/usr/bin/hidutil
/usr/bin/hpmdiagnose
/usr/bin/kbdebug
/usr/bin/powerlogHelperd
/usr/bin/sysdiagnose
/usr/bin/tailspin
/usr/bin/taskinfo
/usr/bin/vm_stat
/usr/bin/zprint
/usr/include
/usr/lib
/usr/lib/FDRSealingMap.plist
/usr/lib/TweakInject
/usr/lib/apt
/usr/lib/bash
/usr/lib/bbmasks
/usr/lib/cycript
/usr/lib/dyld
/usr/lib/lib%@.dylib
/usr/lib/libCRFSuite
/usr/lib/libDHCPServer
/usr/lib/libMatch
/usr/lib/libSubstitrate
/usr/lib/libSystem
/usr/lib/libSystem.B.dylib
/usr/lib/libarchive
/usr/lib/libbsm
/usr/lib/libbz2
/usr/lib/libc
/usr/lib/libc++
/usr/lib/libc++.1.dylib
/usr/lib/libcharset
/usr/lib/libcurses
/usr/lib/libdbm
/usr/lib/libdl
/usr/lib/libeasyperf
/usr/lib/libedit
/usr/lib/libexslt
/usr/lib/libextension
/usr/lib/libform
/usr/lib/libiconv
/usr/lib/libicucore
/usr/lib/libinfo
/usr/lib/libipsec
/usr/lib/liblzma
/usr/lib/libm
/usr/lib/libmecab
/usr/lib/libmis.dylib
/usr/lib/libncurses
/usr/lib/libobjc
/usr/lib/libobjc.A.dylib
/usr/lib/libpcap
/usr/lib/libperfcheck
/usr/lib/libpmsample
/usr/lib/libpoll
/usr/lib/libproc
/usr/lib/libpthread
/usr/lib/libresolv
/usr/lib/librpcsvc
/usr/lib/libsandbox
/usr/lib/libsqlite3
/usr/lib/libstdc++
/usr/lib/libsubstitute
/usr/lib/libsubstitute.dylib
/usr/lib/libsubstrate
/usr/lib/libtidy
/usr/lib/libutil
/usr/lib/libxml2
/usr/lib/libxslt
/usr/lib/libz
/usr/lib/log
/usr/lib/substrate
/usr/lib/system
/usr/lib/tweaks
/usr/lib/updaters
/usr/lib/xpc
/usr/libexec
/usr/libexec/BackupAgent
/usr/libexec/BackupAgent2
/usr/libexec/CrashHousekeeping
/usr/libexec/DataDetectorsSourceAccess
/usr/libexec/FSTaskScheduler
/usr/libexec/FinishRestoreFromBackup
/usr/libexec/IOAccelMemoryInfoCollector
/usr/libexec/IOMFB_bics_daemon
/usr/libexec/Library
/usr/libexec/MobileGestaltHelper
/usr/libexec/MobileStorageMounter
/usr/libexec/NANDTaskScheduler
/usr/libexec/OTATaskingAgent
/usr/libexec/PowerUIAgent
/usr/libexec/PreboardService
/usr/libexec/ProxiedCrashCopier
/usr/libexec/PurpleReverseProxy
/usr/libexec/ReportMemoryException
/usr/libexec/SafariCloudHistoryPushAgent
/usr/libexec/SidecarRelay
/usr/libexec/SyncAgent
/usr/libexec/UserEventAgent
/usr/libexec/addressbooksyncd
/usr/libexec/adid
/usr/libexec/adprivacyd
/usr/libexec/adservicesd
/usr/libexec/afcd
/usr/libexec/airtunesd
/usr/libexec/amfid
/usr/libexec/asd
/usr/libexec/assertiond
/usr/libexec/atc
/usr/libexec/atwakeup
/usr/libexec/backboardd
/usr/libexec/biometrickitd
/usr/libexec/bootpd
/usr/libexec/bulletindistributord
/usr/libexec/captiveagent
/usr/libexec/cc_fips_test
/usr/libexec/checkpointd
/usr/libexec/cloudpaird
/usr/libexec/com.apple.automation.defaultslockdownserviced
/usr/libexec/companion_proxy
/usr/libexec/configd
/usr/libexec/corecaptured
/usr/libexec/coreduetd
/usr/libexec/crash_mover
/usr/libexec/dasd
/usr/libexec/demod
/usr/libexec/demod_helper
/usr/libexec/dhcpd
/usr/libexec/diagnosticd
/usr/libexec/diagnosticextensionsd
/usr/libexec/dmd
/usr/libexec/dprivacyd
/usr/libexec/dtrace
/usr/libexec/duetexpertd
/usr/libexec/eventkitsyncd
/usr/libexec/fdrhelper
/usr/libexec/findmydeviced
/usr/libexec/finish_demo_restore
/usr/libexec/fmfd
/usr/libexec/fmflocatord
/usr/libexec/fseventsd
/usr/libexec/ftp-proxy
/usr/libexec/gamecontrollerd
/usr/libexec/gamed
/usr/libexec/gpsd
/usr/libexec/hangreporter
/usr/libexec/hangtracerd
/usr/libexec/heartbeatd
/usr/libexec/hostapd
/usr/libexec/idamd
/usr/libexec/init_data_protection
/usr/libexec/installd
/usr/libexec/ioupsd
/usr/libexec/keybagd
/usr/libexec/languageassetd
/usr/libexec/locationd
/usr/libexec/lockdownd
/usr/libexec/logd
/usr/libexec/lsd
/usr/libexec/lskdd
/usr/libexec/lskdmsed
/usr/libexec/magicswitchd
/usr/libexec/mc_mobile_tunnel
/usr/libexec/microstackshot
/usr/libexec/misagent
/usr/libexec/misd
/usr/libexec/mmaintenanced
/usr/libexec/mobile_assertion_agent
/usr/libexec/mobile_diagnostics_relay
/usr/libexec/mobile_house_arrest
/usr/libexec/mobile_installation_proxy
/usr/libexec/mobile_obliterator
/usr/libexec/mobile_storage_proxy
/usr/libexec/mobileactivationd
/usr/libexec/mobileassetd
/usr/libexec/mobilewatchdog
/usr/libexec/mtmergeprops
/usr/libexec/nanomediaremotelinkagent
/usr/libexec/nanoregistryd
/usr/libexec/nanoregistrylaunchd
/usr/libexec/neagent
/usr/libexec/nehelper
/usr/libexec/nesessionmanager
/usr/libexec/networkserviceproxy
/usr/libexec/nfcd
/usr/libexec/nfrestore_service
/usr/libexec/nlcd
/usr/libexec/notification_proxy
/usr/libexec/nptocompaniond
/usr/libexec/nsurlsessiond
/usr/libexec/nsurlstoraged
/usr/libexec/online-auth-agent
/usr/libexec/oscard
/usr/libexec/pcapd
/usr/libexec/pcsstatus
/usr/libexec/pfd
/usr/libexec/pipelined
/usr/libexec/pkd
/usr/libexec/pkreporter
/usr/libexec/ptpd
/usr/libexec/rapportd
/usr/libexec/replayd
/usr/libexec/resourcegrabberd
/usr/libexec/rolld
/usr/libexec/routined
/usr/libexec/rtbuddyd
/usr/libexec/rtcreportingd
/usr/libexec/safarifetcherd
/usr/libexec/screenshotsyncd
/usr/libexec/security-sysdiagnose
/usr/libexec/securityd
/usr/libexec/securityuploadd
/usr/libexec/seld
/usr/libexec/seputil
/usr/libexec/sharingd
/usr/libexec/signpost_reporter
/usr/libexec/silhouette
/usr/libexec/siriknowledged
/usr/libexec/smcDiagnose
/usr/libexec/splashboardd
/usr/libexec/springboardservicesrelay
/usr/libexec/streaming_zip_conduit
/usr/libexec/swcd
/usr/libexec/symptomsd
/usr/libexec/symptomsd-helper
/usr/libexec/sysdiagnose_helper
/usr/libexec/sysstatuscheck
/usr/libexec/tailspind
/usr/libexec/timed
/usr/libexec/tipsd
/usr/libexec/topicsmap.db
/usr/libexec/transitd
/usr/libexec/trustd
/usr/libexec/tursd
/usr/libexec/tzd
/usr/libexec/tzinit
/usr/libexec/tzlinkd
/usr/libexec/videosubscriptionsd
/usr/libexec/wapic
/usr/libexec/wcd
/usr/libexec/webbookmarksd
/usr/libexec/webinspectord
/usr/libexec/wifiFirmwareLoader
/usr/libexec/wifivelocityd
/usr/libexec/xpcproxy
/usr/libexec/xpcroleaccountd
/usr/local
/usr/local/bin
/usr/local/lib
/usr/local/standalone
/usr/sbin
/usr/sbin/BTAvrcp
/usr/sbin/BTLEServer
/usr/sbin/BTMap
/usr/sbin/BTPbap
/usr/sbin/BlueTool
/usr/sbin/WiFiNetworkStoreModel.momd
/usr/sbin/WirelessRadioManagerd
/usr/sbin/absd
/usr/sbin/addNetworkInterface
/usr/sbin/applecamerad
/usr/sbin/aslmanager
/usr/sbin/bluetoothd
/usr/sbin/cfprefsd
/usr/sbin/ckksctl
/usr/sbin/distnoted
/usr/sbin/fairplayd.H2
/usr/sbin/filecoordinationd
/usr/sbin/ioreg
/usr/sbin/ipconfig
/usr/sbin/mDNSResponder
/usr/sbin/mDNSResponderHelper
/usr/sbin/mediaserverd
/usr/sbin/notifyd
/usr/sbin/nvram
/usr/sbin/pppd
/usr/sbin/racoon
/usr/sbin/rtadvd
/usr/sbin/scutil
/usr/sbin/spindump
/usr/sbin/syslogd
/usr/sbin/wifid
/usr/sbin/wirelessproxd
/usr/share
/usr/share/CSI
/usr/share/com.apple.languageassetd
/usr/share/firmware
/usr/share/icu
/usr/share/langid
/usr/share/locale
/usr/share/mecabra
/usr/share/misc
/usr/share/progressui
/usr/share/tokenizer
/usr/share/zoneinfo
/usr/share/zoneinfo.default
/usr/standalone
/var
/var/.DocumentRevisions
/var/.fseventsd
/var/.overprovisioning_file
/var/Keychains
/var/Managed
/var/MobileAsset
/var/MobileDevice
/var/MobileSoftwareUpdate
/var/audit
/var/backups
/var/buddy
/var/containers
/var/containers/Bundle
/var/containers/Bundle/Application
/var/containers/Bundle/Framework
/var/containers/Bundle/PluginKitPlugin
/var/containers/Bundle/VPNPlugin
/var/containers/Bundle/dylibs
/var/containers/Bundle/tweaksupport
/var/cores
/var/db
/var/db/stash
/var/ea
/var/empty
/var/folders
/var/hardware
/var/installd
/var/internal
/var/keybags
/var/lib
/var/lib/dpkg/info
/var/local
/var/lock
/var/log
/var/log/asl
/var/log/com.apple.xpc.launchd
/var/log/corecaptured.log
/var/log/ppp
/var/log/ppp.log
/var/log/racoon.log
/var/log/sa
/var/logs
/var/mobile
/var/mobile/Applications
/var/mobile/Containers
/var/mobile/Containers/Bundle/Application
/var/mobile/Containers/Data
/var/mobile/Containers/Data/Application
/var/mobile/Containers/Data/InternalDaemon
/var/mobile/Containers/Data/PluginKitPlugin
/var/mobile/Containers/Data/TempDir
/var/mobile/Containers/Data/VPNPlugin
/var/mobile/Containers/Data/XPCService
/var/mobile/Containers/Shared
/var/mobile/Containers/Shared/AppGroup
/var/mobile/Documents
/var/mobile/Downloads
/var/mobile/Library
/var/mobile/Library/Caches
/var/mobile/Library/Caches/.com.apple
/var/mobile/Library/Caches/ACMigrationLock
/var/mobile/Library/Caches/AccountMigrationInProgress
/var/mobile/Library/Caches/AdMob
/var/mobile/Library/Caches/BTAvrcp
/var/mobile/Library/Caches/Checkpoint.plist
/var/mobile/Library/Caches/CloudKit
/var/mobile/Library/Caches/DateFormats.plist
/var/mobile/Library/Caches/FamilyCircle
/var/mobile/Library/Caches/GameKit
/var/mobile/Library/Caches/GeoServices
/var/mobile/Library/Caches/MappedImageCache
/var/mobile/Library/Caches/OTACrashCopier
/var/mobile/Library/Caches/PassKit
/var/mobile/Library/Caches/Snapshots
/var/mobile/Library/Caches/Snapshots/com.apple
/var/mobile/Library/Caches/TelephonyUI
/var/mobile/Library/Caches/Weather
/var/mobile/Library/Caches/cache
/var/mobile/Library/Caches/ckkeyrolld
/var/mobile/Library/Caches/com.apple
/var/mobile/Library/Caches/rtcreportingd
/var/mobile/Library/Caches/sharedCaches
/var/mobile/Library/ControlCenter
/var/mobile/Library/ControlCenter/ModuleConfiguration.plist
/var/mobile/Library/Cydia
/var/mobile/Library/Logs/Cydia
/var/mobile/Library/Preferences
/var/mobile/Library/Preferences/.GlobalPreferences.plist
/var/mobile/Library/Preferences/UITextInputContextIdentifiers.plist
/var/mobile/Library/Preferences/Wallpaper.png
/var/mobile/Library/Preferences/ckkeyrolld.plist
/var/mobile/Library/Preferences/com.apple.
/var/mobile/Library/Preferences/nfcd.plist
/var/mobile/Library/SBSettings
/var/mobile/Library/Sileo
/var/mobile/Media
/var/mobile/MobileSoftwareUpdate
/var/msgs
/var/networkd
/var/preferences
/var/root
/var/run
/var/run/asl_input
/var/run/configd.pid
/var/run/fudinit
/var/run/lockbot
/var/run/lockdown
/var/run/lockdown.sock
/var/run/lockdown_first_run
/var/run/mDNSResponder
/var/run/pppconfd
/var/run/printd
/var/run/syslog
/var/run/syslog.pid
/var/run/utmpx
/var/run/vpncontrol.sock
/var/spool
/var/staged_system_apps
/var/tmp
/var/vm
/var/wireless

Besides the directories above, the following path patterns are also bypassed:

list
firmware-sbin.list
gsc.firmware-sbin.list

Paths containing any of the following strings are also bypassed:

Substrate
substrate
substitute
Substitrate
TweakInject
jailbreak
cycript
SBInject
pspawn
rocketbootstrap
bfdecrypt

URLs containing the following patterns are bypassed:

cydia
sileo

Detection

As seen above, this jailbreak tool puts a lot of bypass measures in place for directories and system APIs, but its coverage still has gaps.

Checking it against the requirements listed under the basic approach:

Protecting access to environment variables: partial

Preventing execution of certain commands: none

Preventing access to certain paths: yes

Preventing access to certain system parameters: partial

Hooking certain system calls: partial

A detection scheme can therefore look like this:

mkdir is not hooked: use mkdir to create a subdirectory under a directory that is normally inaccessible; if that succeeds, the device is jailbroken.

execve is not hooked: try executing a program that is normally forbidden; if that succeeds, the device is jailbroken.

ptrace is not hooked: use it to trace the current process itself; if that succeeds, the device is jailbroken.

Build a library that defines functions whose names start with MS, Sub, PS, LM, rocketbootstrap, substitute_ or _logos; if dlsym fails to resolve them, the device is jailbroken.

Only sysctl is hooked; sysctlbyname and sysctlnametomib are not, so these two can be called to obtain process information. The sysctl hook also does not cover every case, hardware information for instance. If any of these three calls yields information that should require higher privileges, the device is jailbroken.

Without importing any other jailbreak-detection library, implement a class and method with the same names, for example SDMUtils with the method isJailBroken, where the method always returns 1. If calling it returns 0, the device is jailbroken.

There are many more, but I am not familiar with iOS or its system calls, so these are the only ones I can offer.

Reviewing editor: 劉清

Original title: Analysis and detection of shadow, an iOS jailbreak tool with anti-detection capability

Article source: WeChat public account 哆啦安全 (WeChat ID: 哆啦安全). Please credit the source when reposting.
