分析工具:IDA 7.0
基本思路
在分析越狱工具shadow之前,所有越狱工具都是对进程进行注入挂钩来实现。注入从作用范围来看,分为两类:
用户态注入,通过动态库
内核态注入,通过驱动
在苹果系统开发驱动,需要苹果授权,所以,越狱工具是没办法走这条路,只可能进行用户态注入。
那么,分析它就需要对进程启动时如何加载动态库了解,这就涉及到iOS进程启动模型。
本文的思路如下:
iOS进程启动模型
依赖分析
钩子点分析
检测
iOS进程启动模型
iOS也是Unix族的衍生类。在Unix族里,进程启动模型的都大致如下:
加载执行文件:从绝对路径或相对路径或从环境变量指定搜索的路径搜索出来
根据执行文件依赖(导入表)来加载动态库文件:从绝对路径或相对路径或从环境变量和系统配置指定的搜索路径搜索出来
完成所有符号匹配,启动进程
进程处理输入参数和相应配置文件
从上面来看,只有1,2两步才可能进行注入。
在Unix族里,和执行文件加载相关的环境变量一般是**PATH** ,它一般是执行路径的列表,如/bin, /usr/bin, 和/usr/local/bin等,这个环境变量一般可以设置。搜索顺序是按照列表元素先后顺序进行,一旦找到,立马停止搜索。假设这个环境变量设置是这样的
PATH=/bin:/usr/bin:/usr/local/bin
这些路径都有一个ls执行文件,当执行ls时,只会执行/bin/ls。
如果越狱工具要在这一步注入,它必须构建一个沙箱,接管所有程序执行。这种方式,所有用户态进程都可以变成它的子进程,这个沙箱可以任意更改子进程的环境变量,完成静态注入,甚至可以通过ptrace之类的系统调用来进行动态注入。这种方式可以非常好地绕过各种越狱检测工具的检测。
在Unix族,和动态库加载相关的环境变量和系统配置,就各有各的不同。
从上面可以看到iOS依次对下面这些环境变量包含的路径列表按照先后顺序遍历,一旦找到相应动态库,立马停止该次遍历,查找下一个:
DYLD_INSERT_LIBRARIES
DYLD_VERSIONED_FRAMEWORK_PATH
DYLD_FRAMEWORK_PATH
DYLD_LIBRARY_PATH
DYLD_FALLBACK_FRAMEWORK_PATH
DYLD_FALLBACK_LIBRARY_PATH
目前不少APP检测iOS是否越狱,都是做下列动作:
访问root才能够访问的目录和文件,执行读或写
执行root才能够执行的命令
访问或更改root才能够访问的环境变量
调用root才能够调用的系统调用
访问root才能够访问的系统参数
根据上面进程启动模型分析,越狱工具要具有反检测的能力,必须要做这样事情:
保护环境变量的访问
禁止某些命令的执行
禁止某些路径访问
禁止某些系统参数访问
挂钩某些系统调用
依赖分析
根据上面的探究后,我们实际上看一下这个越狱工具是怎样的。
把me.jjolano.shadow_2.0.20_iphoneos-arm.deb解压的目录大致如下
PS D:Library> Get-ChildItem -Recurse 目录: D:Library Mode LastWriteTime Length Name ---- ------------- ------ ---- d----- 2019/8/2 1:59 MobileSubstrate d----- 2019/8/2 1:59 PreferenceBundles d----- 2019/8/2 1:59 PreferenceLoader 目录: D:LibraryMobileSubstrate Mode LastWriteTime Length Name ---- ------------- ------ ---- d----- 2019/8/2 1:59 DynamicLibraries 目录: D:LibraryMobileSubstrateDynamicLibraries Mode LastWriteTime Length Name ---- ------------- ------ ---- -a---- 2019/8/2 1:59 728432 0Shadow.dylib -a---- 2019/8/2 1:59 87 0Shadow.plist 目录: D:LibraryPreferenceBundles Mode LastWriteTime Length Name ---- ------------- ------ ---- d----- 2019/8/2 1:59 ShadowPreferences.bundle 目录: D:LibraryPreferenceBundlesShadowPreferences.bundle Mode LastWriteTime Length Name ---- ------------- ------ ---- d----- 2019/7/14 1:29 en.lproj -a---l 2021/4/10 0:27 0 Base.lproj -a---- 2019/8/2 1:59 751 Icon-Small.png -a---- 2019/8/2 1:59 1610 Icon-Small@2x.png -a---- 2019/8/2 1:59 2693 Icon-Small@3x.png -a---- 2019/8/2 1:59 404 Info.plist -a---- 2019/8/2 1:59 3123 Root.plist -a---- 2019/7/29 4:37 265808 ShadowPreferences 目录: D:LibraryPreferenceBundlesShadowPreferences.bundleen.lproj Mode LastWriteTime Length Name ---- ------------- ------ ---- -a---- 2019/8/2 1:59 3915 Root.strings 目录: D:LibraryPreferenceLoader Mode LastWriteTime Length Name ---- ------------- ------ ---- d----- 2019/8/2 1:59 Preferences 目录: D:LibraryPreferenceLoaderPreferences Mode LastWriteTime Length Name ---- ------------- ------ ---- -a---- 2019/8/2 1:59 199 ShadowPreferences.plist
从大小来看,只有D:LibraryMobileSubstrateDynamicLibraries�Shadow.dylib值得分析,用IDA打开一看,看一下导入表
AddressOrdinalNameLibrary 0000000000026830_OBJC_CLASS_$_HBPreferences/Library/Frameworks/Cephei.framework/Cephei 0000000000026838_MSGetImageByName/Library/Frameworks/CydiaSubstrate.framework/CydiaSubstrate 0000000000026840_MSHookFunction/Library/Frameworks/CydiaSubstrate.framework/CydiaSubstrate 0000000000026848_MSHookMessageEx/Library/Frameworks/CydiaSubstrate.framework/CydiaSubstrate 0000000000026800_OBJC_CLASS_$_NSArray/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation 0000000000026808_OBJC_CLASS_$_NSDictionary/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation 0000000000026810_OBJC_CLASS_$_NSMutableArray/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation 0000000000026818_OBJC_CLASS_$_NSMutableDictionary/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation 0000000000026820_OBJC_CLASS_$_NSURL/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation 0000000000026828___CFConstantStringClassReference/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation 00000000000267A0_NSCocoaErrorDomain/System/Library/Frameworks/Foundation.framework/Foundation 00000000000267A8_NSLocalizedDescriptionKey/System/Library/Frameworks/Foundation.framework/Foundation 00000000000267B0_NSLocalizedFailureReasonErrorKey/System/Library/Frameworks/Foundation.framework/Foundation 00000000000267B8_NSLocalizedRecoverySuggestionErrorKey/System/Library/Frameworks/Foundation.framework/Foundation 00000000000267C0_OBJC_CLASS_$_NSBundle/System/Library/Frameworks/Foundation.framework/Foundation 00000000000267C8_OBJC_CLASS_$_NSCharacterSet/System/Library/Frameworks/Foundation.framework/Foundation 00000000000267D0_OBJC_CLASS_$_NSError/System/Library/Frameworks/Foundation.framework/Foundation 00000000000267D8_OBJC_CLASS_$_NSFileManager/System/Library/Frameworks/Foundation.framework/Foundation 00000000000267E0_OBJC_CLASS_$_NSNumber/System/Library/Frameworks/Foundation.framework/Foundation 00000000000267E8_OBJC_CLASS_$_NSProcessInfo/System/Library/Frameworks/Foundation.framework/Foundation 00000000000267F0_OBJC_CLASS_$_NSString/System/Library/Frameworks/Foundation.framework/Foundation 00000000000267F8_OBJC_CLASS_$_NSValue/System/Library/Frameworks/Foundation.framework/Foundation 0000000000026858_NSVersionOfLinkTimeLibrary/usr/lib/libSystem.B.dylib 0000000000026860_NSVersionOfRunTimeLibrary/usr/lib/libSystem.B.dylib 0000000000026868___stack_chk_guard/usr/lib/libSystem.B.dylib 0000000000026870__dyld_get_image_name/usr/lib/libSystem.B.dylib 0000000000026878__dyld_image_count/usr/lib/libSystem.B.dylib 0000000000026880_access/usr/lib/libSystem.B.dylib 0000000000026888_chdir/usr/lib/libSystem.B.dylib 0000000000026890_chroot/usr/lib/libSystem.B.dylib 0000000000026898_creat/usr/lib/libSystem.B.dylib 00000000000268A0_csops/usr/lib/libSystem.B.dylib 00000000000268A8_dladdr/usr/lib/libSystem.B.dylib 00000000000268B0_dlopen/usr/lib/libSystem.B.dylib 00000000000268B8_dlopen_preflight/usr/lib/libSystem.B.dylib 00000000000268C0_dlsym/usr/lib/libSystem.B.dylib 00000000000268C8_faccessat/usr/lib/libSystem.B.dylib 00000000000268D0_fchdir/usr/lib/libSystem.B.dylib 00000000000268D8_fopen/usr/lib/libSystem.B.dylib 00000000000268E0_fork/usr/lib/libSystem.B.dylib 00000000000268E8_freopen/usr/lib/libSystem.B.dylib 00000000000268F0_fstat/usr/lib/libSystem.B.dylib 00000000000268F8_fstatat/usr/lib/libSystem.B.dylib 0000000000026900_fstatfs/usr/lib/libSystem.B.dylib 0000000000026908_getegid/usr/lib/libSystem.B.dylib 0000000000026910_getenv/usr/lib/libSystem.B.dylib 0000000000026918_geteuid/usr/lib/libSystem.B.dylib 0000000000026920_getgid/usr/lib/libSystem.B.dylib 0000000000026928_getppid/usr/lib/libSystem.B.dylib 0000000000026930_getuid/usr/lib/libSystem.B.dylib 0000000000026938_link/usr/lib/libSystem.B.dylib 0000000000026940_lstat/usr/lib/libSystem.B.dylib 0000000000026948_open/usr/lib/libSystem.B.dylib 0000000000026950_openat/usr/lib/libSystem.B.dylib 0000000000026958_opendir/usr/lib/libSystem.B.dylib 0000000000026960_popen/usr/lib/libSystem.B.dylib 0000000000026968_posix_spawn/usr/lib/libSystem.B.dylib 0000000000026970_posix_spawnp/usr/lib/libSystem.B.dylib 0000000000026978_readdir/usr/lib/libSystem.B.dylib 0000000000026980_readlink/usr/lib/libSystem.B.dylib 0000000000026988_readlinkat/usr/lib/libSystem.B.dylib 0000000000026990_realpath$DARWIN_EXTSN/usr/lib/libSystem.B.dylib 0000000000026998_remove/usr/lib/libSystem.B.dylib 00000000000269A0_rename/usr/lib/libSystem.B.dylib 00000000000269A8_rmdir/usr/lib/libSystem.B.dylib 00000000000269B0_setegid/usr/lib/libSystem.B.dylib 00000000000269B8_seteuid/usr/lib/libSystem.B.dylib 00000000000269C0_setgid/usr/lib/libSystem.B.dylib 00000000000269C8_setregid/usr/lib/libSystem.B.dylib 00000000000269D0_setreuid/usr/lib/libSystem.B.dylib 00000000000269D8_setuid/usr/lib/libSystem.B.dylib 00000000000269E0_stat/usr/lib/libSystem.B.dylib 00000000000269E8_statfs/usr/lib/libSystem.B.dylib 00000000000269F0_symlink/usr/lib/libSystem.B.dylib 00000000000269F8_sysctl/usr/lib/libSystem.B.dylib 0000000000026A00_unlink/usr/lib/libSystem.B.dylib 0000000000026A08_unlinkat/usr/lib/libSystem.B.dylib 0000000000026A10_vfork/usr/lib/libSystem.B.dylib 0000000000026A18dyld_stub_binder/usr/lib/libSystem.B.dylib 0000000000026A20__Unwind_Resume/usr/lib/libSystem.B.dylib 0000000000026A28___error/usr/lib/libSystem.B.dylib 0000000000026A30___stack_chk_fail/usr/lib/libSystem.B.dylib 0000000000026A38__dyld_register_func_for_add_image/usr/lib/libSystem.B.dylib 0000000000026A40_dirfd/usr/lib/libSystem.B.dylib 0000000000026A48_dlclose/usr/lib/libSystem.B.dylib 0000000000026A50_fclose/usr/lib/libSystem.B.dylib 0000000000026A58_fcntl/usr/lib/libSystem.B.dylib 0000000000026A60_free/usr/lib/libSystem.B.dylib 0000000000026A68_getpid/usr/lib/libSystem.B.dylib 0000000000026A70_strcmp/usr/lib/libSystem.B.dylib 0000000000026A78_strlen/usr/lib/libSystem.B.dylib 0000000000026850___gxx_personality_v0/usr/lib/libc++.1.dylib 0000000000026720_OBJC_CLASS_$_NSObject/usr/lib/libobjc.A.dylib 0000000000026728_OBJC_METACLASS_$_NSObject/usr/lib/libobjc.A.dylib 0000000000026730__objc_empty_cache/usr/lib/libobjc.A.dylib 0000000000026738_objc_copyClassNamesForImage/usr/lib/libobjc.A.dylib 0000000000026740_objc_copyImageNames/usr/lib/libobjc.A.dylib 0000000000026748_objc_autoreleaseReturnValue/usr/lib/libobjc.A.dylib 0000000000026750_objc_enumerationMutation/usr/lib/libobjc.A.dylib 0000000000026758_objc_getClass/usr/lib/libobjc.A.dylib 0000000000026760_objc_msgSend/usr/lib/libobjc.A.dylib 0000000000026768_objc_msgSendSuper2/usr/lib/libobjc.A.dylib 0000000000026770_objc_release/usr/lib/libobjc.A.dylib 0000000000026778_objc_retain/usr/lib/libobjc.A.dylib 0000000000026780_objc_retainAutorelease/usr/lib/libobjc.A.dylib 0000000000026788_objc_retainAutoreleasedReturnValue/usr/lib/libobjc.A.dylib 0000000000026790_objc_storeStrong/usr/lib/libobjc.A.dylib 0000000000026798_object_getClass/usr/lib/libobjc.A.dylib
可以看到,这个工具除了系统的框架外,只引用了/Library/Frameworks/Cephei.framework/Cephei, /Library/Frameworks/CydiaSubstrate.framework/CydiaSubstrate两个框架
对这个导入项进行分析
0000000000026830_OBJC_CLASS_$_HBPreferences/Library/Frameworks/Cephei.framework/Cephei
_OBJC_CLASS_$_HBPreferences这个符号经过Name Mangling处理,实际上它是引入了HBPreferences这个类, 这个类是处理界面上配置。
只剩下这三个符号了
0000000000026838_MSGetImageByName/Library/Frameworks/CydiaSubstrate.framework/CydiaSubstrate 0000000000026840_MSHookFunction/Library/Frameworks/CydiaSubstrate.framework/CydiaSubstrate 0000000000026848_MSHookMessageEx/Library/Frameworks/CydiaSubstrate.framework/CydiaSubstrate
同样根据Name Mangling原则,这三个符号实际上是MSGetImageByName, MSHookFunction, MSHookMessageEx。
先分析一下MSGetImageByName,
从它的引用来看
DirectionTypeAddressText UppInitFunc_0+64CBL _MSGetImageByName
只有一处地方,就是InitFunc_0+64C。
在IDA操作,是从导入表选中这个符号,双击,进入这个符号所在代码位置,在代码位置选中这个符号,右键选中"Jump to xref to operand...",就可以得到所有引用了
看引用它的汇编
_text:000000000000C34C ADR X0, aUsrLibLibsubst_2 ; "/usr/lib/libsubstitute.dylib" __text:000000000000C350 NOP __text:000000000000C354 STP X19, X26, [SP,#0x210+var_210] __text:000000000000C358 STR X23, [SP,#0x210+var_200] __text:000000000000C35C BL _MSGetImageByName __text:000000000000C360 MOV X24, X0 __text:000000000000C364 NOP __text:000000000000C368 LDR X0, qword_26080 ; void * __text:000000000000C36C NOP __text:000000000000C370 LDR X20, =sel_setUseInjectCompatibilityMode_ ; "setUseInjectCompatibilityMode:" __text:000000000000C374 CBZ X24, loc_C3A0 __text:000000000000C378 MOV W2, #0 __text:000000000000C37C MOV X1, X20 ; char * __text:000000000000C380 BL _objc_msgSend __text:000000000000C384 B loc_C3AC
可见是加载/usr/lib/libsubstitute.dylib, 再把获得的句柄判断这个文件是否存在,再跳转。
__text:000000000000C354 STP X19, X26, [SP,#0x210+var_210] __text:000000000000C358 STR X23, [SP,#0x210+var_200]
这几两行指令其实没多少用处,只是编译器为了代码优化做的乱序执行。其实和这个接口引用无关。
从这个句柄的处理汇编
__text:000000000000C3A0 loc_C3A0 ; CODE XREF: InitFunc_0+664↑j __text:000000000000C3A0 MOV W2, #1 __text:000000000000C3A4 MOV X1, X20 ; char * __text:000000000000C3A8 BL _objc_msgSend __text:000000000000C3AC __text:000000000000C3AC loc_C3AC ; CODE XREF: InitFunc_0+674↑j __text:000000000000C3AC LDR X0, [SP,#0x210+var_1E0] ; void * __text:000000000000C3B0 MOV X1, X28 ; char * __text:000000000000C3B4 LDR X2, [SP,#0x210+var_1B8] __text:000000000000C3B8 BL _objc_msgSend __text:000000000000C3BC CBZ W0, loc_C6A0 __text:000000000000C3C0 NOP
无非就是和管理配置通信,可以忽略。
MSHookFunction是对API挂钩,而MSHookMessageEx则对类的成员函数挂钩。
钩子点分析
先看MSHookFunction,获取它所有的引用点,一共57处。
DirectionTypeAddressText UppInitFunc_0+6C8BL _MSHookFunction UppInitFunc_0+6E4BL _MSHookFunction UppInitFunc_0+700BL _MSHookFunction UppInitFunc_0+71CBL _MSHookFunction UppInitFunc_0+8DCBL _MSHookFunction UppInitFunc_0+8F8BL _MSHookFunction UppInitFunc_0+9C4BL _MSHookFunction UppInitFunc_0+9E0BL _MSHookFunction UppInitFunc_0+A9CBL _MSHookFunction UppInitFunc_0+1124BL _MSHookFunction UppInitFunc_0+1140BL _MSHookFunction UppInitFunc_0+115CBL _MSHookFunction UppInitFunc_0+1178BL _MSHookFunction UppInitFunc_0+1194BL _MSHookFunction UppInitFunc_0+11B0BL _MSHookFunction UppInitFunc_0+11CCBL _MSHookFunction UppInitFunc_0+11E8BL _MSHookFunction UppInitFunc_0+1204BL _MSHookFunction UppInitFunc_0+1220BL _MSHookFunction UppInitFunc_0+123CBL _MSHookFunction UppInitFunc_0+1258BL _MSHookFunction UppInitFunc_0+1274BL _MSHookFunction UppInitFunc_0+1290BL _MSHookFunction UppInitFunc_0+12ACBL _MSHookFunction UppInitFunc_0+12C8BL _MSHookFunction UppInitFunc_0+12E4BL _MSHookFunction UppInitFunc_0+1300BL _MSHookFunction UppInitFunc_0+131CBL _MSHookFunction UppInitFunc_0+1338BL _MSHookFunction UppInitFunc_0+1354BL _MSHookFunction UppInitFunc_0+1370BL _MSHookFunction UppInitFunc_0+138CBL _MSHookFunction UppInitFunc_0+13A8BL _MSHookFunction UppInitFunc_0+13C4BL _MSHookFunction UppInitFunc_0+196CBL _MSHookFunction UppInitFunc_0+1988BL _MSHookFunction UppInitFunc_0+1E84BL _MSHookFunction UppInitFunc_0+1EA0BL _MSHookFunction UppInitFunc_0+1EBCBL _MSHookFunction UppInitFunc_0+1ED8BL _MSHookFunction UppInitFunc_0+2168BL _MSHookFunction UppInitFunc_0+2184BL _MSHookFunction UppInitFunc_0+21A0BL _MSHookFunction UppInitFunc_0+21BCBL _MSHookFunction UppInitFunc_0+21D8BL _MSHookFunction UppInitFunc_0+21F4BL _MSHookFunction UppInitFunc_0+2210BL _MSHookFunction UppInitFunc_0+222CBL _MSHookFunction UppInitFunc_0+2248BL _MSHookFunction UppInitFunc_0+2264BL _MSHookFunction UppInitFunc_0+2280BL _MSHookFunction UppInitFunc_0+229CBL _MSHookFunction UppInitFunc_0+22B8BL _MSHookFunction UppInitFunc_0+22D4BL _MSHookFunction UppInitFunc_0+2354BL _MSHookFunction UppInitFunc_0+2370BL _MSHookFunction UppInitFunc_0+23A0BL _MSHookFunction
先看第一处
Up p InitFunc_0+6C8 BL _MSHookFunction
按照MSHookFunction的原型
void MSHookFunction(void *symbol, void *hook, void **old);
是找到某个symbol对应的函数,把hook挂在上面,并用old保存原函数地址。
根据InitFunc的位置
__text:000000000000BD10 InitFunc_0
InitFunc_0+6C8就是000000000000C3D8:
__text:000000000000C3C4 LDR X0, =_fstat __text:000000000000C3C8 ADR X1, sub_E590 __text:000000000000C3CC NOP __text:000000000000C3D0 ADR X2, qword_260A8 __text:000000000000C3D4 NOP __text:000000000000C3D8 BL _MSHookFunction
可见,这处是用sub_E590对fstat进行挂钩,并把fstat函数地址保存在qword_260A8。那么分析一下sub_E590
__text:000000000000E590 sub_E590 ; DATA XREF: InitFunc_0+6B8↑o __text:000000000000E590 __text:000000000000E590 var_440 = -0x440 __text:000000000000E590 var_438 = -0x438 __text:000000000000E590 var_38 = -0x38 __text:000000000000E590 var_30 = -0x30 __text:000000000000E590 var_20 = -0x20 __text:000000000000E590 var_10 = -0x10 __text:000000000000E590 var_s0 = 0 __text:000000000000E590 __text:000000000000E590 STP X28, X27, [SP,#-0x10+var_30]! __text:000000000000E594 STP X22, X21, [SP,#0x30+var_20] __text:000000000000E598 STP X20, X19, [SP,#0x30+var_10] __text:000000000000E59C STP X29, X30, [SP,#0x30+var_s0] __text:000000000000E5A0 ADD X29, SP, #0x30 __text:000000000000E5A4 SUB SP, SP, #0x410 __text:000000000000E5A8 MOV X19, X1 __text:000000000000E5AC MOV X20, X0 __text:000000000000E5B0 NOP __text:000000000000E5B4 LDR X8, =___stack_chk_guard __text:000000000000E5B8 LDR X8, [X8] __text:000000000000E5BC STUR X8, [X29,#var_38] __text:000000000000E5C0 ADD X8, SP, #0x440+var_438 __text:000000000000E5C4 STR X8, [SP,#0x440+var_440] __text:000000000000E5C8 MOV W1, #0x32 ; int __text:000000000000E5CC BL _fcntl __text:000000000000E5D0 CMN W0, #1 __text:000000000000E5D4 B.EQ loc_E6C0 __text:000000000000E5D8 NOP __text:000000000000E5DC LDR X0, =_OBJC_CLASS_$_NSFileManager ; void * __text:000000000000E5E0 NOP __text:000000000000E5E4 LDR X1, =sel_defaultManager ; "defaultManager" __text:000000000000E5E8 BL _objc_msgSend __text:000000000000E5EC MOV X29, X29 __text:000000000000E5F0 BL _objc_retainAutoreleasedReturnValue __text:000000000000E5F4 MOV X22, X0 __text:000000000000E5F8 ADD X0, SP, #0x440+var_438 ; char * __text:000000000000E5FC BL _strlen __text:000000000000E600 MOV X3, X0 __text:000000000000E604 NOP __text:000000000000E608 LDR X1, =sel_stringWithFileSystemRepresentation_length_ ; "stringWithFileSystemRepresentation:leng"... __text:000000000000E60C ADD X2, SP, #0x440+var_438 __text:000000000000E610 MOV X0, X22 ; void * __text:000000000000E614 BL _objc_msgSend __text:000000000000E618 MOV X29, X29 __text:000000000000E61C BL _objc_retainAutoreleasedReturnValue __text:000000000000E620 MOV X21, X0 __text:000000000000E624 MOV X0, X22 __text:000000000000E628 BL _objc_release __text:000000000000E62C NOP __text:000000000000E630 LDR X0, qword_26080 ; void * __text:000000000000E634 NOP __text:000000000000E638 LDR X1, =sel_isPathRestricted_ ; "isPathRestricted:" __text:000000000000E63C MOV X2, X21 __text:000000000000E640 BL _objc_msgSend __text:000000000000E644 CBZ W0, loc_E664 __text:000000000000E648 BL ___error __text:000000000000E64C MOV W8, #9 __text:000000000000E650 STR W8, [X0] __text:000000000000E654 MOV W20, #0xFFFFFFFF __text:000000000000E658 __text:000000000000E658 loc_E658 ; CODE XREF: sub_E590+124↓j __text:000000000000E658 MOV X0, X21 __text:000000000000E65C BL _objc_release __text:000000000000E660 B loc_E6D8 __text:000000000000E664 ; --------------------------------------------------------------------------- __text:000000000000E664 __text:000000000000E664 loc_E664 ; CODE XREF: sub_E590+B4↑j __text:000000000000E664 CBZ X19, loc_E6B8 __text:000000000000E668 NOP __text:000000000000E66C LDR X1, =sel_isEqualToString_ ; "isEqualToString:" __text:000000000000E670 ADR X2, cfstr_Bin ; "/bin" __text:000000000000E674 NOP __text:000000000000E678 MOV X0, X21 ; void * __text:000000000000E67C BL _objc_msgSend __text:000000000000E680 CBZ W0, loc_E6B8 __text:000000000000E684 NOP __text:000000000000E688 LDR X8, qword_260A8 __text:000000000000E68C MOV X0, X20 __text:000000000000E690 MOV X1, X19 __text:000000000000E694 BLR X8 __text:000000000000E698 CBNZ W0, loc_E6B8 __text:000000000000E69C LDR X8, [X19,#0x60] __text:000000000000E6A0 CMP X8, #0x80 __text:000000000000E6A4 B.LE loc_E6B8 __text:000000000000E6A8 MOV W20, #0 __text:000000000000E6AC MOV W8, #0x80 __text:000000000000E6B0 STR X8, [X19,#0x60] __text:000000000000E6B4 B loc_E658 __text:000000000000E6B8 ; --------------------------------------------------------------------------- __text:000000000000E6B8 __text:000000000000E6B8 loc_E6B8 ; CODE XREF: sub_E590:loc_E664↑j __text:000000000000E6B8 ; sub_E590+F0↑j ... __text:000000000000E6B8 MOV X0, X21 __text:000000000000E6BC BL _objc_release __text:000000000000E6C0 __text:000000000000E6C0 loc_E6C0 ; CODE XREF: sub_E590+44↑j __text:000000000000E6C0 NOP __text:000000000000E6C4 LDR X8, qword_260A8 __text:000000000000E6C8 MOV X0, X20 __text:000000000000E6CC MOV X1, X19 __text:000000000000E6D0 BLR X8 __text:000000000000E6D4 MOV X20, X0 __text:000000000000E6D8 __text:000000000000E6D8 loc_E6D8 ; CODE XREF: sub_E590+D0↑j __text:000000000000E6D8 LDUR X8, [X29,#var_38] __text:000000000000E6DC NOP __text:000000000000E6E0 LDR X9, =___stack_chk_guard __text:000000000000E6E4 LDR X9, [X9] __text:000000000000E6E8 CMP X9, X8 __text:000000000000E6EC B.NE loc_E70C __text:000000000000E6F0 MOV X0, X20 __text:000000000000E6F4 ADD SP, SP, #0x410 __text:000000000000E6F8 LDP X29, X30, [SP,#0x30+var_s0] __text:000000000000E6FC LDP X20, X19, [SP,#0x30+var_10] __text:000000000000E700 LDP X22, X21, [SP,#0x30+var_20] __text:000000000000E704 LDP X28, X27, [SP+0x30+var_30],#0x40 __text:000000000000E708 RET __text:000000000000E70C ; --------------------------------------------------------------------------- __text:000000000000E70C __text:000000000000E70C loc_E70C ; CODE XREF: sub_E590+15C↑j __text:000000000000E70C BL ___stack_chk_fail __text:000000000000E70C ; End of function sub_E590
看起来很复杂,其实这个函数是对任何调用fstat的路径判断是否是在指定限制目录或/bin下,如果是就绕过,否则就继续调用qword_260A8(fstat原地址)处理。
按照同样思路分析,可以得到这个表格
原函数 | 钩子函数作用 |
---|---|
fstat | 绕过指定限制目录或/bin/下文件 |
dlopen | 绕过指定限制镜像 |
open | 绕过指定限制目录的文件 |
openat | 绕过指定限制目录的文件 |
NSVersionOfRunTimeLibrary | 绕过指定限制镜像 |
NSVersionOfLinkTimeLibrary | 绕过指定限制镜像 |
opendir | 绕过指定限制目录 |
readdir | 绕过指定限制目录 |
csops | 对getpid结果处理 |
access | 对指定限制目录或前缀为/Library/MobileSubstrate绕过 |
getenv | 对DYLD_INSERT_LIBRARIES,_MSSafeMode,_SafeMode绕过 |
fopen | 绕过指定限制目录的文件 |
freopen | 绕过指定限制目录的文件 |
stat | 绕过指定限制目录或/bin/下文件 |
lstat |
绕过指定限制目录或/bin/, /Applications, /usr/share, /usr/libexec, /usr/include, /Library/Ringtones, /Library/Wallpaper下文件 |
fstatfs | 对指定限制目录或前缀为/var, /private/var绕过 |
statfs | 对指定限制目录或前缀为/var, /private/var绕过 |
posix_spawn | 绕过指定限制目录的文件 |
posix_spawnp | 绕过指定限制目录的文件 |
realpath | 绕过指定限制目录的路径 |
symlink | 绕过指定限制目录的路径 |
rename | 绕过指定限制目录的路径 |
rename | 绕过指定限制目录的路径 |
unlink | 绕过指定限制目录的路径 |
unlinkat | 绕过指定限制目录的路径 |
rmdir | 绕过指定限制目录的目录 |
chdir | 绕过指定限制目录的目录 |
fchdir | 绕过指定限制目录的目录 |
link | 绕过指定限制目录的路径 |
fstatat | 绕过指定限制目录的路径 |
faccessat | 绕过指定限制目录的路径 |
chroot | 绕过指定限制目录的路径 |
sysctl | 从内核里获取所有进程,对当前进程比对,并获取当前进程是否被调试 |
getppid | 对指定限制目录的文件绕过 |
readlink | 绕过指定限制目录的路径 |
readlinkat | 绕过指定限制目录的路径 |
_dyld_image_count | 绕过指定限制镜像 |
_dyld_get_image_name | 绕过指定限制镜像 |
dlopen_preflight | 绕过指定限制镜像 |
dladdr | 绕过指定限制镜像 |
creat | 绕过指定限制目录的文件 |
vfork | 直接返回-1,禁止创建进程 |
fork | 直接返回-1,禁止创建进程 |
popen | 直接返回0 |
setgid,setuid,setegid,seteuid,setreuid,setregid | 直接返回-1 |
getuid,getgid,geteuid,getegid | 返回0x1F5 |
objc_copyImageNames | 获取镜像名称和某个库一样,就返回0 |
objc_copyClassNamesForImage | 绕过指定限制镜像 |
dlsym |
对符号前缀为MS,Sub,PS,LM,rocketbootstrap, substitute_,_logos返回0,绕过 |
再看MSHookMessageEx,它的调用点有149处。它的原型如下
void MSHookMessageEx(Class _class, SEL message, IMP hook, IMP *old);
是找到某个类_class对应的成员函数message,把hook挂在上面,并用old保存原成员函数地址。
像MSHookFunction的方式分析,得到下表
类 | 钩子函数作用 |
---|---|
SpringBoard | 返回和黑名单列表匹配的结果 |
NSData,UIApplication, NSFileManager,NSFileWrapper, NSFileVersion,NSFileHandle, NSURL,NSMutableArray, NSArray,NSMutableDictionary, NSDictionary,NSString, |
绕过指定限制目录或指定限制URL的路径 |
NSBundle | 防止获取SignerIdentity, 绕过指定限制目录或指定限制URL的路径 |
NSProcessInfo,UIImage | 绕过指定限制目录的路径 |
NSDirectoryEnumerator | 绕过特定类和限制目录和限制URL |
UIDevice | 挂钩以下方法isJailbroken,isJailBreak,isJailBroken,均返回0 |
JailbreakDetectionVC, DTTJailbreakDetection, GBDeviceInfo,CPWRDeviceInfo, CPWRSessionInfo,KSSystemInfo, FCRSystemMetadata,OneSignalJailbreakDetection |
挂钩isJailbroken,返回0 |
ANSMetadata | 挂钩computeIsJailbroken,isJailbroken,返回0 |
AppsFlyerUtils | 挂钩isJailBreakon,返回0 |
CMARAppRestrictionsDelegate | 挂钩isDeviceNonCompliant,返回0 |
ADYSecurityCheck | 挂钩isDeviceJailbroken,返回0 |
UBReportMetadataDevice | 挂钩is_rooted,返回0 |
UtilitySystem,GemaltoConfiguration | 挂钩isJailbreak,返回0 |
EMDSKPPConfiguration | 挂钩jailBroken,返回0 |
EnrollParameters | 挂钩jailbroken,返回0 |
EMDskppConfigurationBuilder | 挂钩jailbreakStatus,返回0 |
v_VDMap |
挂钩isJailBrokenDetectedByVOS,isDFPHookedDetecedByVOS, isCodeInjectionDetectedByVOS,isDebuggerCheckDetectedByVOS, isAppSignerCheckDetectedByVOS,v_checkAModified,返回0 |
SDMUtils | 挂钩isJailBroken,返回0 |
DigiPassHandler | 挂钩rootedDeviceTestResult,返回0 |
AWMyDeviceGeneralInfo | 挂钩isCompliant,返回1 |
其中限制目录,URL或镜像都是取这些目录或以这些目录为前缀
/ /.HFS /.Trashes /.ba /.file /.mb /Applications /Applications/AXUIViewService.app /Applications/AccountAuthenticationDialog.app /Applications/ActivityMessagesApp.app /Applications/AdPlatformsDiagnostics.app /Applications/AppStore.app /Applications/AskPermissionUI.app /Applications/BusinessExtensionsWrapper.app /Applications/CTCarrierSpaceAuth.app /Applications/Camera.app /Applications/CheckerBoard.app /Applications/CompassCalibrationViewService.app /Applications/ContinuityCamera.app /Applications/CoreAuthUI.app /Applications/DDActionsService.app /Applications/DNDBuddy.app /Applications/DataActivation.app /Applications/DemoApp.app /Applications/Diagnostics.app /Applications/DiagnosticsService.app /Applications/FTMInternal-4.app /Applications/Family.app /Applications/Feedback /Applications/FieldTest.app /Applications/FindMyiPhone.app /Applications/FunCameraShapes.app /Applications/FunCameraText.app /Applications/GameCenterUIService.app /Applications/HashtagImages.app /Applications/Health.app /Applications/HealthPrivacyService.app /Applications/HomeUIService.app /Applications/InCallService.app /Applications/Magnifier.app /Applications/MailCompositionService.app /Applications/MessagesViewService.app /Applications/MobilePhone.app /Applications/MobileSMS.app /Applications/MobileSafari.app /Applications/MobileSlideShow.app /Applications/MobileTimer.app /Applications/MusicUIService.app /Applications/Passbook.app /Applications/PassbookUIService.app /Applications/PhotosViewService.app /Applications/PreBoard.app /Applications/Preferences.app /Applications/Print /Applications/SIMSetupUIService.app /Applications/SLGoogleAuth.app /Applications/SLYahooAuth.app /Applications/SafariViewService.app /Applications/ScreenSharingViewService.app /Applications/ScreenshotServicesService.app /Applications/Setup.app /Applications/SharedWebCredentialViewService.app /Applications/SharingViewService.app /Applications/SiriViewService.app /Applications/SoftwareUpdateUIService.app /Applications/StoreDemoViewService.app /Applications/StoreKitUIService.app /Applications/TrustMe.app /Applications/Utilities /Applications/VideoSubscriberAccountViewService.app /Applications/WLAccessService.app /Applications/Web.app /Applications/WebApp1.app /Applications/WebContentAnalysisUI.app /Applications/WebSheet.app /Applications/iAdOptOut.app /Applications/iCloud.app /Developer /Library /Library/Application /Library/Application /Library/Application /Library/Audio /Library/Caches /Library/Caches/cy- /Library/Filesystems /Library/Frameworks /Library/Frameworks/Cephei.framework/Cephei /Library/Frameworks/CydiaSubstrate.framework/CydiaSubstrate /Library/Internet /Library/Keychains /Library/LaunchAgents /Library/LaunchDaemons /Library/Logs /Library/Managed /Library/MobileDevice /Library/MobileSubstrate /Library/MobileSubstrate/DynamicLibraries/0Shadow.dylib /Library/MusicUISupport /Library/PreferenceBundles /Library/Preferences /Library/Printers /Library/Ringtones /Library/SnowBoard /Library/Themes /Library/TweakInject /Library/Updates /Library/Wallpaper /System /System/Library/Frameworks/CoreFoundation.framework/CoreFoundation /System/Library/Frameworks/Foundation.framework/Foundation /System/Library/PreferenceBundles/AppList.bundle /User/Library/Preferences /bin /bin/df /bin/ps /cores /dev /dev/dlci. /dev/kmem /dev/mem /dev/vn0 /dev/vn1 /etc /etc/asl /etc/asl.conf /etc/fstab /etc/group /etc/hosts /etc/hosts.equiv /etc/master.passwd /etc/networks /etc/notify.conf /etc/passwd /etc/ppp /etc/protocols /etc/racoon /etc/services /etc/ttys /lib /mnt /private /private/etc /private/system_data /private/var /private/var/containers/Bundle/Application /private/var/mobile/Containers/Bundle/Application /private/xarts /sbin /sbin/fsck /sbin/launchd /sbin/mount /sbin/pfctl /tmp /tmp/Substrate /tmp/amfid_payload.alive /tmp/amfidebilitate.out /tmp/com.apple /tmp/cydia.log /tmp/jailbreakd.pid /tmp/org.coolstar /tmp/slide.txt /tmp/substrate /tmp/syslog /usr /usr/bin /usr/bin/DumpBasebandCrash /usr/bin/PerfPowerServicesExtended /usr/bin/abmlite /usr/bin/brctl /usr/bin/footprint /usr/bin/hidutil /usr/bin/hpmdiagnose /usr/bin/kbdebug /usr/bin/powerlogHelperd /usr/bin/sysdiagnose /usr/bin/tailspin /usr/bin/taskinfo /usr/bin/vm_stat /usr/bin/zprint /usr/include /usr/lib /usr/lib/FDRSealingMap.plist /usr/lib/TweakInject /usr/lib/apt /usr/lib/bash /usr/lib/bbmasks /usr/lib/cycript /usr/lib/dyld /usr/lib/lib%@.dylib /usr/lib/libCRFSuite /usr/lib/libDHCPServer /usr/lib/libMatch /usr/lib/libSubstitrate /usr/lib/libSystem /usr/lib/libSystem.B.dylib /usr/lib/libarchive /usr/lib/libbsm /usr/lib/libbz2 /usr/lib/libc /usr/lib/libc++ /usr/lib/libc++.1.dylib /usr/lib/libcharset /usr/lib/libcurses /usr/lib/libdbm /usr/lib/libdl /usr/lib/libeasyperf /usr/lib/libedit /usr/lib/libexslt /usr/lib/libextension /usr/lib/libform /usr/lib/libiconv /usr/lib/libicucore /usr/lib/libinfo /usr/lib/libipsec /usr/lib/liblzma /usr/lib/libm /usr/lib/libmecab /usr/lib/libmis.dylib /usr/lib/libncurses /usr/lib/libobjc /usr/lib/libobjc.A.dylib /usr/lib/libpcap /usr/lib/libperfcheck /usr/lib/libpmsample /usr/lib/libpoll /usr/lib/libproc /usr/lib/libpthread /usr/lib/libresolv /usr/lib/librpcsvc /usr/lib/libsandbox /usr/lib/libsqlite3 /usr/lib/libstdc++ /usr/lib/libsubstitute /usr/lib/libsubstitute.dylib /usr/lib/libsubstrate /usr/lib/libtidy /usr/lib/libutil /usr/lib/libxml2 /usr/lib/libxslt /usr/lib/libz /usr/lib/log /usr/lib/substrate /usr/lib/system /usr/lib/tweaks /usr/lib/updaters /usr/lib/xpc /usr/libexec /usr/libexec/BackupAgent /usr/libexec/BackupAgent2 /usr/libexec/CrashHousekeeping /usr/libexec/DataDetectorsSourceAccess /usr/libexec/FSTaskScheduler /usr/libexec/FinishRestoreFromBackup /usr/libexec/IOAccelMemoryInfoCollector /usr/libexec/IOMFB_bics_daemon /usr/libexec/Library /usr/libexec/MobileGestaltHelper /usr/libexec/MobileStorageMounter /usr/libexec/NANDTaskScheduler /usr/libexec/OTATaskingAgent /usr/libexec/PowerUIAgent /usr/libexec/PreboardService /usr/libexec/ProxiedCrashCopier /usr/libexec/PurpleReverseProxy /usr/libexec/ReportMemoryException /usr/libexec/SafariCloudHistoryPushAgent /usr/libexec/SidecarRelay /usr/libexec/SyncAgent /usr/libexec/UserEventAgent /usr/libexec/addressbooksyncd /usr/libexec/adid /usr/libexec/adprivacyd /usr/libexec/adservicesd /usr/libexec/afcd /usr/libexec/airtunesd /usr/libexec/amfid /usr/libexec/asd /usr/libexec/assertiond /usr/libexec/atc /usr/libexec/atwakeup /usr/libexec/backboardd /usr/libexec/biometrickitd /usr/libexec/bootpd /usr/libexec/bulletindistributord /usr/libexec/captiveagent /usr/libexec/cc_fips_test /usr/libexec/checkpointd /usr/libexec/cloudpaird /usr/libexec/com.apple.automation.defaultslockdownserviced /usr/libexec/companion_proxy /usr/libexec/configd /usr/libexec/corecaptured /usr/libexec/coreduetd /usr/libexec/crash_mover /usr/libexec/dasd /usr/libexec/demod /usr/libexec/demod_helper /usr/libexec/dhcpd /usr/libexec/diagnosticd /usr/libexec/diagnosticextensionsd /usr/libexec/dmd /usr/libexec/dprivacyd /usr/libexec/dtrace /usr/libexec/duetexpertd /usr/libexec/eventkitsyncd /usr/libexec/fdrhelper /usr/libexec/findmydeviced /usr/libexec/finish_demo_restore /usr/libexec/fmfd /usr/libexec/fmflocatord /usr/libexec/fseventsd /usr/libexec/ftp-proxy /usr/libexec/gamecontrollerd /usr/libexec/gamed /usr/libexec/gpsd /usr/libexec/hangreporter /usr/libexec/hangtracerd /usr/libexec/heartbeatd /usr/libexec/hostapd /usr/libexec/idamd /usr/libexec/init_data_protection /usr/libexec/installd /usr/libexec/ioupsd /usr/libexec/keybagd /usr/libexec/languageassetd /usr/libexec/locationd /usr/libexec/lockdownd /usr/libexec/logd /usr/libexec/lsd /usr/libexec/lskdd /usr/libexec/lskdmsed /usr/libexec/magicswitchd /usr/libexec/mc_mobile_tunnel /usr/libexec/microstackshot /usr/libexec/misagent /usr/libexec/misd /usr/libexec/mmaintenanced /usr/libexec/mobile_assertion_agent /usr/libexec/mobile_diagnostics_relay /usr/libexec/mobile_house_arrest /usr/libexec/mobile_installation_proxy /usr/libexec/mobile_obliterator /usr/libexec/mobile_storage_proxy /usr/libexec/mobileactivationd /usr/libexec/mobileassetd /usr/libexec/mobilewatchdog /usr/libexec/mtmergeprops /usr/libexec/nanomediaremotelinkagent /usr/libexec/nanoregistryd /usr/libexec/nanoregistrylaunchd /usr/libexec/neagent /usr/libexec/nehelper /usr/libexec/nesessionmanager /usr/libexec/networkserviceproxy /usr/libexec/nfcd /usr/libexec/nfrestore_service /usr/libexec/nlcd /usr/libexec/notification_proxy /usr/libexec/nptocompaniond /usr/libexec/nsurlsessiond /usr/libexec/nsurlstoraged /usr/libexec/online-auth-agent /usr/libexec/oscard /usr/libexec/pcapd /usr/libexec/pcsstatus /usr/libexec/pfd /usr/libexec/pipelined /usr/libexec/pkd /usr/libexec/pkreporter /usr/libexec/ptpd /usr/libexec/rapportd /usr/libexec/replayd /usr/libexec/resourcegrabberd /usr/libexec/rolld /usr/libexec/routined /usr/libexec/rtbuddyd /usr/libexec/rtcreportingd /usr/libexec/safarifetcherd /usr/libexec/screenshotsyncd /usr/libexec/security-sysdiagnose /usr/libexec/securityd /usr/libexec/securityuploadd /usr/libexec/seld /usr/libexec/seputil /usr/libexec/sharingd /usr/libexec/signpost_reporter /usr/libexec/silhouette /usr/libexec/siriknowledged /usr/libexec/smcDiagnose /usr/libexec/splashboardd /usr/libexec/springboardservicesrelay /usr/libexec/streaming_zip_conduit /usr/libexec/swcd /usr/libexec/symptomsd /usr/libexec/symptomsd-helper /usr/libexec/sysdiagnose_helper /usr/libexec/sysstatuscheck /usr/libexec/tailspind /usr/libexec/timed /usr/libexec/tipsd /usr/libexec/topicsmap.db /usr/libexec/transitd /usr/libexec/trustd /usr/libexec/tursd /usr/libexec/tzd /usr/libexec/tzinit /usr/libexec/tzlinkd /usr/libexec/videosubscriptionsd /usr/libexec/wapic /usr/libexec/wcd /usr/libexec/webbookmarksd /usr/libexec/webinspectord /usr/libexec/wifiFirmwareLoader /usr/libexec/wifivelocityd /usr/libexec/xpcproxy /usr/libexec/xpcroleaccountd /usr/local /usr/local/bin /usr/local/lib /usr/local/standalone /usr/sbin /usr/sbin/BTAvrcp /usr/sbin/BTLEServer /usr/sbin/BTMap /usr/sbin/BTPbap /usr/sbin/BlueTool /usr/sbin/WiFiNetworkStoreModel.momd /usr/sbin/WirelessRadioManagerd /usr/sbin/absd /usr/sbin/addNetworkInterface /usr/sbin/applecamerad /usr/sbin/aslmanager /usr/sbin/bluetoothd /usr/sbin/cfprefsd /usr/sbin/ckksctl /usr/sbin/distnoted /usr/sbin/fairplayd.H2 /usr/sbin/filecoordinationd /usr/sbin/ioreg /usr/sbin/ipconfig /usr/sbin/mDNSResponder /usr/sbin/mDNSResponderHelper /usr/sbin/mediaserverd /usr/sbin/notifyd /usr/sbin/nvram /usr/sbin/pppd /usr/sbin/racoon /usr/sbin/rtadvd /usr/sbin/scutil /usr/sbin/spindump /usr/sbin/syslogd /usr/sbin/wifid /usr/sbin/wirelessproxd /usr/share /usr/share/CSI /usr/share/com.apple.languageassetd /usr/share/firmware /usr/share/icu /usr/share/langid /usr/share/locale /usr/share/mecabra /usr/share/misc /usr/share/progressui /usr/share/tokenizer /usr/share/zoneinfo /usr/share/zoneinfo.default /usr/standalone /var /var/.DocumentRevisions /var/.fseventsd /var/.overprovisioning_file /var/Keychains /var/Managed /var/MobileAsset /var/MobileDevice /var/MobileSoftwareUpdate /var/audit /var/backups /var/buddy /var/containers /var/containers/Bundle /var/containers/Bundle/Application /var/containers/Bundle/Framework /var/containers/Bundle/PluginKitPlugin /var/containers/Bundle/VPNPlugin /var/containers/Bundle/dylibs /var/containers/Bundle/tweaksupport /var/cores /var/db /var/db/stash /var/ea /var/empty /var/folders /var/hardware /var/installd /var/internal /var/keybags /var/lib /var/lib/dpkg/info /var/local /var/lock /var/log /var/log/asl /var/log/com.apple.xpc.launchd /var/log/corecaptured.log /var/log/ppp /var/log/ppp.log /var/log/racoon.log /var/log/sa /var/logs /var/mobile /var/mobile/Applications /var/mobile/Containers /var/mobile/Containers/Bundle/Application /var/mobile/Containers/Data /var/mobile/Containers/Data/Application /var/mobile/Containers/Data/InternalDaemon /var/mobile/Containers/Data/PluginKitPlugin /var/mobile/Containers/Data/TempDir /var/mobile/Containers/Data/VPNPlugin /var/mobile/Containers/Data/XPCService /var/mobile/Containers/Shared /var/mobile/Containers/Shared/AppGroup /var/mobile/Documents /var/mobile/Downloads /var/mobile/Library /var/mobile/Library/Caches /var/mobile/Library/Caches/.com.apple /var/mobile/Library/Caches/ACMigrationLock /var/mobile/Library/Caches/AccountMigrationInProgress /var/mobile/Library/Caches/AdMob /var/mobile/Library/Caches/BTAvrcp /var/mobile/Library/Caches/Checkpoint.plist /var/mobile/Library/Caches/CloudKit /var/mobile/Library/Caches/DateFormats.plist /var/mobile/Library/Caches/FamilyCircle /var/mobile/Library/Caches/GameKit /var/mobile/Library/Caches/GeoServices /var/mobile/Library/Caches/MappedImageCache /var/mobile/Library/Caches/OTACrashCopier /var/mobile/Library/Caches/PassKit /var/mobile/Library/Caches/Snapshots /var/mobile/Library/Caches/Snapshots/com.apple /var/mobile/Library/Caches/TelephonyUI /var/mobile/Library/Caches/Weather /var/mobile/Library/Caches/cache /var/mobile/Library/Caches/ckkeyrolld /var/mobile/Library/Caches/com.apple /var/mobile/Library/Caches/rtcreportingd /var/mobile/Library/Caches/sharedCaches /var/mobile/Library/ControlCenter /var/mobile/Library/ControlCenter/ModuleConfiguration.plist /var/mobile/Library/Cydia /var/mobile/Library/Logs/Cydia /var/mobile/Library/Preferences /var/mobile/Library/Preferences/.GlobalPreferences.plist /var/mobile/Library/Preferences/UITextInputContextIdentifiers.plist /var/mobile/Library/Preferences/Wallpaper.png /var/mobile/Library/Preferences/ckkeyrolld.plist /var/mobile/Library/Preferences/com.apple. /var/mobile/Library/Preferences/nfcd.plist /var/mobile/Library/SBSettings /var/mobile/Library/Sileo /var/mobile/Media /var/mobile/MobileSoftwareUpdate /var/msgs /var/networkd /var/preferences /var/root /var/run /var/run/asl_input /var/run/configd.pid /var/run/fudinit /var/run/lockbot /var/run/lockdown /var/run/lockdown.sock /var/run/lockdown_first_run /var/run/mDNSResponder /var/run/pppconfd /var/run/printd /var/run/syslog /var/run/syslog.pid /var/run/utmpx /var/run/vpncontrol.sock /var/spool /var/staged_system_apps /var/tmp /var/vm /var/wireless
除了上面目录,还对这些路径匹配绕过
list firmware-sbin.list gsc.firmware-sbin.list
同时对包含这些字段的路径绕过
Substrate substrate substitute Substitrate TweakInject jailbreak cycript SBInject pspawn rocketbootstrap bfdecrypt
对URL包含这种模式绕过
cydia sileo
检测
从上面来看,这个越狱工具从目录和系统API上做了很多绕过措施,但还是有地方囊括不够的。
对比在基本思路里的几条,基本如下
保护环境变量的访问 ---- 有部分
禁止某些命令的执行 --- 没有
禁止某些路径访问 ---- 有
禁止某些系统参数访问 -- 有部分
挂钩某些系统调用 --- 有部分
那么检测方案可以这样:
没有挂钩mkdir,考虑使用mkdir在正常情况下禁止访问的目录下创建子目录,如果OK,就说明是被越狱。
没有挂钩execve,可以考虑执行一个正常情况下禁止执行的程序,如果成功,说明被越狱。
没有挂钩ptrace,可以使用它进行自身调试,如果成功,说明被越狱
创建一个库,里面定义一些函数是MS,Sub,PS,LM,rocketbootstrap, substitute_,_logos为前缀的,如果调用dlsym返回失败,说明被越狱
只对sysctl挂钩了,但对sysctlbyname,sysctlnametomib没有挂钩,可以调用这两个函数来获取进程信息。同时sysctl也并不是所有情况都处理了,比如获取硬件信息就没有。这三个系统调用可以获取一些高权限信息,说明被越狱
不引入其它检测越狱的库,但自己实现一个同名的类和方法,比如SDMUtils和方法isJailBroken,这个方法只返回一个结果,就是1。如果调用这个方法,返回值为0,那么说明被越狱
还有很多,不过,本人对iOS不熟悉,对它的系统调用也不熟悉,只能给出这些。
审核编辑:刘清
全部0条评论
快来发表一下你的评论吧 !