iOS进程启动模型

哆啦安全 2023-02-23 2518

描述

分析工具：IDA 7.0

基本思路

在分析越狱工具shadow之前，所有越狱工具都是对进程进行注入挂钩来实现。注入从作用范围来看，分为两类：

用户态注入，通过动态库

内核态注入，通过驱动

在苹果系统开发驱动，需要苹果授权，所以，越狱工具是没办法走这条路，只可能进行用户态注入。

那么，分析它就需要对进程启动时如何加载动态库了解，这就涉及到iOS进程启动模型。

本文的思路如下：

iOS进程启动模型

依赖分析

钩子点分析

检测

iOS进程启动模型

iOS也是Unix族的衍生类。在Unix族里，进程启动模型的都大致如下：

加载执行文件：从绝对路径或相对路径或从环境变量指定搜索的路径搜索出来

根据执行文件依赖（导入表）来加载动态库文件：从绝对路径或相对路径或从环境变量和系统配置指定的搜索路径搜索出来

完成所有符号匹配，启动进程

进程处理输入参数和相应配置文件

从上面来看，只有1，2两步才可能进行注入。

在Unix族里，和执行文件加载相关的环境变量一般是**PATH** ,它一般是执行路径的列表，如/bin, /usr/bin, 和/usr/local/bin等，这个环境变量一般可以设置。搜索顺序是按照列表元素先后顺序进行，一旦找到，立马停止搜索。假设这个环境变量设置是这样的

PATH=/bin:/usr/bin:/usr/local/bin

这些路径都有一个ls执行文件，当执行ls时，只会执行/bin/ls。

如果越狱工具要在这一步注入，它必须构建一个沙箱，接管所有程序执行。这种方式，所有用户态进程都可以变成它的子进程，这个沙箱可以任意更改子进程的环境变量，完成静态注入，甚至可以通过ptrace之类的系统调用来进行动态注入。这种方式可以非常好地绕过各种越狱检测工具的检测。

在Unix族，和动态库加载相关的环境变量和系统配置，就各有各的不同。

从上面可以看到iOS依次对下面这些环境变量包含的路径列表按照先后顺序遍历，一旦找到相应动态库，立马停止该次遍历，查找下一个：

DYLD_INSERT_LIBRARIES

DYLD_VERSIONED_FRAMEWORK_PATH

DYLD_FRAMEWORK_PATH

DYLD_LIBRARY_PATH

DYLD_FALLBACK_FRAMEWORK_PATH

DYLD_FALLBACK_LIBRARY_PATH

目前不少APP检测iOS是否越狱，都是做下列动作：

访问root才能够访问的目录和文件，执行读或写

执行root才能够执行的命令

访问或更改root才能够访问的环境变量

调用root才能够调用的系统调用

访问root才能够访问的系统参数

根据上面进程启动模型分析，越狱工具要具有反检测的能力，必须要做这样事情：

保护环境变量的访问

禁止某些命令的执行

禁止某些路径访问

禁止某些系统参数访问

挂钩某些系统调用

依赖分析

根据上面的探究后，我们实际上看一下这个越狱工具是怎样的。

把me.jjolano.shadow_2.0.20_iphoneos-arm.deb解压的目录大致如下

PS D:Library> Get-ChildItem -Recurse


    目录: D:Library


Mode                LastWriteTime         Length Name                                                                                                                  
----                -------------         ------ ----                                                                                                                  
d-----         2019/8/2      1:59                MobileSubstrate                                                                                                       
d-----         2019/8/2      1:59                PreferenceBundles                                                                                                     
d-----         2019/8/2      1:59                PreferenceLoader                                                                                                      


    目录: D:LibraryMobileSubstrate


Mode                LastWriteTime         Length Name                                                                                                                  
----                -------------         ------ ----                                                                                                                  
d-----         2019/8/2      1:59                DynamicLibraries                                                                                                      


    目录: D:LibraryMobileSubstrateDynamicLibraries


Mode                LastWriteTime         Length Name                                                                                                                  
----                -------------         ------ ----                                                                                                                  
-a----         2019/8/2      1:59         728432 0Shadow.dylib                                                                                                         
-a----         2019/8/2      1:59             87 0Shadow.plist                                                                                                         


    目录: D:LibraryPreferenceBundles


Mode                LastWriteTime         Length Name                                                                                                                  
----                -------------         ------ ----                                                                                                                  
d-----         2019/8/2      1:59                ShadowPreferences.bundle                                                                                              


    目录: D:LibraryPreferenceBundlesShadowPreferences.bundle


Mode                LastWriteTime         Length Name                                                                                                                  
----                -------------         ------ ----                                                                                                                  
d-----        2019/7/14      1:29                en.lproj                                                                                                              
-a---l        2021/4/10      0:27              0 Base.lproj                                                                                                            
-a----         2019/8/2      1:59            751 Icon-Small.png                                                                                                        
-a----         2019/8/2      1:59           1610 Icon-Small@2x.png                                                                                                     
-a----         2019/8/2      1:59           2693 Icon-Small@3x.png                                                                                                     
-a----         2019/8/2      1:59            404 Info.plist                                                                                                            
-a----         2019/8/2      1:59           3123 Root.plist                                                                                                            
-a----        2019/7/29      4:37         265808 ShadowPreferences                                                                                                     


    目录: D:LibraryPreferenceBundlesShadowPreferences.bundleen.lproj


Mode                LastWriteTime         Length Name                                                                                                                  
----                -------------         ------ ----                                                                                                                  
-a----         2019/8/2      1:59           3915 Root.strings                                                                                                          


    目录: D:LibraryPreferenceLoader


Mode                LastWriteTime         Length Name                                                                                                                  
----                -------------         ------ ----                                                                                                                  
d-----         2019/8/2      1:59                Preferences                                                                                                           


    目录: D:LibraryPreferenceLoaderPreferences


Mode                LastWriteTime         Length Name                                                                                                                  
----                -------------         ------ ----                                                                                                                  
-a----         2019/8/2      1:59            199 ShadowPreferences.plist

从大小来看，只有D:LibraryMobileSubstrateDynamicLibraries�Shadow.dylib值得分析，用IDA打开一看，看一下导入表

AddressOrdinalNameLibrary
0000000000026830_OBJC_CLASS_$_HBPreferences/Library/Frameworks/Cephei.framework/Cephei
0000000000026838_MSGetImageByName/Library/Frameworks/CydiaSubstrate.framework/CydiaSubstrate
0000000000026840_MSHookFunction/Library/Frameworks/CydiaSubstrate.framework/CydiaSubstrate
0000000000026848_MSHookMessageEx/Library/Frameworks/CydiaSubstrate.framework/CydiaSubstrate
0000000000026800_OBJC_CLASS_$_NSArray/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation
0000000000026808_OBJC_CLASS_$_NSDictionary/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation
0000000000026810_OBJC_CLASS_$_NSMutableArray/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation
0000000000026818_OBJC_CLASS_$_NSMutableDictionary/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation
0000000000026820_OBJC_CLASS_$_NSURL/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation
0000000000026828___CFConstantStringClassReference/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation
00000000000267A0_NSCocoaErrorDomain/System/Library/Frameworks/Foundation.framework/Foundation
00000000000267A8_NSLocalizedDescriptionKey/System/Library/Frameworks/Foundation.framework/Foundation
00000000000267B0_NSLocalizedFailureReasonErrorKey/System/Library/Frameworks/Foundation.framework/Foundation
00000000000267B8_NSLocalizedRecoverySuggestionErrorKey/System/Library/Frameworks/Foundation.framework/Foundation
00000000000267C0_OBJC_CLASS_$_NSBundle/System/Library/Frameworks/Foundation.framework/Foundation
00000000000267C8_OBJC_CLASS_$_NSCharacterSet/System/Library/Frameworks/Foundation.framework/Foundation
00000000000267D0_OBJC_CLASS_$_NSError/System/Library/Frameworks/Foundation.framework/Foundation
00000000000267D8_OBJC_CLASS_$_NSFileManager/System/Library/Frameworks/Foundation.framework/Foundation
00000000000267E0_OBJC_CLASS_$_NSNumber/System/Library/Frameworks/Foundation.framework/Foundation
00000000000267E8_OBJC_CLASS_$_NSProcessInfo/System/Library/Frameworks/Foundation.framework/Foundation
00000000000267F0_OBJC_CLASS_$_NSString/System/Library/Frameworks/Foundation.framework/Foundation
00000000000267F8_OBJC_CLASS_$_NSValue/System/Library/Frameworks/Foundation.framework/Foundation
0000000000026858_NSVersionOfLinkTimeLibrary/usr/lib/libSystem.B.dylib
0000000000026860_NSVersionOfRunTimeLibrary/usr/lib/libSystem.B.dylib
0000000000026868___stack_chk_guard/usr/lib/libSystem.B.dylib
0000000000026870__dyld_get_image_name/usr/lib/libSystem.B.dylib
0000000000026878__dyld_image_count/usr/lib/libSystem.B.dylib
0000000000026880_access/usr/lib/libSystem.B.dylib
0000000000026888_chdir/usr/lib/libSystem.B.dylib
0000000000026890_chroot/usr/lib/libSystem.B.dylib
0000000000026898_creat/usr/lib/libSystem.B.dylib
00000000000268A0_csops/usr/lib/libSystem.B.dylib
00000000000268A8_dladdr/usr/lib/libSystem.B.dylib
00000000000268B0_dlopen/usr/lib/libSystem.B.dylib
00000000000268B8_dlopen_preflight/usr/lib/libSystem.B.dylib
00000000000268C0_dlsym/usr/lib/libSystem.B.dylib
00000000000268C8_faccessat/usr/lib/libSystem.B.dylib
00000000000268D0_fchdir/usr/lib/libSystem.B.dylib
00000000000268D8_fopen/usr/lib/libSystem.B.dylib
00000000000268E0_fork/usr/lib/libSystem.B.dylib
00000000000268E8_freopen/usr/lib/libSystem.B.dylib
00000000000268F0_fstat/usr/lib/libSystem.B.dylib
00000000000268F8_fstatat/usr/lib/libSystem.B.dylib
0000000000026900_fstatfs/usr/lib/libSystem.B.dylib
0000000000026908_getegid/usr/lib/libSystem.B.dylib
0000000000026910_getenv/usr/lib/libSystem.B.dylib
0000000000026918_geteuid/usr/lib/libSystem.B.dylib
0000000000026920_getgid/usr/lib/libSystem.B.dylib
0000000000026928_getppid/usr/lib/libSystem.B.dylib
0000000000026930_getuid/usr/lib/libSystem.B.dylib
0000000000026938_link/usr/lib/libSystem.B.dylib
0000000000026940_lstat/usr/lib/libSystem.B.dylib
0000000000026948_open/usr/lib/libSystem.B.dylib
0000000000026950_openat/usr/lib/libSystem.B.dylib
0000000000026958_opendir/usr/lib/libSystem.B.dylib
0000000000026960_popen/usr/lib/libSystem.B.dylib
0000000000026968_posix_spawn/usr/lib/libSystem.B.dylib
0000000000026970_posix_spawnp/usr/lib/libSystem.B.dylib
0000000000026978_readdir/usr/lib/libSystem.B.dylib
0000000000026980_readlink/usr/lib/libSystem.B.dylib
0000000000026988_readlinkat/usr/lib/libSystem.B.dylib
0000000000026990_realpath$DARWIN_EXTSN/usr/lib/libSystem.B.dylib
0000000000026998_remove/usr/lib/libSystem.B.dylib
00000000000269A0_rename/usr/lib/libSystem.B.dylib
00000000000269A8_rmdir/usr/lib/libSystem.B.dylib
00000000000269B0_setegid/usr/lib/libSystem.B.dylib
00000000000269B8_seteuid/usr/lib/libSystem.B.dylib
00000000000269C0_setgid/usr/lib/libSystem.B.dylib
00000000000269C8_setregid/usr/lib/libSystem.B.dylib
00000000000269D0_setreuid/usr/lib/libSystem.B.dylib
00000000000269D8_setuid/usr/lib/libSystem.B.dylib
00000000000269E0_stat/usr/lib/libSystem.B.dylib
00000000000269E8_statfs/usr/lib/libSystem.B.dylib
00000000000269F0_symlink/usr/lib/libSystem.B.dylib
00000000000269F8_sysctl/usr/lib/libSystem.B.dylib
0000000000026A00_unlink/usr/lib/libSystem.B.dylib
0000000000026A08_unlinkat/usr/lib/libSystem.B.dylib
0000000000026A10_vfork/usr/lib/libSystem.B.dylib
0000000000026A18dyld_stub_binder/usr/lib/libSystem.B.dylib
0000000000026A20__Unwind_Resume/usr/lib/libSystem.B.dylib
0000000000026A28___error/usr/lib/libSystem.B.dylib
0000000000026A30___stack_chk_fail/usr/lib/libSystem.B.dylib
0000000000026A38__dyld_register_func_for_add_image/usr/lib/libSystem.B.dylib
0000000000026A40_dirfd/usr/lib/libSystem.B.dylib
0000000000026A48_dlclose/usr/lib/libSystem.B.dylib
0000000000026A50_fclose/usr/lib/libSystem.B.dylib
0000000000026A58_fcntl/usr/lib/libSystem.B.dylib
0000000000026A60_free/usr/lib/libSystem.B.dylib
0000000000026A68_getpid/usr/lib/libSystem.B.dylib
0000000000026A70_strcmp/usr/lib/libSystem.B.dylib
0000000000026A78_strlen/usr/lib/libSystem.B.dylib
0000000000026850___gxx_personality_v0/usr/lib/libc++.1.dylib
0000000000026720_OBJC_CLASS_$_NSObject/usr/lib/libobjc.A.dylib
0000000000026728_OBJC_METACLASS_$_NSObject/usr/lib/libobjc.A.dylib
0000000000026730__objc_empty_cache/usr/lib/libobjc.A.dylib
0000000000026738_objc_copyClassNamesForImage/usr/lib/libobjc.A.dylib
0000000000026740_objc_copyImageNames/usr/lib/libobjc.A.dylib
0000000000026748_objc_autoreleaseReturnValue/usr/lib/libobjc.A.dylib
0000000000026750_objc_enumerationMutation/usr/lib/libobjc.A.dylib
0000000000026758_objc_getClass/usr/lib/libobjc.A.dylib
0000000000026760_objc_msgSend/usr/lib/libobjc.A.dylib
0000000000026768_objc_msgSendSuper2/usr/lib/libobjc.A.dylib
0000000000026770_objc_release/usr/lib/libobjc.A.dylib
0000000000026778_objc_retain/usr/lib/libobjc.A.dylib
0000000000026780_objc_retainAutorelease/usr/lib/libobjc.A.dylib
0000000000026788_objc_retainAutoreleasedReturnValue/usr/lib/libobjc.A.dylib
0000000000026790_objc_storeStrong/usr/lib/libobjc.A.dylib
0000000000026798_object_getClass/usr/lib/libobjc.A.dylib

可以看到，这个工具除了系统的框架外，只引用了/Library/Frameworks/Cephei.framework/Cephei, /Library/Frameworks/CydiaSubstrate.framework/CydiaSubstrate两个框架

对这个导入项进行分析

0000000000026830_OBJC_CLASS_$_HBPreferences/Library/Frameworks/Cephei.framework/Cephei

_OBJC_CLASS_$_HBPreferences这个符号经过Name Mangling处理，实际上它是引入了HBPreferences这个类，这个类是处理界面上配置。

只剩下这三个符号了

0000000000026838_MSGetImageByName/Library/Frameworks/CydiaSubstrate.framework/CydiaSubstrate
0000000000026840_MSHookFunction/Library/Frameworks/CydiaSubstrate.framework/CydiaSubstrate
0000000000026848_MSHookMessageEx/Library/Frameworks/CydiaSubstrate.framework/CydiaSubstrate

同样根据Name Mangling原则，这三个符号实际上是MSGetImageByName, MSHookFunction, MSHookMessageEx。

先分析一下MSGetImageByName,

从它的引用来看

DirectionTypeAddressText
UppInitFunc_0+64CBL              _MSGetImageByName

只有一处地方，就是InitFunc_0+64C。

在IDA操作，是从导入表选中这个符号，双击，进入这个符号所在代码位置，在代码位置选中这个符号，右键选中"Jump to xref to operand..."，就可以得到所有引用了

看引用它的汇编

_text:000000000000C34C                 ADR             X0, aUsrLibLibsubst_2 ; "/usr/lib/libsubstitute.dylib"
__text:000000000000C350                 NOP
__text:000000000000C354                 STP             X19, X26, [SP,#0x210+var_210]
__text:000000000000C358                 STR             X23, [SP,#0x210+var_200]
__text:000000000000C35C                 BL              _MSGetImageByName
__text:000000000000C360                 MOV             X24, X0
__text:000000000000C364                 NOP
__text:000000000000C368                 LDR             X0, qword_26080 ; void *
__text:000000000000C36C                 NOP
__text:000000000000C370                 LDR             X20, =sel_setUseInjectCompatibilityMode_ ; "setUseInjectCompatibilityMode:"
__text:000000000000C374                 CBZ             X24, loc_C3A0
__text:000000000000C378                 MOV             W2, #0
__text:000000000000C37C                 MOV             X1, X20 ; char *
__text:000000000000C380                 BL              _objc_msgSend
__text:000000000000C384                 B               loc_C3AC

可见是加载/usr/lib/libsubstitute.dylib, 再把获得的句柄判断这个文件是否存在，再跳转。

__text:000000000000C354                 STP             X19, X26, [SP,#0x210+var_210]
__text:000000000000C358                 STR             X23, [SP,#0x210+var_200]

这几两行指令其实没多少用处，只是编译器为了代码优化做的乱序执行。其实和这个接口引用无关。

从这个句柄的处理汇编

__text:000000000000C3A0 loc_C3A0                                ; CODE XREF: InitFunc_0+664↑j
__text:000000000000C3A0                 MOV             W2, #1
__text:000000000000C3A4                 MOV             X1, X20 ; char *
__text:000000000000C3A8                 BL              _objc_msgSend
__text:000000000000C3AC
__text:000000000000C3AC loc_C3AC                                ; CODE XREF: InitFunc_0+674↑j
__text:000000000000C3AC                 LDR             X0, [SP,#0x210+var_1E0] ; void *
__text:000000000000C3B0                 MOV             X1, X28 ; char *
__text:000000000000C3B4                 LDR             X2, [SP,#0x210+var_1B8]
__text:000000000000C3B8                 BL              _objc_msgSend
__text:000000000000C3BC                 CBZ             W0, loc_C6A0
__text:000000000000C3C0                 NOP

无非就是和管理配置通信，可以忽略。

MSHookFunction是对API挂钩，而MSHookMessageEx则对类的成员函数挂钩。

钩子点分析

先看MSHookFunction,获取它所有的引用点，一共57处。

DirectionTypeAddressText
UppInitFunc_0+6C8BL              _MSHookFunction
UppInitFunc_0+6E4BL              _MSHookFunction
UppInitFunc_0+700BL              _MSHookFunction
UppInitFunc_0+71CBL              _MSHookFunction
UppInitFunc_0+8DCBL              _MSHookFunction
UppInitFunc_0+8F8BL              _MSHookFunction
UppInitFunc_0+9C4BL              _MSHookFunction
UppInitFunc_0+9E0BL              _MSHookFunction
UppInitFunc_0+A9CBL              _MSHookFunction
UppInitFunc_0+1124BL              _MSHookFunction
UppInitFunc_0+1140BL              _MSHookFunction
UppInitFunc_0+115CBL              _MSHookFunction
UppInitFunc_0+1178BL              _MSHookFunction
UppInitFunc_0+1194BL              _MSHookFunction
UppInitFunc_0+11B0BL              _MSHookFunction
UppInitFunc_0+11CCBL              _MSHookFunction
UppInitFunc_0+11E8BL              _MSHookFunction
UppInitFunc_0+1204BL              _MSHookFunction
UppInitFunc_0+1220BL              _MSHookFunction
UppInitFunc_0+123CBL              _MSHookFunction
UppInitFunc_0+1258BL              _MSHookFunction
UppInitFunc_0+1274BL              _MSHookFunction
UppInitFunc_0+1290BL              _MSHookFunction
UppInitFunc_0+12ACBL              _MSHookFunction
UppInitFunc_0+12C8BL              _MSHookFunction
UppInitFunc_0+12E4BL              _MSHookFunction
UppInitFunc_0+1300BL              _MSHookFunction
UppInitFunc_0+131CBL              _MSHookFunction
UppInitFunc_0+1338BL              _MSHookFunction
UppInitFunc_0+1354BL              _MSHookFunction
UppInitFunc_0+1370BL              _MSHookFunction
UppInitFunc_0+138CBL              _MSHookFunction
UppInitFunc_0+13A8BL              _MSHookFunction
UppInitFunc_0+13C4BL              _MSHookFunction
UppInitFunc_0+196CBL              _MSHookFunction
UppInitFunc_0+1988BL              _MSHookFunction
UppInitFunc_0+1E84BL              _MSHookFunction
UppInitFunc_0+1EA0BL              _MSHookFunction
UppInitFunc_0+1EBCBL              _MSHookFunction
UppInitFunc_0+1ED8BL              _MSHookFunction
UppInitFunc_0+2168BL              _MSHookFunction
UppInitFunc_0+2184BL              _MSHookFunction
UppInitFunc_0+21A0BL              _MSHookFunction
UppInitFunc_0+21BCBL              _MSHookFunction
UppInitFunc_0+21D8BL              _MSHookFunction
UppInitFunc_0+21F4BL              _MSHookFunction
UppInitFunc_0+2210BL              _MSHookFunction
UppInitFunc_0+222CBL              _MSHookFunction
UppInitFunc_0+2248BL              _MSHookFunction
UppInitFunc_0+2264BL              _MSHookFunction
UppInitFunc_0+2280BL              _MSHookFunction
UppInitFunc_0+229CBL              _MSHookFunction
UppInitFunc_0+22B8BL              _MSHookFunction
UppInitFunc_0+22D4BL              _MSHookFunction
UppInitFunc_0+2354BL              _MSHookFunction
UppInitFunc_0+2370BL              _MSHookFunction
UppInitFunc_0+23A0BL              _MSHookFunction

先看第一处

Up p InitFunc_0+6C8 BL              _MSHookFunction

按照MSHookFunction的原型

void MSHookFunction(void *symbol, void *hook, void **old);

是找到某个symbol对应的函数，把hook挂在上面，并用old保存原函数地址。

根据InitFunc的位置

__text:000000000000BD10 InitFunc_0

InitFunc_0+6C8就是000000000000C3D8:

__text:000000000000C3C4                 LDR             X0, =_fstat
__text:000000000000C3C8                 ADR             X1, sub_E590
__text:000000000000C3CC                 NOP
__text:000000000000C3D0                 ADR             X2, qword_260A8
__text:000000000000C3D4                 NOP
__text:000000000000C3D8                 BL              _MSHookFunction

可见，这处是用sub_E590对fstat进行挂钩，并把fstat函数地址保存在qword_260A8。那么分析一下sub_E590

__text:000000000000E590 sub_E590                                ; DATA XREF: InitFunc_0+6B8↑o
__text:000000000000E590
__text:000000000000E590 var_440         = -0x440
__text:000000000000E590 var_438         = -0x438
__text:000000000000E590 var_38          = -0x38
__text:000000000000E590 var_30          = -0x30
__text:000000000000E590 var_20          = -0x20
__text:000000000000E590 var_10          = -0x10
__text:000000000000E590 var_s0          =  0
__text:000000000000E590
__text:000000000000E590                 STP             X28, X27, [SP,#-0x10+var_30]!
__text:000000000000E594                 STP             X22, X21, [SP,#0x30+var_20]
__text:000000000000E598                 STP             X20, X19, [SP,#0x30+var_10]
__text:000000000000E59C                 STP             X29, X30, [SP,#0x30+var_s0]
__text:000000000000E5A0                 ADD             X29, SP, #0x30
__text:000000000000E5A4                 SUB             SP, SP, #0x410
__text:000000000000E5A8                 MOV             X19, X1
__text:000000000000E5AC                 MOV             X20, X0
__text:000000000000E5B0                 NOP
__text:000000000000E5B4                 LDR             X8, =___stack_chk_guard
__text:000000000000E5B8                 LDR             X8, [X8]
__text:000000000000E5BC                 STUR            X8, [X29,#var_38]
__text:000000000000E5C0                 ADD             X8, SP, #0x440+var_438
__text:000000000000E5C4                 STR             X8, [SP,#0x440+var_440]
__text:000000000000E5C8                 MOV             W1, #0x32 ; int
__text:000000000000E5CC                 BL              _fcntl
__text:000000000000E5D0                 CMN             W0, #1
__text:000000000000E5D4                 B.EQ            loc_E6C0
__text:000000000000E5D8                 NOP
__text:000000000000E5DC                 LDR             X0, =_OBJC_CLASS_$_NSFileManager ; void *
__text:000000000000E5E0                 NOP
__text:000000000000E5E4                 LDR             X1, =sel_defaultManager ; "defaultManager"
__text:000000000000E5E8                 BL              _objc_msgSend
__text:000000000000E5EC                 MOV             X29, X29
__text:000000000000E5F0                 BL              _objc_retainAutoreleasedReturnValue
__text:000000000000E5F4                 MOV             X22, X0
__text:000000000000E5F8                 ADD             X0, SP, #0x440+var_438 ; char *
__text:000000000000E5FC                 BL              _strlen
__text:000000000000E600                 MOV             X3, X0
__text:000000000000E604                 NOP
__text:000000000000E608                 LDR             X1, =sel_stringWithFileSystemRepresentation_length_ ; "stringWithFileSystemRepresentation:leng"...
__text:000000000000E60C                 ADD             X2, SP, #0x440+var_438
__text:000000000000E610                 MOV             X0, X22 ; void *
__text:000000000000E614                 BL              _objc_msgSend
__text:000000000000E618                 MOV             X29, X29
__text:000000000000E61C                 BL              _objc_retainAutoreleasedReturnValue
__text:000000000000E620                 MOV             X21, X0
__text:000000000000E624                 MOV             X0, X22
__text:000000000000E628                 BL              _objc_release
__text:000000000000E62C                 NOP
__text:000000000000E630                 LDR             X0, qword_26080 ; void *
__text:000000000000E634                 NOP
__text:000000000000E638                 LDR             X1, =sel_isPathRestricted_ ; "isPathRestricted:"
__text:000000000000E63C                 MOV             X2, X21
__text:000000000000E640                 BL              _objc_msgSend
__text:000000000000E644                 CBZ             W0, loc_E664
__text:000000000000E648                 BL              ___error
__text:000000000000E64C                 MOV             W8, #9
__text:000000000000E650                 STR             W8, [X0]
__text:000000000000E654                 MOV             W20, #0xFFFFFFFF
__text:000000000000E658
__text:000000000000E658 loc_E658                                ; CODE XREF: sub_E590+124↓j
__text:000000000000E658                 MOV             X0, X21
__text:000000000000E65C                 BL              _objc_release
__text:000000000000E660                 B               loc_E6D8
__text:000000000000E664 ; ---------------------------------------------------------------------------
__text:000000000000E664
__text:000000000000E664 loc_E664                                ; CODE XREF: sub_E590+B4↑j
__text:000000000000E664                 CBZ             X19, loc_E6B8
__text:000000000000E668                 NOP
__text:000000000000E66C                 LDR             X1, =sel_isEqualToString_ ; "isEqualToString:"
__text:000000000000E670                 ADR             X2, cfstr_Bin ; "/bin"
__text:000000000000E674                 NOP
__text:000000000000E678                 MOV             X0, X21 ; void *
__text:000000000000E67C                 BL              _objc_msgSend
__text:000000000000E680                 CBZ             W0, loc_E6B8
__text:000000000000E684                 NOP
__text:000000000000E688                 LDR             X8, qword_260A8
__text:000000000000E68C                 MOV             X0, X20
__text:000000000000E690                 MOV             X1, X19
__text:000000000000E694                 BLR             X8
__text:000000000000E698                 CBNZ            W0, loc_E6B8
__text:000000000000E69C                 LDR             X8, [X19,#0x60]
__text:000000000000E6A0                 CMP             X8, #0x80
__text:000000000000E6A4                 B.LE            loc_E6B8
__text:000000000000E6A8                 MOV             W20, #0
__text:000000000000E6AC                 MOV             W8, #0x80
__text:000000000000E6B0                 STR             X8, [X19,#0x60]
__text:000000000000E6B4                 B               loc_E658
__text:000000000000E6B8 ; ---------------------------------------------------------------------------
__text:000000000000E6B8
__text:000000000000E6B8 loc_E6B8                                ; CODE XREF: sub_E590:loc_E664↑j
__text:000000000000E6B8                                         ; sub_E590+F0↑j ...
__text:000000000000E6B8                 MOV             X0, X21
__text:000000000000E6BC                 BL              _objc_release
__text:000000000000E6C0
__text:000000000000E6C0 loc_E6C0                                ; CODE XREF: sub_E590+44↑j
__text:000000000000E6C0                 NOP
__text:000000000000E6C4                 LDR             X8, qword_260A8
__text:000000000000E6C8                 MOV             X0, X20
__text:000000000000E6CC                 MOV             X1, X19
__text:000000000000E6D0                 BLR             X8
__text:000000000000E6D4                 MOV             X20, X0
__text:000000000000E6D8
__text:000000000000E6D8 loc_E6D8                                ; CODE XREF: sub_E590+D0↑j
__text:000000000000E6D8                 LDUR            X8, [X29,#var_38]
__text:000000000000E6DC                 NOP
__text:000000000000E6E0                 LDR             X9, =___stack_chk_guard
__text:000000000000E6E4                 LDR             X9, [X9]
__text:000000000000E6E8                 CMP             X9, X8
__text:000000000000E6EC                 B.NE            loc_E70C
__text:000000000000E6F0                 MOV             X0, X20
__text:000000000000E6F4                 ADD             SP, SP, #0x410
__text:000000000000E6F8                 LDP             X29, X30, [SP,#0x30+var_s0]
__text:000000000000E6FC                 LDP             X20, X19, [SP,#0x30+var_10]
__text:000000000000E700                 LDP             X22, X21, [SP,#0x30+var_20]
__text:000000000000E704                 LDP             X28, X27, [SP+0x30+var_30],#0x40
__text:000000000000E708                 RET
__text:000000000000E70C ; ---------------------------------------------------------------------------
__text:000000000000E70C
__text:000000000000E70C loc_E70C                                ; CODE XREF: sub_E590+15C↑j
__text:000000000000E70C                 BL              ___stack_chk_fail
__text:000000000000E70C ; End of function sub_E590

看起来很复杂，其实这个函数是对任何调用fstat的路径判断是否是在指定限制目录或/bin下，如果是就绕过，否则就继续调用qword_260A8(fstat原地址)处理。

按照同样思路分析，可以得到这个表格

原函数	钩子函数作用
fstat	绕过指定限制目录或/bin/下文件
dlopen	绕过指定限制镜像
open	绕过指定限制目录的文件
openat	绕过指定限制目录的文件
NSVersionOfRunTimeLibrary	绕过指定限制镜像
NSVersionOfLinkTimeLibrary	绕过指定限制镜像
opendir	绕过指定限制目录
readdir	绕过指定限制目录
csops	对getpid结果处理
access	对指定限制目录或前缀为/Library/MobileSubstrate绕过
getenv	对DYLD_INSERT_LIBRARIES,_MSSafeMode,_SafeMode绕过
fopen	绕过指定限制目录的文件
freopen	绕过指定限制目录的文件
stat	绕过指定限制目录或/bin/下文件
lstat	绕过指定限制目录或/bin/, /Applications, /usr/share, /usr/libexec, /usr/include, /Library/Ringtones, /Library/Wallpaper下文件
fstatfs	对指定限制目录或前缀为/var, /private/var绕过
statfs	对指定限制目录或前缀为/var, /private/var绕过
posix_spawn	绕过指定限制目录的文件
posix_spawnp	绕过指定限制目录的文件
realpath	绕过指定限制目录的路径
symlink	绕过指定限制目录的路径
rename	绕过指定限制目录的路径
rename	绕过指定限制目录的路径
unlink	绕过指定限制目录的路径
unlinkat	绕过指定限制目录的路径
rmdir	绕过指定限制目录的目录
chdir	绕过指定限制目录的目录
fchdir	绕过指定限制目录的目录
link	绕过指定限制目录的路径
fstatat	绕过指定限制目录的路径
faccessat	绕过指定限制目录的路径
chroot	绕过指定限制目录的路径
sysctl	从内核里获取所有进程，对当前进程比对，并获取当前进程是否被调试
getppid	对指定限制目录的文件绕过
readlink	绕过指定限制目录的路径
readlinkat	绕过指定限制目录的路径
_dyld_image_count	绕过指定限制镜像
_dyld_get_image_name	绕过指定限制镜像
dlopen_preflight	绕过指定限制镜像
dladdr	绕过指定限制镜像
creat	绕过指定限制目录的文件
vfork	直接返回-1，禁止创建进程
fork	直接返回-1，禁止创建进程
popen	直接返回0
setgid,setuid,setegid,seteuid,setreuid,setregid	直接返回-1
getuid，getgid,geteuid,getegid	返回0x1F5
objc_copyImageNames	获取镜像名称和某个库一样，就返回0
objc_copyClassNamesForImage	绕过指定限制镜像
dlsym	对符号前缀为MS,Sub,PS,LM,rocketbootstrap, substitute_,_logos返回0，绕过

再看MSHookMessageEx，它的调用点有149处。它的原型如下

void MSHookMessageEx(Class _class, SEL message, IMP hook, IMP *old);

是找到某个类_class对应的成员函数message，把hook挂在上面，并用old保存原成员函数地址。

像MSHookFunction的方式分析，得到下表

类	钩子函数作用
SpringBoard	返回和黑名单列表匹配的结果
NSData，UIApplication， NSFileManager,NSFileWrapper, NSFileVersion,NSFileHandle, NSURL,NSMutableArray, NSArray,NSMutableDictionary, NSDictionary,NSString,	绕过指定限制目录或指定限制URL的路径
NSBundle	防止获取SignerIdentity, 绕过指定限制目录或指定限制URL的路径
NSProcessInfo,UIImage	绕过指定限制目录的路径
NSDirectoryEnumerator	绕过特定类和限制目录和限制URL
UIDevice	挂钩以下方法isJailbroken,isJailBreak,isJailBroken，均返回0
JailbreakDetectionVC, DTTJailbreakDetection, GBDeviceInfo,CPWRDeviceInfo, CPWRSessionInfo,KSSystemInfo, FCRSystemMetadata,OneSignalJailbreakDetection	挂钩isJailbroken，返回0
ANSMetadata	挂钩computeIsJailbroken,isJailbroken，返回0
AppsFlyerUtils	挂钩isJailBreakon,返回0
CMARAppRestrictionsDelegate	挂钩isDeviceNonCompliant，返回0
ADYSecurityCheck	挂钩isDeviceJailbroken,返回0
UBReportMetadataDevice	挂钩is_rooted,返回0
UtilitySystem,GemaltoConfiguration	挂钩isJailbreak,返回0
EMDSKPPConfiguration	挂钩jailBroken,返回0
EnrollParameters	挂钩jailbroken，返回0
EMDskppConfigurationBuilder	挂钩jailbreakStatus，返回0
v_VDMap	挂钩isJailBrokenDetectedByVOS,isDFPHookedDetecedByVOS, isCodeInjectionDetectedByVOS,isDebuggerCheckDetectedByVOS, isAppSignerCheckDetectedByVOS,v_checkAModified，返回0
SDMUtils	挂钩isJailBroken，返回0
DigiPassHandler	挂钩rootedDeviceTestResult，返回0
AWMyDeviceGeneralInfo	挂钩isCompliant，返回1

其中限制目录，URL或镜像都是取这些目录或以这些目录为前缀

/
/.HFS
/.Trashes
/.ba
/.file
/.mb
/Applications
/Applications/AXUIViewService.app
/Applications/AccountAuthenticationDialog.app
/Applications/ActivityMessagesApp.app
/Applications/AdPlatformsDiagnostics.app
/Applications/AppStore.app
/Applications/AskPermissionUI.app
/Applications/BusinessExtensionsWrapper.app
/Applications/CTCarrierSpaceAuth.app
/Applications/Camera.app
/Applications/CheckerBoard.app
/Applications/CompassCalibrationViewService.app
/Applications/ContinuityCamera.app
/Applications/CoreAuthUI.app
/Applications/DDActionsService.app
/Applications/DNDBuddy.app
/Applications/DataActivation.app
/Applications/DemoApp.app
/Applications/Diagnostics.app
/Applications/DiagnosticsService.app
/Applications/FTMInternal-4.app
/Applications/Family.app
/Applications/Feedback
/Applications/FieldTest.app
/Applications/FindMyiPhone.app
/Applications/FunCameraShapes.app
/Applications/FunCameraText.app
/Applications/GameCenterUIService.app
/Applications/HashtagImages.app
/Applications/Health.app
/Applications/HealthPrivacyService.app
/Applications/HomeUIService.app
/Applications/InCallService.app
/Applications/Magnifier.app
/Applications/MailCompositionService.app
/Applications/MessagesViewService.app
/Applications/MobilePhone.app
/Applications/MobileSMS.app
/Applications/MobileSafari.app
/Applications/MobileSlideShow.app
/Applications/MobileTimer.app
/Applications/MusicUIService.app
/Applications/Passbook.app
/Applications/PassbookUIService.app
/Applications/PhotosViewService.app
/Applications/PreBoard.app
/Applications/Preferences.app
/Applications/Print
/Applications/SIMSetupUIService.app
/Applications/SLGoogleAuth.app
/Applications/SLYahooAuth.app
/Applications/SafariViewService.app
/Applications/ScreenSharingViewService.app
/Applications/ScreenshotServicesService.app
/Applications/Setup.app
/Applications/SharedWebCredentialViewService.app
/Applications/SharingViewService.app
/Applications/SiriViewService.app
/Applications/SoftwareUpdateUIService.app
/Applications/StoreDemoViewService.app
/Applications/StoreKitUIService.app
/Applications/TrustMe.app
/Applications/Utilities
/Applications/VideoSubscriberAccountViewService.app
/Applications/WLAccessService.app
/Applications/Web.app
/Applications/WebApp1.app
/Applications/WebContentAnalysisUI.app
/Applications/WebSheet.app
/Applications/iAdOptOut.app
/Applications/iCloud.app
/Developer
/Library
/Library/Application
/Library/Application
/Library/Application
/Library/Audio
/Library/Caches
/Library/Caches/cy-
/Library/Filesystems
/Library/Frameworks
/Library/Frameworks/Cephei.framework/Cephei
/Library/Frameworks/CydiaSubstrate.framework/CydiaSubstrate
/Library/Internet
/Library/Keychains
/Library/LaunchAgents
/Library/LaunchDaemons
/Library/Logs
/Library/Managed
/Library/MobileDevice
/Library/MobileSubstrate
/Library/MobileSubstrate/DynamicLibraries/0Shadow.dylib
/Library/MusicUISupport
/Library/PreferenceBundles
/Library/Preferences
/Library/Printers
/Library/Ringtones
/Library/SnowBoard
/Library/Themes
/Library/TweakInject
/Library/Updates
/Library/Wallpaper
/System
/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation
/System/Library/Frameworks/Foundation.framework/Foundation
/System/Library/PreferenceBundles/AppList.bundle
/User/Library/Preferences
/bin
/bin/df
/bin/ps
/cores
/dev
/dev/dlci.
/dev/kmem
/dev/mem
/dev/vn0
/dev/vn1
/etc
/etc/asl
/etc/asl.conf
/etc/fstab
/etc/group
/etc/hosts
/etc/hosts.equiv
/etc/master.passwd
/etc/networks
/etc/notify.conf
/etc/passwd
/etc/ppp
/etc/protocols
/etc/racoon
/etc/services
/etc/ttys
/lib
/mnt
/private
/private/etc
/private/system_data
/private/var
/private/var/containers/Bundle/Application
/private/var/mobile/Containers/Bundle/Application
/private/xarts
/sbin
/sbin/fsck
/sbin/launchd
/sbin/mount
/sbin/pfctl
/tmp
/tmp/Substrate
/tmp/amfid_payload.alive
/tmp/amfidebilitate.out
/tmp/com.apple
/tmp/cydia.log
/tmp/jailbreakd.pid
/tmp/org.coolstar
/tmp/slide.txt
/tmp/substrate
/tmp/syslog
/usr
/usr/bin
/usr/bin/DumpBasebandCrash
/usr/bin/PerfPowerServicesExtended
/usr/bin/abmlite
/usr/bin/brctl
/usr/bin/footprint
/usr/bin/hidutil
/usr/bin/hpmdiagnose
/usr/bin/kbdebug
/usr/bin/powerlogHelperd
/usr/bin/sysdiagnose
/usr/bin/tailspin
/usr/bin/taskinfo
/usr/bin/vm_stat
/usr/bin/zprint
/usr/include
/usr/lib
/usr/lib/FDRSealingMap.plist
/usr/lib/TweakInject
/usr/lib/apt
/usr/lib/bash
/usr/lib/bbmasks
/usr/lib/cycript
/usr/lib/dyld
/usr/lib/lib%@.dylib
/usr/lib/libCRFSuite
/usr/lib/libDHCPServer
/usr/lib/libMatch
/usr/lib/libSubstitrate
/usr/lib/libSystem
/usr/lib/libSystem.B.dylib
/usr/lib/libarchive
/usr/lib/libbsm
/usr/lib/libbz2
/usr/lib/libc
/usr/lib/libc++
/usr/lib/libc++.1.dylib
/usr/lib/libcharset
/usr/lib/libcurses
/usr/lib/libdbm
/usr/lib/libdl
/usr/lib/libeasyperf
/usr/lib/libedit
/usr/lib/libexslt
/usr/lib/libextension
/usr/lib/libform
/usr/lib/libiconv
/usr/lib/libicucore
/usr/lib/libinfo
/usr/lib/libipsec
/usr/lib/liblzma
/usr/lib/libm
/usr/lib/libmecab
/usr/lib/libmis.dylib
/usr/lib/libncurses
/usr/lib/libobjc
/usr/lib/libobjc.A.dylib
/usr/lib/libpcap
/usr/lib/libperfcheck
/usr/lib/libpmsample
/usr/lib/libpoll
/usr/lib/libproc
/usr/lib/libpthread
/usr/lib/libresolv
/usr/lib/librpcsvc
/usr/lib/libsandbox
/usr/lib/libsqlite3
/usr/lib/libstdc++
/usr/lib/libsubstitute
/usr/lib/libsubstitute.dylib
/usr/lib/libsubstrate
/usr/lib/libtidy
/usr/lib/libutil
/usr/lib/libxml2
/usr/lib/libxslt
/usr/lib/libz
/usr/lib/log
/usr/lib/substrate
/usr/lib/system
/usr/lib/tweaks
/usr/lib/updaters
/usr/lib/xpc
/usr/libexec
/usr/libexec/BackupAgent
/usr/libexec/BackupAgent2
/usr/libexec/CrashHousekeeping
/usr/libexec/DataDetectorsSourceAccess
/usr/libexec/FSTaskScheduler
/usr/libexec/FinishRestoreFromBackup
/usr/libexec/IOAccelMemoryInfoCollector
/usr/libexec/IOMFB_bics_daemon
/usr/libexec/Library
/usr/libexec/MobileGestaltHelper
/usr/libexec/MobileStorageMounter
/usr/libexec/NANDTaskScheduler
/usr/libexec/OTATaskingAgent
/usr/libexec/PowerUIAgent
/usr/libexec/PreboardService
/usr/libexec/ProxiedCrashCopier
/usr/libexec/PurpleReverseProxy
/usr/libexec/ReportMemoryException
/usr/libexec/SafariCloudHistoryPushAgent
/usr/libexec/SidecarRelay
/usr/libexec/SyncAgent
/usr/libexec/UserEventAgent
/usr/libexec/addressbooksyncd
/usr/libexec/adid
/usr/libexec/adprivacyd
/usr/libexec/adservicesd
/usr/libexec/afcd
/usr/libexec/airtunesd
/usr/libexec/amfid
/usr/libexec/asd
/usr/libexec/assertiond
/usr/libexec/atc
/usr/libexec/atwakeup
/usr/libexec/backboardd
/usr/libexec/biometrickitd
/usr/libexec/bootpd
/usr/libexec/bulletindistributord
/usr/libexec/captiveagent
/usr/libexec/cc_fips_test
/usr/libexec/checkpointd
/usr/libexec/cloudpaird
/usr/libexec/com.apple.automation.defaultslockdownserviced
/usr/libexec/companion_proxy
/usr/libexec/configd
/usr/libexec/corecaptured
/usr/libexec/coreduetd
/usr/libexec/crash_mover
/usr/libexec/dasd
/usr/libexec/demod
/usr/libexec/demod_helper
/usr/libexec/dhcpd
/usr/libexec/diagnosticd
/usr/libexec/diagnosticextensionsd
/usr/libexec/dmd
/usr/libexec/dprivacyd
/usr/libexec/dtrace
/usr/libexec/duetexpertd
/usr/libexec/eventkitsyncd
/usr/libexec/fdrhelper
/usr/libexec/findmydeviced
/usr/libexec/finish_demo_restore
/usr/libexec/fmfd
/usr/libexec/fmflocatord
/usr/libexec/fseventsd
/usr/libexec/ftp-proxy
/usr/libexec/gamecontrollerd
/usr/libexec/gamed
/usr/libexec/gpsd
/usr/libexec/hangreporter
/usr/libexec/hangtracerd
/usr/libexec/heartbeatd
/usr/libexec/hostapd
/usr/libexec/idamd
/usr/libexec/init_data_protection
/usr/libexec/installd
/usr/libexec/ioupsd
/usr/libexec/keybagd
/usr/libexec/languageassetd
/usr/libexec/locationd
/usr/libexec/lockdownd
/usr/libexec/logd
/usr/libexec/lsd
/usr/libexec/lskdd
/usr/libexec/lskdmsed
/usr/libexec/magicswitchd
/usr/libexec/mc_mobile_tunnel
/usr/libexec/microstackshot
/usr/libexec/misagent
/usr/libexec/misd
/usr/libexec/mmaintenanced
/usr/libexec/mobile_assertion_agent
/usr/libexec/mobile_diagnostics_relay
/usr/libexec/mobile_house_arrest
/usr/libexec/mobile_installation_proxy
/usr/libexec/mobile_obliterator
/usr/libexec/mobile_storage_proxy
/usr/libexec/mobileactivationd
/usr/libexec/mobileassetd
/usr/libexec/mobilewatchdog
/usr/libexec/mtmergeprops
/usr/libexec/nanomediaremotelinkagent
/usr/libexec/nanoregistryd
/usr/libexec/nanoregistrylaunchd
/usr/libexec/neagent
/usr/libexec/nehelper
/usr/libexec/nesessionmanager
/usr/libexec/networkserviceproxy
/usr/libexec/nfcd
/usr/libexec/nfrestore_service
/usr/libexec/nlcd
/usr/libexec/notification_proxy
/usr/libexec/nptocompaniond
/usr/libexec/nsurlsessiond
/usr/libexec/nsurlstoraged
/usr/libexec/online-auth-agent
/usr/libexec/oscard
/usr/libexec/pcapd
/usr/libexec/pcsstatus
/usr/libexec/pfd
/usr/libexec/pipelined
/usr/libexec/pkd
/usr/libexec/pkreporter
/usr/libexec/ptpd
/usr/libexec/rapportd
/usr/libexec/replayd
/usr/libexec/resourcegrabberd
/usr/libexec/rolld
/usr/libexec/routined
/usr/libexec/rtbuddyd
/usr/libexec/rtcreportingd
/usr/libexec/safarifetcherd
/usr/libexec/screenshotsyncd
/usr/libexec/security-sysdiagnose
/usr/libexec/securityd
/usr/libexec/securityuploadd
/usr/libexec/seld
/usr/libexec/seputil
/usr/libexec/sharingd
/usr/libexec/signpost_reporter
/usr/libexec/silhouette
/usr/libexec/siriknowledged
/usr/libexec/smcDiagnose
/usr/libexec/splashboardd
/usr/libexec/springboardservicesrelay
/usr/libexec/streaming_zip_conduit
/usr/libexec/swcd
/usr/libexec/symptomsd
/usr/libexec/symptomsd-helper
/usr/libexec/sysdiagnose_helper
/usr/libexec/sysstatuscheck
/usr/libexec/tailspind
/usr/libexec/timed
/usr/libexec/tipsd
/usr/libexec/topicsmap.db
/usr/libexec/transitd
/usr/libexec/trustd
/usr/libexec/tursd
/usr/libexec/tzd
/usr/libexec/tzinit
/usr/libexec/tzlinkd
/usr/libexec/videosubscriptionsd
/usr/libexec/wapic
/usr/libexec/wcd
/usr/libexec/webbookmarksd
/usr/libexec/webinspectord
/usr/libexec/wifiFirmwareLoader
/usr/libexec/wifivelocityd
/usr/libexec/xpcproxy
/usr/libexec/xpcroleaccountd
/usr/local
/usr/local/bin
/usr/local/lib
/usr/local/standalone
/usr/sbin
/usr/sbin/BTAvrcp
/usr/sbin/BTLEServer
/usr/sbin/BTMap
/usr/sbin/BTPbap
/usr/sbin/BlueTool
/usr/sbin/WiFiNetworkStoreModel.momd
/usr/sbin/WirelessRadioManagerd
/usr/sbin/absd
/usr/sbin/addNetworkInterface
/usr/sbin/applecamerad
/usr/sbin/aslmanager
/usr/sbin/bluetoothd
/usr/sbin/cfprefsd
/usr/sbin/ckksctl
/usr/sbin/distnoted
/usr/sbin/fairplayd.H2
/usr/sbin/filecoordinationd
/usr/sbin/ioreg
/usr/sbin/ipconfig
/usr/sbin/mDNSResponder
/usr/sbin/mDNSResponderHelper
/usr/sbin/mediaserverd
/usr/sbin/notifyd
/usr/sbin/nvram
/usr/sbin/pppd
/usr/sbin/racoon
/usr/sbin/rtadvd
/usr/sbin/scutil
/usr/sbin/spindump
/usr/sbin/syslogd
/usr/sbin/wifid
/usr/sbin/wirelessproxd
/usr/share
/usr/share/CSI
/usr/share/com.apple.languageassetd
/usr/share/firmware
/usr/share/icu
/usr/share/langid
/usr/share/locale
/usr/share/mecabra
/usr/share/misc
/usr/share/progressui
/usr/share/tokenizer
/usr/share/zoneinfo
/usr/share/zoneinfo.default
/usr/standalone
/var
/var/.DocumentRevisions
/var/.fseventsd
/var/.overprovisioning_file
/var/Keychains
/var/Managed
/var/MobileAsset
/var/MobileDevice
/var/MobileSoftwareUpdate
/var/audit
/var/backups
/var/buddy
/var/containers
/var/containers/Bundle
/var/containers/Bundle/Application
/var/containers/Bundle/Framework
/var/containers/Bundle/PluginKitPlugin
/var/containers/Bundle/VPNPlugin
/var/containers/Bundle/dylibs
/var/containers/Bundle/tweaksupport
/var/cores
/var/db
/var/db/stash
/var/ea
/var/empty
/var/folders
/var/hardware
/var/installd
/var/internal
/var/keybags
/var/lib
/var/lib/dpkg/info
/var/local
/var/lock
/var/log
/var/log/asl
/var/log/com.apple.xpc.launchd
/var/log/corecaptured.log
/var/log/ppp
/var/log/ppp.log
/var/log/racoon.log
/var/log/sa
/var/logs
/var/mobile
/var/mobile/Applications
/var/mobile/Containers
/var/mobile/Containers/Bundle/Application
/var/mobile/Containers/Data
/var/mobile/Containers/Data/Application
/var/mobile/Containers/Data/InternalDaemon
/var/mobile/Containers/Data/PluginKitPlugin
/var/mobile/Containers/Data/TempDir
/var/mobile/Containers/Data/VPNPlugin
/var/mobile/Containers/Data/XPCService
/var/mobile/Containers/Shared
/var/mobile/Containers/Shared/AppGroup
/var/mobile/Documents
/var/mobile/Downloads
/var/mobile/Library
/var/mobile/Library/Caches
/var/mobile/Library/Caches/.com.apple
/var/mobile/Library/Caches/ACMigrationLock
/var/mobile/Library/Caches/AccountMigrationInProgress
/var/mobile/Library/Caches/AdMob
/var/mobile/Library/Caches/BTAvrcp
/var/mobile/Library/Caches/Checkpoint.plist
/var/mobile/Library/Caches/CloudKit
/var/mobile/Library/Caches/DateFormats.plist
/var/mobile/Library/Caches/FamilyCircle
/var/mobile/Library/Caches/GameKit
/var/mobile/Library/Caches/GeoServices
/var/mobile/Library/Caches/MappedImageCache
/var/mobile/Library/Caches/OTACrashCopier
/var/mobile/Library/Caches/PassKit
/var/mobile/Library/Caches/Snapshots
/var/mobile/Library/Caches/Snapshots/com.apple
/var/mobile/Library/Caches/TelephonyUI
/var/mobile/Library/Caches/Weather
/var/mobile/Library/Caches/cache
/var/mobile/Library/Caches/ckkeyrolld
/var/mobile/Library/Caches/com.apple
/var/mobile/Library/Caches/rtcreportingd
/var/mobile/Library/Caches/sharedCaches
/var/mobile/Library/ControlCenter
/var/mobile/Library/ControlCenter/ModuleConfiguration.plist
/var/mobile/Library/Cydia
/var/mobile/Library/Logs/Cydia
/var/mobile/Library/Preferences
/var/mobile/Library/Preferences/.GlobalPreferences.plist
/var/mobile/Library/Preferences/UITextInputContextIdentifiers.plist
/var/mobile/Library/Preferences/Wallpaper.png
/var/mobile/Library/Preferences/ckkeyrolld.plist
/var/mobile/Library/Preferences/com.apple.
/var/mobile/Library/Preferences/nfcd.plist
/var/mobile/Library/SBSettings
/var/mobile/Library/Sileo
/var/mobile/Media
/var/mobile/MobileSoftwareUpdate
/var/msgs
/var/networkd
/var/preferences
/var/root
/var/run
/var/run/asl_input
/var/run/configd.pid
/var/run/fudinit
/var/run/lockbot
/var/run/lockdown
/var/run/lockdown.sock
/var/run/lockdown_first_run
/var/run/mDNSResponder
/var/run/pppconfd
/var/run/printd
/var/run/syslog
/var/run/syslog.pid
/var/run/utmpx
/var/run/vpncontrol.sock
/var/spool
/var/staged_system_apps
/var/tmp
/var/vm
/var/wireless

除了上面目录，还对这些路径匹配绕过

list
firmware-sbin.list
gsc.firmware-sbin.list

同时对包含这些字段的路径绕过

Substrate
substrate
substitute
Substitrate
TweakInject
jailbreak
cycript
SBInject
pspawn
rocketbootstrap
bfdecrypt

对URL包含这种模式绕过

cydia
sileo

检测

从上面来看，这个越狱工具从目录和系统API上做了很多绕过措施，但还是有地方囊括不够的。

对比在基本思路里的几条，基本如下

保护环境变量的访问 ---- 有部分

禁止某些命令的执行 --- 没有

禁止某些路径访问 ---- 有

禁止某些系统参数访问 -- 有部分

挂钩某些系统调用 --- 有部分

那么检测方案可以这样：

没有挂钩mkdir，考虑使用mkdir在正常情况下禁止访问的目录下创建子目录，如果OK，就说明是被越狱。

没有挂钩execve，可以考虑执行一个正常情况下禁止执行的程序，如果成功，说明被越狱。

没有挂钩ptrace，可以使用它进行自身调试，如果成功，说明被越狱

创建一个库，里面定义一些函数是MS,Sub,PS,LM,rocketbootstrap, substitute_,_logos为前缀的，如果调用dlsym返回失败，说明被越狱

只对sysctl挂钩了，但对sysctlbyname,sysctlnametomib没有挂钩，可以调用这两个函数来获取进程信息。同时sysctl也并不是所有情况都处理了，比如获取硬件信息就没有。这三个系统调用可以获取一些高权限信息，说明被越狱

不引入其它检测越狱的库，但自己实现一个同名的类和方法，比如SDMUtils和方法isJailBroken，这个方法只返回一个结果，就是1。如果调用这个方法，返回值为0，那么说明被越狱

还有很多，不过，本人对iOS不熟悉，对它的系统调用也不熟悉，只能给出这些。

审核编辑：刘清

打开APP阅读更多精彩内容