iOS Reverse Engineering 25: Jailbreak Protection

Series index: iOS Internals Articles (iOS底层原理文章汇总)
The previous article, iOS-逆向24-越狱调试 (jailbreak debugging), introduced debugging on a jailbroken device and verified by elimination that the tweak dylib built by Theos is loaded by adding it to DYLD_INSERT_LIBRARIES. This article explains how DYLD_INSERT_LIBRARIES injection works and how an app can defend against it.


1. Jailbreak tweaks are injected through DYLD_INSERT_LIBRARIES

If the process is restricted (gLinkContext.processIsRestricted), dyld prunes the DYLD_* environment variables before it loads anything, so the tweak is never inserted. Making your own process restricted therefore blocks every tweak that relies on DYLD_INSERT_LIBRARIES (the Substrate/Theos loading path), which makes it a usable protection technique. It only covers that injection path; it does nothing against an attacker who patches the binary itself, as section 4 shows.

    if ( gLinkContext.processIsRestricted ) {
        pruneEnvironmentVariables(envp, &apple);
        // set again because envp and apple may have changed or moved
        setContext(mainExecutableMH, argc, argv, envp, apple);
    }

When is processIsRestricted set to true? From dyld's _main():

    // any processes with setuid or setgid bit set or with __RESTRICT segment is restricted
    if ( issetugid() || hasRestrictedSegment(mainExecutableMH) ) {
        gLinkContext.processIsRestricted = true;
    }
    bool usingSIP = (csr_check(CSR_ALLOW_TASK_FOR_PID) != 0);
    uint32_t flags;
    if ( csops(0, CS_OPS_STATUS, &flags, sizeof(flags)) != -1 ) {
        // On OS X CS_RESTRICT means the program was signed with entitlements
        if ( ((flags & CS_RESTRICT) == CS_RESTRICT) && usingSIP ) {
            gLinkContext.processIsRestricted = true;
        }
        // Library Validation loosens searching but requires everything to be code signed
        if ( flags & CS_REQUIRE_LV ) {
            gLinkContext.processIsRestricted = false;
            //gLinkContext.requireCodeSignature = true;
            gLinkContext.processUsingLibraryValidation = true;
            sSafeMode = usingSIP;
        }
    }
    
Reading the Mach-O: walk the load commands, then the segments. In the MachOView screenshot the segment name (segname) is the left column and the section name the right one.
#if __MAC_OS_X_VERSION_MIN_REQUIRED
static bool hasRestrictedSegment(const macho_header* mh)
{
    const uint32_t cmd_count = mh->ncmds;
    const struct load_command* const cmds = (struct load_command*)(((char*)mh)+sizeof(macho_header));
    const struct load_command* cmd = cmds;
    for (uint32_t i = 0; i < cmd_count; ++i) {
        switch (cmd->cmd) {
            case LC_SEGMENT_COMMAND:
            {
                const struct macho_segment_command* seg = (struct macho_segment_command*)cmd;
                
                //dyld::log("seg name: %s\n", seg->segname);
                if (strcmp(seg->segname, "__RESTRICT") == 0) {
                    const struct macho_section* const sectionsStart = (struct macho_section*)((char*)seg + sizeof(struct macho_segment_command));
                    const struct macho_section* const sectionsEnd = &sectionsStart[seg->nsects];
                    for (const struct macho_section* sect=sectionsStart; sect < sectionsEnd; ++sect) {
                        if (strcmp(sect->sectname, "__restrict") == 0) 
                            return true;
                    }
                }
            }
            break;
        }
        cmd = (const struct load_command*)(((char*)cmd)+cmd->cmdsize);
    }
        
    return false;
}

Walking the sections: hasRestrictedSegment returns true only when a segment named __RESTRICT contains a section named __restrict; in every other case it returns false. Note the `#if __MAC_OS_X_VERSION_MIN_REQUIRED` guard above this function in the dyld source: whether a given dyld build still compiles this check decides whether the protection works at all, which section 3 tests on two devices.

How do we get a __RESTRICT segment with a __restrict section into our own Mach-O?
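To make the check concrete, here is an added example in C (not code from the page or from dyld): a bounds-checked port of hasRestrictedSegment that reads a 64-bit Mach-O from a byte buffer, plus a builder for a minimal in-memory image so it can be exercised on any host without a device. The Mach-O structures and constants are restated locally to mirror <mach-o/loader.h>; the images it builds are constructed test input, not real binaries. The second case renames the section the way section 4's binary patch does, which is enough to make the check return false.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal 64-bit Mach-O definitions mirroring <mach-o/loader.h>, so this
 * builds on any host and not only where Apple's headers exist. */
#define MH_MAGIC_64   0xfeedfacfu
#define LC_SEGMENT_64 0x19u

struct mach_header_64 {
    uint32_t magic, cputype, cpusubtype, filetype;
    uint32_t ncmds, sizeofcmds, flags, reserved;
};
struct load_command { uint32_t cmd, cmdsize; };
struct segment_command_64 {
    uint32_t cmd, cmdsize;
    char     segname[16];
    uint64_t vmaddr, vmsize, fileoff, filesize;
    int32_t  maxprot, initprot;
    uint32_t nsects, flags;
};
struct section_64 {
    char     sectname[16], segname[16];
    uint64_t addr, size;
    uint32_t offset, align, reloff, nreloc, flags, reserved1, reserved2, reserved3;
};

/* dyld's hasRestrictedSegment() logic, but bounds-checked: dyld may trust
 * ncmds/cmdsize because the kernel already mapped the image, a tool reading an
 * untrusted file may not. Names are compared over the whole 16-byte field
 * because segname/sectname need not be NUL-terminated. */
static bool has_restricted_segment(const uint8_t *buf, size_t len) {
    struct mach_header_64 mh;
    if (len < sizeof mh) return false;
    memcpy(&mh, buf, sizeof mh);
    if (mh.magic != MH_MAGIC_64) return false;   /* 32-bit and fat files not handled here */

    size_t off = sizeof mh;
    size_t end = sizeof mh + mh.sizeofcmds;
    if (end > len) return false;
    for (uint32_t i = 0; i < mh.ncmds; i++) {
        struct load_command lc;
        if (off + sizeof lc > end) return false;
        memcpy(&lc, buf + off, sizeof lc);
        if (lc.cmdsize < sizeof lc || lc.cmdsize > end - off) return false;
        if (lc.cmd == LC_SEGMENT_64 && lc.cmdsize >= sizeof(struct segment_command_64)) {
            struct segment_command_64 seg;
            memcpy(&seg, buf + off, sizeof seg);
            if (strncmp(seg.segname, "__RESTRICT", sizeof seg.segname) == 0) {
                size_t sect_off = off + sizeof seg;
                for (uint32_t s = 0; s < seg.nsects; s++) {
                    struct section_64 sect;
                    if (sect_off + sizeof sect > off + lc.cmdsize) return false;
                    memcpy(&sect, buf + sect_off, sizeof sect);
                    if (strncmp(sect.sectname, "__restrict", sizeof sect.sectname) == 0) return true;
                    sect_off += sizeof sect;
                }
            }
        }
        off += lc.cmdsize;
    }
    return false;
}

/* Copy a name into a 16-byte Mach-O name field, NUL-padded, never overrun. */
static void set_name(char dst[16], const char *src) {
    size_t i = 0;
    for (; i < 16 && src[i] != '\0'; i++) dst[i] = src[i];
    for (; i < 16; i++) dst[i] = '\0';
}

/* Build a minimal image with one LC_SEGMENT_64 holding one section, the shape
 * that -Wl,-sectcreate,__RESTRICT,__restrict,/dev/null adds to a real binary.
 * Constructed test input; returns bytes written, or 0 if cap is too small. */
static size_t build_image(uint8_t *out, size_t cap, const char *segname, const char *sectname) {
    struct mach_header_64 mh = {0};
    struct segment_command_64 seg = {0};
    struct section_64 sect = {0};
    size_t need = sizeof mh + sizeof seg + sizeof sect;
    if (cap < need) return 0;
    mh.magic = MH_MAGIC_64;
    mh.ncmds = 1;
    mh.sizeofcmds = (uint32_t)(sizeof seg + sizeof sect);
    seg.cmd = LC_SEGMENT_64;
    seg.cmdsize = mh.sizeofcmds;
    seg.nsects = 1;
    set_name(seg.segname, segname);
    set_name(sect.segname, segname);
    set_name(sect.sectname, sectname);
    memcpy(out, &mh, sizeof mh);
    memcpy(out + sizeof mh, &seg, sizeof seg);
    memcpy(out + sizeof mh + sizeof seg, &sect, sizeof sect);
    return need;
}

/* Image exactly as the linker flag produces it: the check fires. */
static bool protected_image_is_restricted(void) {
    uint8_t buf[256];
    size_t n = build_image(buf, sizeof buf, "__RESTRICT", "__restrict");
    return has_restricted_segment(buf, n);
}

/* Section 4's attack: rename the section in place (one byte is enough), re-sign. */
static bool patched_image_is_restricted(void) {
    uint8_t buf[256];
    size_t n = build_image(buf, sizeof buf, "__RESTRICT", "__restrict");
    size_t sectname_off = sizeof(struct mach_header_64) + sizeof(struct segment_command_64);
    buf[sectname_off + 9] = 'X';   /* "__restrict" becomes "__restricX" */
    return has_restricted_segment(buf, n);
}

/* A truncated file is rejected instead of being read past its end. */
static bool truncated_image_is_restricted(void) {
    uint8_t buf[256];
    size_t n = build_image(buf, sizeof buf, "__RESTRICT", "__restrict");
    return has_restricted_segment(buf, n - 1);
}

int main(void) {
    printf("protected: %d\n", protected_image_is_restricted());
    printf("patched:   %d\n", patched_image_is_restricted());
    printf("truncated: %d\n", truncated_image_is_restricted());
    return 0;
}
```

The same parser, pointed at a file read from disk, is what you would use on the Mac to confirm that the linker flag in section 3 really produced the section before shipping a build.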

2. Hooking a method with a Theos tweak

#import "ViewController.h"

@interface ViewController ()

@end

@implementation ViewController

- (void)viewDidLoad {
    [super viewDidLoad];
    // Do any additional setup after loading the view.
}
- (void)touchesBegan:(NSSet *)touches withEvent:(UIEvent *)event{
    // Tap the screen to exit the app
    exit(0);
}
@end

 Cloud@Mac  ~/Desktop/AntiTweak  nic.pl
NIC 2.0 - New Instance Creator
------------------------------
  [1.] iphone/activator_event
  [2.] iphone/activator_listener
  [3.] iphone/application_modern
  [4.] iphone/application_swift
  [5.] iphone/cydget
  [6.] iphone/flipswitch_switch
  [7.] iphone/framework
  [8.] iphone/library
  [9.] iphone/notification_center_widget
  [10.] iphone/notification_center_widget-7up
  [11.] iphone/preference_bundle_modern
  [12.] iphone/theme
  [13.] iphone/tool
  [14.] iphone/tool_swift
  [15.] iphone/tweak
  [16.] iphone/tweak_with_simple_preferences
  [17.] iphone/xpc_service
Choose a Template (required): 15
Project Name (required): AntiTweakDemo
Package Name [com.yourcompany.antitweakdemo]: com.cloud.antitweakdemo
Author/Maintainer Name [Cloud]:
[iphone/tweak] MobileSubstrate Bundle filter [com.apple.springboard]: com.cloud.AntiTweak
[iphone/tweak] List of applications to terminate upon installation (space-separated, '-' for none) [SpringBoard]:
Instantiating iphone/tweak in antitweakdemo/...
Done.
 Cloud@Mac  ~/Desktop/AntiTweak 

The device variables are already exported in .zshrc, so nothing has to be set again in the Theos Makefile:

export THEOS_DEVICE_IP=localhost
export THEOS_DEVICE_PORT=12345

#import <UIKit/UIKit.h>
%hook ViewController

- (void)touchesBegan:(NSSet *)touches withEvent:(UIEvent *)event{

    NSLog(@"破解成功!!!");
}
%end

make; make package; make install
Rerun the app and tap the screen: instead of exiting it now logs 破解成功!!! ("hooked successfully"), so the tweak is in control of touchesBegan:withEvent:.

3. How do we protect the app so outsiders cannot hook it?

I. In Build Settings, add -Wl,-sectcreate,__RESTRICT,__restrict,/dev/null to Other Linker Flags. This tells ld to create a section named __restrict inside a segment named __RESTRICT, with /dev/null (zero bytes) as its content; the section only needs to exist, not to hold anything.


II. After building, inspect the Mach-O: a Section64(__RESTRICT,__restrict) is now present.

III. Per the dyld source, hasRestrictedSegment now returns true, so gLinkContext.processIsRestricted is set to true and pruneEnvironmentVariables strips the DYLD_* variables. DYLD_INSERT_LIBRARIES is gone before any library is loaded, the tweak dylib is never inserted, and the protection takes effect.

Run it now and tap the screen: the app exits, so the protection works. The AntiTweakDemo tweak is still installed, but it is no longer injected.

The above was on an iPhone 6 running iOS 9.2.1.
Now switch to a device running iOS 11.0.
Re-running make; make package; make install first fails with an SSH host-key warning (the "possible man-in-the-middle attack" message, because a different device now answers on the forwarded port). Remove the 127.0.0.1 entry from ~/.ssh/known_hosts (vim ~/.ssh/known_hosts) and rerun make package; make install.

Run the app and tap the screen: on iOS 11.0 the hook still fires, so the -Wl,-sectcreate,__RESTRICT,__restrict,/dev/null setting has no effect there. dyld on iOS 11 no longer consults the __RESTRICT segment when deciding whether the process is restricted, so this protection no longer holds.

Early versions of Alipay used this method; it only works on iOS 10 and earlier. Note that DYLD_INSERT_LIBRARIES governs only inserted dylibs: it has no effect on the app's own embedded libraries or on system libraries, because those are linked dependencies rather than inserted ones.

4. Defeating the protection by patching the binary

On older jailbroken devices (iOS 10 and below) the protection holds. To get past it, open the Mach-O in a binary editor, change the name bytes of Section(__RESTRICT,__restrict), and re-sign the app. hasRestrictedSegment no longer finds the pair, so the -Wl,-sectcreate,__RESTRICT,__restrict,/dev/null configuration is neutralised.


Save and re-inspect the Mach-O sections: the section name has changed.

After patching and re-signing, run again: the protection is bypassed.

5. The binary was modified; can we detect the modification, i.e. notice that someone has defeated the protection?

Reuse the dyld logic inside the app: run a copy of hasRestrictedSegment against our own image at startup. If the __RESTRICT/__restrict pair has been patched out it returns false, and at that point the app can alert the server. To simulate the tampering during development, simply change the -Wl,-sectcreate,__RESTRICT,__restrict,/dev/null value in Build Settings.

#import "ViewController.h"

#import <mach-o/dyld.h>
#import <mach-o/loader.h>
#import <stdbool.h>
#import <string.h>

#if __LP64__
    #define macho_header              mach_header_64
    #define LC_SEGMENT_COMMAND        LC_SEGMENT_64
    #define LC_SEGMENT_COMMAND_WRONG  LC_SEGMENT
    #define LC_ENCRYPT_COMMAND        LC_ENCRYPTION_INFO
    #define macho_segment_command     segment_command_64
    #define macho_section             section_64
#else
    #define macho_header              mach_header
    #define LC_SEGMENT_COMMAND        LC_SEGMENT
    #define LC_SEGMENT_COMMAND_WRONG  LC_SEGMENT_64
    #define LC_ENCRYPT_COMMAND        LC_ENCRYPTION_INFO_64
    #define macho_segment_command     segment_command
    #define macho_section             section
#endif

// Forward declaration: +load below calls this before its definition.
static bool hk_hasRestrictedSegment(const struct macho_header* mh);

@interface ViewController ()

@end

@implementation ViewController
+(void)load
{
    // Image index 0 is the main executable, i.e. our own Mach-O.
    const struct macho_header * header = (const struct macho_header *)_dyld_get_image_header(0);
    if (hk_hasRestrictedSegment(header)) {
        NSLog(@"__RESTRICT intact: tweak injection is blocked");
    }else{
        NSLog(@"Binary has been modified!");
        exit(0); // Marker for the demo only: in production report to the server instead of exiting
    }
}
- (void)viewDidLoad {
    [super viewDidLoad];
    NSLog(@"123");
    // Do any additional setup after loading the view.
}
- (void)touchesBegan:(NSSet *)touches withEvent:(UIEvent *)event{
    exit(0);
}
// Copy of dyld's hasRestrictedSegment(): walk the load commands of our own image
// looking for a __RESTRICT segment that contains a __restrict section.
static bool hk_hasRestrictedSegment(const struct macho_header* mh)
{
    const uint32_t cmd_count = mh->ncmds;
    const struct load_command* const cmds = (struct load_command*)(((char*)mh)+sizeof(struct macho_header));
    const struct load_command* cmd = cmds;
    for (uint32_t i = 0; i < cmd_count; ++i) {
        switch (cmd->cmd) {
            case LC_SEGMENT_COMMAND:
            {
                const struct macho_segment_command* seg = (struct macho_segment_command*)cmd;
                printf("seg name: %s\n", seg->segname);
                if (strcmp(seg->segname, "__RESTRICT") == 0) {
                    const struct macho_section* const sectionsStart = (struct macho_section*)((char*)seg + sizeof(struct macho_segment_command));
                    const struct macho_section* const sectionsEnd = &sectionsStart[seg->nsects];
                    for (const struct macho_section* sect=sectionsStart; sect < sectionsEnd; ++sect) {
                        if (strcmp(sect->sectname, "__restrict") == 0)
                            return true;
                    }
                }
            }
            break;
        }
        cmd = (const struct load_command*)(((char*)cmd)+cmd->cmdsize);
    }

    return false;
}
@end

6. Protection on newer systems: image-list allowlist check

Check whether every loaded dylib is one the app actually needs: an allowlist check over dyld's image list. The libraries in the allowlist are the ones the app itself depends on; anything else is suspect. Image index 0 is the main executable and can be skipped.

I. Print the set of dylibs the app needs from Xcode on a non-jailbroken device. If this allowlist is hard-coded in the project it ends up as a C string literal in the __TEXT,__cstring section of the Mach-O, where it is easy to find and extend; and because the system libraries change between iOS versions, an old build running on a new system would flag legitimate libraries unless the app is updated, so compatibility is poor. Better to serve the list from the server, where it can be updated per iOS version at any time.

const char * libStrs = ".app/whitelistDemo/Developer/usr/lib/libBacktraceRecording.dylib/Developer/usr/lib/libMainThreadChecker.dylib/Developer/Library/PrivateFrameworks/DTDDISupport.framework/libViewDebuggerSupport.dylib/System/Library/Frameworks/Foundation.framework/Foundation/usr/lib/libobjc.A.dylib/usr/lib/libSystem.B.dylib/System/Library/Frameworks/UIKit.framework/UIKit/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation/usr/lib/libcompression.dylib/System/Library/Frameworks/CFNetwork.framework/CFNetwork/usr/lib/libarchive.2.dylib/usr/lib/libicucore.A.dylib/usr/lib/libxml2.2.dylib/usr/lib/libz.1.dylib/System/Library/Frameworks/SystemConfiguration.framework/SystemConfiguration/System/Library/Frameworks/IOKit.framework/Versions/A/IOKit/usr/lib/libCRFSuite.dylib/usr/lib/liblangid.dylib/usr/lib/libc++abi.dylib/usr/lib/libc++.1.dylib/usr/lib/system/libcache.dylib/usr/lib/system/libcommonCrypto.dylib/usr/lib/system/libcompiler_rt.dylib/usr/lib/system/libcopyfile.dylib/usr/lib/system/libcorecrypto.dylib/usr/lib/system/introspection/libdispatch.dylib/usr/lib/system/libdyld.dylib/usr/lib/system/liblaunch.dylib/usr/lib/system/libmacho.dylib/usr/lib/system/libremovefile.dylib/usr/lib/system/libsystem_asl.dylib/usr/lib/system/libsystem_blocks.dylib/usr/lib/system/libsystem_c.dylib/usr/lib/system/libsystem_configuration.dylib/usr/lib/system/libsystem_containermanager.dylib/usr/lib/system/libsystem_coreservices.dylib/usr/lib/system/libsystem_darwin.dylib/usr/lib/system/libsystem_dnssd.dylib/usr/lib/system/libsystem_featureflags.dylib/usr/lib/system/libsystem_info.dylib/usr/lib/system/libsystem_m.dylib/usr/lib/system/libsystem_malloc.dylib/usr/lib/system/libsystem_networkextension.dylib/usr/lib/system/libsystem_notify.dylib/usr/lib/system/libsystem_sandbox.dylib/usr/lib/system/libsystem_kernel.dylib/usr/lib/system/libsystem_platform.dylib/usr/lib/system/libsystem_pthread.dylib/usr/lib/system/libsystem_symptoms.dylib/usr/lib/system/libsystem_trace.dylib/usr/lib/s
ystem/libunwind.dylib/usr/lib/system/libxpc.dylib/usr/lib/liblzma.5.dylib/usr/lib/libMobileGestalt.dylib/System/Library/Frameworks/Security.framework/Security/usr/lib/libsqlite3.dylib/usr/lib/libnetwork.dylib/usr/lib/libapple_nghttp2.dylib/System/Library/PrivateFrameworks/IOMobileFramebuffer.framework/IOMobileFramebuffer/usr/lib/libbsm.0.dylib/usr/lib/libpcap.A.dylib/usr/lib/libcoretls.dylib/usr/lib/libcoretls_cfhelpers.dylib/usr/lib/libenergytrace.dylib/System/Library/Frameworks/IOSurface.framework/IOSurface/usr/lib/libbz2.1.0.dylib/usr/lib/libiconv.2.dylib/usr/lib/libcharset.1.dylib/System/Library/PrivateFrameworks/DocumentManager.framework/DocumentManager/System/Library/Frameworks/FileProvider.framework/FileProvider/System/Library/PrivateFrameworks/UIKitCore.framework/UIKitCore/System/Library/PrivateFrameworks/ShareSheet.framework/ShareSheet/System/Library/PrivateFrameworks/MobileIcons.framework/MobileIcons/System/Library/Frameworks/QuartzCore.framework/QuartzCore/System/Library/Frameworks/CoreServices.framework/CoreServices/System/Library/Frameworks/Network.framework/Network/System/Library/PrivateFrameworks/DocumentManagerCore.framework/DocumentManagerCore/System/Library/Frameworks/CoreGraphics.framework/CoreGraphics/System/Library/PrivateFrameworks/PlugInKit.framework/PlugInKit/System/Library/Frameworks/MobileCoreServices.framework/MobileCoreServices/System/Library/PrivateFrameworks/IOSurfaceAccelerator.framework/IOSurfaceAccelerator/System/Library/Frameworks/CoreImage.framework/CoreImage/System/Library/PrivateFrameworks/CoreUI.framework/CoreUI/System/Library/Frameworks/ImageIO.framework/ImageIO/System/Library/PrivateFrameworks/MobileInstallation.framework/MobileInstallation/System/Library/PrivateFrameworks/CoreServicesStore.framework/CoreServicesStore/System/Library/PrivateFrameworks/MobileSystemServices.framework/MobileSystemServices/System/Library/PrivateFrameworks/AggregateDictionary.framework/AggregateDictionary/usr/lib/libFosl_dynamic.dylib/System/Library
/PrivateFrameworks/ColorSync.framework/ColorSync/System/Library/Frameworks/CoreMedia.framework/CoreMedia/System/Library/Frameworks/VideoToolbox.framework/VideoToolbox/System/Library/PrivateFrameworks/GraphVisualizer.framework/GraphVisualizer/System/Library/Frameworks/CoreText.framework/CoreText/System/Library/Frameworks/Metal.framework/Metal/System/Library/Frameworks/MetalPerformanceShaders.framework/MetalPerformanceShaders/System/Library/Frameworks/OpenGLES.framework/OpenGLES/System/Library/Frameworks/Accelerate.framework/Accelerate/System/Library/Frameworks/CoreVideo.framework/CoreVideo/System/Library/PrivateFrameworks/FaceCore.framework/FaceCore/usr/lib/libncurses.5.4.dylib/System/Library/PrivateFrameworks/WatchdogClient.framework/WatchdogClient/System/Library/PrivateFrameworks/CrashReporterSupport.framework/CrashReporterSupport/System/Library/Frameworks/CoreAudio.framework/CoreAudio/System/Library/PrivateFrameworks/AppSupport.framework/AppSupport/System/Library/PrivateFrameworks/AssertionServices.framework/AssertionServices/System/Library/PrivateFrameworks/SpringBoardServices.framework/SpringBoardServices/System/Library/PrivateFrameworks/PowerLog.framework/PowerLog/usr/lib/libCTGreenTeaLogger.dylib/System/Library/PrivateFrameworks/ASEProcessing.framework/ASEProcessing/usr/lib/libtailspin.dylib/System/Library/PrivateFrameworks/libEDR.framework/libEDR/System/Library/PrivateFrameworks/BaseBoard.framework/BaseBoard/System/Library/PrivateFrameworks/RunningBoardServices.framework/RunningBoardServices/System/Library/PrivateFrameworks/PersistentConnection.framework/PersistentConnection/System/Library/PrivateFrameworks/ProtocolBuffer.framework/ProtocolBuffer/System/Library/Frameworks/CoreTelephony.framework/CoreTelephony/System/Library/PrivateFrameworks/CommonUtilities.framework/CommonUtilities/usr/lib/libcupolicy.dylib/usr/lib/libTelephonyUtilDynamic.dylib/System/Library/PrivateFrameworks/MobileWiFi.framework/MobileWiFi/System/Library/PrivateFrameworks/Bom.framework/Bom
/System/Library/PrivateFrameworks/MobileKeyBag.framework/MobileKeyBag/System/Library/PrivateFrameworks/CaptiveNetwork.framework/CaptiveNetwork/System/Library/PrivateFrameworks/EAP8021X.framework/EAP8021X/System/Library/PrivateFrameworks/CoreAnalytics.framework/CoreAnalytics/System/Library/PrivateFrameworks/APFS.framework/APFS/System/Library/PrivateFrameworks/AppleSauce.framework/AppleSauce/usr/lib/libutil.dylib/System/Library/PrivateFrameworks/FontServices.framework/libFontParser.dylib/System/Library/PrivateFrameworks/FontServices.framework/libhvf.dylib/System/Library/Frameworks/Accelerate.framework/Frameworks/vImage.framework/vImage/System/Library/Frameworks/Accelerate.framework/Frameworks/vecLib.framework/vecLib/System/Library/Frameworks/Accelerate.framework/Frameworks/vecLib.framework/libvMisc.dylib/System/Library/Frameworks/Accelerate.framework/Frameworks/vecLib.framework/libvDSP.dylib/System/Library/Frameworks/Accelerate.framework/Frameworks/vecLib.framework/libBLAS.dylib/System/Library/Frameworks/Accelerate.framework/Frameworks/vecLib.framework/libLAPACK.dylib/System/Library/Frameworks/Accelerate.framework/Frameworks/vecLib.framework/libLinearAlgebra.dylib/System/Library/Frameworks/Accelerate.framework/Frameworks/vecLib.framework/libSparseBLAS.dylib/System/Library/Frameworks/Accelerate.framework/Frameworks/vecLib.framework/libQuadrature.dylib/System/Library/Frameworks/Accelerate.framework/Frameworks/vecLib.framework/libBNNS.dylib/System/Library/Frameworks/Accelerate.framework/Frameworks/vecLib.framework/libSparse.dylib/usr/lib/libate.dylib/System/Library/PrivateFrameworks/AppleJPEG.framework/AppleJPEG/System/Library/PrivateFrameworks/IOAccelerator.framework/IOAccelerator/System/Library/Frameworks/OpenGLES.framework/libCoreFSCache.dylib/System/Library/PrivateFrameworks/SignpostCollection.framework/SignpostCollection/System/Library/PrivateFrameworks/ktrace.framework/ktrace/System/Library/PrivateFrameworks/SampleAnalysis.framework/SampleAnalysis/System/Library/Pr
ivateFrameworks/kperfdata.framework/kperfdata/System/Library/PrivateFrameworks/CoreSymbolication.framework/CoreSymbolication/usr/lib/libdscsym.dylib/System/Library/PrivateFrameworks/SignpostSupport.framework/SignpostSupport/System/Library/PrivateFrameworks/LoggingSupport.framework/LoggingSupport/System/Library/PrivateFrameworks/kperf.framework/kperf/System/Library/PrivateFrameworks/OSAnalytics.framework/OSAnalytics/System/Library/PrivateFrameworks/Symbolication.framework/Symbolication/System/Library/PrivateFrameworks/OSAServicesClient.framework/OSAServicesClient/System/Library/PrivateFrameworks/MallocStackLogging.framework/MallocStackLogging/System/Library/PrivateFrameworks/CoreBrightness.framework/CoreBrightness/usr/lib/libAccessibility.dylib/usr/lib/libIOReport.dylib/System/Library/PrivateFrameworks/CPMS.framework/CPMS/System/Library/PrivateFrameworks/HID.framework/HID/System/Library/PrivateFrameworks/IdleTimerServices.framework/IdleTimerServices/System/Library/PrivateFrameworks/BoardServices.framework/BoardServices/System/Library/PrivateFrameworks/FrontBoardServices.framework/FrontBoardServices/System/Library/PrivateFrameworks/BackBoardServices.framework/BackBoardServices/System/Library/PrivateFrameworks/GraphicsServices.framework/GraphicsServices/System/Library/PrivateFrameworks/FontServices.framework/libGSFont.dylib/System/Library/PrivateFrameworks/FontServices.framework/FontServices/System/Library/PrivateFrameworks/FontServices.framework/libGSFontCache.dylib/System/Library/PrivateFrameworks/OTSVG.framework/OTSVG/System/Library/PrivateFrameworks/ConstantClasses.framework/ConstantClasses/System/Library/PrivateFrameworks/AXCoreUtilities.framework/AXCoreUtilities/System/Library/Frameworks/MediaAccessibility.framework/MediaAccessibility/System/Library/Frameworks/OpenGLES.framework/libGFXShared.dylib/System/Library/Frameworks/OpenGLES.framework/libGLImage.dylib/System/Library/Frameworks/OpenGLES.framework/libCVMSPluginSupport.dylib/System/Library/Frameworks/OpenGLES
.framework/libCoreVMClient.dylib/System/Library/Frameworks/MetalPerformanceShaders.framework/Frameworks/MPSCore.framework/MPSCore/System/Library/Frameworks/MetalPerformanceShaders.framework/Frameworks/MPSImage.framework/MPSImage/System/Library/Frameworks/MetalPerformanceShaders.framework/Frameworks/MPSNeuralNetwork.framework/MPSNeuralNetwork/System/Library/Frameworks/MetalPerformanceShaders.framework/Frameworks/MPSMatrix.framework/MPSMatrix/System/Library/Frameworks/MetalPerformanceShaders.framework/Frameworks/MPSRayIntersector.framework/MPSRayIntersector/System/Library/Frameworks/MetalPerformanceShaders.framework/Frameworks/MPSNDArray.framework/MPSNDArray/System/Library/PrivateFrameworks/AudioToolboxCore.framework/AudioToolboxCore/System/Library/PrivateFrameworks/caulk.framework/caulk/usr/lib/libAudioToolboxUtility.dylib/System/Library/PrivateFrameworks/CorePhoneNumbers.framework/CorePhoneNumbers/System/Library/PrivateFrameworks/MediaExperience.framework/MediaExperience/System/Library/PrivateFrameworks/TextureIO.framework/TextureIO/System/Library/PrivateFrameworks/CoreSVG.framework/CoreSVG/System/Library/PrivateFrameworks/InternationalSupport.framework/InternationalSupport/System/Library/PrivateFrameworks/CoreUtils.framework/CoreUtils/System/Library/PrivateFrameworks/IconServices.framework/IconServices/System/Library/PrivateFrameworks/UIFoundation.framework/UIFoundation/System/Library/Frameworks/PushKit.framework/PushKit/System/Library/PrivateFrameworks/XCTTargetBootstrap.framework/XCTTargetBootstrap/System/Library/PrivateFrameworks/WebKitLegacy.framework/WebKitLegacy/System/Library/PrivateFrameworks/SAObjects.framework/SAObjects/System/Library/PrivateFrameworks/HangTracer.framework/HangTracer/System/Library/PrivateFrameworks/SignpostMetrics.framework/SignpostMetrics/System/Library/PrivateFrameworks/PointerUIServices.framework/PointerUIServices/System/Library/PrivateFrameworks/StudyLog.framework/StudyLog/System/Library/PrivateFrameworks/CoreMaterial.framework/CoreM
aterial/usr/lib/libapp_launch_measurement.dylib/System/Library/Frameworks/UserNotifications.framework/UserNotifications/System/Library/PrivateFrameworks/MobileAsset.framework/MobileAsset/System/Library/PrivateFrameworks/PhysicsKit.framework/PhysicsKit/System/Library/PrivateFrameworks/PrototypeTools.framework/PrototypeTools/System/Library/PrivateFrameworks/TextInput.framework/TextInput/System/Library/PrivateFrameworks/UIKitServices.framework/UIKitServices/System/Library/Frameworks/JavaScriptCore.framework/JavaScriptCore/System/Library/PrivateFrameworks/WebCore.framework/WebCore/System/Library/PrivateFrameworks/WebCore.framework/Frameworks/libwebrtc.dylib/System/Library/PrivateFrameworks/URLFormatting.framework/URLFormatting/System/Library/Frameworks/AudioToolbox.framework/AudioToolbox/System/Library/PrivateFrameworks/TCC.framework/TCC/usr/lib/libAudioStatistics.dylib/System/Library/PrivateFrameworks/perfdata.framework/perfdata/usr/lib/libperfcheck.dylib/System/Library/PrivateFrameworks/StreamingZip.framework/StreamingZip/System/Library/Frameworks/Accounts.framework/Accounts/System/Library/PrivateFrameworks/GenerationalStorage.framework/GenerationalStorage/System/Library/PrivateFrameworks/SymptomDiagnosticReporter.framework/SymptomDiagnosticReporter/System/Library/PrivateFrameworks/UserManagement.framework/UserManagement/System/Library/Frameworks/CoreData.framework/CoreData/System/Library/PrivateFrameworks/ChunkingLibrary.framework/ChunkingLibrary/System/Library/PrivateFrameworks/ManagedConfiguration.framework/ManagedConfiguration/System/Library/PrivateFrameworks/AppleAccount.framework/AppleAccount/usr/lib/liblockdown.dylib/usr/lib/libmis.dylib/System/Library/PrivateFrameworks/Netrb.framework/Netrb/System/Library/PrivateFrameworks/DataMigration.framework/DataMigration/System/Library/PrivateFrameworks/DeviceIdentity.framework/DeviceIdentity/System/Library/PrivateFrameworks/SetupAssistant.framework/SetupAssistant/System/Library/PrivateFrameworks/AppleIDSSOAuthentication
.framework/AppleIDSSOAuthentication/System/Library/PrivateFrameworks/AccountSettings.framework/AccountSettings/System/Library/PrivateFrameworks/ApplePushService.framework/ApplePushService/System/Library/PrivateFrameworks/AuthKit.framework/AuthKit/System/Library/PrivateFrameworks/CoreFollowUp.framework/CoreFollowUp/System/Library/PrivateFrameworks/SetupAssistantSupport.framework/SetupAssistantSupport/System/Library/PrivateFrameworks/MobileBackup.framework/MobileBackup/System/Library/PrivateFrameworks/CoreTime.framework/CoreTime/System/Library/PrivateFrameworks/IntlPreferences.framework/IntlPreferences/System/Library/PrivateFrameworks/NanoPreferencesSync.framework/NanoPreferencesSync/System/Library/PrivateFrameworks/NanoRegistry.framework/NanoRegistry/System/Library/PrivateFrameworks/AppConduit.framework/AppConduit/System/Library/Frameworks/LocalAuthentication.framework/LocalAuthentication/System/Library/PrivateFrameworks/AppleIDAuthSupport.framework/AppleIDAuthSupport/System/Library/PrivateFrameworks/PhoneNumbers.framework/PhoneNumbers/System/Library/Frameworks/LocalAuthentication.framework/Support/SharedUtils.framework/SharedUtils/System/Library/PrivateFrameworks/Rapport.framework/Rapport/System/Library/PrivateFrameworks/MobileDeviceLink.framework/MobileDeviceLink/System/Library/PrivateFrameworks/AccountsDaemon.framework/AccountsDaemon/System/Library/Frameworks/GSS.framework/GSS/System/Library/PrivateFrameworks/IDS.framework/IDS/System/Library/PrivateFrameworks/WirelessDiagnostics.framework/WirelessDiagnostics/System/Library/PrivateFrameworks/OAuth.framework/OAuth/usr/lib/libheimdal-asn1.dylib/System/Library/PrivateFrameworks/Heimdal.framework/Heimdal/usr/lib/libresolv.9.dylib/System/Library/PrivateFrameworks/CommonAuth.framework/CommonAuth/System/Library/PrivateFrameworks/Marco.framework/Marco/System/Library/PrivateFrameworks/IMFoundation.framework/IMFoundation/System/Library/PrivateFrameworks/IDSFoundation.framework/IDSFoundation/System/Library/PrivateFrameworks/E
ngram.framework/Engram/usr/lib/libtidy.A.dylib/System/Library/Frameworks/CoreBluetooth.framework/CoreBluetooth/usr/lib/libAWDSupportFramework.dylib/usr/lib/libAWDSupport.dylib/usr/lib/libprotobuf-lite.dylib/usr/lib/libprotobuf.dylib/Developer/Library/PrivateFrameworks/DebugHierarchyFoundation.framework/DebugHierarchyFoundation/System/Library/Frameworks/GLKit.framework/GLKit/System/Library/Frameworks/SceneKit.framework/SceneKit/System/Library/Frameworks/MapKit.framework/MapKit/System/Library/Frameworks/ModelIO.framework/ModelIO/System/Library/Frameworks/AVFoundation.framework/AVFoundation/System/Library/Frameworks/MetalKit.framework/MetalKit/System/Library/Frameworks/AVFoundation.framework/Frameworks/AVFAudio.framework/AVFAudio/System/Library/Frameworks/MediaToolbox.framework/MediaToolbox/System/Library/PrivateFrameworks/Celestial.framework/Celestial/System/Library/PrivateFrameworks/Quagga.framework/Quagga/System/Library/Frameworks/CoreMotion.framework/CoreMotion/System/Library/PrivateFrameworks/CoreAUC.framework/CoreAUC/System/Library/Frameworks/CoreHaptics.framework/CoreHaptics/System/Library/PrivateFrameworks/NetworkStatistics.framework/NetworkStatistics/System/Library/PrivateFrameworks/LocationSupport.framework/LocationSupport/System/Library/Frameworks/ContactsUI.framework/ContactsUI/System/Library/Frameworks/Contacts.framework/Contacts/System/Library/PrivateFrameworks/SearchFoundation.framework/SearchFoundation/System/Library/Frameworks/Intents.framework/Intents/System/Library/PrivateFrameworks/Navigation.framework/Navigation/System/Library/PrivateFrameworks/VectorKit.framework/VectorKit/System/Library/Frameworks/CoreLocation.framework/CoreLocation/System/Library/PrivateFrameworks/GeoServices.framework/GeoServices/System/Library/PrivateFrameworks/AddressBookLegacy.framework/AddressBookLegacy/System/Library/PrivateFrameworks/AppSupportUI.framework/AppSupportUI/System/Library/PrivateFrameworks/DataAccessExpress.framework/DataAccessExpress/System/Library/PrivateFra
meworks/PersonaKit.framework/PersonaKit/System/Library/PrivateFrameworks/PersonaUI.framework/PersonaUI/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlight/System/Library/PrivateFrameworks/CommunicationsFilter.framework/CommunicationsFilter/System/Library/PrivateFrameworks/ContactsDonation.framework/ContactsDonation/System/Library/PrivateFrameworks/ContactsFoundation.framework/ContactsFoundation/System/Library/PrivateFrameworks/ContactsUICore.framework/ContactsUICore/System/Library/PrivateFrameworks/FamilyCircle.framework/FamilyCircle/System/Library/PrivateFrameworks/OnBoardingKit.framework/OnBoardingKit/System/Library/PrivateFrameworks/TelephonyUtilities.framework/TelephonyUtilities/System/Library/PrivateFrameworks/vCard.framework/vCard/System/Library/PrivateFrameworks/DataDetectorsCore.framework/DataDetectorsCore/System/Library/PrivateFrameworks/CoreNLP.framework/CoreNLP/System/Library/PrivateFrameworks/AppleFSCompression.framework/AppleFSCompression/usr/lib/libmecab.dylib/usr/lib/libgermantok.dylib/usr/lib/libThaiTokenizer.dylib/usr/lib/libChineseTokenizer.dylib/System/Library/PrivateFrameworks/LanguageModeling.framework/LanguageModeling/System/Library/PrivateFrameworks/CoreEmoji.framework/CoreEmoji/System/Library/PrivateFrameworks/LinguisticData.framework/LinguisticData/System/Library/PrivateFrameworks/Lexicon.framework/Lexicon/usr/lib/libcmph.dylib/System/Library/PrivateFrameworks/MetadataUtilities.framework/MetadataUtilities/System/Library/PrivateFrameworks/CellularPlanManager.framework/CellularPlanManager/System/Library/Frameworks/ClassKit.framework/ClassKit/System/Library/PrivateFrameworks/CoreSuggestions.framework/CoreSuggestions/System/Library/Frameworks/CloudKit.framework/CloudKit/System/Library/PrivateFrameworks/CloudDocs.framework/CloudDocs/System/Library/Frameworks/QuickLookThumbnailing.framework/QuickLookThumbnailing/System/Library/PrivateFrameworks/C2.framework/C2/System/Library/PrivateFrameworks/ProtectedCloudStorage.framework/ProtectedCl
oudStorage/System/Library/Frameworks/NetworkExtension.framework/NetworkExtension/usr/lib/libnetworkextension.dylib/System/Library/PrivateFrameworks/CoreLocationProtobuf.framework/CoreLocationProtobuf/System/Library/PrivateFrameworks/MobileSpotlightIndex.framework/MobileSpotlightIndex/usr/lib/libprequelite.dylib/System/Library/PrivateFrameworks/ProactiveEventTracker.framework/ProactiveEventTracker/System/Library/PrivateFrameworks/ProactiveSupport.framework/ProactiveSupport/System/Library/PrivateFrameworks/DataDetectorsNaturalLanguage.framework/DataDetectorsNaturalLanguage/System/Library/PrivateFrameworks/IntentsFoundation.framework/IntentsFoundation/System/Library/PrivateFrameworks/InternationalTextSearch.framework/InternationalTextSearch/System/Library/Frameworks/EventKit.framework/EventKit/System/Library/PrivateFrameworks/ResponseKit.framework/ResponseKit/System/Library/PrivateFrameworks/CalendarDaemon.framework/CalendarDaemon/System/Library/PrivateFrameworks/CalendarDatabase.framework/CalendarDatabase/System/Library/PrivateFrameworks/CalendarFoundation.framework/CalendarFoundation/System/Library/PrivateFrameworks/iCalendar.framework/iCalendar/System/Library/PrivateFrameworks/BackgroundTaskAgent.framework/BackgroundTaskAgent/System/Library/PrivateFrameworks/CoreDAV.framework/CoreDAV/System/Library/PrivateFrameworks/NLP.framework/NLP/System/Library/PrivateFrameworks/Montreal.framework/Montreal/System/Library/PrivateFrameworks/CoreDuet.framework/CoreDuet/System/Library/PrivateFrameworks/CoreRecents.framework/CoreRecents/System/Library/PrivateFrameworks/CoreDuetDebugLogging.framework/CoreDuetDebugLogging/System/Library/PrivateFrameworks/CoreDuetDaemonProtocol.framework/CoreDuetDaemonProtocol/System/Library/PrivateFrameworks/StoreServices.framework/StoreServices/System/Library/PrivateFrameworks/AppleMediaServices.framework/AppleMediaServices/System/Library/Frameworks/CryptoTokenKit.framework/CryptoTokenKit/System/Library/PrivateFrameworks/CoreDuetContext.framework/Core
DuetContext/System/Library/PrivateFrameworks/IncomingCallFilter.framework/IncomingCallFilter";

II. Check each loaded image against the allowlist; any image that is not in it triggers a warning:

#import <mach-o/dyld.h>
#import <string.h>

+(void)load
{
    uint32_t count = _dyld_image_count(); // number of images loaded into this process
    for (uint32_t i = 1; i < count; i++) { // skip index 0, the main executable
        const char * imageName = _dyld_get_image_name(i);
//        printf("%s\n", imageName);
        if (!strstr(libStrs, imageName)) { // this image is not in the allowlist
            printf("Suspicious dylib: %s\n", imageName); // exit(0) would tip off the attacker; report instead
        }
    }
}

III. Write a tweak of your own and check whether it is detected: it is. On detection do not call exit(0), which hands the attacker a clear marker of where the check lives; the usual practice is to send a report to the server and let the backend decide.
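As an added example (not the page's code), the following C program contrasts the strstr scan over one concatenated string, as in step II, with an exact-match allowlist plus an app-bundle prefix rule. The image paths, bundle path and allowlist are constructed for the example; on a device the paths come from _dyld_get_image_name(i), and a real allowlist is generated per iOS version as step I describes. The two tweak-loader directories are an assumption of this example, kept as a high-confidence signal that still fires when the allowlist is stale.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Allowlist as exact paths (constructed; a real one is dumped from a clean
 * device per iOS version and served from the backend). */
static const char *const kAllowed[] = {
    "/usr/lib/libSystem.B.dylib",
    "/usr/lib/libobjc.A.dylib",
    "/System/Library/Frameworks/UIKit.framework/UIKit",
    "/System/Library/Frameworks/Foundation.framework/Foundation",
};
#define ALLOWED_COUNT (sizeof kAllowed / sizeof kAllowed[0])

/* The same entries concatenated into one string, the libStrs style above. */
static const char kBlob[] =
    "/usr/lib/libSystem.B.dylib"
    "/usr/lib/libobjc.A.dylib"
    "/System/Library/Frameworks/UIKit.framework/UIKit"
    "/System/Library/Frameworks/Foundation.framework/Foundation";

/* Directories tweak loaders inject from (assumption of this example):
 * Cydia Substrate's DynamicLibraries and Electra/Chimera's TweakInject. */
static const char *const kLoaderDirs[] = {
    "/Library/MobileSubstrate/DynamicLibraries/",
    "/usr/lib/TweakInject/",
};
#define LOADER_DIR_COUNT (sizeof kLoaderDirs / sizeof kLoaderDirs[0])

static bool has_prefix(const char *s, const char *prefix) {
    return strncmp(s, prefix, strlen(prefix)) == 0;
}

/* Step II's rule: substring search in the blob. It accepts partial names and
 * paths that straddle two entries, both of which an attacker who controls the
 * filesystem of a jailbroken device can choose freely. */
static bool blob_allows(const char *image, const char *bundle_dir) {
    (void)bundle_dir;
    return strstr(kBlob, image) != NULL;
}

/* Exact rule: the app's own embedded frameworks (inside the bundle) or a
 * verbatim allowlist entry; everything else is foreign. */
static bool exact_allows(const char *image, const char *bundle_dir) {
    size_t n = strlen(bundle_dir);
    if (strncmp(image, bundle_dir, n) == 0 && image[n] == '/') return true;
    for (size_t i = 0; i < ALLOWED_COUNT; i++)
        if (strcmp(image, kAllowed[i]) == 0) return true;
    return false;
}

/* True when the image lives in a known tweak-loader directory. */
static bool is_loader_path(const char *image) {
    for (size_t i = 0; i < LOADER_DIR_COUNT; i++)
        if (has_prefix(image, kLoaderDirs[i])) return true;
    return false;
}

typedef bool (*allow_fn)(const char *image, const char *bundle_dir);

/* Walk the image list from index 1 (index 0 is the main executable), count
 * the images the rule rejects, and hand back the first offender via *first. */
static size_t scan_images(const char *const *images, size_t count,
                          const char *bundle_dir, allow_fn allows,
                          const char **first) {
    size_t bad = 0;
    if (first) *first = NULL;
    for (size_t i = 1; i < count; i++) {
        if (allows(images[i], bundle_dir)) continue;
        if (bad++ == 0 && first) *first = images[i];
    }
    return bad;
}

static const char *first_offender(const char *const *images, size_t count,
                                  const char *bundle_dir, allow_fn allows) {
    const char *first = NULL;
    scan_images(images, count, bundle_dir, allows, &first);
    return first;
}

/* Constructed image list: a jailbroken device with one tweak injected plus two
 * attacker-chosen paths crafted against the substring rule. */
static const char kBundleDir[] = "/var/containers/Bundle/Application/UUID/Demo.app";
static const char *const kImages[] = {
    "/var/containers/Bundle/Application/UUID/Demo.app/Demo",
    "/var/containers/Bundle/Application/UUID/Demo.app/Frameworks/Net.framework/Net",
    "/usr/lib/libSystem.B.dylib",
    "/System/Library/Frameworks/UIKit.framework/UIKit",
    "/Library/MobileSubstrate/DynamicLibraries/AntiTweakDemo.dylib",
    "/usr/lib/libSystem.B.dyli",
    "/Frameworks/UIKit.framework/UIKit/System/Library/Frameworks/Foundation.framework/Foundation",
};
#define IMAGE_COUNT (sizeof kImages / sizeof kImages[0])

int main(void) {
    printf("blob rule flags  %zu image(s), first: %s\n",
           scan_images(kImages, IMAGE_COUNT, kBundleDir, blob_allows, NULL),
           first_offender(kImages, IMAGE_COUNT, kBundleDir, blob_allows));
    printf("exact rule flags %zu image(s), first: %s\n",
           scan_images(kImages, IMAGE_COUNT, kBundleDir, exact_allows, NULL),
           first_offender(kImages, IMAGE_COUNT, kBundleDir, exact_allows));
    return 0;
}
```

The blob rule flags the app's own embedded framework (a false positive) and the Substrate dylib but lets both crafted paths through; the exact rule accepts the embedded framework and flags the three foreign images. On a device the same scan runs over _dyld_image_count() / _dyld_get_image_name(i), and the report goes to the server as step III recommends.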



7. How do we block process attach? Why can debugserver debug the app at all?

Attaching to a process goes through ptrace(): debugserver traces the target via the kernel's ptrace() system call. The same call lets a process declare whether it may be traced: calling ptrace(PT_DENY_ATTACH, 0, 0, 0) tells the kernel the current process refuses to be attached to, so debugserver can no longer attach.

I. Create a new project and drag in MyPtraceHeader.h (ptrace is not declared in the public iOS SDK headers, so that header supplies the prototype and PT_DENY_ATTACH). Call ptrace in viewDidLoad; launched from Xcode, which attaches a debugger, the app crashes immediately:

- (void)viewDidLoad {
    [super viewDidLoad];
    // Tell the kernel this process refuses to be attached to by debugserver.
    // arg1: the ptrace request
    // arg2: the target pid (0 = the calling process for PT_DENY_ATTACH)
    // arg3/arg4: depend on the request
    ptrace(PT_DENY_ATTACH, 0, 0, 0);
    // If a debugger is already attached, or attaches later, the process is killed
}
- (void)touchesBegan:(NSSet *)touches withEvent:(UIEvent *)event{
    NSLog(@"66666666");
}

II. Relaunched from the home screen (with no debugger attached) the app runs normally; open the device console from Xcode to see its log output.



III. On the jailbroken phone, start debugserver manually and try to attach: it fails, and so does attaching from Xcode.



8. ptrace blocks attaching; how is this layer defeated, and how does a reverse engineer continue the analysis?

Characteristics of the ptrace protection: debuggers cannot attach, running from Xcode crashes, normal use is unaffected.
Because ptrace is a system function reached through a symbol, the protection can be defeated by hooking ptrace with fishhook.
Bypassing it:

I. ptrace is a system function, so a symbolic breakpoint on it hits:



II. Add fishhook code to intercept it: if the intercepted request is PT_DENY_ATTACH, return 0 and skip the call; any other request is forwarded to the original ptrace unchanged. This only catches calls that go through the ptrace symbol's lazy binding; an app that issues the syscall directly, or resolves ptrace by hand, is not affected by the rebinding.

#import "InjectCode.h"
#import "fishhook.h"
#import "MyPtraceHeader.h"
#import <sys/types.h>

// Function pointer that receives the original ptrace after rebinding
static int (*ptrace_p)(int _request, pid_t _pid, caddr_t _addr, int _data);

// Forward declaration so +load can reference the replacement
static int my_ptrace(int _request, pid_t _pid, caddr_t _addr, int _data);

@implementation InjectCode
+(void)load{
    // Rebind the lazy symbol pointer for "ptrace" in every loaded image to my_ptrace
    struct rebinding ptraceBd;
    ptraceBd.name = "ptrace";
    ptraceBd.replacement = my_ptrace;
    ptraceBd.replaced = (void **)&ptrace_p;

    struct rebinding bds[] = {ptraceBd};
    rebind_symbols(bds, 1);
}
@end

// Replacement: swallow PT_DENY_ATTACH, forward every other request to the original.
// Calling ptrace() here would go through the rebound stub and recurse, hence ptrace_p.
static int my_ptrace(int _request, pid_t _pid, caddr_t _addr, int _data){
    if (_request == PT_DENY_ATTACH) {
        return 0; // report success; the process stays attachable
    }
    if (ptrace_p == NULL) {
        return -1; // rebinding did not find the symbol; nothing to forward to
    }
    return ptrace_p(_request, _pid, _addr, _data);
}
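The rebinding above works only because the app reaches ptrace through a lazy symbol pointer that fishhook can rewrite. As an added example (not the page's code), here is the form a hardened app uses on arm64 instead: the ptrace syscall issued directly with svc, which leaves no symbol to rebind, so the reverse engineer has to patch the instruction in the binary or intercept the syscall in the kernel. The syscall number (26) and PT_DENY_ATTACH (31) are the XNU values; the function only performs the real call when built for Apple arm64 and returns -1 elsewhere so the file still compiles on other hosts.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define RAW_PT_DENY_ATTACH 31   /* PT_DENY_ATTACH from <sys/ptrace.h> */
#define RAW_SYS_PTRACE     26   /* ptrace entry in XNU's syscalls.master */

/* True only where the svc path below is compiled in. */
static bool raw_ptrace_supported(void) {
#if defined(__APPLE__) && defined(__arm64__)
    return true;
#else
    return false;
#endif
}

/* ptrace(PT_DENY_ATTACH, 0, 0, 0) without touching the ptrace symbol.
 * Darwin/arm64 convention: syscall number in x16, arguments in x0..x3,
 * result in x0 (errno there with the carry flag set on error, which this
 * example does not decode). fishhook rewrites lazy symbol pointers, so a
 * call that never resolves a symbol is invisible to it.
 * Returns the syscall result (0 on success), or -1 when not supported. */
static int deny_attach_raw_syscall(void) {
#if defined(__APPLE__) && defined(__arm64__)
    register uint64_t x0  __asm__("x0")  = RAW_PT_DENY_ATTACH;
    register uint64_t x1  __asm__("x1")  = 0;
    register uint64_t x2  __asm__("x2")  = 0;
    register uint64_t x3  __asm__("x3")  = 0;
    register uint64_t x16 __asm__("x16") = RAW_SYS_PTRACE;
    __asm__ volatile("svc #0x80"
                     : "+r"(x0), "+r"(x1)
                     : "r"(x2), "r"(x3), "r"(x16)
                     : "memory", "cc");
    return (int)x0;
#else
    return -1;
#endif
}

int main(void) {
    if (!raw_ptrace_supported()) {
        printf("raw ptrace syscall is only available in Apple arm64 builds\n");
        return 0;
    }
    /* From here on, a debugger attached to this process gets it killed. */
    printf("deny-attach result: %d\n", deny_attach_raw_syscall());
    return 0;
}
```

Symbolic breakpoints on ptrace (step I) also go quiet with this form, since nothing in the app ever calls the libsystem_kernel stub; the remaining places to look are the svc instructions themselves.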

9. Use unc0ver to restore the pre-jailbreak system: enable Restore RootFS in the settings at the top left, then disconnect from the network; after the automatic reboot the system is back to its pre-jailbreak state and Cydia has been removed.

