iOS有反检测能力的越狱工具shadow的分析和检测
2023-2-23 07:37:50 Author: 哆啦安全(查看原文) 阅读量:13 收藏

Shadow包地址:https://github.com/jjolano/shadow/releases/download/v2.0.x%40old/me.jjolano.shadow_2.0.20_iphoneos-arm.deb

https://github.com/jjolano/shadow/releases/download/v3.6.8/me.jjolano.shadow_3.6.8_iphoneos-arm.deb

分析工具:IDA 7.0

基本思路

在分析越狱工具shadow之前,所有越狱工具都是对进程进行注入挂钩来实现。注入从作用范围来看,分为两类:

  1. 用户态注入,通过动态库
  2. 内核态注入,通过驱动

根据https://developer.apple.com/documentation/driverkit/requesting_entitlements_for_driverkit_development 来看,在苹果系统开发驱动,需要苹果授权,所以,越狱工具是没办法走这条路,只可能进行用户态注入。

那么,分析它就需要对进程启动时如何加载动态库了解,这就涉及到iOS进程启动模型。

本文的思路如下:

  1. iOS进程启动模型
  2. 依赖分析
  3. 钩子点分析
  4. 检测

iOS进程启动模型

iOS也是Unix族的衍生类。在Unix族里,进程启动模型的都大致如下:

  1. 加载执行文件:从绝对路径或相对路径或从环境变量指定搜索的路径搜索出来
  2. 根据执行文件依赖(导入表)来加载动态库文件:从绝对路径或相对路径或从环境变量和系统配置指定的搜索路径搜索出来
  3. 完成所有符号匹配,启动进程
  4. 进程处理输入参数和相应配置文件

从上面来看,只有1,2两步才可能进行注入。

在Unix族里,和执行文件加载相关的环境变量一般是**PATH** ,它一般是执行路径的列表,如/bin, /usr/bin, 和/usr/local/bin等,这个环境变量一般可以设置。搜索顺序是按照列表元素先后顺序进行,一旦找到,立马停止搜索。假设这个环境变量设置是这样的

PATH=/bin:/usr/bin:/usr/local/bin

这些路径都有一个ls执行文件,当执行ls时,只会执行/bin/ls

如果越狱工具要在这一步注入,它必须构建一个沙箱,接管所有程序执行。这种方式,所有用户态进程都可以变成它的子进程,这个沙箱可以任意更改子进程的环境变量,完成静态注入,甚至可以通过ptrace之类的系统调用来进行动态注入。这种方式可以非常好地绕过各种越狱检测工具的检测。

在Unix族,和动态库加载相关的环境变量和系统配置,就各有各的不同。Linux的可以看一下https://man7.org/linux/man-pages/man8/ld.so.8.html, 而iOS则可见https://web.archive.org/web/20160409091449/https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man1/dyld.1.html

从上面可以看到iOS依次对下面这些环境变量包含的路径列表按照先后顺序遍历,一旦找到相应动态库,立马停止该次遍历,查找下一个:

  1. DYLD_INSERT_LIBRARIES
  2. DYLD_VERSIONED_FRAMEWORK_PATH
  3. DYLD_FRAMEWORK_PATH
  4. DYLD_LIBRARY_PATH
  5. DYLD_FALLBACK_FRAMEWORK_PATH
  6. DYLD_FALLBACK_LIBRARY_PATH

目前不少APP检测iOS是否越狱,都是做下列动作:

  • 访问root才能够访问的目录和文件,执行读或写
  • 执行root才能够执行的命令
  • 访问或更改root才能够访问的环境变量
  • 调用root才能够调用的系统调用
  • 访问root才能够访问的系统参数

根据上面进程启动模型分析,越狱工具要具有反检测的能力,必须要做这样事情:

  1. 保护环境变量的访问
  2. 禁止某些命令的执行
  3. 禁止某些路径访问
  4. 禁止某些系统参数访问
  5. 挂钩某些系统调用

依赖分析

根据上面的探究后,我们实际上看一下这个越狱工具是怎样的。

me.jjolano.shadow_2.0.20_iphoneos-arm.deb解压的目录大致如下

PS D:\Library> Get-ChildItem -Recurse

目录: D:\Library

Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 2019/8/2 1:59 MobileSubstrate
d----- 2019/8/2 1:59 PreferenceBundles
d----- 2019/8/2 1:59 PreferenceLoader

目录: D:\Library\MobileSubstrate

Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 2019/8/2 1:59 DynamicLibraries

目录: D:\Library\MobileSubstrate\DynamicLibraries

Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 2019/8/2 1:59 728432 0Shadow.dylib
-a---- 2019/8/2 1:59 87 0Shadow.plist

目录: D:\Library\PreferenceBundles

Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 2019/8/2 1:59 ShadowPreferences.bundle

目录: D:\Library\PreferenceBundles\ShadowPreferences.bundle

Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 2019/7/14 1:29 en.lproj
-a---l 2021/4/10 0:27 0 Base.lproj
-a---- 2019/8/2 1:59 751 Icon-Small.png
-a---- 2019/8/2 1:59 1610 [email protected]
-a---- 2019/8/2 1:59 2693 [email protected]
-a---- 2019/8/2 1:59 404 Info.plist
-a---- 2019/8/2 1:59 3123 Root.plist
-a---- 2019/7/29 4:37 265808 ShadowPreferences

目录: D:\Library\PreferenceBundles\ShadowPreferences.bundle\en.lproj

Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 2019/8/2 1:59 3915 Root.strings

目录: D:\Library\PreferenceLoader

Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 2019/8/2 1:59 Preferences

目录: D:\Library\PreferenceLoader\Preferences

Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 2019/8/2 1:59 199 ShadowPreferences.plist

从大小来看,只有D:\Library\MobileSubstrate\DynamicLibraries\0Shadow.dylib值得分析,用IDA打开一看,看一下导入表

Address	Ordinal	Name	Library
0000000000026830 _OBJC_CLASS_$_HBPreferences /Library/Frameworks/Cephei.framework/Cephei
0000000000026838 _MSGetImageByName /Library/Frameworks/CydiaSubstrate.framework/CydiaSubstrate
0000000000026840 _MSHookFunction /Library/Frameworks/CydiaSubstrate.framework/CydiaSubstrate
0000000000026848 _MSHookMessageEx /Library/Frameworks/CydiaSubstrate.framework/CydiaSubstrate
0000000000026800 _OBJC_CLASS_$_NSArray /System/Library/Frameworks/CoreFoundation.framework/CoreFoundation
0000000000026808 _OBJC_CLASS_$_NSDictionary /System/Library/Frameworks/CoreFoundation.framework/CoreFoundation
0000000000026810 _OBJC_CLASS_$_NSMutableArray /System/Library/Frameworks/CoreFoundation.framework/CoreFoundation
0000000000026818 _OBJC_CLASS_$_NSMutableDictionary /System/Library/Frameworks/CoreFoundation.framework/CoreFoundation
0000000000026820 _OBJC_CLASS_$_NSURL /System/Library/Frameworks/CoreFoundation.framework/CoreFoundation
0000000000026828 ___CFConstantStringClassReference /System/Library/Frameworks/CoreFoundation.framework/CoreFoundation
00000000000267A0 _NSCocoaErrorDomain /System/Library/Frameworks/Foundation.framework/Foundation
00000000000267A8 _NSLocalizedDescriptionKey /System/Library/Frameworks/Foundation.framework/Foundation
00000000000267B0 _NSLocalizedFailureReasonErrorKey /System/Library/Frameworks/Foundation.framework/Foundation
00000000000267B8 _NSLocalizedRecoverySuggestionErrorKey /System/Library/Frameworks/Foundation.framework/Foundation
00000000000267C0 _OBJC_CLASS_$_NSBundle /System/Library/Frameworks/Foundation.framework/Foundation
00000000000267C8 _OBJC_CLASS_$_NSCharacterSet /System/Library/Frameworks/Foundation.framework/Foundation
00000000000267D0 _OBJC_CLASS_$_NSError /System/Library/Frameworks/Foundation.framework/Foundation
00000000000267D8 _OBJC_CLASS_$_NSFileManager /System/Library/Frameworks/Foundation.framework/Foundation
00000000000267E0 _OBJC_CLASS_$_NSNumber /System/Library/Frameworks/Foundation.framework/Foundation
00000000000267E8 _OBJC_CLASS_$_NSProcessInfo /System/Library/Frameworks/Foundation.framework/Foundation
00000000000267F0 _OBJC_CLASS_$_NSString /System/Library/Frameworks/Foundation.framework/Foundation
00000000000267F8 _OBJC_CLASS_$_NSValue /System/Library/Frameworks/Foundation.framework/Foundation
0000000000026858 _NSVersionOfLinkTimeLibrary /usr/lib/libSystem.B.dylib
0000000000026860 _NSVersionOfRunTimeLibrary /usr/lib/libSystem.B.dylib
0000000000026868 ___stack_chk_guard /usr/lib/libSystem.B.dylib
0000000000026870 __dyld_get_image_name /usr/lib/libSystem.B.dylib
0000000000026878 __dyld_image_count /usr/lib/libSystem.B.dylib
0000000000026880 _access /usr/lib/libSystem.B.dylib
0000000000026888 _chdir /usr/lib/libSystem.B.dylib
0000000000026890 _chroot /usr/lib/libSystem.B.dylib
0000000000026898 _creat /usr/lib/libSystem.B.dylib
00000000000268A0 _csops /usr/lib/libSystem.B.dylib
00000000000268A8 _dladdr /usr/lib/libSystem.B.dylib
00000000000268B0 _dlopen /usr/lib/libSystem.B.dylib
00000000000268B8 _dlopen_preflight /usr/lib/libSystem.B.dylib
00000000000268C0 _dlsym /usr/lib/libSystem.B.dylib
00000000000268C8 _faccessat /usr/lib/libSystem.B.dylib
00000000000268D0 _fchdir /usr/lib/libSystem.B.dylib
00000000000268D8 _fopen /usr/lib/libSystem.B.dylib
00000000000268E0 _fork /usr/lib/libSystem.B.dylib
00000000000268E8 _freopen /usr/lib/libSystem.B.dylib
00000000000268F0 _fstat /usr/lib/libSystem.B.dylib
00000000000268F8 _fstatat /usr/lib/libSystem.B.dylib
0000000000026900 _fstatfs /usr/lib/libSystem.B.dylib
0000000000026908 _getegid /usr/lib/libSystem.B.dylib
0000000000026910 _getenv /usr/lib/libSystem.B.dylib
0000000000026918 _geteuid /usr/lib/libSystem.B.dylib
0000000000026920 _getgid /usr/lib/libSystem.B.dylib
0000000000026928 _getppid /usr/lib/libSystem.B.dylib
0000000000026930 _getuid /usr/lib/libSystem.B.dylib
0000000000026938 _link /usr/lib/libSystem.B.dylib
0000000000026940 _lstat /usr/lib/libSystem.B.dylib
0000000000026948 _open /usr/lib/libSystem.B.dylib
0000000000026950 _openat /usr/lib/libSystem.B.dylib
0000000000026958 _opendir /usr/lib/libSystem.B.dylib
0000000000026960 _popen /usr/lib/libSystem.B.dylib
0000000000026968 _posix_spawn /usr/lib/libSystem.B.dylib
0000000000026970 _posix_spawnp /usr/lib/libSystem.B.dylib
0000000000026978 _readdir /usr/lib/libSystem.B.dylib
0000000000026980 _readlink /usr/lib/libSystem.B.dylib
0000000000026988 _readlinkat /usr/lib/libSystem.B.dylib
0000000000026990 _realpath$DARWIN_EXTSN /usr/lib/libSystem.B.dylib
0000000000026998 _remove /usr/lib/libSystem.B.dylib
00000000000269A0 _rename /usr/lib/libSystem.B.dylib
00000000000269A8 _rmdir /usr/lib/libSystem.B.dylib
00000000000269B0 _setegid /usr/lib/libSystem.B.dylib
00000000000269B8 _seteuid /usr/lib/libSystem.B.dylib
00000000000269C0 _setgid /usr/lib/libSystem.B.dylib
00000000000269C8 _setregid /usr/lib/libSystem.B.dylib
00000000000269D0 _setreuid /usr/lib/libSystem.B.dylib
00000000000269D8 _setuid /usr/lib/libSystem.B.dylib
00000000000269E0 _stat /usr/lib/libSystem.B.dylib
00000000000269E8 _statfs /usr/lib/libSystem.B.dylib
00000000000269F0 _symlink /usr/lib/libSystem.B.dylib
00000000000269F8 _sysctl /usr/lib/libSystem.B.dylib
0000000000026A00 _unlink /usr/lib/libSystem.B.dylib
0000000000026A08 _unlinkat /usr/lib/libSystem.B.dylib
0000000000026A10 _vfork /usr/lib/libSystem.B.dylib
0000000000026A18 dyld_stub_binder /usr/lib/libSystem.B.dylib
0000000000026A20 __Unwind_Resume /usr/lib/libSystem.B.dylib
0000000000026A28 ___error /usr/lib/libSystem.B.dylib
0000000000026A30 ___stack_chk_fail /usr/lib/libSystem.B.dylib
0000000000026A38 __dyld_register_func_for_add_image /usr/lib/libSystem.B.dylib
0000000000026A40 _dirfd /usr/lib/libSystem.B.dylib
0000000000026A48 _dlclose /usr/lib/libSystem.B.dylib
0000000000026A50 _fclose /usr/lib/libSystem.B.dylib
0000000000026A58 _fcntl /usr/lib/libSystem.B.dylib
0000000000026A60 _free /usr/lib/libSystem.B.dylib
0000000000026A68 _getpid /usr/lib/libSystem.B.dylib
0000000000026A70 _strcmp /usr/lib/libSystem.B.dylib
0000000000026A78 _strlen /usr/lib/libSystem.B.dylib
0000000000026850 ___gxx_personality_v0 /usr/lib/libc++.1.dylib
0000000000026720 _OBJC_CLASS_$_NSObject /usr/lib/libobjc.A.dylib
0000000000026728 _OBJC_METACLASS_$_NSObject /usr/lib/libobjc.A.dylib
0000000000026730 __objc_empty_cache /usr/lib/libobjc.A.dylib
0000000000026738 _objc_copyClassNamesForImage /usr/lib/libobjc.A.dylib
0000000000026740 _objc_copyImageNames /usr/lib/libobjc.A.dylib
0000000000026748 _objc_autoreleaseReturnValue /usr/lib/libobjc.A.dylib
0000000000026750 _objc_enumerationMutation /usr/lib/libobjc.A.dylib
0000000000026758 _objc_getClass /usr/lib/libobjc.A.dylib
0000000000026760 _objc_msgSend /usr/lib/libobjc.A.dylib
0000000000026768 _objc_msgSendSuper2 /usr/lib/libobjc.A.dylib
0000000000026770 _objc_release /usr/lib/libobjc.A.dylib
0000000000026778 _objc_retain /usr/lib/libobjc.A.dylib
0000000000026780 _objc_retainAutorelease /usr/lib/libobjc.A.dylib
0000000000026788 _objc_retainAutoreleasedReturnValue /usr/lib/libobjc.A.dylib
0000000000026790 _objc_storeStrong /usr/lib/libobjc.A.dylib
0000000000026798 _object_getClass /usr/lib/libobjc.A.dylib

可以看到,这个工具除了系统的框架外,只引用了/Library/Frameworks/Cephei.framework/Cephei, /Library/Frameworks/CydiaSubstrate.framework/CydiaSubstrate两个框架,而根据

https://hbang.github.io/libcephei/ 和https://iphonedev.wiki/index.php/Cydia_Substrate,这两个框架都是越狱框架。

对这个导入项进行分析

0000000000026830		_OBJC_CLASS_$_HBPreferences	/Library/Frameworks/Cephei.framework/Cephei

_OBJC_CLASS_$_HBPreferences这个符号经过Name Mangling处理,实际上它是引入了HBPreferences这个类,按照https://hbang.github.io/libcephei/Classes/HBPreferences.html, 这个类是处理界面上配置。所以这一个可以忽略。

Name Mangling可以参考https://en.wikipedia.org/wiki/Name_mangling

只剩下这三个符号了

0000000000026838		_MSGetImageByName	/Library/Frameworks/CydiaSubstrate.framework/CydiaSubstrate
0000000000026840 _MSHookFunction /Library/Frameworks/CydiaSubstrate.framework/CydiaSubstrate
0000000000026848 _MSHookMessageEx /Library/Frameworks/CydiaSubstrate.framework/CydiaSubstrate

同样根据Name Mangling原则,这三个符号实际上是MSGetImageByName, MSHookFunction, MSHookMessageEx

先分析一下MSGetImageByName, 它的文档在http://www.cydiasubstrate.com/api/c/MSGetImageByName/。

从它的引用来看

Direction	Type	Address	Text
Up p InitFunc_0+64C BL _MSGetImageByName

只有一处地方,就是InitFunc_0+64C

在IDA操作,是从导入表选中这个符号,双击,进入这个符号所在代码位置,在代码位置选中这个符号,右键选中"Jump to xref to operand...",就可以得到所有引用了

看引用它的汇编

_text:000000000000C34C                 ADR             X0, aUsrLibLibsubst_2 ; "/usr/lib/libsubstitute.dylib"
__text:000000000000C350 NOP
__text:000000000000C354 STP X19, X26, [SP,#0x210+var_210]
__text:000000000000C358 STR X23, [SP,#0x210+var_200]
__text:000000000000C35C BL _MSGetImageByName
__text:000000000000C360 MOV X24, X0
__text:000000000000C364 NOP
__text:000000000000C368 LDR X0, qword_26080 ; void *
__text:000000000000C36C NOP
__text:000000000000C370 LDR X20, =sel_setUseInjectCompatibilityMode_ ; "setUseInjectCompatibilityMode:"
__text:000000000000C374 CBZ X24, loc_C3A0
__text:000000000000C378 MOV W2, #0
__text:000000000000C37C MOV X1, X20 ; char *
__text:000000000000C380 BL _objc_msgSend
__text:000000000000C384 B loc_C3AC

可见是加载/usr/lib/libsubstitute.dylib, 再把获得的句柄判断这个文件是否存在,再跳转。

__text:000000000000C354                 STP             X19, X26, [SP,#0x210+var_210]
__text:000000000000C358                 STR             X23, [SP,#0x210+var_200]

这几两行指令其实没多少用处,只是编译器为了代码优化做的乱序执行。其实和这个接口引用无关。

从这个句柄的处理汇编

__text:000000000000C3A0 loc_C3A0                                ; CODE XREF: InitFunc_0+664↑j
__text:000000000000C3A0 MOV W2, #1
__text:000000000000C3A4 MOV X1, X20 ; char *
__text:000000000000C3A8 BL _objc_msgSend
__text:000000000000C3AC
__text:000000000000C3AC loc_C3AC ; CODE XREF: InitFunc_0+674↑j
__text:000000000000C3AC LDR X0, [SP,#0x210+var_1E0] ; void *
__text:000000000000C3B0 MOV X1, X28 ; char *
__text:000000000000C3B4 LDR X2, [SP,#0x210+var_1B8]
__text:000000000000C3B8 BL _objc_msgSend
__text:000000000000C3BC CBZ W0, loc_C6A0
__text:000000000000C3C0 NOP

无非就是和管理配置通信,可以忽略。

再看MSHookFunction, MSHookMessageEx的文档http://www.cydiasubstrate.com/api/c/MSHookFunction/和http://www.cydiasubstrate.com/api/c/MSHookMessageEx/,这两个函数是专门用来挂钩的。MSHookFunction是对API挂钩,而MSHookMessageEx则对类的成员函数挂钩。

钩子点分析

先看MSHookFunction,获取它所有的引用点,一共57处。

Direction	Type	Address	Text
Up p InitFunc_0+6C8 BL _MSHookFunction
Up p InitFunc_0+6E4 BL _MSHookFunction
Up p InitFunc_0+700 BL _MSHookFunction
Up p InitFunc_0+71C BL _MSHookFunction
Up p InitFunc_0+8DC BL _MSHookFunction
Up p InitFunc_0+8F8 BL _MSHookFunction
Up p InitFunc_0+9C4 BL _MSHookFunction
Up p InitFunc_0+9E0 BL _MSHookFunction
Up p InitFunc_0+A9C BL _MSHookFunction
Up p InitFunc_0+1124 BL _MSHookFunction
Up p InitFunc_0+1140 BL _MSHookFunction
Up p InitFunc_0+115C BL _MSHookFunction
Up p InitFunc_0+1178 BL _MSHookFunction
Up p InitFunc_0+1194 BL _MSHookFunction
Up p InitFunc_0+11B0 BL _MSHookFunction
Up p InitFunc_0+11CC BL _MSHookFunction
Up p InitFunc_0+11E8 BL _MSHookFunction
Up p InitFunc_0+1204 BL _MSHookFunction
Up p InitFunc_0+1220 BL _MSHookFunction
Up p InitFunc_0+123C BL _MSHookFunction
Up p InitFunc_0+1258 BL _MSHookFunction
Up p InitFunc_0+1274 BL _MSHookFunction
Up p InitFunc_0+1290 BL _MSHookFunction
Up p InitFunc_0+12AC BL _MSHookFunction
Up p InitFunc_0+12C8 BL _MSHookFunction
Up p InitFunc_0+12E4 BL _MSHookFunction
Up p InitFunc_0+1300 BL _MSHookFunction
Up p InitFunc_0+131C BL _MSHookFunction
Up p InitFunc_0+1338 BL _MSHookFunction
Up p InitFunc_0+1354 BL _MSHookFunction
Up p InitFunc_0+1370 BL _MSHookFunction
Up p InitFunc_0+138C BL _MSHookFunction
Up p InitFunc_0+13A8 BL _MSHookFunction
Up p InitFunc_0+13C4 BL _MSHookFunction
Up p InitFunc_0+196C BL _MSHookFunction
Up p InitFunc_0+1988 BL _MSHookFunction
Up p InitFunc_0+1E84 BL _MSHookFunction
Up p InitFunc_0+1EA0 BL _MSHookFunction
Up p InitFunc_0+1EBC BL _MSHookFunction
Up p InitFunc_0+1ED8 BL _MSHookFunction
Up p InitFunc_0+2168 BL _MSHookFunction
Up p InitFunc_0+2184 BL _MSHookFunction
Up p InitFunc_0+21A0 BL _MSHookFunction
Up p InitFunc_0+21BC BL _MSHookFunction
Up p InitFunc_0+21D8 BL _MSHookFunction
Up p InitFunc_0+21F4 BL _MSHookFunction
Up p InitFunc_0+2210 BL _MSHookFunction
Up p InitFunc_0+222C BL _MSHookFunction
Up p InitFunc_0+2248 BL _MSHookFunction
Up p InitFunc_0+2264 BL _MSHookFunction
Up p InitFunc_0+2280 BL _MSHookFunction
Up p InitFunc_0+229C BL _MSHookFunction
Up p InitFunc_0+22B8 BL _MSHookFunction
Up p InitFunc_0+22D4 BL _MSHookFunction
Up p InitFunc_0+2354 BL _MSHookFunction
Up p InitFunc_0+2370 BL _MSHookFunction
Up p InitFunc_0+23A0 BL _MSHookFunction

先看第一处

Up p InitFunc_0+6C8 BL              _MSHookFunction

按照MSHookFunction的原型

void MSHookFunction(void *symbol, void *hook, void **old);

是找到某个symbol对应的函数,把hook挂在上面,并用old保存原函数地址。

根据InitFunc的位置

__text:000000000000BD10 InitFunc_0

InitFunc_0+6C8就是000000000000C3D8:

__text:000000000000C3C4                 LDR             X0, =_fstat
__text:000000000000C3C8 ADR X1, sub_E590
__text:000000000000C3CC NOP
__text:000000000000C3D0 ADR X2, qword_260A8
__text:000000000000C3D4 NOP
__text:000000000000C3D8 BL _MSHookFunction

可见,这处是用sub_E590fstat进行挂钩,并把fstat函数地址保存在qword_260A8。那么分析一下sub_E590

__text:000000000000E590 sub_E590                                ; DATA XREF: InitFunc_0+6B8↑o
__text:000000000000E590
__text:000000000000E590 var_440 = -0x440
__text:000000000000E590 var_438 = -0x438
__text:000000000000E590 var_38 = -0x38
__text:000000000000E590 var_30 = -0x30
__text:000000000000E590 var_20 = -0x20
__text:000000000000E590 var_10 = -0x10
__text:000000000000E590 var_s0 = 0
__text:000000000000E590
__text:000000000000E590 STP X28, X27, [SP,#-0x10+var_30]!
__text:000000000000E594 STP X22, X21, [SP,#0x30+var_20]
__text:000000000000E598 STP X20, X19, [SP,#0x30+var_10]
__text:000000000000E59C STP X29, X30, [SP,#0x30+var_s0]
__text:000000000000E5A0 ADD X29, SP, #0x30
__text:000000000000E5A4 SUB SP, SP, #0x410
__text:000000000000E5A8 MOV X19, X1
__text:000000000000E5AC MOV X20, X0
__text:000000000000E5B0 NOP
__text:000000000000E5B4 LDR X8, =___stack_chk_guard
__text:000000000000E5B8 LDR X8, [X8]
__text:000000000000E5BC STUR X8, [X29,#var_38]
__text:000000000000E5C0 ADD X8, SP, #0x440+var_438
__text:000000000000E5C4 STR X8, [SP,#0x440+var_440]
__text:000000000000E5C8 MOV W1, #0x32 ; int
__text:000000000000E5CC BL _fcntl
__text:000000000000E5D0 CMN W0, #1
__text:000000000000E5D4 B.EQ loc_E6C0
__text:000000000000E5D8 NOP
__text:000000000000E5DC LDR X0, =_OBJC_CLASS_$_NSFileManager ; void *
__text:000000000000E5E0 NOP
__text:000000000000E5E4 LDR X1, =sel_defaultManager ; "defaultManager"
__text:000000000000E5E8 BL _objc_msgSend
__text:000000000000E5EC MOV X29, X29
__text:000000000000E5F0 BL _objc_retainAutoreleasedReturnValue
__text:000000000000E5F4 MOV X22, X0
__text:000000000000E5F8 ADD X0, SP, #0x440+var_438 ; char *
__text:000000000000E5FC BL _strlen
__text:000000000000E600 MOV X3, X0
__text:000000000000E604 NOP
__text:000000000000E608 LDR X1, =sel_stringWithFileSystemRepresentation_length_ ; "stringWithFileSystemRepresentation:leng"...
__text:000000000000E60C ADD X2, SP, #0x440+var_438
__text:000000000000E610 MOV X0, X22 ; void *
__text:000000000000E614 BL _objc_msgSend
__text:000000000000E618 MOV X29, X29
__text:000000000000E61C BL _objc_retainAutoreleasedReturnValue
__text:000000000000E620 MOV X21, X0
__text:000000000000E624 MOV X0, X22
__text:000000000000E628 BL _objc_release
__text:000000000000E62C NOP
__text:000000000000E630 LDR X0, qword_26080 ; void *
__text:000000000000E634 NOP
__text:000000000000E638 LDR X1, =sel_isPathRestricted_ ; "isPathRestricted:"
__text:000000000000E63C MOV X2, X21
__text:000000000000E640 BL _objc_msgSend
__text:000000000000E644 CBZ W0, loc_E664
__text:000000000000E648 BL ___error
__text:000000000000E64C MOV W8, #9
__text:000000000000E650 STR W8, [X0]
__text:000000000000E654 MOV W20, #0xFFFFFFFF
__text:000000000000E658
__text:000000000000E658 loc_E658 ; CODE XREF: sub_E590+124↓j
__text:000000000000E658 MOV X0, X21
__text:000000000000E65C BL _objc_release
__text:000000000000E660 B loc_E6D8
__text:000000000000E664 ; ---------------------------------------------------------------------------
__text:000000000000E664
__text:000000000000E664 loc_E664 ; CODE XREF: sub_E590+B4↑j
__text:000000000000E664 CBZ X19, loc_E6B8
__text:000000000000E668 NOP
__text:000000000000E66C LDR X1, =sel_isEqualToString_ ; "isEqualToString:"
__text:000000000000E670 ADR X2, cfstr_Bin ; "/bin"
__text:000000000000E674 NOP
__text:000000000000E678 MOV X0, X21 ; void *
__text:000000000000E67C BL _objc_msgSend
__text:000000000000E680 CBZ W0, loc_E6B8
__text:000000000000E684 NOP
__text:000000000000E688 LDR X8, qword_260A8
__text:000000000000E68C MOV X0, X20
__text:000000000000E690 MOV X1, X19
__text:000000000000E694 BLR X8
__text:000000000000E698 CBNZ W0, loc_E6B8
__text:000000000000E69C LDR X8, [X19,#0x60]
__text:000000000000E6A0 CMP X8, #0x80
__text:000000000000E6A4 B.LE loc_E6B8
__text:000000000000E6A8 MOV W20, #0
__text:000000000000E6AC MOV W8, #0x80
__text:000000000000E6B0 STR X8, [X19,#0x60]
__text:000000000000E6B4 B loc_E658
__text:000000000000E6B8 ; ---------------------------------------------------------------------------
__text:000000000000E6B8
__text:000000000000E6B8 loc_E6B8 ; CODE XREF: sub_E590:loc_E664↑j
__text:000000000000E6B8 ; sub_E590+F0↑j ...
__text:000000000000E6B8 MOV X0, X21
__text:000000000000E6BC BL _objc_release
__text:000000000000E6C0
__text:000000000000E6C0 loc_E6C0 ; CODE XREF: sub_E590+44↑j
__text:000000000000E6C0 NOP
__text:000000000000E6C4 LDR X8, qword_260A8
__text:000000000000E6C8 MOV X0, X20
__text:000000000000E6CC MOV X1, X19
__text:000000000000E6D0 BLR X8
__text:000000000000E6D4 MOV X20, X0
__text:000000000000E6D8
__text:000000000000E6D8 loc_E6D8 ; CODE XREF: sub_E590+D0↑j
__text:000000000000E6D8 LDUR X8, [X29,#var_38]
__text:000000000000E6DC NOP
__text:000000000000E6E0 LDR X9, =___stack_chk_guard
__text:000000000000E6E4 LDR X9, [X9]
__text:000000000000E6E8 CMP X9, X8
__text:000000000000E6EC B.NE loc_E70C
__text:000000000000E6F0 MOV X0, X20
__text:000000000000E6F4 ADD SP, SP, #0x410
__text:000000000000E6F8 LDP X29, X30, [SP,#0x30+var_s0]
__text:000000000000E6FC LDP X20, X19, [SP,#0x30+var_10]
__text:000000000000E700 LDP X22, X21, [SP,#0x30+var_20]
__text:000000000000E704 LDP X28, X27, [SP+0x30+var_30],#0x40
__text:000000000000E708 RET
__text:000000000000E70C ; ---------------------------------------------------------------------------
__text:000000000000E70C
__text:000000000000E70C loc_E70C ; CODE XREF: sub_E590+15C↑j
__text:000000000000E70C BL ___stack_chk_fail
__text:000000000000E70C ; End of function sub_E590

看起来很复杂,其实这个函数是对任何调用fstat的路径判断是否是在指定限制目录/bin下,如果是就绕过,否则就继续调用qword_260A8(fstat原地址)处理。

按照同样思路分析,可以得到这个表格

原函数钩子函数作用
fstat绕过指定限制目录/bin/下文件
dlopen绕过指定限制镜像
open绕过指定限制目录的文件
openat绕过指定限制目录的文件
NSVersionOfRunTimeLibrary绕过指定限制镜像
NSVersionOfLinkTimeLibrary绕过指定限制镜像
opendir绕过指定限制目录
readdir绕过指定限制目录
csopsgetpid结果处理
access指定限制目录或前缀为/Library/MobileSubstrate绕过
getenvDYLD_INSERT_LIBRARIES,_MSSafeMode,_SafeMode绕过
fopen绕过指定限制目录的文件
freopen绕过指定限制目录的文件
stat绕过指定限制目录/bin/下文件
lstat绕过指定限制目录/bin/,
/Applications,
/usr/share,
/usr/libexec,
/usr/include,
/Library/Ringtones,
/Library/Wallpaper下文件
fstatfs指定限制目录或前缀为/var, /private/var绕过
statfs指定限制目录或前缀为/var, /private/var绕过
posix_spawn绕过指定限制目录的文件
posix_spawnp绕过指定限制目录的文件
realpath绕过指定限制目录的路径
symlink绕过指定限制目录的路径
rename绕过指定限制目录的路径
rename绕过指定限制目录的路径
unlink绕过指定限制目录的路径
unlinkat绕过指定限制目录的路径
rmdir绕过指定限制目录的目录
chdir绕过指定限制目录的目录
fchdir绕过指定限制目录的目录
link绕过指定限制目录的路径
fstatat绕过指定限制目录的路径
faccessat绕过指定限制目录的路径
chroot绕过指定限制目录的路径
sysctl从内核里获取所有进程,对当前进程比对,并获取当前进程是否被调试
getppid指定限制目录的文件绕过
readlink绕过指定限制目录的路径
readlinkat绕过指定限制目录的路径
_dyld_image_count绕过指定限制镜像
_dyld_get_image_name绕过指定限制镜像
dlopen_preflight绕过指定限制镜像
dladdr绕过指定限制镜像
creat绕过指定限制目录的文件
vfork直接返回-1,禁止创建进程
fork直接返回-1,禁止创建进程
popen直接返回0
setgid,setuid,setegid,seteuid,setreuid,setregid直接返回-1
getuidgetgid,geteuid,getegid返回0x1F5
objc_copyImageNames获取镜像名称和某个库一样,就返回0
objc_copyClassNamesForImage绕过指定限制镜像
dlsym对符号前缀为MS,Sub,PS,LM,rocketbootstrap,
substitute_,_logos返回0,绕过

再看MSHookMessageEx,它的调用点有149处。它的原型如下

void MSHookMessageEx(Class _class, SEL message, IMP hook, IMP *old);

是找到某个类_class对应的成员函数message,把hook挂在上面,并用old保存原成员函数地址。

MSHookFunction的方式分析,得到下表

钩子函数作用
SpringBoard返回和黑名单列表匹配的结果
NSDataUIApplication
NSFileManager,NSFileWrapper,
NSFileVersion,NSFileHandle,
NSURL,NSMutableArray,
NSArray,NSMutableDictionary,
NSDictionary,NSString,
绕过指定限制目录指定限制URL的路径
NSBundle防止获取SignerIdentity, 绕过指定限制目录指定限制URL的路径
NSProcessInfo,UIImage绕过指定限制目录的路径
NSDirectoryEnumerator绕过特定类限制目录限制URL
UIDevice挂钩以下方法isJailbroken,isJailBreak,isJailBroken,均返回0
JailbreakDetectionVC, DTTJailbreakDetection,
GBDeviceInfo,CPWRDeviceInfo,
CPWRSessionInfo,KSSystemInfo,
FCRSystemMetadata,OneSignalJailbreakDetection
挂钩isJailbroken,返回0
ANSMetadata挂钩computeIsJailbroken,isJailbroken,返回0
AppsFlyerUtils挂钩isJailBreakon,返回0
CMARAppRestrictionsDelegate挂钩isDeviceNonCompliant,返回0
ADYSecurityCheck挂钩isDeviceJailbroken,返回0
UBReportMetadataDevice挂钩is_rooted,返回0
UtilitySystem,GemaltoConfiguration挂钩isJailbreak,返回0
EMDSKPPConfiguration挂钩jailBroken,返回0
EnrollParameters挂钩jailbroken,返回0
EMDskppConfigurationBuilder挂钩jailbreakStatus,返回0
v_VDMap挂钩isJailBrokenDetectedByVOS,isDFPHookedDetecedByVOS,
isCodeInjectionDetectedByVOS,isDebuggerCheckDetectedByVOS,
isAppSignerCheckDetectedByVOS,v_checkAModified,返回0
SDMUtils挂钩isJailBroken,返回0
DigiPassHandler挂钩rootedDeviceTestResult,返回0
AWMyDeviceGeneralInfo挂钩isCompliant,返回1

其中限制目录,URL或镜像都是取这些目录或以这些目录为前缀

/
/.HFS
/.Trashes
/.ba
/.file
/.mb
/Applications
/Applications/AXUIViewService.app
/Applications/AccountAuthenticationDialog.app
/Applications/ActivityMessagesApp.app
/Applications/AdPlatformsDiagnostics.app
/Applications/AppStore.app
/Applications/AskPermissionUI.app
/Applications/BusinessExtensionsWrapper.app
/Applications/CTCarrierSpaceAuth.app
/Applications/Camera.app
/Applications/CheckerBoard.app
/Applications/CompassCalibrationViewService.app
/Applications/ContinuityCamera.app
/Applications/CoreAuthUI.app
/Applications/DDActionsService.app
/Applications/DNDBuddy.app
/Applications/DataActivation.app
/Applications/DemoApp.app
/Applications/Diagnostics.app
/Applications/DiagnosticsService.app
/Applications/FTMInternal-4.app
/Applications/Family.app
/Applications/Feedback
/Applications/FieldTest.app
/Applications/FindMyiPhone.app
/Applications/FunCameraShapes.app
/Applications/FunCameraText.app
/Applications/GameCenterUIService.app
/Applications/HashtagImages.app
/Applications/Health.app
/Applications/HealthPrivacyService.app
/Applications/HomeUIService.app
/Applications/InCallService.app
/Applications/Magnifier.app
/Applications/MailCompositionService.app
/Applications/MessagesViewService.app
/Applications/MobilePhone.app
/Applications/MobileSMS.app
/Applications/MobileSafari.app
/Applications/MobileSlideShow.app
/Applications/MobileTimer.app
/Applications/MusicUIService.app
/Applications/Passbook.app
/Applications/PassbookUIService.app
/Applications/PhotosViewService.app
/Applications/PreBoard.app
/Applications/Preferences.app
/Applications/Print
/Applications/SIMSetupUIService.app
/Applications/SLGoogleAuth.app
/Applications/SLYahooAuth.app
/Applications/SafariViewService.app
/Applications/ScreenSharingViewService.app
/Applications/ScreenshotServicesService.app
/Applications/Setup.app
/Applications/SharedWebCredentialViewService.app
/Applications/SharingViewService.app
/Applications/SiriViewService.app
/Applications/SoftwareUpdateUIService.app
/Applications/StoreDemoViewService.app
/Applications/StoreKitUIService.app
/Applications/TrustMe.app
/Applications/Utilities
/Applications/VideoSubscriberAccountViewService.app
/Applications/WLAccessService.app
/Applications/Web.app
/Applications/WebApp1.app
/Applications/WebContentAnalysisUI.app
/Applications/WebSheet.app
/Applications/iAdOptOut.app
/Applications/iCloud.app
/Developer
/Library
/Library/Application
/Library/Application
/Library/Application
/Library/Audio
/Library/Caches
/Library/Caches/cy-
/Library/Filesystems
/Library/Frameworks
/Library/Frameworks/Cephei.framework/Cephei
/Library/Frameworks/CydiaSubstrate.framework/CydiaSubstrate
/Library/Internet
/Library/Keychains
/Library/LaunchAgents
/Library/LaunchDaemons
/Library/Logs
/Library/Managed
/Library/MobileDevice
/Library/MobileSubstrate
/Library/MobileSubstrate/DynamicLibraries/0Shadow.dylib
/Library/MusicUISupport
/Library/PreferenceBundles
/Library/Preferences
/Library/Printers
/Library/Ringtones
/Library/SnowBoard
/Library/Themes
/Library/TweakInject
/Library/Updates
/Library/Wallpaper
/System
/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation
/System/Library/Frameworks/Foundation.framework/Foundation
/System/Library/PreferenceBundles/AppList.bundle
/User/Library/Preferences
/bin
/bin/df
/bin/ps
/cores
/dev
/dev/dlci.
/dev/kmem
/dev/mem
/dev/vn0
/dev/vn1
/etc
/etc/asl
/etc/asl.conf
/etc/fstab
/etc/group
/etc/hosts
/etc/hosts.equiv
/etc/master.passwd
/etc/networks
/etc/notify.conf
/etc/passwd
/etc/ppp
/etc/protocols
/etc/racoon
/etc/services
/etc/ttys
/lib
/mnt
/private
/private/etc
/private/system_data
/private/var
/private/var/containers/Bundle/Application
/private/var/mobile/Containers/Bundle/Application
/private/xarts
/sbin
/sbin/fsck
/sbin/launchd
/sbin/mount
/sbin/pfctl
/tmp
/tmp/Substrate
/tmp/amfid_payload.alive
/tmp/amfidebilitate.out
/tmp/com.apple
/tmp/cydia.log
/tmp/jailbreakd.pid
/tmp/org.coolstar
/tmp/slide.txt
/tmp/substrate
/tmp/syslog
/usr
/usr/bin
/usr/bin/DumpBasebandCrash
/usr/bin/PerfPowerServicesExtended
/usr/bin/abmlite
/usr/bin/brctl
/usr/bin/footprint
/usr/bin/hidutil
/usr/bin/hpmdiagnose
/usr/bin/kbdebug
/usr/bin/powerlogHelperd
/usr/bin/sysdiagnose
/usr/bin/tailspin
/usr/bin/taskinfo
/usr/bin/vm_stat
/usr/bin/zprint
/usr/include
/usr/lib
/usr/lib/FDRSealingMap.plist
/usr/lib/TweakInject
/usr/lib/apt
/usr/lib/bash
/usr/lib/bbmasks
/usr/lib/cycript
/usr/lib/dyld
/usr/lib/lib%@.dylib
/usr/lib/libCRFSuite
/usr/lib/libDHCPServer
/usr/lib/libMatch
/usr/lib/libSubstitrate
/usr/lib/libSystem
/usr/lib/libSystem.B.dylib
/usr/lib/libarchive
/usr/lib/libbsm
/usr/lib/libbz2
/usr/lib/libc
/usr/lib/libc++
/usr/lib/libc++.1.dylib
/usr/lib/libcharset
/usr/lib/libcurses
/usr/lib/libdbm
/usr/lib/libdl
/usr/lib/libeasyperf
/usr/lib/libedit
/usr/lib/libexslt
/usr/lib/libextension
/usr/lib/libform
/usr/lib/libiconv
/usr/lib/libicucore
/usr/lib/libinfo
/usr/lib/libipsec
/usr/lib/liblzma
/usr/lib/libm
/usr/lib/libmecab
/usr/lib/libmis.dylib
/usr/lib/libncurses
/usr/lib/libobjc
/usr/lib/libobjc.A.dylib
/usr/lib/libpcap
/usr/lib/libperfcheck
/usr/lib/libpmsample
/usr/lib/libpoll
/usr/lib/libproc
/usr/lib/libpthread
/usr/lib/libresolv
/usr/lib/librpcsvc
/usr/lib/libsandbox
/usr/lib/libsqlite3
/usr/lib/libstdc++
/usr/lib/libsubstitute
/usr/lib/libsubstitute.dylib
/usr/lib/libsubstrate
/usr/lib/libtidy
/usr/lib/libutil
/usr/lib/libxml2
/usr/lib/libxslt
/usr/lib/libz
/usr/lib/log
/usr/lib/substrate
/usr/lib/system
/usr/lib/tweaks
/usr/lib/updaters
/usr/lib/xpc
/usr/libexec
/usr/libexec/BackupAgent
/usr/libexec/BackupAgent2
/usr/libexec/CrashHousekeeping
/usr/libexec/DataDetectorsSourceAccess
/usr/libexec/FSTaskScheduler
/usr/libexec/FinishRestoreFromBackup
/usr/libexec/IOAccelMemoryInfoCollector
/usr/libexec/IOMFB_bics_daemon
/usr/libexec/Library
/usr/libexec/MobileGestaltHelper
/usr/libexec/MobileStorageMounter
/usr/libexec/NANDTaskScheduler
/usr/libexec/OTATaskingAgent
/usr/libexec/PowerUIAgent
/usr/libexec/PreboardService
/usr/libexec/ProxiedCrashCopier
/usr/libexec/PurpleReverseProxy
/usr/libexec/ReportMemoryException
/usr/libexec/SafariCloudHistoryPushAgent
/usr/libexec/SidecarRelay
/usr/libexec/SyncAgent
/usr/libexec/UserEventAgent
/usr/libexec/addressbooksyncd
/usr/libexec/adid
/usr/libexec/adprivacyd
/usr/libexec/adservicesd
/usr/libexec/afcd
/usr/libexec/airtunesd
/usr/libexec/amfid
/usr/libexec/asd
/usr/libexec/assertiond
/usr/libexec/atc
/usr/libexec/atwakeup
/usr/libexec/backboardd
/usr/libexec/biometrickitd
/usr/libexec/bootpd
/usr/libexec/bulletindistributord
/usr/libexec/captiveagent
/usr/libexec/cc_fips_test
/usr/libexec/checkpointd
/usr/libexec/cloudpaird
/usr/libexec/com.apple.automation.defaultslockdownserviced
/usr/libexec/companion_proxy
/usr/libexec/configd
/usr/libexec/corecaptured
/usr/libexec/coreduetd
/usr/libexec/crash_mover
/usr/libexec/dasd
/usr/libexec/demod
/usr/libexec/demod_helper
/usr/libexec/dhcpd
/usr/libexec/diagnosticd
/usr/libexec/diagnosticextensionsd
/usr/libexec/dmd
/usr/libexec/dprivacyd
/usr/libexec/dtrace
/usr/libexec/duetexpertd
/usr/libexec/eventkitsyncd
/usr/libexec/fdrhelper
/usr/libexec/findmydeviced
/usr/libexec/finish_demo_restore
/usr/libexec/fmfd
/usr/libexec/fmflocatord
/usr/libexec/fseventsd
/usr/libexec/ftp-proxy
/usr/libexec/gamecontrollerd
/usr/libexec/gamed
/usr/libexec/gpsd
/usr/libexec/hangreporter
/usr/libexec/hangtracerd
/usr/libexec/heartbeatd
/usr/libexec/hostapd
/usr/libexec/idamd
/usr/libexec/init_data_protection
/usr/libexec/installd
/usr/libexec/ioupsd
/usr/libexec/keybagd
/usr/libexec/languageassetd
/usr/libexec/locationd
/usr/libexec/lockdownd
/usr/libexec/logd
/usr/libexec/lsd
/usr/libexec/lskdd
/usr/libexec/lskdmsed
/usr/libexec/magicswitchd
/usr/libexec/mc_mobile_tunnel
/usr/libexec/microstackshot
/usr/libexec/misagent
/usr/libexec/misd
/usr/libexec/mmaintenanced
/usr/libexec/mobile_assertion_agent
/usr/libexec/mobile_diagnostics_relay
/usr/libexec/mobile_house_arrest
/usr/libexec/mobile_installation_proxy
/usr/libexec/mobile_obliterator
/usr/libexec/mobile_storage_proxy
/usr/libexec/mobileactivationd
/usr/libexec/mobileassetd
/usr/libexec/mobilewatchdog
/usr/libexec/mtmergeprops
/usr/libexec/nanomediaremotelinkagent
/usr/libexec/nanoregistryd
/usr/libexec/nanoregistrylaunchd
/usr/libexec/neagent
/usr/libexec/nehelper
/usr/libexec/nesessionmanager
/usr/libexec/networkserviceproxy
/usr/libexec/nfcd
/usr/libexec/nfrestore_service
/usr/libexec/nlcd
/usr/libexec/notification_proxy
/usr/libexec/nptocompaniond
/usr/libexec/nsurlsessiond
/usr/libexec/nsurlstoraged
/usr/libexec/online-auth-agent
/usr/libexec/oscard
/usr/libexec/pcapd
/usr/libexec/pcsstatus
/usr/libexec/pfd
/usr/libexec/pipelined
/usr/libexec/pkd
/usr/libexec/pkreporter
/usr/libexec/ptpd
/usr/libexec/rapportd
/usr/libexec/replayd
/usr/libexec/resourcegrabberd
/usr/libexec/rolld
/usr/libexec/routined
/usr/libexec/rtbuddyd
/usr/libexec/rtcreportingd
/usr/libexec/safarifetcherd
/usr/libexec/screenshotsyncd
/usr/libexec/security-sysdiagnose
/usr/libexec/securityd
/usr/libexec/securityuploadd
/usr/libexec/seld
/usr/libexec/seputil
/usr/libexec/sharingd
/usr/libexec/signpost_reporter
/usr/libexec/silhouette
/usr/libexec/siriknowledged
/usr/libexec/smcDiagnose
/usr/libexec/splashboardd
/usr/libexec/springboardservicesrelay
/usr/libexec/streaming_zip_conduit
/usr/libexec/swcd
/usr/libexec/symptomsd
/usr/libexec/symptomsd-helper
/usr/libexec/sysdiagnose_helper
/usr/libexec/sysstatuscheck
/usr/libexec/tailspind
/usr/libexec/timed
/usr/libexec/tipsd
/usr/libexec/topicsmap.db
/usr/libexec/transitd
/usr/libexec/trustd
/usr/libexec/tursd
/usr/libexec/tzd
/usr/libexec/tzinit
/usr/libexec/tzlinkd
/usr/libexec/videosubscriptionsd
/usr/libexec/wapic
/usr/libexec/wcd
/usr/libexec/webbookmarksd
/usr/libexec/webinspectord
/usr/libexec/wifiFirmwareLoader
/usr/libexec/wifivelocityd
/usr/libexec/xpcproxy
/usr/libexec/xpcroleaccountd
/usr/local
/usr/local/bin
/usr/local/lib
/usr/local/standalone
/usr/sbin
/usr/sbin/BTAvrcp
/usr/sbin/BTLEServer
/usr/sbin/BTMap
/usr/sbin/BTPbap
/usr/sbin/BlueTool
/usr/sbin/WiFiNetworkStoreModel.momd
/usr/sbin/WirelessRadioManagerd
/usr/sbin/absd
/usr/sbin/addNetworkInterface
/usr/sbin/applecamerad
/usr/sbin/aslmanager
/usr/sbin/bluetoothd
/usr/sbin/cfprefsd
/usr/sbin/ckksctl
/usr/sbin/distnoted
/usr/sbin/fairplayd.H2
/usr/sbin/filecoordinationd
/usr/sbin/ioreg
/usr/sbin/ipconfig
/usr/sbin/mDNSResponder
/usr/sbin/mDNSResponderHelper
/usr/sbin/mediaserverd
/usr/sbin/notifyd
/usr/sbin/nvram
/usr/sbin/pppd
/usr/sbin/racoon
/usr/sbin/rtadvd
/usr/sbin/scutil
/usr/sbin/spindump
/usr/sbin/syslogd
/usr/sbin/wifid
/usr/sbin/wirelessproxd
/usr/share
/usr/share/CSI
/usr/share/com.apple.languageassetd
/usr/share/firmware
/usr/share/icu
/usr/share/langid
/usr/share/locale
/usr/share/mecabra
/usr/share/misc
/usr/share/progressui
/usr/share/tokenizer
/usr/share/zoneinfo
/usr/share/zoneinfo.default
/usr/standalone
/var
/var/.DocumentRevisions
/var/.fseventsd
/var/.overprovisioning_file
/var/Keychains
/var/Managed
/var/MobileAsset
/var/MobileDevice
/var/MobileSoftwareUpdate
/var/audit
/var/backups
/var/buddy
/var/containers
/var/containers/Bundle
/var/containers/Bundle/Application
/var/containers/Bundle/Framework
/var/containers/Bundle/PluginKitPlugin
/var/containers/Bundle/VPNPlugin
/var/containers/Bundle/dylibs
/var/containers/Bundle/tweaksupport
/var/cores
/var/db
/var/db/stash
/var/ea
/var/empty
/var/folders
/var/hardware
/var/installd
/var/internal
/var/keybags
/var/lib
/var/lib/dpkg/info
/var/local
/var/lock
/var/log
/var/log/asl
/var/log/com.apple.xpc.launchd
/var/log/corecaptured.log
/var/log/ppp
/var/log/ppp.log
/var/log/racoon.log
/var/log/sa
/var/logs
/var/mobile
/var/mobile/Applications
/var/mobile/Containers
/var/mobile/Containers/Bundle/Application
/var/mobile/Containers/Data
/var/mobile/Containers/Data/Application
/var/mobile/Containers/Data/InternalDaemon
/var/mobile/Containers/Data/PluginKitPlugin
/var/mobile/Containers/Data/TempDir
/var/mobile/Containers/Data/VPNPlugin
/var/mobile/Containers/Data/XPCService
/var/mobile/Containers/Shared
/var/mobile/Containers/Shared/AppGroup
/var/mobile/Documents
/var/mobile/Downloads
/var/mobile/Library
/var/mobile/Library/Caches
/var/mobile/Library/Caches/.com.apple
/var/mobile/Library/Caches/ACMigrationLock
/var/mobile/Library/Caches/AccountMigrationInProgress
/var/mobile/Library/Caches/AdMob
/var/mobile/Library/Caches/BTAvrcp
/var/mobile/Library/Caches/Checkpoint.plist
/var/mobile/Library/Caches/CloudKit
/var/mobile/Library/Caches/DateFormats.plist
/var/mobile/Library/Caches/FamilyCircle
/var/mobile/Library/Caches/GameKit
/var/mobile/Library/Caches/GeoServices
/var/mobile/Library/Caches/MappedImageCache
/var/mobile/Library/Caches/OTACrashCopier
/var/mobile/Library/Caches/PassKit
/var/mobile/Library/Caches/Snapshots
/var/mobile/Library/Caches/Snapshots/com.apple
/var/mobile/Library/Caches/TelephonyUI
/var/mobile/Library/Caches/Weather
/var/mobile/Library/Caches/cache
/var/mobile/Library/Caches/ckkeyrolld
/var/mobile/Library/Caches/com.apple
/var/mobile/Library/Caches/rtcreportingd
/var/mobile/Library/Caches/sharedCaches
/var/mobile/Library/ControlCenter
/var/mobile/Library/ControlCenter/ModuleConfiguration.plist
/var/mobile/Library/Cydia
/var/mobile/Library/Logs/Cydia
/var/mobile/Library/Preferences
/var/mobile/Library/Preferences/.GlobalPreferences.plist
/var/mobile/Library/Preferences/UITextInputContextIdentifiers.plist
/var/mobile/Library/Preferences/Wallpaper.png
/var/mobile/Library/Preferences/ckkeyrolld.plist
/var/mobile/Library/Preferences/com.apple.
/var/mobile/Library/Preferences/nfcd.plist
/var/mobile/Library/SBSettings
/var/mobile/Library/Sileo
/var/mobile/Media
/var/mobile/MobileSoftwareUpdate
/var/msgs
/var/networkd
/var/preferences
/var/root
/var/run
/var/run/asl_input
/var/run/configd.pid
/var/run/fudinit
/var/run/lockbot
/var/run/lockdown
/var/run/lockdown.sock
/var/run/lockdown_first_run
/var/run/mDNSResponder
/var/run/pppconfd
/var/run/printd
/var/run/syslog
/var/run/syslog.pid
/var/run/utmpx
/var/run/vpncontrol.sock
/var/spool
/var/staged_system_apps
/var/tmp
/var/vm
/var/wireless

除了上面目录,还对这些路径匹配绕过

list
firmware-sbin.list
gsc.firmware-sbin.list

同时对包含这些字段的路径绕过

Substrate
substrate
substitute
Substitrate
TweakInject
jailbreak
cycript
SBInject
pspawn
rocketbootstrap
bfdecrypt

对URL包含这种模式绕过

cydia
sileo

检测

从上面来看,这个越狱工具从目录和系统API上做了很多绕过措施,但还是有地方囊括不够的。

对比在基本思路里的几条,基本如下

  1. 保护环境变量的访问  ---- 有部分
  2. 禁止某些命令的执行  --- 没有
  3. 禁止某些路径访问 ---- 有
  4. 禁止某些系统参数访问 -- 有部分
  5. 挂钩某些系统调用 --- 有部分

那么检测方案可以这样:

  1. 没有挂钩mkdir,考虑使用mkdir在正常情况下禁止访问的目录下创建子目录,如果OK,就说明是被越狱。
  2. 没有挂钩execve,可以考虑执行一个正常情况下禁止执行的程序,如果成功,说明被越狱。
  3. 没有挂钩ptrace,可以使用它进行自身调试,如果成功,说明被越狱
  4. 创建一个库,里面定义一些函数是MS,Sub,PS,LM,rocketbootstrap, substitute_,_logos为前缀的,如果调用dlsym返回失败,说明被越狱
  5. 只对sysctl挂钩了,但对sysctlbyname,sysctlnametomib没有挂钩,可以调用这两个函数来获取进程信息。同时sysctl也并不是所有情况都处理了,比如获取硬件信息就没有。这三个系统调用可以获取一些高权限信息,说明被越狱
  6. 不引入其它检测越狱的库,但自己实现一个同名的类和方法,比如SDMUtils和方法isJailBroken,这个方法只返回一个结果,就是1。如果调用这个方法,返回值为0,那么说明被越狱

还有很多,不过,本人对iOS不熟悉,对它的系统调用也不熟悉,只能给出这些。有兴趣的,可以参考下面

https://www.theiphonewiki.com/wiki/Kernel_Syscalls#List_of_system_calls_from_iOS_6.0_GM

对这些系统调用一一尝试。

https://github.com/jjolano/shadow/https://github.com/jjolano/shadow/releases

推荐阅读

突破iOS App双向认证抓包

App绕过iOS手机的越狱检测

iOS系统抓包入门实践之短链

Android和iOS静态代码扫描工具

iOS系统抓包之短链-破解双向证书

Android和iOS应用源码的静态分析

ios逆向-app登录协议逆向分析破解

iOS逆向绕过越狱检测(iOS越狱工具)

MacOS/iOS Mach-O应用程序代码混淆

Code Signing - iOS 代码段的校验机制分析

Android和iOS逆向分析/安全检测/渗透测试框架(建议收藏)


文章来源: http://mp.weixin.qq.com/s?__biz=Mzg2NzUzNzk1Mw==&mid=2247495207&idx=1&sn=a4d57b1005b544261a79b53a941af860&chksm=ceb8ab69f9cf227ffc2ecae47e72000a576c4473b086c5ef092cefe530f7d9bce047f3898f33#rd
如有侵权请联系:admin#unsafe.sh