iOS有反检测能力的越狱工具shadow的分析和检测
iOS有反检测能力的越狱工具shadow的分析和检测
血狼debugeeker
发布于 2021-09-10 10:45:19
发布于 2021-09-10 10:45:19
文章被收录于专栏:debugeeker的专栏
Shadow包地址:https://github.com/jjolano/shadow/releases/download/v2.0.x%40old/me.jjolano.shadow_2.0.20_iphoneos-arm.deb 分析工具:IDA 7.0
基本思路
在分析越狱工具shadow之前,所有越狱工具都是对进程进行注入挂钩来实现。注入从作用范围来看,分为两类:
- 用户态注入,通过动态库
- 内核态注入,通过驱动
根据https://developer.apple.com/documentation/driverkit/requesting_entitlements_for_driverkit_development 来看,在苹果系统开发驱动,需要苹果授权,所以,越狱工具是没办法走这条路,只可能进行用户态注入。
那么,分析它就需要对进程启动时如何加载动态库了解,这就涉及到iOS进程启动模型。
本文的思路如下:
- iOS进程启动模型
- 依赖分析
- 钩子点分析
- 检测
iOS进程启动模型
iOS也是Unix族的衍生类。在Unix族里,进程启动模型的都大致如下:
- 加载执行文件:从绝对路径或相对路径或从环境变量指定搜索的路径搜索出来
- 根据执行文件依赖(导入表)来加载动态库文件:从绝对路径或相对路径或从环境变量和系统配置指定的搜索路径搜索出来
- 完成所有符号匹配,启动进程
- 进程处理输入参数和相应配置文件
从上面来看,只有1,2两步才可能进行注入。
在Unix族里,和执行文件加载相关的环境变量一般是**PATH** ,它一般是执行路径的列表,如/bin, /usr/bin, 和/usr/local/bin等,这个环境变量一般可以设置。搜索顺序是按照列表元素先后顺序进行,一旦找到,立马停止搜索。假设这个环境变量设置是这样的
PATH=/bin:/usr/bin:/usr/local/bin这些路径都有一个ls执行文件,当执行ls时,只会执行/bin/ls。
如果越狱工具要在这一步注入,它必须构建一个沙箱,接管所有程序执行。这种方式,所有用户态进程都可以变成它的子进程,这个沙箱可以任意更改子进程的环境变量,完成静态注入,甚至可以通过ptrace之类的系统调用来进行动态注入。这种方式可以非常好地绕过各种越狱检测工具的检测。
在Unix族,和动态库加载相关的环境变量和系统配置,就各有各的不同。Linux的可以看一下https://man7.org/linux/man-pages/man8/ld.so.8.html, 而iOS则可见https://web.archive.org/web/20160409091449/https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man1/dyld.1.html
从上面可以看到iOS依次对下面这些环境变量包含的路径列表按照先后顺序遍历,一旦找到相应动态库,立马停止该次遍历,查找下一个:
-
DYLD_INSERT_LIBRARIES -
DYLD_VERSIONED_FRAMEWORK_PATH -
DYLD_FRAMEWORK_PATH -
DYLD_LIBRARY_PATH -
DYLD_FALLBACK_FRAMEWORK_PATH -
DYLD_FALLBACK_LIBRARY_PATH
目前不少APP检测iOS是否越狱,都是做下列动作:
- 访问root才能够访问的目录和文件,执行读或写
- 执行root才能够执行的命令
- 访问或更改root才能够访问的环境变量
- 调用root才能够调用的系统调用
- 访问root才能够访问的系统参数
根据上面进程启动模型分析,越狱工具要具有反检测的能力,必须要做这样事情:
- 保护环境变量的访问
- 禁止某些命令的执行
- 禁止某些路径访问
- 禁止某些系统参数访问
- 挂钩某些系统调用
依赖分析
根据上面的探究后,我们实际上看一下这个越狱工具是怎样的。
把me.jjolano.shadow_2.0.20_iphoneos-arm.deb解压的目录大致如下
PS D:\Library> Get-ChildItem -Recurse
目录: D:\Library
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 2019/8/2 1:59 MobileSubstrate
d----- 2019/8/2 1:59 PreferenceBundles
d----- 2019/8/2 1:59 PreferenceLoader
目录: D:\Library\MobileSubstrate
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 2019/8/2 1:59 DynamicLibraries
目录: D:\Library\MobileSubstrate\DynamicLibraries
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 2019/8/2 1:59 728432 0Shadow.dylib
-a---- 2019/8/2 1:59 87 0Shadow.plist
目录: D:\Library\PreferenceBundles
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 2019/8/2 1:59 ShadowPreferences.bundle
目录: D:\Library\PreferenceBundles\ShadowPreferences.bundle
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 2019/7/14 1:29 en.lproj
-a---l 2021/4/10 0:27 0 Base.lproj
-a---- 2019/8/2 1:59 751 Icon-Small.png
-a---- 2019/8/2 1:59 1610 Icon-Small@2x.png
-a---- 2019/8/2 1:59 2693 Icon-Small@3x.png
-a---- 2019/8/2 1:59 404 Info.plist
-a---- 2019/8/2 1:59 3123 Root.plist
-a---- 2019/7/29 4:37 265808 ShadowPreferences
目录: D:\Library\PreferenceBundles\ShadowPreferences.bundle\en.lproj
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 2019/8/2 1:59 3915 Root.strings
目录: D:\Library\PreferenceLoader
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 2019/8/2 1:59 Preferences
目录: D:\Library\PreferenceLoader\Preferences
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 2019/8/2 1:59 199 ShadowPreferences.plist从大小来看,只有D:\Library\MobileSubstrate\DynamicLibraries\0Shadow.dylib值得分析,用IDA打开一看,看一下导入表
Address Ordinal Name Library
0000000000026830 _OBJC_CLASS_$_HBPreferences /Library/Frameworks/Cephei.framework/Cephei
0000000000026838 _MSGetImageByName /Library/Frameworks/CydiaSubstrate.framework/CydiaSubstrate
0000000000026840 _MSHookFunction /Library/Frameworks/CydiaSubstrate.framework/CydiaSubstrate
0000000000026848 _MSHookMessageEx /Library/Frameworks/CydiaSubstrate.framework/CydiaSubstrate
0000000000026800 _OBJC_CLASS_$_NSArray /System/Library/Frameworks/CoreFoundation.framework/CoreFoundation
0000000000026808 _OBJC_CLASS_$_NSDictionary /System/Library/Frameworks/CoreFoundation.framework/CoreFoundation
0000000000026810 _OBJC_CLASS_$_NSMutableArray /System/Library/Frameworks/CoreFoundation.framework/CoreFoundation
0000000000026818 _OBJC_CLASS_$_NSMutableDictionary /System/Library/Frameworks/CoreFoundation.framework/CoreFoundation
0000000000026820 _OBJC_CLASS_$_NSURL /System/Library/Frameworks/CoreFoundation.framework/CoreFoundation
0000000000026828 ___CFConstantStringClassReference /System/Library/Frameworks/CoreFoundation.framework/CoreFoundation
00000000000267A0 _NSCocoaErrorDomain /System/Library/Frameworks/Foundation.framework/Foundation
00000000000267A8 _NSLocalizedDescriptionKey /System/Library/Frameworks/Foundation.framework/Foundation
00000000000267B0 _NSLocalizedFailureReasonErrorKey /System/Library/Frameworks/Foundation.framework/Foundation
00000000000267B8 _NSLocalizedRecoverySuggestionErrorKey /System/Library/Frameworks/Foundation.framework/Foundation
00000000000267C0 _OBJC_CLASS_$_NSBundle /System/Library/Frameworks/Foundation.framework/Foundation
00000000000267C8 _OBJC_CLASS_$_NSCharacterSet /System/Library/Frameworks/Foundation.framework/Foundation
00000000000267D0 _OBJC_CLASS_$_NSError /System/Library/Frameworks/Foundation.framework/Foundation
00000000000267D8 _OBJC_CLASS_$_NSFileManager /System/Library/Frameworks/Foundation.framework/Foundation
00000000000267E0 _OBJC_CLASS_$_NSNumber /System/Library/Frameworks/Foundation.framework/Foundation
00000000000267E8 _OBJC_CLASS_$_NSProcessInfo /System/Library/Frameworks/Foundation.framework/Foundation
00000000000267F0 _OBJC_CLASS_$_NSString /System/Library/Frameworks/Foundation.framework/Foundation
00000000000267F8 _OBJC_CLASS_$_NSValue /System/Library/Frameworks/Foundation.framework/Foundation
0000000000026858 _NSVersionOfLinkTimeLibrary /usr/lib/libSystem.B.dylib
0000000000026860 _NSVersionOfRunTimeLibrary /usr/lib/libSystem.B.dylib
0000000000026868 ___stack_chk_guard /usr/lib/libSystem.B.dylib
0000000000026870 __dyld_get_image_name /usr/lib/libSystem.B.dylib
0000000000026878 __dyld_image_count /usr/lib/libSystem.B.dylib
0000000000026880 _access /usr/lib/libSystem.B.dylib
0000000000026888 _chdir /usr/lib/libSystem.B.dylib
0000000000026890 _chroot /usr/lib/libSystem.B.dylib
0000000000026898 _creat /usr/lib/libSystem.B.dylib
00000000000268A0 _csops /usr/lib/libSystem.B.dylib
00000000000268A8 _dladdr /usr/lib/libSystem.B.dylib
00000000000268B0 _dlopen /usr/lib/libSystem.B.dylib
00000000000268B8 _dlopen_preflight /usr/lib/libSystem.B.dylib
00000000000268C0 _dlsym /usr/lib/libSystem.B.dylib
00000000000268C8 _faccessat /usr/lib/libSystem.B.dylib
00000000000268D0 _fchdir /usr/lib/libSystem.B.dylib
00000000000268D8 _fopen /usr/lib/libSystem.B.dylib
00000000000268E0 _fork /usr/lib/libSystem.B.dylib
00000000000268E8 _freopen /usr/lib/libSystem.B.dylib
00000000000268F0 _fstat /usr/lib/libSystem.B.dylib
00000000000268F8 _fstatat /usr/lib/libSystem.B.dylib
0000000000026900 _fstatfs /usr/lib/libSystem.B.dylib
0000000000026908 _getegid /usr/lib/libSystem.B.dylib
0000000000026910 _getenv /usr/lib/libSystem.B.dylib
0000000000026918 _geteuid /usr/lib/libSystem.B.dylib
0000000000026920 _getgid /usr/lib/libSystem.B.dylib
0000000000026928 _getppid /usr/lib/libSystem.B.dylib
0000000000026930 _getuid /usr/lib/libSystem.B.dylib
0000000000026938 _link /usr/lib/libSystem.B.dylib
0000000000026940 _lstat /usr/lib/libSystem.B.dylib
0000000000026948 _open /usr/lib/libSystem.B.dylib
0000000000026950 _openat /usr/lib/libSystem.B.dylib
0000000000026958 _opendir /usr/lib/libSystem.B.dylib
0000000000026960 _popen /usr/lib/libSystem.B.dylib
0000000000026968 _posix_spawn /usr/lib/libSystem.B.dylib
0000000000026970 _posix_spawnp /usr/lib/libSystem.B.dylib
0000000000026978 _readdir /usr/lib/libSystem.B.dylib
0000000000026980 _readlink /usr/lib/libSystem.B.dylib
0000000000026988 _readlinkat /usr/lib/libSystem.B.dylib
0000000000026990 _realpath$DARWIN_EXTSN /usr/lib/libSystem.B.dylib
0000000000026998 _remove /usr/lib/libSystem.B.dylib
00000000000269A0 _rename /usr/lib/libSystem.B.dylib
00000000000269A8 _rmdir /usr/lib/libSystem.B.dylib
00000000000269B0 _setegid /usr/lib/libSystem.B.dylib
00000000000269B8 _seteuid /usr/lib/libSystem.B.dylib
00000000000269C0 _setgid /usr/lib/libSystem.B.dylib
00000000000269C8 _setregid /usr/lib/libSystem.B.dylib
00000000000269D0 _setreuid /usr/lib/libSystem.B.dylib
00000000000269D8 _setuid /usr/lib/libSystem.B.dylib
00000000000269E0 _stat /usr/lib/libSystem.B.dylib
00000000000269E8 _statfs /usr/lib/libSystem.B.dylib
00000000000269F0 _symlink /usr/lib/libSystem.B.dylib
00000000000269F8 _sysctl /usr/lib/libSystem.B.dylib
0000000000026A00 _unlink /usr/lib/libSystem.B.dylib
0000000000026A08 _unlinkat /usr/lib/libSystem.B.dylib
0000000000026A10 _vfork /usr/lib/libSystem.B.dylib
0000000000026A18 dyld_stub_binder /usr/lib/libSystem.B.dylib
0000000000026A20 __Unwind_Resume /usr/lib/libSystem.B.dylib
0000000000026A28 ___error /usr/lib/libSystem.B.dylib
0000000000026A30 ___stack_chk_fail /usr/lib/libSystem.B.dylib
0000000000026A38 __dyld_register_func_for_add_image /usr/lib/libSystem.B.dylib
0000000000026A40 _dirfd /usr/lib/libSystem.B.dylib
0000000000026A48 _dlclose /usr/lib/libSystem.B.dylib
0000000000026A50 _fclose /usr/lib/libSystem.B.dylib
0000000000026A58 _fcntl /usr/lib/libSystem.B.dylib
0000000000026A60 _free /usr/lib/libSystem.B.dylib
0000000000026A68 _getpid /usr/lib/libSystem.B.dylib
0000000000026A70 _strcmp /usr/lib/libSystem.B.dylib
0000000000026A78 _strlen /usr/lib/libSystem.B.dylib
0000000000026850 ___gxx_personality_v0 /usr/lib/libc++.1.dylib
0000000000026720 _OBJC_CLASS_$_NSObject /usr/lib/libobjc.A.dylib
0000000000026728 _OBJC_METACLASS_$_NSObject /usr/lib/libobjc.A.dylib
0000000000026730 __objc_empty_cache /usr/lib/libobjc.A.dylib
0000000000026738 _objc_copyClassNamesForImage /usr/lib/libobjc.A.dylib
0000000000026740 _objc_copyImageNames /usr/lib/libobjc.A.dylib
0000000000026748 _objc_autoreleaseReturnValue /usr/lib/libobjc.A.dylib
0000000000026750 _objc_enumerationMutation /usr/lib/libobjc.A.dylib
0000000000026758 _objc_getClass /usr/lib/libobjc.A.dylib
0000000000026760 _objc_msgSend /usr/lib/libobjc.A.dylib
0000000000026768 _objc_msgSendSuper2 /usr/lib/libobjc.A.dylib
0000000000026770 _objc_release /usr/lib/libobjc.A.dylib
0000000000026778 _objc_retain /usr/lib/libobjc.A.dylib
0000000000026780 _objc_retainAutorelease /usr/lib/libobjc.A.dylib
0000000000026788 _objc_retainAutoreleasedReturnValue /usr/lib/libobjc.A.dylib
0000000000026790 _objc_storeStrong /usr/lib/libobjc.A.dylib
0000000000026798 _object_getClass /usr/lib/libobjc.A.dylib可以看到,这个工具除了系统的框架外,只引用了/Library/Frameworks/Cephei.framework/Cephei, /Library/Frameworks/CydiaSubstrate.framework/CydiaSubstrate两个框架,而根据
https://hbang.github.io/libcephei/ 和https://iphonedev.wiki/index.php/Cydia_Substrate,这两个框架都是越狱框架。
对这个导入项进行分析
剩余内容请关注本人公众号debugeeker, 链接为iOS有反检测能力的越狱工具shadow的分析和检测
本文参与 腾讯云自媒体同步曝光计划,分享自作者个人站点/博客。
原始发表:2021/04/16 ,如有侵权请联系 cloudcommunity@tencent.com 删除
评论
登录后参与评论
推荐阅读
目录
相关产品与服务
腾讯云开发者
