Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2024-11-26 06:30:37 +00:00
Code Issues Projects Releases Packages Wiki Activity
hacktricks/mobile-pentesting/ios-pentesting/ios-hooking-with-objection.md

279 lines
14 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<details>
<summary><strong>从零开始学习AWS黑客技术成为专家</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTEHackTricks AWS Red Team Expert</strong></a><strong></strong></summary>
其他支持HackTricks的方式
* 如果您想看到您的**公司在HackTricks中做广告**或**下载PDF格式的HackTricks**,请查看[**订阅计划**](https://github.com/sponsors/carlospolop)!
* 获取[**官方PEASS & HackTricks周边产品**](https://peass.creator-spring.com)
* 发现[**PEASS家族**](https://opensea.io/collection/the-peass-family),我们的独家[**NFTs**](https://opensea.io/collection/the-peass-family)
* **加入** 💬 [**Discord群**](https://discord.gg/hRep4RUj7f) 或 [**电报群**](https://t.me/peass) 或 **关注**我们的**Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**。**
* 通过向[**HackTricks**](https://github.com/carlospolop/hacktricks)和[**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github仓库提交PR来分享您的黑客技巧。
</details>
对于本节,将使用工具[**Objection**](https://github.com/sensepost/objection)。\
首先要获取一个Objection的会话执行类似以下命令
```bash
objection -d --gadget "iGoat-Swift" explore
objection -d --gadget "OWASP.iGoat-Swift" explore
```
你也可以执行 `frida-ps -Uia` 来检查手机上正在运行的进程。
# 应用程序的基本枚举
## 本地应用程序路径
* `env`: 查找应用程序在设备内部存储的路径
```bash
env
Name Path
----------------- -----------------------------------------------------------------------------------------------
BundlePath /private/var/containers/Bundle/Application/179A6E8B-E7A8-476E-BBE3-B9300F546068/iGoat-Swift.app
CachesDirectory /var/mobile/Containers/Data/Application/A079DF84-726C-4AEA-A194-805B97B3684A/Library/Caches
DocumentDirectory /var/mobile/Containers/Data/Application/A079DF84-726C-4AEA-A194-805B97B3684A/Documents
LibraryDirectory /var/mobile/Containers/Data/Application/A079DF84-726C-4AEA-A194-805B97B3684A/Library
```
## 列出捆绑包、框架和库
* `ios bundles list_bundles`: 列出应用程序的捆绑包
```bash
ios bundles list_bundles
Executable Bundle Version Path
------------ -------------------- --------- -------------------------------------------
iGoat-Swift OWASP.iGoat-Swift 1.0 ...8-476E-BBE3-B9300F546068/iGoat-Swift.app
AGXMetalA9 com.apple.AGXMetalA9 172.18.4 ...tem/Library/Extensions/AGXMetalA9.bundle
```
* `ios bundles list_frameworks`: 列出应用程序使用的外部框架
```bash
ios bundles list_frameworks
Executable Bundle Version Path
------------------------------ -------------------------------------------- ---------- -------------------------------------------
ReactCommon org.cocoapods.ReactCommon 0.61.5 ...tle.app/Frameworks/ReactCommon.framework
...vateFrameworks/CoreDuetContext.framework
FBReactNativeSpec org.cocoapods.FBReactNativeSpec 0.61.5 ...p/Frameworks/FBReactNativeSpec.framework
...ystem/Library/Frameworks/IOKit.framework
RCTAnimation org.cocoapods.RCTAnimation 0.61.5 ...le.app/Frameworks/RCTAnimation.framework
jsinspector org.cocoapods.jsinspector 0.61.5 ...tle.app/Frameworks/jsinspector.framework
DoubleConversion org.cocoapods.DoubleConversion 1.1.6 ...pp/Frameworks/DoubleConversion.framework
react_native_config org.cocoapods.react-native-config 0.12.0 ...Frameworks/react_native_config.framework
react_native_netinfo org.cocoapods.react-native-netinfo 4.4.0 ...rameworks/react_native_netinfo.framework
PureLayout org.cocoapods.PureLayout 3.1.5 ...ttle.app/Frameworks/PureLayout.framework
GoogleUtilities org.cocoapods.GoogleUtilities 6.6.0 ...app/Frameworks/GoogleUtilities.framework
RCTNetwork org.cocoapods.RCTNetwork 0.61.5 ...ttle.app/Frameworks/RCTNetwork.framework
RCTActionSheet org.cocoapods.RCTActionSheet 0.61.5 ....app/Frameworks/RCTActionSheet.framework
react_native_image_editor org.cocoapods.react-native-image-editor 2.1.0 ...orks/react_native_image_editor.framework
CoreModules org.cocoapods.CoreModules 0.61.5 ...tle.app/Frameworks/CoreModules.framework
RCTVibration org.cocoapods.RCTVibration 0.61.5 ...le.app/Frameworks/RCTVibration.framework
RNGestureHandler org.cocoapods.RNGestureHandler 1.6.1 ...pp/Frameworks/RNGestureHandler.framework
RNCClipboard org.cocoapods.RNCClipboard 1.5.1 ...le.app/Frameworks/RNCClipboard.framework
react_native_image_picker org.cocoapods.react-native-image-picker 2.3.4 ...orks/react_native_image_picker.framework
[..]
```
* `memory list modules`: 列出内存中加载的模块
```bash
memory list modules
Name Base Size Path
----------------------------------- ----------- ------------------- ------------------------------------------------------------------------------
iGoat-Swift 0x104ffc000 2326528 (2.2 MiB) /private/var/containers/Bundle/Application/179A6E8B-E7A8-476E-BBE3-B9300F54...
SubstrateBootstrap.dylib 0x105354000 16384 (16.0 KiB) /usr/lib/substrate/SubstrateBootstrap.dylib
SystemConfiguration 0x1aa842000 495616 (484.0 KiB) /System/Library/Frameworks/SystemConfiguration.framework/SystemConfiguratio...
libc++.1.dylib 0x1bdcfd000 368640 (360.0 KiB) /usr/lib/libc++.1.dylib
libz.1.dylib 0x1efd3c000 73728 (72.0 KiB) /usr/lib/libz.1.dylib
libsqlite3.dylib 0x1c267f000 1585152 (1.5 MiB) /usr/lib/libsqlite3.dylib
Foundation 0x1ab550000 2732032 (2.6 MiB) /System/Library/Frameworks/Foundation.framework/Foundation
libobjc.A.dylib 0x1bdc64000 233472 (228.0 KiB) /usr/lib/libobjc.A.dylib
[...]
```
* `memory list exports <module_name>`: 加载模块的导出
```bash
memory list exports iGoat-Swift
Type Name Address
-------- -------------------------------------------------------------------------------------------------------------------------------------- -----------
variable _mh_execute_header 0x104ffc000
function _mdictof 0x10516cb88
function _ZN9couchbase6differ10BaseDifferD2Ev 0x10516486c
function _ZN9couchbase6differ10BaseDifferD1Ev 0x1051648f4
function _ZN9couchbase6differ10BaseDifferD0Ev 0x1051648f8
function _ZN9couchbase6differ10BaseDiffer5setupEmm 0x10516490c
function _ZN9couchbase6differ10BaseDiffer11allocStripeEmm 0x105164a20
function _ZN9couchbase6differ10BaseDiffer7computeEmmj 0x105164ad8
function _ZN9couchbase6differ10BaseDiffer7changesEv 0x105164de4
function _ZN9couchbase6differ10BaseDiffer9addChangeENS0_6ChangeE 0x105164fa8
function _ZN9couchbase6differlsERNSt3__113basic_ostreamIcNS1_11char_traitsIcEEEERKNS0_6ChangeE 0x1051651d8
function _ZN9couchbase6differlsERNSt3__113basic_ostreamIcNS1_11char_traitsIcEEEERKNS1_6vectorINS0_6ChangeENS1_9allocatorIS8_EEEE 0x105165280
variable _ZTSN9couchbase6differ10BaseDifferE 0x1051d94f0
variable _ZTVN9couchbase6differ10BaseDifferE 0x10523c0a0
variable _ZTIN9couchbase6differ10BaseDifferE 0x10523c0f8
[..]
```
## 列出应用程序的类
* `ios hooking list classes`: 列出应用程序的类
```bash
ios hooking list classes
AAAbsintheContext
AAAbsintheSigner
AAAbsintheSignerContextCache
AAAcceptedTermsController
AAAccount
AAAccountManagementUIResponse
AAAccountManager
AAAddEmailUIRequest
AAAppleIDSettingsRequest
AAAppleTVRequest
[...]
```
* `ios hooking search classes <search_term>`: 搜索包含特定字符串的类。您可以**搜索与主应用程序包名称相关的某些唯一术语**,以查找应用程序的主要类,如示例中所示:
```bash
ios hooking search classes iGoat
iGoat_Swift.CoreDataHelper
iGoat_Swift.RCreditInfo
iGoat_Swift.SideContainmentSegue
iGoat_Swift.CenterContainmentSegue
iGoat_Swift.KeyStorageServerSideVC
iGoat_Swift.HintVC
iGoat_Swift.BinaryCookiesExerciseVC
iGoat_Swift.ExerciseDemoVC
iGoat_Swift.PlistStorageExerciseViewController
iGoat_Swift.CouchBaseExerciseVC
iGoat_Swift.MemoryManagementVC
[...]
```
## 列出类方法
* `ios hooking list class_methods`: 列出特定类的方法
```bash
ios hooking list class_methods iGoat_Swift.RCreditInfo
- cvv
- setCvv:
- setName:
- .cxx_destruct
- name
- cardNumber
- init
- initWithValue:
- setCardNumber:
```
* `ios hooking search methods <search_term>`: 搜索包含特定字符串的方法
```bash
ios hooking search methods cvv
[AMSFinanceVerifyPurchaseResponse + _dialogRequestForCVVFromPayload:verifyType:]
[AMSFinanceVerifyPurchaseResponse - _handleCVVDialogResult:shouldReattempt:]
[AMSFinanceVerifyPurchaseResponse - _runCVVRequestForCode:error:]
[iGoat_Swift.RCreditInfo - cvv]
[iGoat_Swift.RCreditInfo - setCvv:]
[iGoat_Swift.RealmExerciseVC - creditCVVTextField]
[iGoat_Swift.RealmExerciseVC - setCreditCVVTextField:]
[iGoat_Swift.DeviceLogsExerciseVC - cvvTextField]
[iGoat_Swift.DeviceLogsExerciseVC - setCvvTextField:]
[iGoat_Swift.CloudMisconfigurationExerciseVC - cvvTxtField]
[iGoat_Swift.CloudMisconfigurationExerciseVC - setCvvTxtField:]
```
# 基本Hooking
现在您已经**枚举了应用程序使用的类和模块**,可能已经找到了一些**有趣的类和方法名称**。
## 钩住类的所有方法
* `ios hooking watch class <class_name>`: 钩住类的所有方法,转储所有初始参数和返回值
```bash
ios hooking watch class iGoat_Swift.PlistStorageExerciseViewController
```
## 钩住单个方法
* `ios hooking watch method "-[<class_name> <method_name>]" --dump-args --dump-return --dump-backtrace`: 钩住类的特定方法,每次调用时转储参数、回溯和返回值
```bash
ios hooking watch method "-[iGoat_Swift.BinaryCookiesExerciseVC verifyItemPressed]" --dump-args --dump-backtrace --dump-return
```
## 更改布尔返回值
* `ios hooking set return_value "-[<class_name> <method_name>]" false`: 这将使所选方法返回指定的布尔值
```bash
ios hooking set return_value "-[iGoat_Swift.BinaryCookiesExerciseVC verifyItemPressed]" false
```
## 生成Hooking模板
* `ios hooking generate simple <class_name>`:
```bash
ios hooking generate simple iGoat_Swift.RCreditInfo
var target = ObjC.classes.iGoat_Swift.RCreditInfo;
Interceptor.attach(target['+ sharedSchema'].implementation, {
onEnter: function (args) {
console.log('Entering + sharedSchema!');
},
onLeave: function (retval) {
console.log('Leaving + sharedSchema');
},
});
Interceptor.attach(target['+ className'].implementation, {
onEnter: function (args) {
console.log('Entering + className!');
},
onLeave: function (retval) {
console.log('Leaving + className');
},
});
Interceptor.attach(target['- cvv'].implementation, {
onEnter: function (args) {
console.log('Entering - cvv!');
},
onLeave: function (retval) {
console.log('Leaving - cvv');
},
});
Interceptor.attach(target['- setCvv:'].implementation, {
onEnter: function (args) {
console.log('Entering - setCvv:!');
},
onLeave: function (retval) {
console.log('Leaving - setCvv:');
},
});
```
<details>
<summary><strong>从零开始学习AWS黑客技术成为专家</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTEHackTricks AWS Red Team Expert</strong></a><strong></strong></summary>
支持HackTricks的其他方式
* 如果您想在HackTricks中看到**您的公司广告**或**下载PDF版本的HackTricks**,请查看[**订阅计划**](https://github.com/sponsors/carlospolop)!
* 获取[**官方PEASS & HackTricks周边产品**](https://peass.creator-spring.com)
* 探索我们的独家[NFT收藏品**The PEASS Family**](https://opensea.io/collection/the-peass-family)
* **加入** 💬 [**Discord群**](https://discord.gg/hRep4RUj7f) 或 [**电报群**](https://t.me/peass) 或在**Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**上关注**我们。
* 通过向[**HackTricks**](https://github.com/carlospolop/hacktricks)和[**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github仓库提交PR来分享您的黑客技巧。
</details>
Reference in a new issue View git blame Copy permalink