mirror of
https://github.com/carlospolop/hacktricks
synced 2024-12-24 03:53:29 +00:00
281 lines
12 KiB
Markdown
281 lines
12 KiB
Markdown
# macOS函数挂钩
|
||
|
||
<details>
|
||
|
||
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks云 ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 推特 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
||
|
||
* 你在一家**网络安全公司**工作吗?你想在HackTricks中看到你的**公司广告**吗?或者你想获得**PEASS的最新版本或下载PDF格式的HackTricks**吗?请查看[**订阅计划**](https://github.com/sponsors/carlospolop)!
|
||
* 发现我们的独家[NFT](https://opensea.io/collection/the-peass-family)收藏品[**The PEASS Family**](https://opensea.io/collection/the-peass-family)
|
||
* 获得[**官方PEASS和HackTricks周边产品**](https://peass.creator-spring.com)
|
||
* **加入**[**💬**](https://emojipedia.org/speech-balloon/) [**Discord群组**](https://discord.gg/hRep4RUj7f)或[**电报群组**](https://t.me/peass)或**关注**我在**Twitter**上的[**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**。**
|
||
* **通过向**[**hacktricks repo**](https://github.com/carlospolop/hacktricks) **和**[**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud) **提交PR来分享你的黑客技巧。**
|
||
|
||
</details>
|
||
|
||
## 函数替换
|
||
|
||
创建一个包含指向**原始函数**和**替换函数**的**函数指针**元组的**dylib**,并带有一个**`__interpose`**部分(或带有**`S_INTERPOSING`**标志的部分)。
|
||
|
||
然后,使用**`DYLD_INSERT_LIBRARIES`**注入dylib(替换需要在主应用程序加载之前发生)。显然,这个限制受到了对DYLD\_INSERT\_LIBRARIES使用的限制。 
|
||
|
||
### 替换printf
|
||
|
||
{% tabs %}
|
||
{% tab title="interpose.c" %}
|
||
{% code title="interpose.c" %}
|
||
```c
|
||
// gcc -dynamiclib interpose.c -o interpose.dylib
|
||
#include <stdio.h>
|
||
#include <stdarg.h>
|
||
|
||
int my_printf(const char *format, ...) {
|
||
//va_list args;
|
||
//va_start(args, format);
|
||
//int ret = vprintf(format, args);
|
||
//va_end(args);
|
||
|
||
int ret = printf("[+] Hello from interpose\n");
|
||
return ret;
|
||
}
|
||
|
||
__attribute__((used)) static struct { const void *replacement; const void *replacee; } _interpose_printf
|
||
__attribute__ ((section ("__DATA,__interpose"))) = { (const void *)(unsigned long)&my_printf, (const void *)(unsigned long)&printf };
|
||
```
|
||
{% endcode %}
|
||
{% endtab %}
|
||
|
||
{% tab title="hello.c" %}
|
||
```c
|
||
//gcc hello.c -o hello
|
||
#include <stdio.h>
|
||
|
||
int main() {
|
||
printf("Hello, World!\n");
|
||
return 0;
|
||
}
|
||
```
|
||
{% endtab %}
|
||
{% endtabs %}
|
||
```bash
|
||
DYLD_INSERT_LIBRARIES=./interpose.dylib ./hello
|
||
[+] Hello from interpose
|
||
```
|
||
## 方法交换
|
||
|
||
在ObjectiveC中,方法的调用方式是:`[myClassInstance nameOfTheMethodFirstParam:param1 secondParam:param2]`
|
||
|
||
需要提供**对象**、**方法**和**参数**。当调用方法时,会使用函数**`objc_msgSend`**发送一条消息:`int i = ((int (*)(id, SEL, NSString *, NSString *))objc_msgSend)(someObject, @selector(method1p1:p2:), value1, value2);`
|
||
|
||
对象是**`someObject`**,方法是**`@selector(method1p1:p2:)`**,参数是**value1**和**value2**。
|
||
|
||
根据对象的结构,可以找到一个包含方法**名称**和**指向方法代码的指针**的方法数组。
|
||
|
||
{% hint style="danger" %}
|
||
请注意,由于方法和类是根据名称访问的,这些信息存储在二进制文件中,因此可以使用`otool -ov </path/bin>`或[`class-dump </path/bin>`](https://github.com/nygard/class-dump)来检索它们。
|
||
{% endhint %}
|
||
|
||
### 访问原始方法
|
||
|
||
可以访问方法的信息,例如名称、参数数量或地址,如下面的示例所示:
|
||
```objectivec
|
||
// gcc -framework Foundation test.m -o test
|
||
|
||
#import <Foundation/Foundation.h>
|
||
#import <objc/runtime.h>
|
||
#import <objc/message.h>
|
||
|
||
int main() {
|
||
// Get class of the variable
|
||
NSString* str = @"This is an example";
|
||
Class strClass = [str class];
|
||
NSLog(@"str's Class name: %s", class_getName(strClass));
|
||
|
||
// Get parent class of a class
|
||
Class strSuper = class_getSuperclass(strClass);
|
||
NSLog(@"Superclass name: %@",NSStringFromClass(strSuper));
|
||
|
||
// Get information about a method
|
||
SEL sel = @selector(length);
|
||
NSLog(@"Selector name: %@", NSStringFromSelector(sel));
|
||
Method m = class_getInstanceMethod(strClass,sel);
|
||
NSLog(@"Number of arguments: %d", method_getNumberOfArguments(m));
|
||
NSLog(@"Implementation address: 0x%lx", (unsigned long)method_getImplementation(m));
|
||
|
||
// Iterate through the class hierarchy
|
||
NSLog(@"Listing methods:");
|
||
Class currentClass = strClass;
|
||
while (currentClass != NULL) {
|
||
unsigned int inheritedMethodCount = 0;
|
||
Method* inheritedMethods = class_copyMethodList(currentClass, &inheritedMethodCount);
|
||
|
||
NSLog(@"Number of inherited methods in %s: %u", class_getName(currentClass), inheritedMethodCount);
|
||
|
||
for (unsigned int i = 0; i < inheritedMethodCount; i++) {
|
||
Method method = inheritedMethods[i];
|
||
SEL selector = method_getName(method);
|
||
const char* methodName = sel_getName(selector);
|
||
unsigned long address = (unsigned long)method_getImplementation(m);
|
||
NSLog(@"Inherited method name: %s (0x%lx)", methodName, address);
|
||
}
|
||
|
||
// Free the memory allocated by class_copyMethodList
|
||
free(inheritedMethods);
|
||
currentClass = class_getSuperclass(currentClass);
|
||
}
|
||
|
||
// Other ways to call uppercaseString method
|
||
if([str respondsToSelector:@selector(uppercaseString)]) {
|
||
NSString *uppercaseString = [str performSelector:@selector(uppercaseString)];
|
||
NSLog(@"Uppercase string: %@", uppercaseString);
|
||
}
|
||
|
||
// Using objc_msgSend directly
|
||
NSString *uppercaseString2 = ((NSString *(*)(id, SEL))objc_msgSend)(str, @selector(uppercaseString));
|
||
NSLog(@"Uppercase string: %@", uppercaseString2);
|
||
|
||
// Calling the address directly
|
||
IMP imp = method_getImplementation(class_getInstanceMethod(strClass, @selector(uppercaseString))); // Get the function address
|
||
NSString *(*callImp)(id,SEL) = (typeof(callImp))imp; // Generates a function capable to method from imp
|
||
NSString *uppercaseString3 = callImp(str,@selector(uppercaseString)); // Call the method
|
||
NSLog(@"Uppercase string: %@", uppercaseString3);
|
||
|
||
return 0;
|
||
}
|
||
```
|
||
### 使用method\_exchangeImplementations进行方法交换
|
||
|
||
函数method\_exchangeImplementations允许将一个函数的地址更改为另一个函数的地址。因此,当调用一个函数时,实际执行的是另一个函数。
|
||
```objectivec
|
||
//gcc -framework Foundation swizzle_str.m -o swizzle_str
|
||
|
||
#import <Foundation/Foundation.h>
|
||
#import <objc/runtime.h>
|
||
|
||
|
||
// Create a new category for NSString with the method to execute
|
||
@interface NSString (SwizzleString)
|
||
|
||
- (NSString *)swizzledSubstringFromIndex:(NSUInteger)from;
|
||
|
||
@end
|
||
|
||
@implementation NSString (SwizzleString)
|
||
|
||
- (NSString *)swizzledSubstringFromIndex:(NSUInteger)from {
|
||
NSLog(@"Custom implementation of substringFromIndex:");
|
||
|
||
// Call the original method
|
||
return [self swizzledSubstringFromIndex:from];
|
||
}
|
||
|
||
@end
|
||
|
||
int main(int argc, const char * argv[]) {
|
||
// Perform method swizzling
|
||
Method originalMethod = class_getInstanceMethod([NSString class], @selector(substringFromIndex:));
|
||
Method swizzledMethod = class_getInstanceMethod([NSString class], @selector(swizzledSubstringFromIndex:));
|
||
method_exchangeImplementations(originalMethod, swizzledMethod);
|
||
|
||
// We changed the address of one method for the other
|
||
// Now when the method substringFromIndex is called, what is really coode is swizzledSubstringFromIndex
|
||
// And when swizzledSubstringFromIndex is called, substringFromIndex is really colled
|
||
|
||
// Example usage
|
||
NSString *myString = @"Hello, World!";
|
||
NSString *subString = [myString substringFromIndex:7];
|
||
NSLog(@"Substring: %@", subString);
|
||
|
||
return 0;
|
||
}
|
||
```
|
||
### 使用method\_setImplementation进行方法交换
|
||
|
||
之前的格式很奇怪,因为你正在改变一个方法的实现方式,将其替换为另一个方法。使用函数**`method_setImplementation`**,你可以将一个方法的实现方式**更改为另一个方法**。
|
||
|
||
只需记住,如果你打算在新的实现方式中调用原始方法的实现方式,**请先存储原始方法实现方式的地址**,因为稍后要定位该地址将变得更加复杂。
|
||
```objectivec
|
||
#import <Foundation/Foundation.h>
|
||
#import <objc/runtime.h>
|
||
#import <objc/message.h>
|
||
|
||
static IMP original_substringFromIndex = NULL;
|
||
|
||
@interface NSString (Swizzlestring)
|
||
|
||
- (NSString *)swizzledSubstringFromIndex:(NSUInteger)from;
|
||
|
||
@end
|
||
|
||
@implementation NSString (Swizzlestring)
|
||
|
||
- (NSString *)swizzledSubstringFromIndex:(NSUInteger)from {
|
||
NSLog(@"Custom implementation of substringFromIndex:");
|
||
|
||
// Call the original implementation using objc_msgSendSuper
|
||
return ((NSString *(*)(id, SEL, NSUInteger))original_substringFromIndex)(self, _cmd, from);
|
||
}
|
||
|
||
@end
|
||
|
||
int main(int argc, const char * argv[]) {
|
||
@autoreleasepool {
|
||
// Get the class of the target method
|
||
Class stringClass = [NSString class];
|
||
|
||
// Get the swizzled and original methods
|
||
Method originalMethod = class_getInstanceMethod(stringClass, @selector(substringFromIndex:));
|
||
|
||
// Get the function pointer to the swizzled method's implementation
|
||
IMP swizzledIMP = method_getImplementation(class_getInstanceMethod(stringClass, @selector(swizzledSubstringFromIndex:)));
|
||
|
||
// Swap the implementations
|
||
// It return the now overwritten implementation of the original method to store it
|
||
original_substringFromIndex = method_setImplementation(originalMethod, swizzledIMP);
|
||
|
||
// Example usage
|
||
NSString *myString = @"Hello, World!";
|
||
NSString *subString = [myString substringFromIndex:7];
|
||
NSLog(@"Substring: %@", subString);
|
||
|
||
// Set the original implementation back
|
||
method_setImplementation(originalMethod, original_substringFromIndex);
|
||
|
||
return 0;
|
||
}
|
||
}
|
||
```
|
||
## 钩子攻击方法论
|
||
|
||
在本页面中,讨论了不同的函数钩子方式。然而,它们都涉及到在进程内运行代码来进行攻击。
|
||
|
||
为了做到这一点,最简单的技术是通过环境变量或劫持来注入[Dyld](../macos-dyld-hijacking-and-dyld\_insert\_libraries.md)。然而,我猜这也可以通过[Dylib进程注入](macos-ipc-inter-process-communication/#dylib-process-injection-via-task-port)来实现。
|
||
|
||
然而,这两种选项都**限制**于**未受保护**的二进制文件/进程。请查看每种技术以了解更多限制信息。
|
||
|
||
然而,函数钩子攻击非常具体,攻击者会使用这种方法来从进程内部窃取敏感信息(如果不是这样,你只会进行进程注入攻击)。而这些敏感信息可能位于用户下载的应用程序中,如MacPass。
|
||
|
||
因此,攻击者的方式要么是找到一个漏洞,要么是剥离应用程序的签名,通过应用程序的Info.plist注入**`DYLD_INSERT_LIBRARIES`**环境变量,添加类似以下内容:
|
||
```xml
|
||
<key>LSEnvironment</key>
|
||
<dict>
|
||
<key>DYLD_INSERT_LIBRARIES</key>
|
||
<string>/Applications/MacPass.app/Contents/malicious.dylib</string>
|
||
</dict>
|
||
```
|
||
在该库中添加挂钩代码以窃取信息:密码、消息...
|
||
|
||
## 参考资料
|
||
|
||
* [https://nshipster.com/method-swizzling/](https://nshipster.com/method-swizzling/)
|
||
|
||
<details>
|
||
|
||
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks 云 ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
||
|
||
* 你在一家**网络安全公司**工作吗?想要在 HackTricks 中**宣传你的公司**吗?或者想要**获取最新版本的 PEASS 或下载 PDF 格式的 HackTricks**吗?请查看[**订阅计划**](https://github.com/sponsors/carlospolop)!
|
||
* 发现我们的独家[**NFTs**](https://opensea.io/collection/the-peass-family)收藏品——[**The PEASS Family**](https://opensea.io/collection/the-peass-family)
|
||
* 获取[**官方 PEASS & HackTricks 商品**](https://peass.creator-spring.com)
|
||
* **加入**[**💬**](https://emojipedia.org/speech-balloon/) [**Discord 群组**](https://discord.gg/hRep4RUj7f) 或 [**Telegram 群组**](https://t.me/peass),或者**关注**我在**Twitter**上的[**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**。**
|
||
* **通过向**[**hacktricks 仓库**](https://github.com/carlospolop/hacktricks) **和**[**hacktricks-cloud 仓库**](https://github.com/carlospolop/hacktricks-cloud) **提交 PR 来分享你的黑客技巧。**
|
||
|
||
</details>
|