15 KiB
Mipangilio ya Frida kwenye iOS
Jifunze AWS hacking kutoka sifuri hadi shujaa na htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)!
Njia nyingine za kusaidia HackTricks:
- Ikiwa unataka kuona kampuni yako ikitangazwa kwenye HackTricks au kupakua HackTricks kwa PDF Angalia MIPANGO YA USAJILI!
- Pata bidhaa rasmi za PEASS & HackTricks
- Gundua Familia ya PEASS, mkusanyiko wetu wa NFTs ya kipekee
- Jiunge na 💬 Kikundi cha Discord au kikundi cha telegram au tufuate kwenye Twitter 🐦 @carlospolopm.
- Shiriki mbinu zako za kuhack kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.
WhiteIntel
WhiteIntel ni injini ya utaftaji inayotumia dark-web ambayo inatoa huduma za bure za kuangalia ikiwa kampuni au wateja wake wameathiriwa na malware za kuiba.
Lengo kuu la WhiteIntel ni kupambana na utekaji wa akaunti na mashambulio ya ransomware yanayotokana na malware za kuiba taarifa.
Unaweza kutembelea tovuti yao na kujaribu injini yao bure kwa:
{% embed url="https://whiteintel.io" %}
Kusakinisha Frida
Hatua za kusakinisha Frida kwenye kifaa kilichofanyiwa Jailbreak:
- Fungua programu ya Cydia/Sileo.
- Nenda kwa Usimamizi -> Vyanzo -> Hariri -> Ongeza.
- Ingiza "https://build.frida.re" kama URL.
- Nenda kwenye chanzo cha Frida kilichoongezwa hivi karibuni.
- Sakinisha pakiti ya Frida.
Ikiwa unatumia Corellium utahitaji kupakua kutolewa kwa Frida kutoka https://github.com/frida/frida/releases (frida-gadget-[yourversion]-ios-universal.dylib.gz
) na kufungua na kunakili kwenye eneo la dylib ambalo Frida inahitaji, k.m.: /Users/[youruser]/.cache/frida/gadget-ios.dylib
Baada ya kusakinishwa, unaweza kutumia amri frida-ls-devices
kwenye PC yako na kuhakikisha kuwa kifaa kinaonekana (PC yako inahitaji kuweza kufikia).
Tumia pia frida-ps -Uia
kuchunguza michakato inayoendeshwa kwenye simu.
Frida bila kifaa kilichofanyiwa Jailbreak & bila kubadilisha programu
Angalia chapisho hili la blogu kuhusu jinsi ya kutumia Frida kwenye vifaa visivyofanyiwa Jailbreak bila kubadilisha programu: https://mrbypass.medium.com/unlocking-potential-exploring-frida-objection-on-non-jailbroken-devices-without-application-ed0367a84f07
Usakinishaji wa Mteja wa Frida
Sakinisha zana za frida:
pip install frida-tools
pip install frida
Baada ya kusakinisha seva ya Frida na kifaa kikiwa kinaendeshwa na kimeunganishwa, angalia kama mteja anafanya kazi:
frida-ls-devices # List devices
frida-ps -Uia # Get running processes
Kufuatilia kwa Frida
# Functions
## Trace all functions with the word "log" in their name
frida-trace -U <program> -i "*log*"
frida-trace -U <program> -i "*log*" | swift demangle # Demangle names
# Objective-C
## Trace all methods of all classes
frida-trace -U <program> -m "*[* *]"
## Trace all methods with the word "authentication" from classes that start with "NE"
frida-trace -U <program> -m "*[NE* *authentication*]"
# Plug-In
## To hook a plugin that is momentarely executed prepare Frida indicating the ID of the Plugin binary
frida-trace -U -W <if-plugin-bin> -m '*[* *]'
Pata madarasa na njia zote
- Kukamilisha moja kwa moja: Tekeleza tu
frida -U <program>
- Pata madarasa yote yanayopatikana (pambanua kwa herufi)
// frida -U <program> -l /tmp/script.js
var filterClass = "filterstring";
if (ObjC.available) {
for (var className in ObjC.classes) {
if (ObjC.classes.hasOwnProperty(className)) {
if (!filterClass || className.includes(filterClass)) {
console.log(className);
}
}
}
} else {
console.log("Objective-C runtime is not available.");
}
{% endcode %}
- Pata njia zote za darasa (chuja kwa herufi)
// frida -U <program> -l /tmp/script.js
var specificClass = "YourClassName";
var filterMethod = "filtermethod";
if (ObjC.available) {
if (ObjC.classes.hasOwnProperty(specificClass)) {
var methods = ObjC.classes[specificClass].$ownMethods;
for (var i = 0; i < methods.length; i++) {
if (!filterMethod || methods[i].includes(filterClass)) {
console.log(specificClass + ': ' + methods[i]);
}
}
} else {
console.log("Class not found.");
}
} else {
console.log("Objective-C runtime is not available.");
}
{% endcode %}
- Piga simu kwa kazi
// Find the address of the function to call
const func_addr = Module.findExportByName("<Prog Name>", "<Func Name>");
// Declare the function to call
const func = new NativeFunction(
func_addr,
"void", ["pointer", "pointer", "pointer"], {
});
var arg0 = null;
// In this case to call this function we need to intercept a call to it to copy arg0
Interceptor.attach(wg_log_addr, {
onEnter: function(args) {
arg0 = new NativePointer(args[0]);
}
});
// Wait untill a call to the func occurs
while (! arg0) {
Thread.sleep(1);
console.log("waiting for ptr");
}
var arg1 = Memory.allocUtf8String('arg1');
var txt = Memory.allocUtf8String('Some text for arg2');
wg_log(arg0, arg1, txt);
console.log("loaded");
Frida Fuzzing
Frida Stalker
Kutoka kwa nyaraka: Stalker ni injini ya kufuatilia ya Frida. Inaruhusu nyuzi kufuatiliwa, kukamata kila kazi, kila kibodi, hata kila maagizo yanayotekelezwa.
Unayo mfano unaoendeleza Frida Stalker katika https://github.com/poxyran/misc/blob/master/frida-stalker-example.py
Huu ni mfano mwingine wa kuambatisha Frida Stalker kila wakati kazi inaitwa:
console.log("loading");
const wg_log_addr = Module.findExportByName("<Program>", "<function_name>");
const wg_log = new NativeFunction(
wg_log_addr,
"void", ["pointer", "pointer", "pointer"], {
});
Interceptor.attach(wg_log_addr, {
onEnter: function(args) {
console.log(`logging the following message: ${args[2].readCString()}`);
Stalker.follow({
events: {
// only collect coverage for newly encountered blocks
compile: true,
},
onReceive: function (events) {
const bbs = Stalker.parse(events, {
stringify: false,
annotate: false
});
console.log("Stalker trace of write_msg_to_log: \n" + bbs.flat().map(DebugSymbol.fromAddress).join('\n'));
}
});
},
onLeave: function(retval) {
Stalker.unfollow();
Stalker.flush(); // this is important to get all events
}
});
{% hint style="danger" %}
Hii ni ya kuvutia kwa madhumuni ya kutatua matatizo lakini kwa fuzzing, kuwa kila wakati .follow()
na .unfollow()
ni ya ufanisi sana.
{% endhint %}
Fpicker
fpicker ni zana ya kufanya fuzzing kwa kutumia Frida ambayo inatoa aina mbalimbali za modes za fuzzing kwa fuzzing ndani ya mchakato, kama vile mode ya AFL++ au mode ya ufuatiliaji wa kupita. Inapaswa kuendesha kwenye majukwaa yote yanayoungwa mkono na Frida.
- Sakinisha fpicker & radamsa
# Get fpicker
git clone https://github.com/ttdennis/fpicker
cd fpicker
# Get Frida core devkit and prepare fpicker
wget https://github.com/frida/frida/releases/download/16.1.4/frida-core-devkit-16.1.4-[yourOS]-[yourarchitecture].tar.xz
# e.g. https://github.com/frida/frida/releases/download/16.1.4/frida-core-devkit-16.1.4-macos-arm64.tar.xz
tar -xf ./*tar.xz
cp libfrida-core.a libfrida-core-[yourOS].a #libfrida-core-macos.a
# Install fpicker
make fpicker-[yourOS] # fpicker-macos
# This generates ./fpicker
# Install radamsa (fuzzer generator)
brew install radamsa
- Jitayarisha FS:
# From inside fpicker clone
mkdir -p examples/wg-log # Where the fuzzing script will be
mkdir -p examples/wg-log/out # For code coverage and crashes
mkdir -p examples/wg-log/in # For starting inputs
# Create at least 1 input for the fuzzer
echo Hello World > examples/wg-log/in/0
- Skripti la Fuzzer (
mfano/wg-log/myfuzzer.js
):
{% code title="mfano/wg-log/myfuzzer.js" %}
// Import the fuzzer base class
import { Fuzzer } from "../../harness/fuzzer.js";
class WGLogFuzzer extends Fuzzer {
constructor() {
console.log("WGLogFuzzer constructor called")
// Get and declare the function we are going to fuzz
var wg_log_addr = Module.findExportByName("<Program name>", "<func name to fuzz>");
var wg_log_func = new NativeFunction(
wg_log_addr,
"void", ["pointer", "pointer", "pointer"], {
});
// Initialize the object
super("<Program nane>", wg_log_addr, wg_log_func);
this.wg_log_addr = wg_log_addr; // We cannot use "this" before calling "super"
console.log("WGLogFuzzer in the middle");
// Prepare the second argument to pass to the fuzz function
this.tag = Memory.allocUtf8String("arg2");
// Get the first argument we need to pass from a call to the functino we want to fuzz
var wg_log_global_ptr = null;
console.log(this.wg_log_addr);
Interceptor.attach(this.wg_log_addr, {
onEnter: function(args) {
console.log("Entering in the function to get the first argument");
wg_log_global_ptr = new NativePointer(args[0]);
}
});
while (! wg_log_global_ptr) {
Thread.sleep(1)
}
this.wg_log_global_ptr = wg_log_global_ptr;
console.log("WGLogFuzzer prepare ended")
}
// This function is called by the fuzzer with the first argument being a pointer into memory
// where the payload is stored and the second the length of the input.
fuzz(payload, len) {
// Get a pointer to payload being a valid C string (with a null byte at the end)
var payload_cstring = payload.readCString(len);
this.payload = Memory.allocUtf8String(payload_cstring);
// Debug and fuzz
this.debug_log(this.payload, len);
// Pass the 2 first arguments we know the function needs and finally the payload to fuzz
this.target_function(this.wg_log_global_ptr, this.tag, this.payload);
}
}
const f = new WGLogFuzzer();
rpc.exports.fuzzer = f;
{% endcode %}
- Kusanya fuzzer:
# From inside fpicker clone
## Compile from "myfuzzer.js" to "harness.js"
frida-compile examples/wg-log/myfuzzer.js -o harness.js
- Piga fuzzer
fpicker
ukitumiaradamsa
:
{% code overflow="wrap" %}
# Indicate fpicker to fuzz a program with the harness.js script and which folders to use
fpicker -v --fuzzer-mode active -e attach -p <Program to fuzz> -D usb -o examples/wg-log/out/ -i examples/wg-log/in/ -f harness.js --standalone-mutator cmd --mutator-command "radamsa"
# You can find code coverage and crashes in examples/wg-log/out/
{% endcode %}
{% hint style="danger" %} Katika kesi hii hatuwezi kuanza upya programu au kurejesha hali baada ya kila mzigo. Kwa hivyo, ikiwa Frida inagundua kosa baada ya mzigo huo, matokeo ya kuingiza baada ya mzigo huo yanaweza pia kusababisha programu kugonga (kwa sababu programu iko katika hali isiyo thabiti) hata kama kuingiza haipaswi kusababisha programu kugonga.
Zaidi ya hayo, Frida itaunganisha ishara za kipekee za iOS, kwa hivyo wakati Frida inapogundua kosa, labda ripoti za kugonga za iOS hazitazalishwa.
Ili kuzuia hili, kwa mfano, tunaweza kuanza upya programu baada ya kila kugonga cha Frida. {% endhint %}
Kumbukumbu & Kugonga
Unaweza kuangalia konsoli ya macOS au cli ya log
kuangalia kumbukumbu za macOS.
Unaweza pia kuangalia kumbukumbu kutoka iOS kwa kutumia idevicesyslog
.
Baadhi ya kumbukumbu zitakosa taarifa kwa kuongeza <binafsi>
. Ili kuonyesha taarifa zote unahitaji kusakinisha wasifu fulani kutoka https://developer.apple.com/bug-reporting/profiles-and-logs/ kuwezesha taarifa hizo za binafsi.
Ikiwa hujui cha kufanya:
vim /Library/Preferences/Logging/com.apple.system.logging.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Enable-Private-Data</key>
<true/>
</dict>
</plist>
killall -9 logd
Unaweza kuangalia ajali katika:
- iOS
- Mipangilio → Faragha → Takwimu za Uchambuzi na Maboresho → Takwimu za Uchambuzi
/private/var/mobile/Library/Logs/CrashReporter/
- macOS:
/Library/Logs/DiagnosticReports/
~/Library/Logs/DiagnosticReports
{% hint style="warning" %} iOS inahifadhi ajali 25 za programu ile ile tu, hivyo unahitaji kusafisha hiyo au iOS itasita kuunda ajali. {% endhint %}
Mafunzo ya Frida kwa Android
{% content-ref url="../android-app-pentesting/frida-tutorial/" %} frida-tutorial {% endcontent-ref %}
Marejeo
WhiteIntel
WhiteIntel ni injini ya utaftaji inayotumia dark-web ambayo inatoa utendaji wa bure kuchunguza ikiwa kampuni au wateja wake wameathiriwa na malware za wizi.
Lengo kuu la WhiteIntel ni kupambana na utekaji wa akaunti na mashambulio ya ransomware yanayotokana na programu hasidi za wizi wa habari.
Unaweza kutembelea tovuti yao na kujaribu injini yao bure hapa:
{% embed url="https://whiteintel.io" %}
Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na htARTE (HackTricks AWS Red Team Expert)!
Njia nyingine za kusaidia HackTricks:
- Ikiwa unataka kuona kampuni yako ikitangazwa kwenye HackTricks au kupakua HackTricks kwa PDF Angalia MIPANGO YA KUJIUNGA!
- Pata bidhaa rasmi za PEASS & HackTricks
- Gundua Familia ya PEASS, mkusanyiko wetu wa NFTs za kipekee
- Jiunge na 💬 Kikundi cha Discord au kikundi cha telegram au tufuate kwenye Twitter 🐦 @carlospolopm.
- Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud github repos.