Afrikaans - Ht
HackTricks Training Twitter Linkedin Sponsor

iOS Frida Configuration

Leer AWS hakwerk vanaf nul tot held met htARTE (HackTricks AWS Red Team Expert)!

Ander maniere om HackTricks te ondersteun:

WhiteIntel

WhiteIntel is 'n dark-web aangedrewe soekenjin wat gratis funksies bied om te kyk of 'n maatskappy of sy kliënte deur steelmalware gekompromiteer is.

Die primêre doel van WhiteIntel is om rekening-oorneem en lospryse-aanvalle te bekamp wat voortspruit uit inligtingsteelmalware.

Jy kan hul webwerf besoek en hul enjin vir gratis probeer by:

LogoWhiteIntel

Frida Installeer

Stappe om Frida op 'n Jailbroken-toestel te installeer:

  1. Maak die Cydia/Sileo-toep oop.

  2. Navigeer na Bestuur -> Bronne -> Wysig -> Voeg by.

  3. Voer "https://build.frida.re" as die URL in.

  4. Gaan na die nuut bygevoegde Frida-bron.

  5. Installeer die Frida-pakket.

As jy Corellium gebruik, moet jy die Frida vrystelling aflaai vanaf https://github.com/frida/frida/releases (frida-gadget-[jouversie]-ios-universal.dylib.gz) en uitpak en kopieer na die dylib-plek wat Frida vir vra, bv.: /Gebruikers/[jougebruiker]/.cache/frida/gadget-ios.dylib

Nadat dit geïnstalleer is, kan jy op jou rekenaar die opdrag frida-ls-devices gebruik en sien dat die toestel verskyn (jou rekenaar moet daartoe in staat wees om dit te kan bereik). Voer ook frida-ps -Uia uit om die lopende prosesse van die foon te kontroleer.

Frida sonder Jailbroken-toestel & sonder om die app te patch

Kyk na hierdie blogpos oor hoe om Frida te gebruik in nie-jailbroken-toestelle sonder om die app te patch: https://mrbypass.medium.com/unlocking-potential-exploring-frida-objection-on-non-jailbroken-devices-without-application-ed0367a84f07

Frida Klient Installasie

Installeer frida gereedskap:

pip install frida-tools
pip install frida

Met die Frida-bediener geïnstalleer en die toestel wat loop en gekoppel is, kontroleer of die klient werk:

frida-ls-devices  # List devices
frida-ps -Uia     # Get running processes

Frida Spoor

# Functions
## Trace all functions with the word "log" in their name
frida-trace -U <program> -i "*log*"
frida-trace -U <program> -i "*log*" | swift demangle # Demangle names

# Objective-C
## Trace all methods of all classes
frida-trace -U <program> -m "*[* *]"

## Trace all methods with the word "authentication" from classes that start with "NE"
frida-trace -U <program> -m "*[NE* *authentication*]"

# Plug-In
## To hook a plugin that is momentarely executed prepare Frida indicating the ID of the Plugin binary
frida-trace -U -W <if-plugin-bin> -m '*[* *]'

Kry alle klasse en metodes

  • Outovoltooi: Voer net frida -U <program> uit

  • Kry alle beskikbare klasse (filter op string)

/tmp/script.js
// frida -U <program> -l /tmp/script.js

var filterClass = "filterstring";

if (ObjC.available) {
for (var className in ObjC.classes) {
if (ObjC.classes.hasOwnProperty(className)) {
if (!filterClass || className.includes(filterClass)) {
console.log(className);
}
}
}
} else {
console.log("Objective-C runtime is not available.");
}

  • Kry alle metodes van 'n klas (filter op string)

/tmp/script.js
// frida -U <program> -l /tmp/script.js

var specificClass = "YourClassName";
var filterMethod = "filtermethod";

if (ObjC.available) {
if (ObjC.classes.hasOwnProperty(specificClass)) {
var methods = ObjC.classes[specificClass].$ownMethods;
for (var i = 0; i < methods.length; i++) {
if (!filterMethod || methods[i].includes(filterClass)) {
console.log(specificClass + ': ' + methods[i]);
}
}
} else {
console.log("Class not found.");
}
} else {
console.log("Objective-C runtime is not available.");
}

  • Roep 'n funksie aan

// Find the address of the function to call
const func_addr = Module.findExportByName("<Prog Name>", "<Func Name>");
// Declare the function to call
const func = new NativeFunction(
func_addr,
"void", ["pointer", "pointer", "pointer"], {
});

var arg0 = null;

// In this case to call this function we need to intercept a call to it to copy arg0
Interceptor.attach(wg_log_addr, {
onEnter: function(args) {
arg0 = new NativePointer(args[0]);
}
});

// Wait untill a call to the func occurs
while (! arg0) {
Thread.sleep(1);
console.log("waiting for ptr");
}


var arg1 = Memory.allocUtf8String('arg1');
var txt = Memory.allocUtf8String('Some text for arg2');
wg_log(arg0, arg1, txt);

console.log("loaded");

Frida Fuzzing

Frida Stalker

Van die dokumente: Stalker is Frida se kode naspeurings-enjin. Dit maak dit moontlik om drade te volg, elke funksie vas te lê, selfs elke instruksie wat uitgevoer word.

Jy het 'n voorbeeld wat Frida Stalker implementeer in https://github.com/poxyran/misc/blob/master/frida-stalker-example.py

Hierdie is 'n ander voorbeeld om Frida Stalker aan te heg elke keer as 'n funksie geroep word:

console.log("loading");
const wg_log_addr = Module.findExportByName("<Program>", "<function_name>");
const wg_log = new NativeFunction(
wg_log_addr,
"void", ["pointer", "pointer", "pointer"], {
});

Interceptor.attach(wg_log_addr, {
onEnter: function(args) {
console.log(`logging the following message: ${args[2].readCString()}`);

Stalker.follow({
events: {
// only collect coverage for newly encountered blocks
compile: true,
},
onReceive: function (events) {
const bbs = Stalker.parse(events, {
stringify: false,
annotate: false
});
console.log("Stalker trace of write_msg_to_log: \n" + bbs.flat().map(DebugSymbol.fromAddress).join('\n'));
}
});
},
onLeave: function(retval) {
Stalker.unfollow();
Stalker.flush();  // this is important to get all events
}
});

Dit is interessant vir foutopsporingsdoeleindes, maar vir fuzzing is dit baie ondoeltreffend om voortdurend .follow() en .unfollow() te gebruik.

Fpicker

fpicker is 'n Frida-gebaseerde fuzzing-pakket wat 'n verskeidenheid fuzzing-modusse bied vir in-process fuzzing, soos 'n AFL++-modus of 'n passiewe naspeurmodus. Dit behoort te werk op alle platforms wat deur Frida ondersteun word.

# Get fpicker
git clone https://github.com/ttdennis/fpicker
cd fpicker

# Get Frida core devkit and prepare fpicker
wget https://github.com/frida/frida/releases/download/16.1.4/frida-core-devkit-16.1.4-[yourOS]-[yourarchitecture].tar.xz
# e.g. https://github.com/frida/frida/releases/download/16.1.4/frida-core-devkit-16.1.4-macos-arm64.tar.xz
tar -xf ./*tar.xz
cp libfrida-core.a libfrida-core-[yourOS].a #libfrida-core-macos.a

# Install fpicker
make fpicker-[yourOS] # fpicker-macos
# This generates ./fpicker

# Install radamsa (fuzzer generator)
brew install radamsa

  • Maak die FS gereed:

# From inside fpicker clone
mkdir -p examples/wg-log # Where the fuzzing script will be
mkdir -p examples/wg-log/out # For code coverage and crashes
mkdir -p examples/wg-log/in # For starting inputs

# Create at least 1 input for the fuzzer
echo Hello World > examples/wg-log/in/0

  • Fuzzer-skrip (voorbeelde/wg-log/myfuzzer.js):

voorbeelde/wg-log/myfuzzer.js
// Import the fuzzer base class
import { Fuzzer } from "../../harness/fuzzer.js";

class WGLogFuzzer extends Fuzzer {

constructor() {
console.log("WGLogFuzzer constructor called")

// Get and declare the function we are going to fuzz
var wg_log_addr = Module.findExportByName("<Program name>", "<func name to fuzz>");
var wg_log_func = new NativeFunction(
wg_log_addr,
"void", ["pointer", "pointer", "pointer"], {
});

// Initialize the object
super("<Program nane>", wg_log_addr, wg_log_func);
this.wg_log_addr = wg_log_addr; // We cannot use "this" before calling "super"

console.log("WGLogFuzzer in the middle");

// Prepare the second argument to pass to the fuzz function
this.tag = Memory.allocUtf8String("arg2");

// Get the first argument we need to pass from a call to the functino we want to fuzz
var wg_log_global_ptr = null;
console.log(this.wg_log_addr);
Interceptor.attach(this.wg_log_addr, {
onEnter: function(args) {
console.log("Entering in the function to get the first argument");
wg_log_global_ptr = new NativePointer(args[0]);
}
});

while (! wg_log_global_ptr) {
Thread.sleep(1)
}
this.wg_log_global_ptr = wg_log_global_ptr;
console.log("WGLogFuzzer prepare ended")
}


// This function is called by the fuzzer with the first argument being a pointer into memory
// where the payload is stored and the second the length of the input.
fuzz(payload, len) {
// Get a pointer to payload being a valid C string (with a null byte at the end)
var payload_cstring = payload.readCString(len);
this.payload = Memory.allocUtf8String(payload_cstring);

// Debug and fuzz
this.debug_log(this.payload, len);
// Pass the 2 first arguments we know the function needs and finally the payload to fuzz
this.target_function(this.wg_log_global_ptr, this.tag, this.payload);
}
}

const f = new WGLogFuzzer();
rpc.exports.fuzzer = f;

  • Kompilering van die fuzzer:

# From inside fpicker clone
## Compile from "myfuzzer.js" to "harness.js"
frida-compile examples/wg-log/myfuzzer.js -o harness.js

  • Roep fuzzer fpicker aan met behulp van radamsa:

# Indicate fpicker to fuzz a program with the harness.js script and which folders to use
fpicker -v --fuzzer-mode active -e attach -p <Program to fuzz> -D usb -o examples/wg-log/out/ -i examples/wg-log/in/ -f harness.js --standalone-mutator cmd --mutator-command "radamsa"
# You can find code coverage and crashes in examples/wg-log/out/

In hierdie geval herlaai ons nie die app of herstel die toestand na elke lading. So, as Frida 'n crash vind, kan die volgende insette na daardie lading ook die app laat crash (omdat die app in 'n onstabiele toestand is), selfs al behoort die inset die app nie te laat crash nie.

Verder sal Frida in die uitsondering seine van iOS inklink, so wanneer Frida 'n crash vind, sal daar waarskynlik nie 'n iOS crash verslag gegenereer word nie.

Om dit te voorkom, byvoorbeeld, kan ons die app herlaai na elke Frida crash.

Logs & Crashes

Jy kan die macOS konsole of die log cli gebruik om macOS logs te kontroleer. Jy kan ook die logs van iOS kontroleer deur idevicesyslog te gebruik. Sommige logs sal inligting uitsluit deur <private> by te voeg. Om al die inligting te sien, moet jy 'n profiel van https://developer.apple.com/bug-reporting/profiles-and-logs/ installeer om daardie private inligting te aktiveer.

As jy nie weet wat om te doen nie:

vim /Library/Preferences/Logging/com.apple.system.logging.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Enable-Private-Data</key>
<true/>
</dict>
</plist>

killall -9 logd

Jy kan die crashes in:

  • iOS

  • Instellings → Privaatheid → Analitika & Verbeterings → Analitika Data

  • /private/var/mobile/Library/Logs/CrashReporter/

  • macOS:

  • /Library/Logs/DiagnosticReports/

  • ~/Library/Logs/DiagnosticReports

iOS stoor slegs 25 crashes van dieselfde program, so jy moet dit skoonmaak anders sal iOS ophou om crashes te skep.

Frida Android Tutoriale

pageFrida Tutorial

Verwysings

WhiteIntel

WhiteIntel is 'n dark-web aangedrewe soekenjin wat gratis funksies bied om te kyk of 'n maatskappy of sy kliënte deur stealer malware gekompromitteer is.

Die primêre doel van WhiteIntel is om rekening-oorneemname en lospryse-aanvalle te bekamp wat voortspruit uit inligtingsteel-malware.

Jy kan hul webwerf besoek en hul enjin gratis probeer by:

LogoWhiteIntel
Leer AWS hak van nul tot held met htARTE (HackTricks AWS Red Team Expert)!

Ander maniere om HackTricks te ondersteun:

PreviousiOS Extracting Entitlements From Compiled ApplicationNextiOS Hooking With Objection

Last updated