【iOS逆向与安全】sms短信转发插件开发

前言

经过之前的分享,相信大家已经掌握了用户级的插件开发。勤奋好学的你是否对系统级的插件也有着浓厚的性趣,本篇文章将和大家一起学习如何分析并编写一款系统级的插件。


一、目标

一步步分析并编写一个短信自动转发的deb插件

二、工具

  • mac系统
  • 已越狱iOS设备:脱壳及frida调试
  • IDA Pro:静态分析
  • 测试设备:iphone6-ios12.5.5

三、步骤

1、守护进程

守护进程(daemon)是一类在后台运行的特殊进程,用于执行特定的系统任务。例如:推送服务、人脸解锁、iCloud、查找我的iPhone、iMessage等。

相应的配置目录:

  • /Library/LaunchAgents:管理员控制特定用户的代理
  • /Library/LaunchDaemons:管理员提供的系统级守护进程(cydia、filza、frida等就在这)
  • /System/Library/LaunchDaemons:iOS提供的默认守护进程

本文的目的主要短信,所以关注的重点在iOS提供的守护进程,常见的进程配置文件有:

名称 描述
com.apple.apsd 推送服务
com.apple.biometrickitd.pearl 人脸解锁
com.apple.cloudd iCloud
com.apple.icloud.findmydeviced 查找我的iPhone
com.apple.imagent 即时消息代理 (iMessage)

更多服务请参考www.theiphonewiki.com/wiki/Servic...

2、定位关键函数

在iPhone中使用文件管理工具查看/System/Library/LaunchDaemons/com.apple.imagent文件关键信息如下:

xml 复制代码
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>EnvironmentVariables</key>
  <dict>
    <key>NSRunningFromLaunchd</key>
    <string>1</string>
  </dict>
  <key>ProgramArguments</key>
  <array>
    <string>/System/Library/PrivateFrameworks/IMCore.framework/imagent.app/imagent</string>
  </array>
  <key>RunAtLoad</key>
  <true/>
</dict>
</plist>
​

ProgramArguments所对应的路径,就是该进程执行的二进制文件。执行frida-trace -U -m "*[IM* *]" imagent -o a.log后,当手机收到短信后的日志如下:

css 复制代码
-[SMSServiceSession smsMessageReceived:0x10524abc0 msgID:0x80000006]
-[SMSServiceSession _processSMSorMMSMessageReceivedWithContext:0x10524abc0 messageID:0x80000006]
+[IMMetricsCollector sharedInstance]
-[IMMetricsCollector trackEvent:0x1d02ab1e8]
-[SMSServiceSession _convertCTMessageToDictionary:0x109a0e510 requiresUpload:0x16f832c2f]
-[IMMetricsCollector _trackEvent:0x1d02ab1e8]
-[SMSServiceSession _fixIncomingDate:0xd13d420d70d597e6]
-[SMSServiceSession shouldFixIncomingDate]
-[SMSServiceSession _myCTPhoneNumber]
+[IMCTSubscriptionUtilities sharedInstance]
-[IMCTSubscriptionUtilities deviceSupportsMultipleSubscriptions]
+[IMCTSubscriptionUtilities sharedInstance]
-[IMCTSubscriptionUtilities deviceSupportsMultipleSubscriptions]
+[IMCTSMSUtilities IMMMSEmailAddressToMatchForPhoneNumber:0x100830240 simID:0x0]
+[IMCTSubscriptionUtilities sharedInstance]
-[IMCTSubscriptionUtilities deviceSupportsMultipleSubscriptions]
-[SMSServiceSession _convertCTMessagePartToDictionary:0x109a28610]
-[SMSServiceSession _shouldUploadToMMCS:0x10524aca0]
-[SMSServiceSession _receivedSMSDictionary:0x10524aca0 requiresUpload:0x0 isBeingReplayed:0x0]
-[SMSServiceSession _processReceivedDictionary:0x10524aca0 storageContext:0x0]
+[IMMessageNotificationTimeManager sharedInstance]
-[IMMessageNotificationTimeManager acquireAssertionToUnsuspendProcess]
+[IMLockdownManager sharedInstance]
-[IMLockdownManager isInternalInstall]
-[IMLockdownManager _calculateInstallType]
-[IMMessageItem initWithSender:0x100890210 time:0x1008831d0 body:0x10083ba80 attributes:0x0 fileTransferGUIDs:0x1007081d0 flags:0x1 error:0x0 guid:0x10524acc0]
-[IMMessageItem initWithSender:0x100890210 time:0x1008831d0 body:0x10083ba80 attributes:0x0 fileTransferGUIDs:0x1007081d0 flags:0x1 error:0x0 guid:0x10524acc0 type:0x0]
-[IMMessageItem initWithSenderInfo:0x10085c330 time:0x1008831d0 timeRead:0x0 timeDelivered:0x0 timePlayed:0x0 subject:0x0 body:0x10083ba80 bodyData:0x0 attributes:0x0 fileTransferGUIDs:0x1007081d0 flags:0x1 guid:0x10524acc0 messageID:0x0 account:0x0 accountID:0x0 service:0x0 handle:0x0 roomName:0x0 unformattedID:0x0 countryCode:0x0 expireState:0x0 balloonBundleID:0x0 payloadData:0x0 expressiveSendStyleID:0x0 timeExpressiveSendPlayed:0x0 bizIntent:0x0 locale:0x0 errorType:0x0 type:0x0]
-[IMItem initWithSenderInfo:0x10085c330 time:0x1008831d0 guid:0x10524acc0 messageID:0x0 account:0x0 accountID:0x0 service:0x0 handle:0x0 roomName:0x0 unformattedID:0x0 countryCode:0x0 type:0x0]
-[IMItem setSenderInfo:0x10085c330]

根据日志可看出关键函数-[SMSServiceSession smsMessageReceived:0x10524abc0 msgID:0x80000006], 使用命令frida-trace -U -m "-[SMSServiceSession smsMessageReceived:msgID:]" imagent跟踪该函数,js代码如下:

javascript 复制代码
{
  onEnter(log, args, state) {
    log(`-[SMSServiceSession smsMessageReceived:${ObjC.Object(args[2])} msgID:${args[3]}]`);
  },
  onLeave(log, retval, state) {
  }
}

当手机收到短信时,对应日志输出如下:

javascript 复制代码
-[SMSServiceSession smsMessageReceived:<CTXPCServiceSubscriptionContext 0x10bfd1240 slotID=CTSubscriptionSlotOne, uuid=00000000-0000-0000-0000-000000000001, labelID="90D990CE-3484-4310-9F39-49A66EB80541", label="USER_LABEL_PRIMARY", phoneNumber="+861812186xxxx", userDataPreferred=1, userDefaultVoice=1> msgID:0x80000010]

根据日志信息可看出,该方法里除了msgID,并没有包含我们需要的短信及发件人相关信息。那我们继续按日志的顺序往下看,-[SMSServiceSession _convertCTMessageToDictionary:requiresUpload:] 这函数看着比较亲切。trace该函数得到日志如下:

ini 复制代码
-[SMSServiceSession _convertCTMessageToDictionary:<[CTMessageAddress: 1898000xxxx/TYPE=PLMN]
  [Recipients: (
)]
  [Items: (
    "<CTMessagePart: 0x10be7f340>"
)]
  [Raw Headers: (null)]
  [Date: 2023-07-30 14:43:23 +0000]
  [message ID: -2147483630]
  [message Type: 1]
  [service center: (null)]
  [Content-type: (null)]
  [Content-type params: {
}]
  [replace message: 0]
 requiresUpload:0x16edaec2f]
-[SMSServiceSession _convertCTMessageToDictionary:requiresUpload:]={
    co = "+861812186xxxx";
    g = "00ECAC3B-0790-8674-CAD5-58DD07F4DEBA";
    h = 1898000xxxx;
    k =     (
                {
            data = <e58fa6>;
            type = "text/plain";
        }
    );
    l = 0;
    m = sms;
    n = 460;
    re =     (
    );
    sV = 1;
    w = "2023-07-30 14:43:25 +0000";
}}=

从日志可以看出。该方法就是我们要hook方法,收件人:co,发件人:h,短信内容:k

3、编写deb插件

具体的创建流程请参考之前的文章,源码如下:

scss 复制代码
#import <Foundation/Foundation.h>
#import "CaptainHook/CaptainHook.h"
​
@interface SMSServiceSession
​
@end
​
@interface IMDService
​
-(void)loadServiceBundle;
@property (nonatomic,retain,readonly) NSBundle * bundle;
​
@end
​
CHDeclareClass(SMSServiceSession); // declare class
CHOptimizedMethod2(self, id, SMSServiceSession, _convertCTMessageToDictionary, NSDictionary *, arg1, requiresUpload, BOOL*, arg2) {
    id result = CHSuper2(SMSServiceSession, _convertCTMessageToDictionary, arg1, requiresUpload, arg2);
    
    @try {
        NSString *from = result[@"h"];
        NSString *to = result[@"co"];
        NSArray *msgList = result[@"k"];
        if (msgList.count > 0) {
            NSData *data = msgList[0][@"data"];
            NSString *content = [[NSString alloc] initWithData:data encoding:NSUTF8StringEncoding];
            NSLog(@"witwit =from %@=to %@=content %@=",from, to, content);
        } else {
            NSLog(@"witwit =sms为空=");
        }
    } @catch (NSException *exception) {
        NSLog(@"witwit =SMSServiceSession _convertCTMessageToDictionary=err=%@=", exception);
​
    } @finally {
        
    }
    
    return result;
}
​
CHDeclareClass(IMDService)
CHOptimizedMethod0(self, void, IMDService, loadServiceBundle) {
​
    CHSuper0(IMDService, loadServiceBundle);
    NSString *bundleId = [[self bundle] bundleIdentifier];
    NSLog(@"witwit =IMDService loadServiceBundle=%@=", bundleId);
    
    if ([bundleId isEqualToString:@"com.apple.imservice.sms"]) {
        CHLoadLateClass(SMSServiceSession);
        CHHook2(SMSServiceSession, _convertCTMessageToDictionary, requiresUpload);
    }
}
​
​
CHConstructor // code block that runs immediately upon load
{
  @autoreleasepool
  {
        NSLog(@"witwit SMSForward load success");
​
        CHLoadLateClass(IMDService);
        CHHook0(IMDService, loadServiceBundle);
    }
}

info.plist文件配置如下:

xml 复制代码
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Filter</key>
  <dict>
    <key>Bundles</key>
    <array>
      <string>com.apple.imagent</string>
    </array>
  </dict>
</dict>
</plist>

注:插件安装完成后。请重启imagent:

bash 复制代码
launchctl unload /System/Library/LaunchDaemons/com.apple.imagent.plist
launchctl load /System/Library/LaunchDaemons/com.apple.imagent.plist

总结

本篇文章主要对短信转发器的核心方法进行了分析及试验,拿到短信内容后,具体的转发逻辑请自行实现。

提示:阅读此文档的过程中遇到任何问题,请关住工众好【移动端Android和iOS开发技术分享 】或+99 君羊【812546729

相关推荐
Gworg5 分钟前
创建HTTPS网站
安全·https·ssl
Smartdaili China1 小时前
如何在 Microsoft Edge 中设置代理: 快速而简单的方法
前端·爬虫·安全·microsoft·edge·社交·动态住宅代理
儒道易行2 小时前
【DVWA】RCE远程命令执行实战
网络·安全·网络安全
Hacker_LaoYi3 小时前
网络安全与加密
安全·web安全
Koi慢热3 小时前
路由基础(全)
linux·网络·网络协议·安全
hzyyyyyyyu5 小时前
内网安全隧道搭建-ngrok-frp-nps-sapp
服务器·网络·安全
网络研究院5 小时前
国土安全部发布关键基础设施安全人工智能框架
人工智能·安全·框架·关键基础设施
Daniel 大东6 小时前
BugJson因为json格式问题OOM怎么办
java·安全
EasyNVR11 小时前
NVR管理平台EasyNVR多个NVR同时管理:全方位安防监控视频融合云平台方案
安全·音视频·监控·视频监控
黑客Ash13 小时前
【D01】网络安全概论
网络·安全·web安全·php