TODO:
【已解决】iOS反越狱检测:优化findRealImageCount改为调用_dyld_get_image_vmaddr_slide计算逻辑
【已解决】iOS反越狱检测:_dyld_image_count和_dyld_get_image_name返回hook后的值
【已解决】iOS反越狱检测:如何hook绕过_dyld_image_count和_dyld_get_image_name
【已解决】iOS反越狱检测:优化findRealImageCount改为调用_dyld_get_image_vmaddr_slide计算逻辑
【已解决】iOS反越狱检测:_dyld_get_image_name的hook绕过
【已解决】iOS反越狱检测:_dyld_image_count和_dyld_get_image_name改为普通hook逻辑
【已解决】iOS反越狱检测:dyld的_dyld_image_count和_dyld_get_image_name
【已解决】iOS反越狱检测:_dyld_register_func_for_add_image和_dyld_register_func_for_remove_image
/*==============================================================================
Hook: _dyld_image_count(), _dyld_get_image_name(), _dyld_get_image_header(), _dyld_get_image_vmaddr_slide()
==============================================================================*/
/*
https://developer.apple.com/library/archive/documentation/System/Conceptual/ManPages_iPhoneOS/man3/dyld.3.html
_dyld_image_count,
_dyld_get_image_header,
_dyld_get_image_vmaddr_slide,
_dyld_get_image_name,
_dyld_register_func_for_add_image,
_dyld_register_func_for_remove_image,
NSVersionOfRunTimeLibrary,
NSVersionOfLinkTimeLibrary,
_NSGetExecutablePath
*/
/* Prototypes of the dyld image-enumeration API this file hooks. They mirror the
 * declarations in <mach-o/dyld.h> (see the man page linked above); the hooked
 * replacements and the original-function pointers are provided by the hooking
 * framework outside this listing, so only the bare signatures are repeated here.
 * NOTE(review): if the real header is already included, these redeclarations are
 * redundant and any signature drift between the two would be a compile error. */
uint32_t _dyld_image_count(void);
//uint32_t orig__dyld_image_count(void);
//uint32_t _logos_orig$_ungrouped$_dyld_image_count(void);
//uint32_t (*_logos_orig$_ungrouped$_dyld_image_count)(void);
//static uint32_t (*_logos_orig$_ungrouped$_dyld_image_count)(void);
const struct mach_header* _dyld_get_image_header(uint32_t image_index);
const char* _dyld_get_image_name(uint32_t image_index);
intptr_t _dyld_get_image_vmaddr_slide(uint32_t image_index);
/* Both callbacks receive the image header and its ASLR slide for every image
 * that is added/removed from the process. */
void _dyld_register_func_for_add_image(void (*func)(const struct mach_header* mh, intptr_t vmaddr_slide));
void _dyld_register_func_for_remove_image(void (*func)(const struct mach_header* mh, intptr_t vmaddr_slide));
int32_t NSVersionOfRunTimeLibrary(const char* libraryName);
int32_t NSVersionOfLinkTimeLibrary(const char* libraryName);
int _NSGetExecutablePath(char* buf, uint32_t* bufsize);
/* One past the last index of the reserved "fake" image-index range:
 * [IMAGE_INDEX_FAKE_START, IMAGE_INDEX_FAKE_END). generateFakeImageIndex() maps a
 * real index into this range and fakeToRealImageIndex() maps it back. */
const int IMAGE_INDEX_FAKE_END = IMAGE_INDEX_FAKE_START + IMAGE_INDEX_MAX_VALID_NUMBER;
// Global Variable
// All counters use -1 as "not yet computed"; all lists use NULL until allocated.
// NOTE(review): these are non-static, mutable globals written from hook code and no
// synchronization is visible in this listing — confirm they are initialized once
// before any hooked dyld call can observe them concurrently.
int gOrigImageCount = -1;      // image count as reported by the un-hooked dyld
int gHookedImageCount = -1;    // image count that the hooked _dyld_image_count() returns
int gRealOrigImageCount = -1;  // once hooked, name/header/slide lookups see the hooked count, so the real original count has to be recovered separately
int* gJbDylibIdxList = NULL;   // original indexes of images classified by isJailbreakDylib(); sentinel-terminated (see dbgPrintImgIdxList)
int gJbDylibIdxListLen = -1;   // number of entries in gJbDylibIdxList (excluding the sentinel)
int* gHookedImgIdxList = NULL; // index list exposed through the hooked API; presumably the complement of gJbDylibIdxList — confirm against the builder
int gHookedImgIdxListLen = -1; // number of entries in gHookedImgIdxList
static int generateFakeImageIndex(int origImageIndex){
    /* Shift a real dyld image index into the reserved fake range by adding
     * IMAGE_INDEX_FAKE_START; fakeToRealImageIndex() is the inverse.
     * No overflow or range check is performed on origImageIndex. */
    const int offset = IMAGE_INDEX_FAKE_START;
    int shifted = offset + origImageIndex;
    iosLogDebug("generateFakeImageIndex: origImageIndex=%d -> fakeImgIdx=%d", origImageIndex, shifted);
    return shifted;
}
static bool isFakeImageIndex(int curImageIndex){
    /* Report whether curImageIndex lies in the half-open fake range
     * [IMAGE_INDEX_FAKE_START, IMAGE_INDEX_FAKE_END). */
    bool belowStart = curImageIndex < IMAGE_INDEX_FAKE_START;
    bool atOrPastEnd = curImageIndex >= IMAGE_INDEX_FAKE_END;
    bool inFakeRange = !(belowStart || atOrPastEnd);
    iosLogDebug("curImageIndex=%d -> isFakeIdx=%s", curImageIndex, boolToStr(inFakeRange));
    return inFakeRange;
}
static int fakeToRealImageIndex(int fakeImgageIndex){
    /* Inverse of generateFakeImageIndex(): strip the IMAGE_INDEX_FAKE_START offset.
     * No range check is done here, so callers are expected to have tested
     * isFakeImageIndex() first; for other inputs the result is not a valid index. */
    int realIdx = fakeImgageIndex;
    realIdx -= IMAGE_INDEX_FAKE_START;
    iosLogDebug("fakeImgageIndex=%d -> realImageIndex=%d", fakeImgageIndex, realIdx);
    return realIdx;
}
static void dbgPrintImgIdxList(int* imgIdxList){
    /* Debug-dump an index list that is terminated by a DYLD_IMAGE_INDEX_INVALID
     * sentinel, then log the number of entries before the sentinel. The walk stops
     * only at the sentinel, so an unterminated list would be read past its end —
     * the caller must guarantee termination. A sentinel at position 0 (empty list)
     * is itself logged; a sentinel at any later position is not. */
    iosLogDebug("imgIdxList=%p", imgIdxList);
    if (NULL == imgIdxList){
        return;
    }
    int pos = 0;
    for (;;){
        int value = imgIdxList[pos];
        if (DYLD_IMAGE_INDEX_INVALID == value){
            if (0 == pos){
                iosLogDebug("[%d] %d", pos, value);
            }
            break;
        }
        iosLogDebug("[%d] %d", pos, value);
        ++pos;
    }
    iosLogDebug("end listCount=%d", pos);
}
static void getJbDylibImgIdxList(int origImageCount, int** outJbDylibIdxList, int* jbDylibIdxListLen){
iosLogDebug("origImageCount=%d", origImageCount);
int intSize = sizeof(int);
int mallocCount = IMAGE_INDEX_MAX_JAILBREAK + 1;
int mallocSize = intSize * mallocCount;
iosLogDebug("intSize=%d, mallocCount=%d, mallocSize=%d", intSize, mallocCount, mallocSize);
int curListIdx = 0;
int* jbDylibIdxList = (int *)malloc(mallocSize);
iosLogDebug("jbDylibIdxList=%p", jbDylibIdxList);
if (NULL != jbDylibIdxList) {
for (int origImgIdx = 0 ; origImgIdx < origImageCount; ++origImgIdx) {
int fakeImgIdx = generateFakeImageIndex(origImgIdx);
iosLogDebug("origImgIdx=%d, fakeImgIdx=%d", origImgIdx, fakeImgIdx);
const char* curImageName = _dyld_get_image_name(fakeImgIdx);
iosLogDebug("curImageName=%{public}s", curImageName);
bool isJbDylib = isJailbreakDylib(curImageName);
iosLogDebug("isJbDylib=%s", boolToStr(isJbDylib));
if(isJbDylib){
jbDylibIdxList[curListIdx] = origImgIdx;
iosLogInfo("curImageNam




