From a0af2bbb02b4d0f94986f12169ab8447f75d22ab Mon Sep 17 00:00:00 2001
From: Naville <403799106@qq.com>
Date: Sun, 13 Mar 2016 02:46:06 +0000
Subject: [PATCH] OCRuntime+MachO
---
 BasePreferences.plist | 1 -
 Hooks/API/LSApplication.xm | 89 +++++++++++--
 Hooks/API/MachO.xm | 149 ++++++++++++++++++++++
 Hooks/API/ObjCRuntime.xm | 39 +++++-
 Hooks/ThirdPartyTools/DeviceIDFake.xm | 47 +++++++
 Hooks/ThirdPartyTools/InspectiveC.xm | 47 +++++++
 Hooks/ThirdPartyTools/RuntimeClassDump.xm | 47 +++++++
 Hooks/ThirdPartyTools/dumpdecrypted.xm | 47 +++++++
 VERSION | 2 +-
 todo/README.md | 2 +
 10 files changed, 455 insertions(+), 15 deletions(-)
 create mode 100644 Hooks/API/MachO.xm
 create mode 100644 Hooks/ThirdPartyTools/DeviceIDFake.xm
 create mode 100644 Hooks/ThirdPartyTools/InspectiveC.xm
 create mode 100644 Hooks/ThirdPartyTools/RuntimeClassDump.xm
 create mode 100644 Hooks/ThirdPartyTools/dumpdecrypted.xm
diff --git a/BasePreferences.plist b/BasePreferences.plist
index 5036a0a..f0b38df 100644
--- a/BasePreferences.plist
+++ b/BasePreferences.plist
@@ -20,4 +20,3 @@
 <string>WTFJH</string>
 </dict>
 </plist>
-
diff --git a/Hooks/API/LSApplication.xm b/Hooks/API/LSApplication.xm
index a1e0033..13780bb 100644
--- a/Hooks/API/LSApplication.xm
+++ b/Hooks/API/LSApplication.xm
@@ -24,10 +24,40 @@ return ret; } ++ (id)applicationProxyForItemID:(id)arg1{ + + id ret=%orig; + if(WTShouldLog){ + WTInit(@"LSApplicationProxy",@"applicationProxyForItemID:"); + WTAdd(arg1,@"ItemID"); + WTReturn(ret); + WTSave; + WTRelease; + } + return ret; +} ++ (id)applicationProxyWithBundleUnitID:(unsigned long)arg1{ + id ret=%orig; + if(WTShouldLog){ + WTInit(@"LSApplicationProxy",@"applicationProxyWithBundleUnitID:"); + WTAdd([NSNumber numberWithUnsignedLong:arg1],@"BundleUnitID"); + WTReturn(ret); + WTSave; + WTRelease; + } + return ret; +} +- (id)VPNPlugins{ + id ret=%orig; + if(WTShouldLog){ + WTInit(@"LSApplicationProxy",@"VPNPlugins"); + WTReturn(ret); + WTSave; + WTRelease; + } + return ret; +} /* -+ (id)applicationProxyForItemID:(id)arg1; -+ (id)applicationProxyWithBundleUnitID:(unsigned long)arg1; -- (id)VPNPlugins; - (id)_initWithBundleUnit:(unsigned long)arg1 applicationIdentifier:(id)arg2; - (id)appStoreReceiptURL; - (id)appTags; @@ -35,7 +65,6 @@ - (id)applicationType; - (id)audioComponents; - (long)bundleModTime; -- (id)description; - (id)deviceFamily; - (id)deviceIdentifierForVendor; - (id)directionsModes; 
@@ -61,18 +90,60 @@ - (id)staticDiskUsage; - (id)teamID; - (id)userActivityStringForAdvertisementData:(id)arg1; -- (id)vendorName; +- (id)vendorName;*/ %end + %hook LSApplicationWorkspace -+ (id)defaultWorkspace; ++ (id)defaultWorkspace{ + id ret=%orig; + if(WTShouldLog){ + WTInit(@"LSApplicationWorkspace",@"defaultWorkspace"); + WTReturn(ret); + WTSave; + WTRelease; + } + return ret; + -- (id)URLOverrideForURL:(id)arg1; +} + +- (id)URLOverrideForURL:(id)arg1{ + id ret=%orig; + if(WTShouldLog){ + WTInit(@"LSApplicationWorkspace",@"URLOverrideForURL:"); + WTAdd(arg1,@"URL"); + WTReturn(ret); + WTSave; + WTRelease; + } + return ret; + +} +- (id)allApplications{ + id ret=%orig; + if(WTShouldLog){ + WTInit(@"LSApplicationWorkspace",@"allApplications"); + WTReturn(ret); + WTSave; + WTRelease; + } + return ret; +} +- (id)allInstalledApplications{ + id ret=%orig; + if(WTShouldLog){ + WTInit(@"LSApplicationWorkspace",@"allInstalledApplications"); + WTReturn(ret); + WTSave; + WTRelease; + } + return ret; +} +/* - (void)_LSClearSchemaCaches; - (BOOL)_LSPrivateRebuildApplicationDatabasesForSystemApps:(BOOL)arg1 internal:(BOOL)arg2 user:(BOOL)arg3; - (void)_clearCachedAdvertisingIdentifier; - (void)addObserver:(id)arg1; -- (id)allApplications; -- (id)allInstalledApplications; - (id)applicationForOpeningResource:(id)arg1; - (id)applicationForUserActivityDomainName:(id)arg1; - (id)applicationForUserActivityType:(id)arg1; diff --git a/Hooks/API/MachO.xm b/Hooks/API/MachO.xm new file mode 100644 index 0000000..d53e1cd --- /dev/null +++ b/Hooks/API/MachO.xm 
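Review bot: `+defaultWorkspace` is the accessor that practically every LaunchServices call in the process goes through, so running WTInit/WTSave on each call will emit a trace entry for almost every framework operation and, should WTSave or traceStorage itself touch LSApplicationWorkspace (their bodies are outside this diff), re-enter this hook; consider recording it once behind a static flag or dropping it and keeping the informative hooks `allApplications`, `allInstalledApplications` and `URLOverrideForURL:`. Those two array-returning hooks hand an NSArray of LSApplicationProxy objects to `WTReturn`; if that macro serializes the value as a property list, such objects are not valid plist members, so map the array to its bundle-identifier strings before passing it. The stray blank line and unindented `}` that close `defaultWorkspace` where the old `URLOverrideForURL:` declaration was removed should also be tidied.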
@@ -0,0 +1,149 @@ +#import "../SharedDefine.pch" +#import <mach-o/getsect.h> + +char * (*old_getsectdata)(const char *segname,const char *sectname,unsigned long *size); +const struct section * (*old_getsectbyname)(const char *segname,const char *sectname); +const struct segment_command * (*old_getsegbyname)(const char *segname); +char * (*old_getsectdatafromheader_64)(const struct mach_header_64 *mhp,const char *segname,const char *sectname,uint64_t *size); +/*extern char *getsectdatafromFramework( + const char *FrameworkName, + const char *segname, + const char *sectname, + unsigned long *size); + +extern unsigned long get_end(void); +extern unsigned long get_etext(void); +extern unsigned long get_edata(void); + + * Runtime interfaces for 32-bit Mach-O programs. + +extern uint8_t *getsectiondata( + const struct mach_header *mhp, + const char *segname, + const char *sectname, + unsigned long *size); + +extern uint8_t *getsegmentdata( + const struct mach_header *mhp, + const char *segname, + unsigned long *size); + +Runtime interfaces for 64-bit Mach-O programs. +extern const struct section_64 *getsectbyname( + const char *segname, + const char *sectname); + +extern uint8_t *getsectiondata( + const struct mach_header_64 *mhp, + const char *segname, + const char *sectname, + unsigned long *size); + +extern const struct segment_command_64 *getsegbyname( + const char *segname); + +extern uint8_t *getsegmentdata( + const struct mach_header_64 *mhp, + const char *segname, + unsigned long *size); + + * Interfaces for tools working with 32-bit Mach-O files. 
+extern char *getsectdatafromheader( + const struct mach_header *mhp, + const char *segname, + const char *sectname, + uint32_t *size); + +extern const struct section *getsectbynamefromheader( + const struct mach_header *mhp, + const char *segname, + const char *sectname); + +extern const struct section *getsectbynamefromheaderwithswap( + struct mach_header *mhp, + const char *segname, + const char *sectname, + int fSwap); + +extern const struct section_64 *getsectbynamefromheader_64( + const struct mach_header_64 *mhp, + const char *segname, + const char *sectname); + +extern const struct section *getsectbynamefromheaderwithswap_64( + struct mach_header_64 *mhp, + const char *segname, + const char *sectname, + int fSwap); +*/ +char* new_getsectdata(const char *segname,const char *sectname,unsigned long *size){ + char* ret=old_getsectdata(segname,sectname,size); + if(WTShouldLog){ + NSString* NSSegName=[NSString stringWithUTF8String:segname]; + NSString* NSSectName=[NSString stringWithUTF8String:sectname]; + NSData* SectData=[NSData dataWithBytes:ret length:*size]; + WTInit(@"Mach-O",@"getsectdata"); + WTAdd(NSSegName,@"SegmentName"); + WTAdd(NSSectName,@"SectionName"); + WTAdd(SectData,@"SectionData"); + + [NSSectName release]; + [NSSegName release]; + [SectData release]; + + } + return ret; + +} +const struct section * new_getsectbyname(const char *segname,const char *sectname){ + if(WTShouldLog){ + NSString* NSSegName=[NSString stringWithUTF8String:segname]; + NSString* NSSectName=[NSString stringWithUTF8String:sectname]; + WTInit(@"Mach-O",@"getsectbyname"); + WTAdd(NSSegName,@"SegmentName"); + WTAdd(NSSectName,@"SectionName"); + + [NSSectName release]; + [NSSegName release]; + } + return old_getsectbyname(segname,sectname); + +} +const struct segment_command * new_getsegbyname(const char *segname){ + + if(WTShouldLog){ + NSString* NSSegName=[NSString stringWithUTF8String:segname]; + WTInit(@"Mach-O",@"getsegbyname"); + WTAdd(NSSegName,@"SegmentName"); + 
[NSSegName release]; + } + return old_getsegbyname(segname); +} +char * new_getsectdatafromheader_64(const struct mach_header_64 *mhp,const char *segname,const char *sectname,uint64_t *size){ + char* ret=old_getsectdatafromheader_64(mhp,segname,sectname,size); + if(WTShouldLog){ + NSString* NSSegName=[NSString stringWithUTF8String:segname]; + NSString* NSSectName=[NSString stringWithUTF8String:sectname]; + NSData* SectData=[NSData dataWithBytes:ret length:*size]; + NSString* HeaderAddress=[NSString stringWithFormat:@"%p",mhp]; + WTInit(@"Mach-O",@"getsectdata"); + WTAdd(NSSegName,@"SegmentName"); + WTAdd(NSSectName,@"SectionName"); + WTAdd(SectData,@"SectionData"); + WTAdd(HeaderAddress,@"HeaderAddress"); + + [NSSectName release]; + [NSSegName release]; + [SectData release]; + [HeaderAddress release]; + } + return ret; + +} + +extern void init_MachO_hook() { + MSHookFunction((void*)getsectdata,(void*)new_getsectdata, (void**)&old_getsectdata); + MSHookFunction((void*)getsectbyname,(void*)new_getsectbyname, (void**)&old_getsectbyname); + MSHookFunction((void*)getsegbyname,(void*)new_getsegbyname, (void**)&old_getsegbyname); + MSHookFunction((void*)getsectdatafromheader_64,(void*)new_getsectdatafromheader_64, (void**)&old_getsectdatafromheader_64); +} diff --git a/Hooks/API/ObjCRuntime.xm b/Hooks/API/ObjCRuntime.xm index 20c7651..36a2e37 100644 --- a/Hooks/API/ObjCRuntime.xm +++ b/Hooks/API/ObjCRuntime.xm @@ -4,10 +4,7 @@ /* To Implement: -Class objc_getClass(const char *name) -const char *object_getClassName(id obj) objc_getMetaClass(const char *name) -IMP class_getMethodImplementation(Class cls, SEL name) BOOL class_respondsToSelector(Class cls, SEL sel) class_replaceMethod(Class cls, SEL name, IMP imp, const char *types) 
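Review bot: In `new_getsectdata` and `new_getsectdatafromheader_64`, `[NSData dataWithBytes:ret length:*size]` reads through the pointer these functions return, which is the address recorded in the load command rather than the slid runtime address (the ThirdPartyTools hunks in this same commit add `_dyld_get_image_vmaddr_slide` to it before using it) and is NULL when the section is absent, so the copy can fault on any ASLR'd image; log the address and size rather than the bytes. None of the four hooks calls `WTSave`/`WTRelease` after its `WTAdd`s, unlike every hook in ObjCRuntime.xm, so no Mach-O entry is ever persisted and each tracer leaks. The explicit `[NSSegName release]`, `[NSSectName release]`, `[SectData release]` and `[HeaderAddress release]` lines over-release objects that `stringWithUTF8String:`, `dataWithBytes:length:` and `stringWithFormat:` return autoreleased (this tree is MRC, compare the `[tracer release]` after `alloc` in the ThirdPartyTools files), which crashes when the pool drains; delete them. `new_getsectdatafromheader_64` additionally labels its entry `@"getsectdata"`, so it cannot be told apart from the plain hook in the trace. The rewrite below is for `new_getsectdata`; the other three hooks need the same treatment.
```objc
char* new_getsectdata(const char *segname,const char *sectname,unsigned long *size){
    char* ret=old_getsectdata(segname,sectname,size);
    if(WTShouldLog){
        // ret is the load-command address (not slid) and NULL when absent: record it, never read through it
        NSString* SectAddress=[NSString stringWithFormat:@"%p",ret];
        NSString* SectSize=[NSString stringWithFormat:@"%lu",*size];
        WTInit(@"Mach-O",@"getsectdata");
        WTAdd([NSString stringWithUTF8String:segname],@"SegmentName");
        WTAdd([NSString stringWithUTF8String:sectname],@"SectionName");
        WTAdd(SectAddress,@"SectionAddress");
        WTAdd(SectSize,@"SectionSize");
        WTSave;
        WTRelease;   // the strings above are autoreleased; no explicit release
    }
    return ret;
}
```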
@@ -27,7 +24,8 @@ NSString* (*old_NSStringFromSelector)(SEL aSelector); SEL (*old_NSSelectorFromString)(NSString* aSelectorName); BOOL (*old_class_addMethod)(Class cls, SEL name, IMP imp,const char *types); BOOL (*old_class_addIvar)(Class cls, const char *name, size_t size,uint8_t alignment, const char *types); - +Class (*old_objc_getClass)(const char *name); +IMP (*old_class_getMethodImplementation)(Class cls, SEL name); //New Func Class new_NSClassFromString(NSString* aClassName){ @@ -142,7 +140,39 @@ BOOL new_class_addIvar(Class cls, const char *name, size_t size,uint8_t alignmen return old_class_addIvar(cls,name,size,alignment,types); } +Class new_objc_getClass(char* Name){ + if(WTShouldLog){ + NSString* ClassName=[NSString stringWithUTF8String:Name]; + WTInit(@"ObjCRuntime",@"objc_getClass"); + WTAdd(ClassName,@"ClassName"); + WTSave; + WTRelease; + [ClassName release]; + } + return old_objc_getClass(Name); +} + +IMP new_class_getMethodImplementation(Class cls, SEL name){ + IMP ret=old_class_getMethodImplementation(cls,name); + if(WTShouldLog){ + NSString* ClassName=NSStringFromClass(cls); + NSString* SELName=NSStringFromSelector(name); + NSString* IMPAddress=[NSString stringWithFormat:@"%p",ret]; + WTInit(@"ObjCRuntime",@"class_getMethodImplementation"); + WTAdd(ClassName,@"ClassName"); + WTAdd(SELName,@"SelectorName"); + WTAdd(IMPAddress,@"IMPAddress"); + WTSave; + WTRelease; + [ClassName release]; + [SELName release]; + [IMPAddress release]; + } + return ret; + + +} extern void init_ObjCRuntime_hook() { MSHookFunction((void*)NSClassFromString,(void*)new_NSClassFromString, (void**)&old_NSClassFromString); MSHookFunction((void*)NSStringFromClass,(void*)new_NSStringFromClass, (void**)&old_NSStringFromClass); 
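Review bot: `[ClassName release]` in `new_objc_getClass`, and `[ClassName release]`/`[SELName release]`/`[IMPAddress release]` in `new_class_getMethodImplementation`, release objects that `stringWithUTF8String:`, `NSStringFromClass`, `NSStringFromSelector` and `stringWithFormat:` return autoreleased; under MRC (the other files in this commit use explicit `autorelease`/`release`) that is a double release that crashes when the autorelease pool drains, so delete those four lines. `new_objc_getClass(char* Name)` should be declared `(const char *name)` to match the `old_objc_getClass` pointer added in the hunk above and the real prototype, and since `stringWithUTF8String:` raises on NULL, guard `Name` if any caller can pass NULL. objc_getClass is on a very hot path; if anything in the WTInit/WTSave chain (outside this diff) resolves a class by name, this hook will recurse, which is worth verifying with WTShouldLog enabled.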
@@ -152,4 +182,5 @@ extern void init_ObjCRuntime_hook() { MSHookFunction((void*)NSSelectorFromString,(void*)new_NSSelectorFromString, (void**)&old_NSSelectorFromString); MSHookFunction((void*)class_addMethod,(void*)new_class_addMethod, (void**)&old_class_addMethod); MSHookFunction((void*)class_addIvar,(void*)new_class_addIvar, (void**)&old_class_addIvar); + MSHookFunction((void*)objc_getClass,(void*)new_objc_getClass, (void**)&old_objc_getClass); } diff --git a/Hooks/ThirdPartyTools/DeviceIDFake.xm b/Hooks/ThirdPartyTools/DeviceIDFake.xm new file mode 100644 index 0000000..5af3081 --- /dev/null +++ b/Hooks/ThirdPartyTools/DeviceIDFake.xm 
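Review bot: `init_ObjCRuntime_hook` installs only the `objc_getClass` hook, while the preceding hunk defines `new_class_getMethodImplementation` and `old_class_getMethodImplementation` and the first hunk removes `class_getMethodImplementation` from the "To Implement" list; as committed that replacement is dead code and the list is wrong. Either add `MSHookFunction((void*)class_getMethodImplementation,(void*)new_class_getMethodImplementation, (void**)&old_class_getMethodImplementation);` here or keep the entry in the list until it is wired up.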
@@ -0,0 +1,47 @@ +//Shall We Use Marcos instead of this shit? +#import "../SharedDefine.pch" +#import <mach-o/getsect.h> +#import <dlfcn.h> +extern NSString* RandomString(); +extern void init_DeviceIDFake_hook(){ +#ifdef PROTOTYPE +//Because We Ain't Ready Yet. No Test + for(int i=0;i<_dyld_image_count();i++){ + const char * Nam=_dyld_get_image_name(i); + NSString* curName=[[NSString stringWithUTF8String:Nam] autorelease]; + if([curName containsString:WTFJHTWEAKNAME]){ + intptr_t ASLROffset=_dyld_get_image_vmaddr_slide(i); + //We Found Ourself +#ifndef _____LP64_____ + uint32_t size=0; + const struct mach_header* selfHeader=(const struct mach_header*)_dyld_get_image_header(i); + char * data=getsectdatafromheader(selfHeader,"WTFJH","DeviceIDFake",&size); + +#elif + uint64_t size=0; + const struct mach_header_64* selfHeader=(const struct mach_header_64*)_dyld_get_image_header(i); + char * data=getsectdatafromheader_64(selfHeader,"WTFJH","DeviceIDFake",&size); +#endif + data=ASLROffset+data;//Add ASLR Offset To Pointer And Fix Address + NSData* SDData=[NSData dataWithBytes:data length:size]; + NSString* randomPath=[NSString stringWithFormat:@"%@/Documents/%@",NSHomeDirectory(),RandomString()]; + [SDData writeToFile:randomPath atomically:YES]; + dlopen(randomPath.UTF8String,RTLD_NOW); + //Inform Our Logger + CallTracer *tracer = [[CallTracer alloc] initWithClass:@"WTFJH" andMethod:@"LoadThirdPartyTools"]; + [tracer addArgFromPlistObject:@"dlopen" withKey:@"Type"]; + [tracer addArgFromPlistObject:randomPath withKey:@"Path"]; + [tracer addArgFromPlistObject:@"DeviceIDFake" withKey:@"ModuleName"]; + [traceStorage saveTracedCall: tracer]; + [tracer release]; + //End + + [SDData release]; + break; + } + + + + } +#endif +} diff --git a/Hooks/ThirdPartyTools/InspectiveC.xm b/Hooks/ThirdPartyTools/InspectiveC.xm new file mode 100644 index 0000000..4cc1c3f --- /dev/null +++ b/Hooks/ThirdPartyTools/InspectiveC.xm 
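Review bot: The guard `#ifndef _____LP64_____` (five underscores each side) never matches the `__LP64__` macro the compiler defines, so even on arm64 the 32-bit `getsectdatafromheader` is handed a `mach_header_64` and walks it with 32-bit load-command layouts, and the bare `#elif` has no expression; write it as `#ifdef __LP64__` / `#else`, and note the identical block is repeated in InspectiveC.xm, RuntimeClassDump.xm and dumpdecrypted.xm. `data` is NULL when the section is not in the build, and `ASLROffset+data` then turns it into a bogus non-NULL pointer that `dataWithBytes:length:` reads from, so check it before sliding. `[SDData release]` over-releases the autoreleased object from `dataWithBytes:length:` (compare the explicit `autorelease` on `curName` a few lines earlier), which crashes when the pool drains, and neither the `writeToFile:` result nor the `dlopen` return is checked, while the dropped file is left in Documents; test both (report `dlerror()` on failure), and unlink the file once loaded. `_dyld_image_count` and friends come from `<mach-o/dyld.h>`, which this file does not import unless SharedDefine.pch pulls it in. Since the four files differ only in the section and module name, a single helper taking those two strings, as the file's own first comment suggests, would remove three copies of every defect above.
```objc
            // `__LP64__` (two underscores) is the macro the compiler actually defines
#ifdef __LP64__
            uint64_t size=0;
            const struct mach_header_64* selfHeader=(const struct mach_header_64*)_dyld_get_image_header(i);
            char * data=getsectdatafromheader_64(selfHeader,"WTFJH","DeviceIDFake",&size);
#else
            uint32_t size=0;
            const struct mach_header* selfHeader=(const struct mach_header*)_dyld_get_image_header(i);
            char * data=getsectdatafromheader(selfHeader,"WTFJH","DeviceIDFake",&size);
#endif
            if(data==NULL||size==0){ break; }   // section not present in this build: nothing to load
            data=ASLROffset+data;
            NSData* SDData=[NSData dataWithBytes:data length:size];
            // … unchanged: randomPath, writeToFile:, dlopen, CallTracer entry …
            // (drop `[SDData release];` — dataWithBytes:length: returns an autoreleased object)
```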
@@ -0,0 +1,47 @@ +//Shall We Use Marcos instead of this shit? +#import "../SharedDefine.pch" +#import <mach-o/getsect.h> +#import <dlfcn.h> +extern NSString* RandomString(); +extern void init_InspectiveC_hook(){ +#ifdef PROTOTYPE +//Because We Ain't Ready Yet. No Test + for(int i=0;i<_dyld_image_count();i++){ + const char * Nam=_dyld_get_image_name(i); + NSString* curName=[[NSString stringWithUTF8String:Nam] autorelease]; + if([curName containsString:WTFJHTWEAKNAME]){ + intptr_t ASLROffset=_dyld_get_image_vmaddr_slide(i); + //We Found Ourself +#ifndef _____LP64_____ + uint32_t size=0; + const struct mach_header* selfHeader=(const struct mach_header*)_dyld_get_image_header(i); + char * data=getsectdatafromheader(selfHeader,"WTFJH","InspectiveC",&size); + +#elif + uint64_t size=0; + const struct mach_header_64* selfHeader=(const struct mach_header_64*)_dyld_get_image_header(i); + char * data=getsectdatafromheader_64(selfHeader,"WTFJH","InspectiveC",&size); +#endif + data=ASLROffset+data;//Add ASLR Offset To Pointer And Fix Address + NSData* SDData=[NSData dataWithBytes:data length:size]; + NSString* randomPath=[NSString stringWithFormat:@"%@/Documents/%@",NSHomeDirectory(),RandomString()]; + [SDData writeToFile:randomPath atomically:YES]; + dlopen(randomPath.UTF8String,RTLD_NOW); + //Inform Our Logger + CallTracer *tracer = [[CallTracer alloc] initWithClass:@"WTFJH" andMethod:@"LoadThirdPartyTools"]; + [tracer addArgFromPlistObject:@"dlopen" withKey:@"Type"]; + [tracer addArgFromPlistObject:randomPath withKey:@"Path"]; + [tracer addArgFromPlistObject:@"InspectiveC" withKey:@"ModuleName"]; + [traceStorage saveTracedCall: tracer]; + [tracer release]; + //End + + [SDData release]; + break; + } + + + + } +#endif +} diff --git a/Hooks/ThirdPartyTools/RuntimeClassDump.xm b/Hooks/ThirdPartyTools/RuntimeClassDump.xm new file mode 100644 index 0000000..72a1b65 --- /dev/null +++ b/Hooks/ThirdPartyTools/RuntimeClassDump.xm 
@@ -0,0 +1,47 @@ +//Shall We Use Marcos instead of this shit? +#import "../SharedDefine.pch" +#import <mach-o/getsect.h> +#import <dlfcn.h> +extern NSString* RandomString(); +extern void init_RuntimeClassDump_hook(){ +#ifdef PROTOTYPE +//Because We Ain't Ready Yet. No Test + for(int i=0;i<_dyld_image_count();i++){ + const char * Nam=_dyld_get_image_name(i); + NSString* curName=[[NSString stringWithUTF8String:Nam] autorelease]; + if([curName containsString:WTFJHTWEAKNAME]){ + intptr_t ASLROffset=_dyld_get_image_vmaddr_slide(i); + //We Found Ourself +#ifndef _____LP64_____ + uint32_t size=0; + const struct mach_header* selfHeader=(const struct mach_header*)_dyld_get_image_header(i); + char * data=getsectdatafromheader(selfHeader,"WTFJH","RuntimeClassDump",&size); + +#elif + uint64_t size=0; + const struct mach_header_64* selfHeader=(const struct mach_header_64*)_dyld_get_image_header(i); + char * data=getsectdatafromheader_64(selfHeader,"WTFJH","RuntimeClassDump",&size); +#endif + data=ASLROffset+data;//Add ASLR Offset To Pointer And Fix Address + NSData* SDData=[NSData dataWithBytes:data length:size]; + NSString* randomPath=[NSString stringWithFormat:@"%@/Documents/%@",NSHomeDirectory(),RandomString()]; + [SDData writeToFile:randomPath atomically:YES]; + dlopen(randomPath.UTF8String,RTLD_NOW); + //Inform Our Logger + CallTracer *tracer = [[CallTracer alloc] initWithClass:@"WTFJH" andMethod:@"LoadThirdPartyTools"]; + [tracer addArgFromPlistObject:@"dlopen" withKey:@"Type"]; + [tracer addArgFromPlistObject:randomPath withKey:@"Path"]; + [tracer addArgFromPlistObject:@"RuntimeClassDump" withKey:@"ModuleName"]; + [traceStorage saveTracedCall: tracer]; + [tracer release]; + //End + + [SDData release]; + break; + } + + + + } +#endif +} diff --git a/Hooks/ThirdPartyTools/dumpdecrypted.xm b/Hooks/ThirdPartyTools/dumpdecrypted.xm new file mode 100644 index 0000000..3409aa5 --- /dev/null +++ b/Hooks/ThirdPartyTools/dumpdecrypted.xm 
@@ -0,0 +1,47 @@ +//Shall We Use Marcos instead of this shit? +#import "../SharedDefine.pch" +#import <mach-o/getsect.h> +#import <dlfcn.h> +extern NSString* RandomString(); +extern void init_dumpdecrypted_hook(){ +#ifdef PROTOTYPE +//Because We Ain't Ready Yet. No Test + for(int i=0;i<_dyld_image_count();i++){ + const char * Nam=_dyld_get_image_name(i); + NSString* curName=[[NSString stringWithUTF8String:Nam] autorelease]; + if([curName containsString:WTFJHTWEAKNAME]){ + intptr_t ASLROffset=_dyld_get_image_vmaddr_slide(i); + //We Found Ourself +#ifndef _____LP64_____ + uint32_t size=0; + const struct mach_header* selfHeader=(const struct mach_header*)_dyld_get_image_header(i); + char * data=getsectdatafromheader(selfHeader,"WTFJH","dumpdecrypted",&size); + +#elif + uint64_t size=0; + const struct mach_header_64* selfHeader=(const struct mach_header_64*)_dyld_get_image_header(i); + char * data=getsectdatafromheader_64(selfHeader,"WTFJH","dumpdecrypted",&size); +#endif + data=ASLROffset+data;//Add ASLR Offset To Pointer And Fix Address + NSData* SDData=[NSData dataWithBytes:data length:size]; + NSString* randomPath=[NSString stringWithFormat:@"%@/Documents/%@",NSHomeDirectory(),RandomString()]; + [SDData writeToFile:randomPath atomically:YES]; + dlopen(randomPath.UTF8String,RTLD_NOW); + //Inform Our Logger + CallTracer *tracer = [[CallTracer alloc] initWithClass:@"WTFJH" andMethod:@"LoadThirdPartyTools"]; + [tracer addArgFromPlistObject:@"dlopen" withKey:@"Type"]; + [tracer addArgFromPlistObject:randomPath withKey:@"Path"]; + [tracer addArgFromPlistObject:@"dumpdecrypted" withKey:@"ModuleName"]; + [traceStorage saveTracedCall: tracer]; + [tracer release]; + //End + + [SDData release]; + break; + } + + + + } +#endif +} diff --git a/VERSION b/VERSION index 91a3d42..136c8ca 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -340 \ No newline at end of file +342 \ No newline at end of file diff --git a/todo/README.md b/todo/README.md index f90dbb0..d6c90df 100644 
--- a/todo/README.md +++ b/todo/README.md @@ -9,3 +9,5 @@ 8. Web-based Cycript Support (POST .js to Tweak. We'll execute it locally) 9. Web-Shell 10. Real-Time Logging To Server +11. Mach-O Related +12. PROFIT??!!!