IOS - 抓包通杀篇

iOS中大多数情况，开发者都会使用OC提供的api函数，CFNetworkCopySystemProxySettings来进行代理检测；

CFNetworkCopySystemProxySettings

检测函数直接会检测这些ip和端口等：

采用直接附加页面进程：

frida -UF -l 通杀代理抓包.js

上通杀脚本：

var _imports = Process.findModuleByName("XXX").enumerateImports();var _CFNetworkCopySystemProxySettings = null;for (var i = 0; i < _imports.length; i++) {    //查找CFNetworkCopySystemProxySettings系统代理函数    if (_imports[i].name.indexOf("CFNetworkCopySystemProxySettings") !== -1) {        console.log(_imports[i].name, _imports[i].address);        _CFNetworkCopySystemProxySettings = _imports[i].address;    }}if (_CFNetworkCopySystemProxySettings) {    Interceptor.attach(_CFNetworkCopySystemProxySettings, {        onEnter: function (agrgs) {        }, onLeave: function (retval) {            console.log("retval: ", ObjC.Object(retval));            //将返回值全部nop            retval.replace(0);        }    })}

NSURL URLWithString:

> frida-trace -U -f 包名 -m "+[NSURL URLWithString:]"

更改url得传入得参数，及堆栈打印，也叫url定位

{    onEnter(log, args, state) {console.log('CCCryptorCreate called from:\n' +        Thread.backtrace(this.context, Backtracer.ACCURATE)        .map(DebugSymbol.fromAddress).join('\n') + '\n');log(`+[NSURL URLWithString:]` + ObjC.Object(args[2]));  },    onLeave(log, retval, state) {  }}

双向证书：

资源路径操作，可以入手关键函数；

> frida-trace  -UF  -m "-[NSBundle pathForResource*]"

{    onEnter(log, args, state) {console.log('NSBundle pathForResource called from:\n' +        Thread.backtrace(this.context, Backtracer.ACCURATE)        .map(DebugSymbol.fromAddress).join('\n') + '\n');    log(`-[NSBundle pathForResource:${ObjC.Object(args[2])} ofType:${ObjC.Object(args[3])}]`);  },    onLeave(log, retval, state) {  }}

HOOK抓包

基于底层ssl库来实现：

//请求var ssl_write = Module.findExportByName("libboringssl.dylib", "SSL_write");console.log("ssl_write", ssl_write);   //ssl input lenInterceptor.attach(ssl_write, {    onEnter: function (args) {        console.log("=================================================");        console.log("CurrentThreadId: ", Process.getCurrentThreadId(), ", ssl_write onEnter args[1]: ", hexdump(args[1], {length: args[2].toInt32()}));    }, onLeave: function (retval) {    }});//返回响应var ssl_read = Module.findExportByName("libboringssl.dylib", "SSL_read");console.log("ssl_read", ssl_read);  //ssl output lenInterceptor.attach(ssl_read, {    onEnter: function (args) {        this.args1 = args[1];        this.args2 = args[2];    }, onLeave: function (retval) {        console.log("=================================================");        console.log("CurrentThreadId: ", Process.getCurrentThreadId(), ", ssl_read onLeave args[1]: ",            this.args1.readByteArray(this.args2.toInt32())        );    }});

r0Capture 肉师傅的安卓应用层抓包通杀脚本

这个在之前安卓也说过，ios和安卓都通用的；
详见：https://codeooo.blog.csdn.net/article/details/127123371

function initializeGlobals() {  var resolver = new ApiResolver("module");  var exps = [    [Process.platfORM == "darwin" ? "*libboringssl*" : "*libssl*", ["SSL_read", "SSL_write", "SSL_get_fd", "SSL_get_session", "SSL_SESSION_get_id"]], // for ios and Android    [Process.platform == "darwin" ? "*libsystem*" : "*libc*", ["getpeername", "getsockname", "ntohs", "ntohl"]]  ];

源码里三目运算符，也说明了，ios用 libboringssl 动态库 ， 安卓 libssl库；

同时还hook了，”SSL_read", “SSL_write” ,等等~

Interceptor.attach(addresses["SSL_read"],  {    onEnter: function (args) {      var message = getPortsAndAddresses(SSL_get_fd(args[0]), true);      message["ssl_session_id"] = getSslSessionId(args[0]);      message["function"] = "SSL_read";      message["stack"] = SSLstackread;      this.message = message;      this.buf = args[1];    },    onLeave: function (retval) {      retval |= 0; // Cast retval to 32-bit integer.      if (retval <= 0) {        return;      }      send(this.message, Memory.readByteArray(this.buf, retval));    }  });Interceptor.attach(addresses["SSL_write"],  {    onEnter: function (args) {      var message = getPortsAndAddresses(SSL_get_fd(args[0]), false);      message["ssl_session_id"] = getSslSessionId(args[0]);      message["function"] = "SSL_write";      message["stack"] = SSLstackwrite;      send(message, Memory.readByteArray(args[1], parseInt(args[2])));    },    onLeave: function (retval) {    }  });

来源地址：https://blog.csdn.net/weixin_38927522/article/details/129129544