黄金网站app视频工信部网站备案登录

一、目标

一步步分析并编写一个短信自动转发的deb插件

二、工具

• mac系统
• 已越狱iOS设备：脱壳及frida调试
• IDA Pro：静态分析
• 测试设备：iphone6s-ios14.1.1

三、步骤

1、守护进程

​ 守护进程(daemon)是一类在后台运行的特殊进程，用于执行特定的系统任务。例如：推送服务、人脸解锁、iCloud、查找我的iPhone、iMessage等。

相应的配置目录：

• /Library/LaunchAgents：管理员控制特定用户的代理

• /Library/LaunchDaemons：管理员提供的系统级守护进程（cydia、filza、frida等就在这）

• /System/Library/LaunchDaemons：iOS提供的默认守护进程

本文的目的主要短信，所以关注的重点在iOS提供的守护进程，常见的进程配置文件有：

更多服务请参考https://www.theiphonewiki.com/wiki/Services

2、定位关键函数

在iPhone中使用文件管理工具查看/System/Library/LaunchDaemons/com.apple.imagent文件关键信息如下：

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict><key>EnvironmentVariables</key><dict><key>NSRunningFromLaunchd</key><string>1</string></dict><key>ProgramArguments</key><array><string>/System/Library/PrivateFrameworks/IMCore.framework/imagent.app/imagent</string></array><key>RunAtLoad</key><true/>
</dict>
</plist>

ProgramArguments所对应的路径，就是该进程执行的二进制文件。执行frida-trace -U -m "*[IM* *]" imagent -o a.log后，当手机收到短信后的日志如下：

-[SMSServiceSession smsMessageReceived:0x10524abc0 msgID:0x80000006]
-[SMSServiceSession _processSMSorMMSMessageReceivedWithContext:0x10524abc0 messageID:0x80000006]
+[IMMetricsCollector sharedInstance]
-[IMMetricsCollector trackEvent:0x1d02ab1e8]
-[SMSServiceSession _convertCTMessageToDictionary:0x109a0e510 requiresUpload:0x16f832c2f]
-[IMMetricsCollector _trackEvent:0x1d02ab1e8]
-[SMSServiceSession _fixIncomingDate:0xd13d420d70d597e6]
-[SMSServiceSession shouldFixIncomingDate]
-[SMSServiceSession _myCTPhoneNumber]
+[IMCTSubscriptionUtilities sharedInstance]
-[IMCTSubscriptionUtilities deviceSupportsMultipleSubscriptions]
+[IMCTSubscriptionUtilities sharedInstance]
-[IMCTSubscriptionUtilities deviceSupportsMultipleSubscriptions]
+[IMCTSMSUtilities IMMMSEmailAddressToMatchForPhoneNumber:0x100830240 simID:0x0]
+[IMCTSubscriptionUtilities sharedInstance]
-[IMCTSubscriptionUtilities deviceSupportsMultipleSubscriptions]
-[SMSServiceSession _convertCTMessagePartToDictionary:0x109a28610]
-[SMSServiceSession _shouldUploadToMMCS:0x10524aca0]
-[SMSServiceSession _receivedSMSDictionary:0x10524aca0 requiresUpload:0x0 isBeingReplayed:0x0]
-[SMSServiceSession _processReceivedDictionary:0x10524aca0 storageContext:0x0]
+[IMMessageNotificationTimeManager sharedInstance]
-[IMMessageNotificationTimeManager acquireAssertionToUnsuspendProcess]
+[IMLockdownManager sharedInstance]
-[IMLockdownManager isInternalInstall]
-[IMLockdownManager _calculateInstallType]
-[IMMessageItem initWithSender:0x100890210 time:0x1008831d0 body:0x10083ba80 attributes:0x0 fileTransferGUIDs:0x1007081d0 flags:0x1 error:0x0 guid:0x10524acc0]
-[IMMessageItem initWithSender:0x100890210 time:0x1008831d0 body:0x10083ba80 attributes:0x0 fileTransferGUIDs:0x1007081d0 flags:0x1 error:0x0 guid:0x10524acc0 type:0x0]
-[IMMessageItem initWithSenderInfo:0x10085c330 time:0x1008831d0 timeRead:0x0 timeDelivered:0x0 timePlayed:0x0 subject:0x0 body:0x10083ba80 bodyData:0x0 attributes:0x0 fileTransferGUIDs:0x1007081d0 flags:0x1 guid:0x10524acc0 messageID:0x0 account:0x0 accountID:0x0 service:0x0 handle:0x0 roomName:0x0 unformattedID:0x0 countryCode:0x0 expireState:0x0 balloonBundleID:0x0 payloadData:0x0 expressiveSendStyleID:0x0 timeExpressiveSendPlayed:0x0 bizIntent:0x0 locale:0x0 errorType:0x0 type:0x0]
-[IMItem initWithSenderInfo:0x10085c330 time:0x1008831d0 guid:0x10524acc0 messageID:0x0 account:0x0 accountID:0x0 service:0x0 handle:0x0 roomName:0x0 unformattedID:0x0 countryCode:0x0 type:0x0]
-[IMItem setSenderInfo:0x10085c330]

根据日志可看出关键函数-[SMSServiceSession smsMessageReceived:0x10524abc0 msgID:0x80000006]， 使用命令frida-trace -U -m "-[SMSServiceSession smsMessageReceived:msgID:]" imagent跟踪该函数，js代码如下:

{onEnter(log, args, state) {log(`-[SMSServiceSession smsMessageReceived:${ObjC.Object(args[2])} msgID:${args[3]}]`);},onLeave(log, retval, state) {}
}

当手机收到短信时，对应日志输出如下: