ios swift hook

Author: rainzhang | Published 2019-05-30 10:06 | Read 0 times

The article below explains this very clearly; I am just reposting it here so that anyone who needs it can find it easily.

https://www.securify.nl/blog/SFY20150302/hooking-swift-methods-for-fun-and-profit.html

INTRODUCTION

During the past few years different hooking frameworks have been developed for iOS, which allow users to modify app behavior without applying binary patches. Hooking iOS methods is useful in many ways during a (blackbox) security assessment. Hooking allows us to log method calls, inspect the input and/or output of a method, and even circumvent security measures like SSL/TLS in order to view/manipulate network traffic. In order to hook methods using such a framework, the device needs to be jailbroken.

Hooking C/C++ and Objective-C methods has become more common over the years. More tools and frameworks are available and are still being developed in order to perform (security) research and create custom app modifications. Apple introduced a new programming language called Swift that is built on top of the Objective-C runtime. Swift methods can be hooked in a similar, but slightly different way. This article will describe how Swift methods can be hooked.

METHOD AND SELECTOR SIGNATURES

In order to hook a method it is important to identify its signature: how many parameters it takes, what their types are, the symbol name, and what type it returns. In order to acquire this information the following tools can be used:

IDA - disassembler;

Hopper - disassembler;

otool - object file info tool;

nm - list symbols from object files;

class-dump - dump class signatures.

Swift symbols are mangled similarly to C++ methods. Whenever the symbol table of a Swift app is dumped with a tool like nm, the Swift symbols are listed with a __T prefix whereas C++ symbols start with __Z. Similar to the C++ demangling tool c++filt, Swift methods can be demangled using xcrun swift-demangle.

The following example shows the difference between a mangled and demangled symbol table:

$ nm <swift binary>
[..]
0000000100002840 T __TFC7DemoApp11AppDelegates6windowGSqCSo8UIWindow_
00000001000019f0 T __TFC7DemoApp14ViewController11viewDidLoadfS0_FT_T_
0000000100001af0 T __TFC7DemoApp14ViewController15mySuperFunctionfS0_FT_T_
0000000100001d20 T __TFC7DemoApp14ViewController23didReceiveMemoryWarningfS0_FT_T_
00000001000024a0 T __TFC7DemoApp14ViewControllerCfMS0_FT5coderCSo7NSCoder_S0_
[..]

$ nm <swift binary> | xcrun swift-demangle
[..]
00000001000027b0 t _@objc DemoApp.AppDelegate.window.setter : ObjectiveC.UIWindow?
0000000100001ac0 t _@objc DemoApp.ViewController.viewDidLoad (DemoApp.ViewController)() -> ()
0000000100001cf0 t _@objc DemoApp.ViewController.mySuperFunction (DemoApp.ViewController)() -> ()
0000000100001d80 t _@objc DemoApp.ViewController.didReceiveMemoryWarning (DemoApp.ViewController)() -> ()
00000001000024e0 t _@objc DemoApp.ViewController.init (DemoApp.ViewController.Type)(coder : ObjectiveC.NSCoder) -> DemoApp.ViewController
[..]

Constructing a method hook requires both representations. The mangled symbol is the actual pointer to the method and is used during the hooking setup. The demangled version helps us to construct the actual hook since it contains parameters and return types. The following example shows a method of the DemoApp class:

func mySuperFunction() {
    // do stuff
}

The mangled method name looks like this:

0000000100001af0 T __TFC7DemoApp14ViewController15mySuperFunctionfS0_FT_T_

The mangled method name can be broken down in the following components:

__T - indicates a Swift method;

F - the symbol is a function/method;

C - the symbol is a class method;

7DemoApp - app name/module name;

14ViewController - class name;

15mySuperFunction - method name.

This method does not have a return type and does not have any parameters. Or to be more precise, it has one parameter called self. When demangled, the method looks like this:

0000000100001cf0 t _@objc DemoApp.ViewController.mySuperFunction (DemoApp.ViewController)() -> ()

This can be roughly translated into:

Module.classname.functionName (self) -> (no return type)
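As an added example (not code from the article or from Securify), the following Python script applies the breakdown above mechanically. It is a deliberately small demangler for the pre-Swift-4 `_T` scheme that handles only the constructs found in the symbols on this page: class-context methods, the `C` allocating-initialiser marker, tuple, function and metatype types, the `So` (ObjectiveC module) and `SS` (Swift.String) shortcuts, and `S_`/`S0_` back-references to names seen earlier in the symbol. The names `Demangler`, `demangle` and `demangle_str` are my own, and any symbol outside that subset is rejected with a `ValueError` rather than guessed at. Run on the two symbols discussed here it reproduces the `Module.classname.functionName (self)(params) -> result` form shown above.

```python
# Added example: a minimal demangler for the pre-Swift-4 "_T" symbol scheme.
# It covers only the constructs present in the symbols on this page.

class Demangler:
    def __init__(self, symbol):
        # nm prints an extra leading underscore, so accept "__T" and "_T"
        if symbol.startswith("__T"):
            symbol = symbol[1:]
        if not symbol.startswith("_T"):
            raise ValueError("not a Swift _T symbol: %r" % symbol)
        self.s = symbol[2:]
        self.pos = 0
        self.subs = []  # back-reference table: S_ -> [0], S0_ -> [1], S1_ -> [2] ...

    def peek(self):
        return self.s[self.pos] if self.pos < len(self.s) else ""

    def take(self, n=1):
        out = self.s[self.pos:self.pos + n]
        self.pos += n
        return out

    def identifier(self):
        # <decimal length><name>, e.g. 14ViewController
        start = self.pos
        while self.peek().isdigit():
            self.pos += 1
        if start == self.pos:
            raise ValueError("expected identifier at offset %d" % self.pos)
        return self.take(int(self.s[start:self.pos]))

    def nominal(self):
        # class type: <context><name>; the context is a module name, the
        # 'So' shortcut for ObjectiveC, or an enclosing class ('C...')
        if self.s.startswith("So", self.pos):
            self.take(2)
            ctx = "ObjectiveC"
        elif self.peek() == "C":
            self.take()
            ctx = self.nominal()
        else:
            ctx = self.identifier()
            self.subs.append(ctx)
        full = ctx + "." + self.identifier()
        self.subs.append(full)
        return full

    def substitution(self):
        # 'S' already consumed: 'SS' is Swift.String, otherwise S[<n>]_
        if self.peek() == "S":
            self.take()
            return "Swift.String"
        digits = ""
        while self.peek().isdigit():
            digits += self.take()
        if self.take() != "_":
            raise ValueError("malformed substitution at offset %d" % self.pos)
        return self.subs[0 if digits == "" else int(digits) + 1]

    def type_(self):
        c = self.take()
        if c == "S":
            return self.substitution()
        if c == "C":
            return self.nominal()
        if c == "M":                        # metatype: T.Type
            return self.type_() + ".Type"
        if c == "T":                        # tuple: (label : type, ...) until '_'
            elems = []
            while self.peek() != "_":
                label = self.identifier() if self.peek().isdigit() else None
                t = self.type_()
                elems.append("%s : %s" % (label, t) if label else t)
            self.take()
            return "(" + ", ".join(elems) + ")"
        if c == "F":                        # function: params -> result
            params = self.type_()
            return params + " -> " + self.type_()
        if c == "f":                        # uncurried method: (self)(params) -> result
            self_type = self.type_()
            return "(" + self_type + ")" + self.type_()
        raise ValueError("unsupported type code %r at offset %d" % (c, self.pos))

    def entity(self):
        if self.take() != "F" or self.take() != "C":
            raise ValueError("only class-context functions (FC...) are supported")
        owner = self.nominal()
        if self.peek() == "C":              # 'C' after the class: allocating initialiser
            self.take()
            name = "__allocating_init"
        else:
            name = self.identifier()
        return owner, name, self.type_()


def demangle(symbol):
    """Return (owner, method name, signature) for a mangled _T symbol."""
    d = Demangler(symbol)
    owner, name, sig = d.entity()
    if d.pos != len(d.s):
        raise ValueError("trailing characters: %r" % d.s[d.pos:])
    return owner, name, sig


def demangle_str(symbol):
    owner, name, sig = demangle(symbol)
    return "%s.%s %s" % (owner, name, sig)


if __name__ == "__main__":
    for sym in ("__TFC7DemoApp14ViewController15mySuperFunctionfS0_FT_T_",
                "__TFCSo8NSStringCfMS_FT6stringSS_S_"):
        print(sym, "->", demangle_str(sym))
```

The back-reference table is the part worth understanding: the module name and each class name are recorded as they are parsed, so `S_` in `fS0_` or `FT6stringSS_S_` refers back to an entry rather than repeating it, which is why the same `S0_` means the self type both as the uncurried receiver and as the return type of the coder initialiser.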

CONSTRUCTING THE HOOK

Now that we know how to obtain and demangle Swift symbols we can construct hooks for Swift methods. In the following example we will hook the constructor of the NSString class. Our hook will write the constructor value to NSLog. First we need to determine the NSString constructor symbol. Using nm we can see the following mangled symbol:

00000001000025c0 t __TFCSo8NSStringCfMS_FT6stringSS_S_

Demangling the symbol gives us:

00000001000025c0 t _ObjectiveC.NSString.__allocating_init (ObjectiveC.NSString.Type)(string : Swift.String) -> ObjectiveC.NSString

Since NSString is a member of Apple's Foundation framework, we could also look the signature up in the developer API documentation.

The constructor takes a (Swift) string as parameter and will return an NSString object. With this information in mind we can construct our hook.

First, we need to declare a function pointer that will point to the original method we are going to hook. This comes in handy when we want to call the original method from our hook.

static id (*orig_nsstring_init)(id, id);

Since NSString is a Swift object we can use the id type for the parameters and the return type. Note that we declared two parameters instead of one: in addition to the constructor value, we must also process the self parameter. This is different from hooking Objective-C methods, where we also process the selector parameter. For example:

id method(id self, SEL cmd, id param1) // Objective-C method signature

Now we can create the method hook.

id nsstring_init_hook(id str, id self) // hook signature
{
    id orig_value = orig_nsstring_init(str, self); // invoke original constructor, save return value
    NSLog(@"# %@ #", orig_value);                  // print constructor parameter
    return orig_value;                             // return the value to facilitate the original behaviour
}

Important to note here is that, in comparison to Objective-C methods, the self parameter is the last parameter instead of the first. As mentioned before, the selector parameter is not supplied. With Cydia Substrate, MSHookFunction ties this all together:

MSHookFunction(MSFindSymbol(NULL, "__TFCSo8NSStringCfMS_FT6stringSS_S_"), // find the mangled symbol
               (void *)nsstring_init_hook,                                // function pointer to our hook
               (void **)&orig_nsstring_init);                             // stores function pointer to original function

CODE LISTING

#import <Foundation/Foundation.h>
#import <substrate.h>

// pointer to the original NSString constructor, filled in by MSHookFunction
static id (*orig_nsstring_init)(id, id) = NULL;

// replacement: call the original, log the result, and hand it back unchanged
id nsstring_init_hook(NSString *_str, id _self)
{
    id x = orig_nsstring_init(_str, _self);
    NSLog(@" ## %@ ##", x);
    return x;
}

// runs when the tweak library is loaded into the target process
__attribute__((constructor))
int main(void)
{
    MSHookFunction(MSFindSymbol(NULL, "__TFCSo8NSStringCfMS_FT6stringSS_S_"),
                   (void *)nsstring_init_hook,
                   (void **)&orig_nsstring_init);
    return 0;
}


Title: ios swift hook

Link: https://www.haomeiwen.com/subject/uccmtctx.html