1. DYLD源碼
1.1 DYLD中加載動態庫的部分,在dyld.cpp的_main函數中
image.png
1.2 在加載動態庫之前有個if判斷
如果是限制動態庫插入的話就會調用下面的函數移除相關的環境變量,DYLD_INSERT_LIBRARIES就不會調用
image.png
1.3 gLinkContext.processIsRestricted = true 搜索這個條件是如何設置的
image.png
issetugid()是私有函數無法設置hasRestrictedSegment(mainExecutableMH)查看這個函數的實現
1.4 hasRestrictedSegment函數實現
image.png
這個判斷是查找Segment中__RESTRICT字段的值,如果__RESTRICT的sectname值跟__restrict相等的話就返回true
image.png
2. 工程中添加__RESTRICT
2.1 Other Linker Flags中添加-Wl,-sectcreate,__RESTRICT,__restrict,/dev/null,固定寫法
image.png
2.2 編譯工程,MachOView查看可執行文件
image.png
這樣注入的動態庫就會失效
3. 破壞防護
可以通過修改Mach-O二進制,來達到破壞的目的,
MachOView打開可執行文件,在Load Commands里面可以直接修改__RESTRICT這個字段還有字段的值
image.png
修改完后重新簽名一下就可以運行了
4. 工程中檢查__RESTRICT的值
可以利用Dyld中檢查__RESTRICT的代碼來檢查是否修改了這個值
#import "ViewController.h"
#import <mach-o/loader.h>
#import <mach-o/dyld.h>
@interface ViewController ()
@end
#if __LP64__
#define macho_header mach_header_64
#define LC_SEGMENT_COMMAND LC_SEGMENT_64
#define LC_SEGMENT_COMMAND_WRONG LC_SEGMENT
#define LC_ENCRYPT_COMMAND LC_ENCRYPTION_INFO
#define macho_segment_command segment_command_64
#define macho_section section_64
#else
#define macho_header mach_header
#define LC_SEGMENT_COMMAND LC_SEGMENT
#define LC_SEGMENT_COMMAND_WRONG LC_SEGMENT_64
#define LC_ENCRYPT_COMMAND LC_ENCRYPTION_INFO_64
#define macho_segment_command segment_command
#define macho_section section
#endif
@implementation ViewController
+ (void)load
{
const struct mach_header_64 *header = (const struct mach_header_64 *)_dyld_get_image_header(0);//獲取自己
if (hasRestrictedSegment(header)) {
NSLog(@"防止Tweak注入狀態!!");
}else{
NSLog(@"被修改了!!");
}
}
static bool hasRestrictedSegment(const struct macho_header* mh)
{
const uint32_t cmd_count = mh->ncmds;
const struct load_command* const cmds = (struct load_command*)(((char*)mh)+sizeof(struct macho_header));
const struct load_command* cmd = cmds;
for (uint32_t i = 0; i < cmd_count; ++i) {
switch (cmd->cmd) {
case LC_SEGMENT_COMMAND:
{
const struct macho_segment_command* seg = (struct macho_segment_command*)cmd;
printf("seg name: %s\n", seg->segname);
if (strcmp(seg->segname, "__RESTRICT") == 0) {
const struct macho_section* const sectionsStart = (struct macho_section*)((char*)seg + sizeof(struct macho_segment_command));
const struct macho_section* const sectionsEnd = §ionsStart[seg->nsects];
for (const struct macho_section* sect=sectionsStart; sect < sectionsEnd; ++sect) {
if (strcmp(sect->sectname, "__restrict") == 0)
return true;
}
}
}
break;
}
cmd = (const struct load_command*)(((char*)cmd)+cmd->cmdsize);
}
return false;
}
@end
iOS10之后,dyld不再檢查__RESTRICT字段了
5. 檢查加載了多少動態庫
const char * libraries = "/var/mobile/Containers/Bundle/Application/AD8D84E6-E893-4C96-A29A-FBD13AF4B461/WhitelistDemo.app/WhitelistDemo/Library/MobileSubstrate/MobileSubstrate.dylib/Developer/usr/lib/libBacktraceRecording.dylib/Developer/Library/PrivateFrameworks/DTDDISupport.framework/libViewDebuggerSupport.dylib"
bool CheckWhitelist(){
int count = _dyld_image_count();//加載了多少數量
for (int i = 0; i < count; i++) {
//遍歷拿到庫名稱!
const char * imageName = _dyld_get_image_name(i);
//
if (!strstr(libraries, imageName)&&!strstr(imageName, "/var/mobile/Containers/Bundle/Application")) {
printf("該庫非白名單之內!!\n%s",imageName);
// return NO;
}
}
return YES;
}
strstr這個函數可以快速的檢查左邊的字符串是否包含右邊的字符串,
發布版本之前可以通過這個函數打印出所有的動態庫,然后放到libraries里面去,線上檢測libraries是否包含加載的庫就可以判斷是否有外部代碼注入。
