iOS Forensics Skill: How to Perfectly Export SQLite Databases

In the previous article I introduced some tricks for using features of the iOS DeveloperImage, including launching an app with custom environment variables on a jailbroken device. To be honest, my original goal was to hunt for sandbox logic bugs, and that failed. Luckily I found another very useful technique along the way: using some of those same features to extract SQLite databases. This approach requires the screen to be unlocked and a trusted USB connection.

To run the complete experiment you need the following tools installed:

https://github.com/libimobiledevice/libimobiledevice

https://github.com/libimobiledevice/ideviceinstaller

https://github.com/emonti/afcclient (optional; use it if you don't want to write code against libimobiledevice yourself)

SQLite logging

The SQLite currently built into iOS supports a debugging option: if the SQLITE_SQLLOG_DIR environment variable is set, every database gets a copy in the given directory, and the SQL queries are logged there in plain text.

SQLite documentation: https://www.sqlite.org/src/doc/trunk/src/test_sqllog.c

Our experiment starts on a jailbroken device. Just launch the Gmail app with SQLITE_SQLLOG_DIR pointing at a location it is allowed to write to:


Modify the script from the previous article to add a new key to the environment:

// Point SQLite's query logging at a directory the target app is allowed to write to
const env = ObjC.classes.NSMutableDictionary.alloc().init();
env.setObject_forKey_(
  ObjC.classes.NSString.stringWithString_('/private/var/mobile/Containers/Data/Application/{THE_ACTUAL_UUID_ON_YOUR_DEVICE}/tmp'),
  ObjC.classes.NSString.stringWithString_('SQLITE_SQLLOG_DIR'));

Here is what gets generated in that directory:

hello:/private/var/mobile/Containers/Data/Application/.../tmp root# ls
WebKit      sqllog_05860_00000.sql  sqllog_05860_00003.sql  sqllog_05860_01.db
sqllog_05860.idx    sqllog_05860_00001.sql  sqllog_05860_00004.sql  sqllog_05860_02.db
sqllog_05860_00.db  sqllog_05860_00002.sql  sqllog_05860_00005.sql  sqllog_05860_03.db

The 05860 in the file names is the pid, zero-padded to a fixed 5 digits. The idx file is the index that maps these files back to the original databases.

root# cat sqllog_05860.idx
0 /private/var/mobile/Containers/Shared/AppGroup/21805C48-3DD1-4973-BDB8-F26441BE74B3/GIPPhenotype/phenotype.db
1 /var/mobile/Containers/Data/Application/E89CEF28-30BA-41F8-BDB3-BD05E0598D32/Library/Application Support/data/johnsmith@outlook.com/sqlitedb
2 /var/mobile/Containers/Data/Application/E89CEF28-30BA-41F8-BDB3-BD05E0598D32/Library/Application Support/data/johnsmith@outlook.com/imapsqlitedb
3 /private/var/mobile/Containers/Data/Application/E89CEF28-30BA-41F8-BDB3-BD05E0598D32/Library/Caches/com.google.Gmail/Cache.d

For example, all queries against /var/mobile/Containers/Data/Application/E89CEF28-30BA-41F8-BDB3-BD05E0598D32/Library/Application Support/data/johnsmith@outlook.com/sqlitedb are recorded in the file sqllog_05860_00000.sql.


sqllog_05860_00.db is its copy.
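As an added example (not part of the original post), here is a small Python helper that joins a SQLITE_SQLLOG_DIR listing like the one above with the contents of the .idx file, so that each sqllog_<pid>_<nn>.db copy is tied back to the original database path it was taken from. The file-name scheme and the one-entry-per-line "<index> <path>" format of the .idx file are taken from the listing above; the sample listing and index text embedded below are constructed, and <APP_UUID> is a placeholder for the real container UUID. The parser handles two details visible in the post's own output: paths containing spaces ("Application Support") and paths with repeated slashes ("/var/mobile///Library").

```python
"""Inventory of what SQLite's SQLLOG facility leaves in SQLITE_SQLLOG_DIR.

Added example, not from the original post. Assumes the naming scheme seen in
the post's listing: sqllog_<pid>.idx (index), sqllog_<pid>_<nn>.db (database
copies) and sqllog_<pid>_<nnnnn>.sql (query logs), pid zero-padded to 5 digits.
"""
import posixpath
import re

# sqllog_<5-digit pid>[_<counter>].<idx|db|sql>
SQLLOG_NAME = re.compile(r"^sqllog_(\d{5})(?:_(\d+))?\.(idx|db|sql)$")

# Constructed sample data modelled on the post's Gmail listing; <APP_UUID>
# is a placeholder for the real container UUID on a device.
SAMPLE_LISTING = [
    "WebKit",
    "sqllog_05860.idx",
    "sqllog_05860_00.db", "sqllog_05860_01.db",
    "sqllog_05860_02.db", "sqllog_05860_03.db",
    "sqllog_05860_00000.sql", "sqllog_05860_00001.sql", "sqllog_05860_00002.sql",
    "sqllog_05860_00003.sql", "sqllog_05860_00004.sql", "sqllog_05860_00005.sql",
]
SAMPLE_IDX = {
    5860: (
        "0 /private/var/mobile/Containers/Shared/AppGroup/<APP_UUID>/GIPPhenotype/phenotype.db\n"
        "1 /var/mobile/Containers/Data/Application/<APP_UUID>/Library/Application Support/data/johnsmith@outlook.com/sqlitedb\n"
        "2 /var/mobile/Containers/Data/Application/<APP_UUID>/Library/Application Support/data/johnsmith@outlook.com/imapsqlitedb\n"
        "3 /private/var/mobile/Containers/Data/Application/<APP_UUID>/Library/Caches/com.google.Gmail/Cache.d\n"
    ),
}


def parse_idx(text):
    """Map index number -> original database path from a sqllog_<pid>.idx file.

    Each line is '<index> <path>'. Paths can contain spaces ('Application
    Support') and redundant slashes ('/var/mobile///Library'), so split only
    on the first space and normalise the remainder.
    """
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        index, path = line.split(" ", 1)
        mapping[int(index)] = posixpath.normpath(path)
    return mapping


def classify(filename):
    """Return (pid, counter, kind) for a sqllog file name, or None for anything else."""
    match = SQLLOG_NAME.match(filename)
    if match is None:
        return None
    pid, counter, kind = match.groups()
    return int(pid), (None if counter is None else int(counter)), kind


def build_inventory(listing, idx_by_pid):
    """Join a directory listing with the .idx contents, grouped by pid.

    Returns {pid: {"copies": {copy_name: original_path},
                   "logs": [sql log names],
                   "unmapped": [copies with no matching .idx entry]}}
    """
    inventory = {}
    for name in sorted(listing):
        info = classify(name)
        if info is None:
            continue  # e.g. the app's own 'WebKit' directory
        pid, counter, kind = info
        entry = inventory.setdefault(pid, {"copies": {}, "logs": [], "unmapped": []})
        if kind == "db":
            original = parse_idx(idx_by_pid.get(pid, "")).get(counter)
            if original is None:
                entry["unmapped"].append(name)  # copy whose source is unknown
            else:
                entry["copies"][name] = original
        elif kind == "sql":
            entry["logs"].append(name)
    return inventory


if __name__ == "__main__":
    for pid, entry in build_inventory(SAMPLE_LISTING, SAMPLE_IDX).items():
        print(f"pid {pid}: {len(entry['logs'])} SQL logs")
        for copy, original in entry["copies"].items():
            print(f"  {copy} <- {original}")
        for copy in entry["unmapped"]:
            print(f"  {copy} <- (no entry in .idx)")
```

On a real pull you would feed build_inventory() the names in the directory you retrieved plus the text of each sqllog_<pid>.idx; copies that end up in "unmapped" are worth a second look, since they were written by a process whose index file was not collected.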



Non-jailbroken devices

The problem now is that apps on iOS are "jailed" inside their containers, and without a full backup you still cannot get at those containers. But every rule has its exception, and sandbox profiles are no exception.

Some built-in apps have write access to the /var/mobile/Media/iTunes_Control/iTunes directory.


And some apps also hold the com.apple.security.exception.files.absolute-path.read-write or com.apple.security.exception.files.home-relative-path.read-write entitlement.

You can read these entitlements with the following command.

ideviceinstaller -l -o list_system -o xml

VoiceMemo:

<key>com.apple.security.exception.files.absolute-path.read-write</key>
<array>
    <string>/private/var/mobile/Media/Recordings/</string>
</array>
<key>platform-application</key>
<true/>

MobileSafari:

<key>com.apple.security.exception.files.home-relative-path.read-write</key>
   <array>
    <string>/Library/com.apple.itunesstored/</string>
    <string>/Library/com.apple.iTunesCloud/</string>
    <string>/Library/Caches/com.apple.Music/</string>
    <string>/Library/Cookies/</string>
    <string>/Media/</string>
    <string>/Library/Caches/com.apple.Radio/</string>
    <string>/Library/Caches/com.apple.iTunesStore/</string>
    <string>/Library/Caches/sharedCaches/com.apple.Radio.RadioImageCache/</string>
    <string>/Library/Caches/sharedCaches/com.apple.Radio.RadioRequestURLCache/</string>
    <string>/Library/com.apple.MediaSocial/</string>
    <string>/Library/DeviceRegistry/</string>
    <string>/Library/Logs/MediaServices/</string>
   </array>
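As an added example (not from the original post), this Python snippet parses the plist that `ideviceinstaller -l -o list_system -o xml` prints and reports which apps hold file-access exception entitlements that reach into /var/mobile/Media, the tree that AFC exposes over USB. It assumes the output is a plist array of per-app dictionaries with CFBundleIdentifier and Entitlements keys (matching the fragments quoted above); the embedded plist is a constructed sample modelled on the VoiceMemo and MobileSafari fragments, the third-party entry is made up, and resolving home-relative paths against /var/mobile is an assumption.

```python
"""Audit which installed apps hold sandbox file-access exceptions that reach
/var/mobile/Media, from the plist printed by
`ideviceinstaller -l -o list_system -o xml`.

Added example, not from the original post. Assumes the output is a plist array
of per-app dictionaries carrying CFBundleIdentifier and Entitlements, and that
home-relative paths resolve against /var/mobile.
"""
import plistlib

ABSOLUTE_KEY = "com.apple.security.exception.files.absolute-path.read-write"
HOME_RELATIVE_KEY = "com.apple.security.exception.files.home-relative-path.read-write"
MOBILE_HOME = "/var/mobile"       # assumed home directory for home-relative paths
AFC_ROOT = "/var/mobile/Media"    # the tree AFC exposes over USB

# Constructed sample modelled on the VoiceMemo and MobileSafari fragments above;
# com.example.thirdparty is a made-up app with no file exceptions.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<array>
  <dict>
    <key>CFBundleIdentifier</key><string>com.apple.VoiceMemos</string>
    <key>Entitlements</key>
    <dict>
      <key>com.apple.security.exception.files.absolute-path.read-write</key>
      <array><string>/private/var/mobile/Media/Recordings/</string></array>
      <key>platform-application</key><true/>
    </dict>
  </dict>
  <dict>
    <key>CFBundleIdentifier</key><string>com.apple.mobilesafari</string>
    <key>Entitlements</key>
    <dict>
      <key>com.apple.security.exception.files.home-relative-path.read-write</key>
      <array>
        <string>/Library/Cookies/</string>
        <string>/Media/</string>
      </array>
    </dict>
  </dict>
  <dict>
    <key>CFBundleIdentifier</key><string>com.example.thirdparty</string>
    <key>Entitlements</key>
    <dict><key>application-identifier</key><string>TEAMID.com.example.thirdparty</string></dict>
  </dict>
</array>
</plist>
"""


def load_apps(plist_bytes):
    """Parse the plist; its top level is the array of app dictionaries."""
    return plistlib.loads(plist_bytes)


def _as_list(value):
    """Entitlement values may be a single string or an array of strings."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def normalise(path):
    """/private/var/... and /var/... name the same files; use the short form."""
    if path.startswith("/private/var/"):
        path = path[len("/private"):]
    return path


def file_exceptions(apps):
    """Yield (bundle_id, kind, absolute_path) for every file-access exception."""
    for app in apps:
        bundle_id = app.get("CFBundleIdentifier", "?")
        ents = app.get("Entitlements") or {}
        for path in _as_list(ents.get(ABSOLUTE_KEY)):
            yield bundle_id, "absolute", normalise(path)
        for path in _as_list(ents.get(HOME_RELATIVE_KEY)):
            yield bundle_id, "home-relative", normalise(MOBILE_HOME + path)


def apps_reaching_afc(plist_bytes, afc_root=AFC_ROOT):
    """Bundle IDs whose exceptions cover a path under the AFC-visible tree."""
    hits = {}
    for bundle_id, _kind, path in file_exceptions(load_apps(plist_bytes)):
        if path == afc_root or path.startswith(afc_root + "/"):
            hits.setdefault(bundle_id, []).append(path)
    return hits


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PLIST
    for bundle_id, paths in sorted(apps_reaching_afc(data).items()):
        print(bundle_id, "->", ", ".join(paths))
```

Run it with the saved XML output as its first argument; with no argument it uses the constructed sample. The result is the list of apps whose sandbox profile lets them write somewhere a USB-paired host can read back, which is exactly the property the rest of this section relies on, and the same list a defender would review when deciding what data can leave a device over a trusted pairing.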

iOS allows sandboxed file access within /var/mobile/Media. Many third-party iPhone management tools let you operate on this location directly, some even through a GUI.

➜  afcclient git:(master) ✗ ./afcclient mkdir Downloads/SQLite

Another readable location is CrashReporter. You can fetch its files with idevicecrashreport.


But it has to be said that not all built-in apps have these exceptions, let alone third-party apps.

Demo

For the test, launch Instruments and use the frida script from the previous article, changing the bundle ID to the target.

/*
run Instruments.app, then
frida Instruments -l msg.js
*/
// Find the first connected iOS device that Instruments knows about.
function getDevice() {
  const devices = ObjC.classes.XRDeviceDiscovery.availableDevices();
  const count = devices.count().valueOf();
  for (let i = 0; i < count; i++) {
    const device = devices.objectAtIndex_(i);
    if (device.platformName().toString() === 'iPhoneOS' && device.connection()) {
      return device;
    }
  }
  throw new Error('unable to find device');
}

// +[DTXMessage messageWithSelector:objectArguments:] is variadic, so call it
// through a NativeFunction instead of the ObjC bridge's method wrapper.
const newMsgFunc = ObjC.classes.DTXMessage['+ messageWithSelector:objectArguments:'].implementation;
const newMsg = new NativeFunction(newMsgFunc, 'pointer',
  ['pointer', 'pointer', 'pointer', '...', 'pointer', 'pointer', 'pointer', 'pointer', 'pointer', 'pointer']);

// Launch options for the process-control service.
const opt = ObjC.classes.NSMutableDictionary.alloc().init();
opt.setObject_forKey_(0, ObjC.classes.NSString.stringWithString_('StartSuspendedKey')); // required

// argv for the launched process.
const args = ObjC.classes.NSMutableArray.alloc().init();
args.addObject_(ObjC.classes.NSString.stringWithString_('--if-you-need-some-thing')); // argv

// Environment variables the launched process will inherit.
const env = ObjC.classes.NSMutableDictionary.alloc().init();
env.setObject_forKey_(
  ObjC.classes.NSString.stringWithString_('3'),
  ObjC.classes.NSString.stringWithString_('CFNETWORK_DIAGNOSTICS')); // environment variables

// Build the DTXMessage that asks the device to launch the app.
const msg = new ObjC.Object(newMsg(
  ObjC.classes.DTXMessage,
  ObjC.selector('+ messageWithSelector:objectArguments:'),
  ObjC.selector('launchSuspendedProcessWithDevicePath:bundleIdentifier:environment:arguments:options:'),

  ObjC.classes.NSString.stringWithString_('this makes no sense'), // path, SpringBoard simply ignores it
  ObjC.classes.NSString.stringWithString_('com.apple.calculator'), // bundle id, must be already installed
  ObjC.classes.NSDictionary.dictionaryWithDictionary_(env),
  args.copy(),
  ObjC.classes.NSDictionary.dictionaryWithDictionary_(opt),
  NULL
));

// Open the process-control channel on the device and send the message.
const channel = getDevice().connection().makeChannelWithIdentifier_(
  'com.apple.instruments.server.services.processcontrol.feature.deviceio'); // channel id

channel.sendControlSync_replyHandler_(msg, new ObjC.Block({
  retType: 'void',
  argTypes: ['object', 'pointer'],
  implementation: function(reply, len) {
    console.log('reply', reply.payloadObject()); // pid on success, or an error
  }
}));

com.apple.mobilesafari

This gives you Safari's browser state, bookmarks, history, per-site preferences, HTML5 local storage and even the cache. Note that Cache.db is normally not included in backups, and it stores HTTP requests in plain text.

➜  afcclient git:(master) ✗ ./afcclient mkdir iTunes_Control/iTunes/safari
Created directory: iTunes_Control/iTunes/safari
➜  afcclient git:(master) ✗ ./afcclient cat iTunes_Control/iTunes/safari/sqllog_02343.idx
0 /private/var/mobile/Containers/Data/Application/9210B36C-89E2-4728-9831-40CAA961C15E/Library/Image Cache/Favicons/Favicons.db
1 /var/mobile/Containers/Data/Application/9210B36C-89E2-4728-9831-40CAA961C15E/Library/Safari/BrowserState.db
2 /private/var/mobile/Containers/Data/Application/9210B36C-89E2-4728-9831-40CAA961C15E/Library/Image Cache/Touch Icons/TouchIconCacheSettings.db
3 /private/var/mobile/Containers/Data/Application/9210B36C-89E2-4728-9831-40CAA961C15E/Library/Image Cache/Password Icons/TouchIconCacheSettings.db
4 /var/mobile/Library/Safari/Bookmarks.db
5 /private/var/mobile/Containers/Data/Application/9210B36C-89E2-4728-9831-40CAA961C15E/Library/Safari/History.db
6 /var/mobile/Containers/Data/Application/9210B36C-89E2-4728-9831-40CAA961C15E/Library/WebKit/WebsiteData/LocalStorage/https_mobile.twitter.com_0.localstorage
7 /private/var/mobile/Containers/Data/Application/9210B36C-89E2-4728-9831-40CAA961C15E/Library/Safari/PerSitePreferences.db
8 /private/var/mobile/Containers/Data/Application/9210B36C-89E2-4728-9831-40CAA961C15E/Library/Caches/com.apple.mobilesafari/Cache.db

com.apple.mobilemail

➜  afcclient git:(master) ✗ ./afcclient cat Mail/sqllog_04465.idx
0 /var/mobile/Library/Mail/Envelope Index
1 /var/mobile/Library/Mail/Protected Index
2 /var/mobile/Library/DeviceRegistry/5CFB9E7E-C465-4A92-B3ED-C744367AB766/NanoMail/registry.sqlite
3 /var/mobile/Library/AddressBook/AddressBook.sqlitedb

com.apple.mobilephone

Address book and call history:

hello:~ root# procexp all fds | grep -i sms.db
IMDPersistenceA    812 FD  4u  /private/var/mobile/Library/SMS/sms.db @0x0
IMDPersistenceA    812 FD  5u  /private/var/mobile/Library/SMS/sms.db-wal @0x0
IMDPersistenceA    812 FD  6u  /private/var/mobile/Library/SMS/sms.db-shm @0x0
hello:~ root# ps aux | grep 812
mobile           812   0.0  0.0  1664672   1296   ??  Ss   22Oct18   0:01.77 /System/Library/PrivateFrameworks/IMDPersistence.framework/XPCServices/IMDPersistenceAgent.xpc/IMDPersistenceAgent
root            6008   0.0  0.1  1593504   1536 s000  S+    2:50PM   0:00.01 grep 812
hello:~ root#
➜  afcclient git:(master) ✗ ./afcclient mkdir iTunes_Control/iTunes/Phone
Created directory: iTunes_Control/iTunes/Phone
➜  afcclient git:(master) ✗ ./afcclient cat iTunes_Control/iTunes/Phone/sqllog_04322.idx
0 /var/mobile///Library/CallHistoryDB/CallHistory.storedata
1 /var/mobile///Library/CallHistoryDB/CallHistoryTemp.storedata
2 /var/mobile/Library/AddressBook/AddressBook.sqlitedb

But you cannot extract sms.db this way, because it belongs to the XPC service IMDPersistenceAgent. The Messages app, com.apple.MobileSMS, talks to it over XPC instead of opening the database itself.

