Running iOS on QEMU and booting to an interactive bash shell, with the full setup procedure and the related tools (part 1)

The goal of this research is to boot iOS without having to patch the kernel beforehand or during the boot process, by extending QEMU with a new module that runs the arm64 XNU system, and to reach an interactive bash shell. In this post we describe how to run iOS on QEMU and boot into an interactive bash shell. In the second post we will go into detail about some of the research that was needed to reach these goals. For this research we chose iOS 12.1 and the iPhone 6s Plus, because, unlike most other iOS kernel images, which have most of their symbols stripped, this particular iOS 12 image exports many symbols in the kernel image. This also made the challenge bigger, because it is a non-KTRR (Kernel Text Readonly Region) device that uses a secure monitor image. It should be noted that this research builds on the research done in this project. Another change is that I wanted this functionality to live in an external module, so that it can later be extended and used to create modules for other iOS devices and versions, instead of putting the code into the core QEMU code.

Introduction to the original project

You can click here to get the required scripts, including qemu-scripts-aleph-git. The scripts allow booting to user mode with a read-only mounted ramdisk, adding new executables and launch items (before boot), communicating with the user over an emulated UART channel, and using the dyld cache copied from the main disk image into the ramdisk. Below is a demonstration of running an interactive bash shell with the original project:

[Screenshot: interactive bash shell running in QEMU with the original project]

This lets you run any user-mode process you want, with whatever privileges you choose, and debug the process or the kernel with the kernel debugger:

[Screenshot: debugging the guest with the kernel debugger]

Some limitations of the original project:

1. There is a long hang (possibly several seconds) before the ramdisk is mounted;

2. The approach only works with a ramdisk image mounted read-only, with a maximum size of 2GB;

3. We can only communicate with the guest iOS through the UART; no other communication channel is available yet;

4. There is no basic hardware support: screen, touch, wifi, BT or anything else;

5. Only single-CPU emulation is supported at the moment.

The improved process

To get started, we first need to prepare the kernel image, the secure monitor image, the device tree, the static trust cache and the ramdisk image. To obtain the images we first need the iOS 12.1 update file. This is actually a zip file, which we can extract as follows:

Downloads jonathanafek$ unzip iPhone_5.5_12.1_16B92_Restore.ipsw
Archive:  iPhone_5.5_12.1_16B92_Restore.ipsw
   creating: Firmware/
  inflating: Restore.plist           
   creating: Firmware/usr/
   creating: Firmware/usr/local/
  inflating: BuildManifest.plist     
  inflating: Firmware/Mav10-7.21.00.Release.plist  
   creating: Firmware/all_flash/
  inflating: Firmware/all_flash/DeviceTree.n66ap.im4p.plist  
  inflating: Firmware/all_flash/LLB.n56.RELEASE.im4p  
  inflating: Firmware/all_flash/[email protected]~iphone.im4p  
  inflating: Firmware/all_flash/[email protected]~iphone.im4p  
  inflating: Firmware/all_flash/LLB.n66.RELEASE.im4p  
  inflating: Firmware/all_flash/sep-firmware.n56.RELEASE.im4p.plist  
  inflating: Firmware/all_flash/iBoot.n56.RELEASE.im4p.plist  
  inflating: Firmware/all_flash/[email protected]~iphone.im4p  
  inflating: Firmware/all_flash/iBoot.n66m.RELEASE.im4p  
  inflating: Firmware/all_flash/iBoot.n56.RELEASE.im4p  
  inflating: Firmware/all_flash/DeviceTree.n66ap.im4p  
  inflating: Firmware/all_flash/sep-firmware.n66m.RELEASE.im4p.plist  
  inflating: Firmware/all_flash/[email protected]~iphone.im4p  
  inflating: Firmware/all_flash/[email protected]~iphone-lightning.im4p  
   creating: Firmware/dfu/
  inflating: Firmware/dfu/iBSS.n56.RELEASE.im4p.plist  
  inflating: Firmware/all_flash/[email protected]~iphone-lightning.im4p  
  inflating: Firmware/all_flash/[email protected]~iphone.im4p  
  inflating: Firmware/dfu/iBEC.n66m.RELEASE.im4p.plist  
  inflating: Firmware/dfu/iBSS.n66.RELEASE.im4p  
  inflating: Firmware/048-32459-105.dmg.trustcache  
  inflating: Firmware/dfu/iBSS.n66m.RELEASE.im4p  
  inflating: Firmware/dfu/iBEC.n56.RELEASE.im4p.plist  
  inflating: Firmware/all_flash/sep-firmware.n56.RELEASE.im4p  
  inflating: Firmware/Mav13-5.21.00.Release.bbfw  
  inflating: Firmware/all_flash/sep-firmware.n66m.RELEASE.im4p  
  inflating: Firmware/all_flash/LLB.n66m.RELEASE.im4p.plist  
  inflating: Firmware/all_flash/iBoot.n66.RELEASE.im4p.plist  
  inflating: Firmware/dfu/iBSS.n56.RELEASE.im4p  
  inflating: Firmware/all_flash/DeviceTree.n66map.im4p.plist  
  inflating: Firmware/all_flash/DeviceTree.n56ap.im4p.plist  
  inflating: Firmware/all_flash/LLB.n66.RELEASE.im4p.plist  
   creating: Firmware/AOP/
  inflating: Firmware/AOP/aopfw-s8000aop.im4p  
  inflating: Firmware/dfu/iBEC.n56.RELEASE.im4p  
  inflating: Firmware/all_flash/LLB.n66m.RELEASE.im4p  
  inflating: Firmware/all_flash/iBoot.n66.RELEASE.im4p  
  inflating: Firmware/all_flash/sep-firmware.n66.RELEASE.im4p  
  inflating: Firmware/048-31952-103.dmg.trustcache  
  inflating: Firmware/all_flash/sep-firmware.n66.RELEASE.im4p.plist  
  inflating: Firmware/dfu/iBSS.n66.RELEASE.im4p.plist  
  inflating: Firmware/all_flash/DeviceTree.n66map.im4p  
  inflating: Firmware/dfu/iBSS.n66m.RELEASE.im4p.plist  
  inflating: Firmware/all_flash/[email protected]~iphone.im4p  
  inflating: Firmware/all_flash/iBoot.n66m.RELEASE.im4p.plist  
  inflating: 048-32651-104.dmg       
  inflating: Firmware/all_flash/LLB.n56.RELEASE.im4p.plist  
  inflating: Firmware/dfu/iBEC.n66.RELEASE.im4p  
  inflating: Firmware/dfu/iBEC.n66.RELEASE.im4p.plist  
  inflating: Firmware/dfu/iBEC.n66m.RELEASE.im4p  
  inflating: kernelcache.release.iphone7  
  inflating: Firmware/048-32651-104.dmg.trustcache  
  inflating: Firmware/Mav13-5.21.00.Release.plist  
  inflating: Firmware/all_flash/DeviceTree.n56ap.im4p  
  inflating: Firmware/Mav10-7.21.00.Release.bbfw  
  inflating: 048-32459-105.dmg       
  inflating: kernelcache.release.n66  
 extracting: 048-31952-103.dmg

Next, we need to clone the repository of scripts that support the rest of the process:

Downloads jonathanafek$ git clone [email protected]:alephsecurity/xnu-qemu-arm64-scripts.git
Cloning into 'xnu-qemu-arm64-scripts'...
remote: Enumerating objects: 16, done.
remote: Counting objects: 100% (16/16), done.
remote: Compressing objects: 100% (11/11), done.
remote: Total 16 (delta 4), reused 16 (delta 4), pack-reused 0
Receiving objects: 100% (16/16), 5.16 KiB | 5.16 MiB/s, done.
Resolving deltas: 100% (4/4), done.

and extract the kernel image from its ASN.1 wrapping:

Downloads jonathanafek$ python xnu-qemu-arm64-scripts/asn1kerneldecode.py kernelcache.release.n66 kernelcache.release.n66.asn1decoded
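To make the "ASN.1 wrapping" concrete: the kernelcache in the IPSW is an IM4P container, a DER SEQUENCE of three IA5Strings (the magic "IM4P", the payload type such as "krnl", a description) followed by an OCTET STRING that holds the actual payload. The following is an added example written for this page, not the asn1kerneldecode.py script from the xnu-qemu-arm64-scripts repository: a minimal DER reader that validates that framing and returns the payload, plus a builder used only to construct a sample container inline. Everything in SAMPLE_IM4P is constructed, not taken from a real kernelcache, and any extra trailing elements (such as a keybag) are counted but not interpreted.

```python
# DER universal tags that appear in an IM4P container
TAG_SEQUENCE = 0x30
TAG_IA5STRING = 0x16
TAG_OCTET_STRING = 0x04


def der_encode_length(n: int) -> bytes:
    """DER length: one byte below 128, otherwise 0x80|count followed by big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, value: bytes) -> bytes:
    """Wrap value in a DER tag-length-value triple."""
    return bytes([tag]) + der_encode_length(len(value)) + value


def der_read_tlv(buf: bytes, off: int):
    """Decode the TLV at buf[off:]; return (tag, value, offset just past it)."""
    if off + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        count = first & 0x7F
        if count == 0 or count > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[off + 2:off + 2 + count], "big")
        hdr = 2 + count
    start, end = off + hdr, off + hdr + length
    if end > len(buf):
        raise ValueError("DER element runs past the end of the buffer")
    return tag, buf[start:end], end


def build_im4p(payload_type: bytes, description: bytes, payload: bytes) -> bytes:
    """Assemble SEQUENCE { IA5 "IM4P", IA5 type, IA5 description, OCTET STRING payload }."""
    return der_tlv(TAG_SEQUENCE,
                   der_tlv(TAG_IA5STRING, b"IM4P")
                   + der_tlv(TAG_IA5STRING, payload_type)
                   + der_tlv(TAG_IA5STRING, description)
                   + der_tlv(TAG_OCTET_STRING, payload))


def parse_im4p(blob: bytes) -> dict:
    """Validate the IM4P framing and return its type, description and raw payload."""
    tag, body, _ = der_read_tlv(blob, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("IM4P must be a DER SEQUENCE")
    fields, off = [], 0
    while off < len(body):
        t, v, off = der_read_tlv(body, off)
        fields.append((t, v))
    if len(fields) < 4 or fields[0] != (TAG_IA5STRING, b"IM4P"):
        raise ValueError("not an IM4P container")
    if fields[1][0] != TAG_IA5STRING or fields[3][0] != TAG_OCTET_STRING:
        raise ValueError("unexpected IM4P field types")
    return {
        "type": fields[1][1].decode("ascii"),
        "description": fields[2][1].decode("ascii"),
        "payload": fields[3][1],
        "trailing_fields": len(fields) - 4,   # e.g. a keybag; not interpreted here
    }


def is_im4p(blob: bytes) -> bool:
    """Quick check usable on any file: does it parse as an IM4P container?"""
    try:
        parse_im4p(blob)
        return True
    except (ValueError, IndexError, UnicodeDecodeError):
        return False


# Constructed sample (not a real kernelcache): a payload longer than 255 bytes, so the
# container exercises the two-byte long-form DER length.
SAMPLE_PAYLOAD = b"complzss" + bytes(range(256)) + b"\x00" * 128
SAMPLE_IM4P = build_im4p(b"krnl", b"constructed sample, not a real kernelcache", SAMPLE_PAYLOAD)

if __name__ == "__main__":
    info = parse_im4p(SAMPLE_IM4P)
    print(info["type"], "|", info["description"], "|", len(info["payload"]), "payload bytes")
```

On a real file the payload returned here is what the next step consumes (the "complzss" blob in the iOS 12 kernelcache case); the parser refuses anything whose first element is not the IA5String "IM4P", so feeding it an IM4M manifest or a random file fails cleanly instead of producing garbage.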

The decoded image now contains the compressed kernel and the secure monitor image; extract both:

Downloads jonathanafek$ python xnu-qemu-arm64-scripts/decompress_lzss.py kernelcache.release.n66.asn1decoded kernelcache.release.n66.out
Downloads jonathanafek$ python xnu-qemu-arm64-scripts/kernelcompressedextractmonitor.py kernelcache.release.n66.asn1decoded securemonitor.out
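The "compressed kernel" that decompress_lzss.py unpacks is the classic Okumura LZSS stream (4096-byte window, matches of 3 to 18 bytes) behind a "complzss" header carrying an adler32 of the uncompressed kernel and both sizes. The block below is an added example written for this page, not the project's decompress_lzss.py: a decoder that mirrors the reference algorithm, a small greedy encoder so a sample can be produced inline, and header build/verify functions. The header layout (0x180 bytes, big-endian fields, adler32 over the uncompressed data) is my reading of the XNU sources and is an assumption of the example; SAMPLE_KERNEL is constructed data, not a real kernel.

```python
import struct
import zlib

# Okumura LZSS parameters used by the XNU kernelcache loader
N, F, THRESHOLD = 4096, 18, 2
HEADER_LEN = 0x180            # sizeof(struct compressed_kernel_header) as I read the XNU sources (assumption)
MAGIC = (b"comp", b"lzss")


def lzss_decompress(src: bytes) -> bytes:
    """Decode an LZSS stream: a flag byte, then 8 items (literal, or 2-byte back-reference)."""
    text_buf = bytearray(b" " * N)    # window starts as spaces; write cursor starts at N-F
    r, out, i, flags = N - F, bytearray(), 0, 0

    def emit(c):
        nonlocal r
        out.append(c)
        text_buf[r] = c
        r = (r + 1) & (N - 1)

    while True:
        flags >>= 1
        if not flags & 0x100:         # bit 8 clear: the current flag byte is used up
            if i >= len(src):
                break
            flags, i = src[i] | 0xFF00, i + 1
        if flags & 1:                 # literal byte
            if i >= len(src):
                break
            emit(src[i])
            i += 1
        else:                         # (position, length) pair
            if i + 1 >= len(src):
                break
            pos = src[i] | ((src[i + 1] & 0xF0) << 4)
            length = (src[i + 1] & 0x0F) + THRESHOLD + 1   # 3..18 bytes
            i += 2
            for k in range(length):   # byte-by-byte so overlapping (RLE-style) copies work
                emit(text_buf[(pos + k) & (N - 1)])
    return bytes(out)


def lzss_compress(data: bytes) -> bytes:
    """Greedy encoder: longest match within the last N bytes of output, else a literal."""
    out, items, recent, pos = bytearray(), [], {}, 0

    def flush():
        flags = 0
        for bit, (is_literal, _) in enumerate(items):
            flags |= is_literal << bit
        out.append(flags)
        for _, chunk in items:
            out.extend(chunk)
        items.clear()

    while pos < len(data):
        best_len, best_q, limit = 0, -1, min(F, len(data) - pos)
        for q in reversed(recent.get(data[pos:pos + 3], ())):
            if pos - q >= N:          # that slot of the decoder's ring buffer has been recycled
                break
            length = 3
            while length < limit and data[q + length] == data[pos + length]:
                length += 1
            if length > best_len:
                best_len, best_q = length, q
                if best_len == limit:
                    break
        if best_len >= THRESHOLD + 1:
            ring = (N - F + best_q) & (N - 1)   # where the decoder's window holds data[best_q]
            items.append((0, bytes([ring & 0xFF, ((ring >> 4) & 0xF0) | (best_len - 1 - THRESHOLD)])))
            step = best_len
        else:
            items.append((1, data[pos:pos + 1]))
            step = 1
        for p in range(pos, pos + step):          # index the 3-byte prefixes now in the window
            if p + 3 <= len(data):
                recent.setdefault(data[p:p + 3], []).append(p)
        pos += step
        if len(items) == 8:
            flush()
    if items:
        flush()
    return bytes(out)


def build_complzss(kernel: bytes) -> bytes:
    """Wrap a compressed kernel in the "complzss" header (reserved/platform fields left zero)."""
    comp = lzss_compress(kernel)
    header = struct.pack(">4s4sIII", *MAGIC, zlib.adler32(kernel) & 0xFFFFFFFF, len(kernel), len(comp))
    return header.ljust(HEADER_LEN, b"\x00") + comp


def extract_kernel(blob: bytes) -> bytes:
    """Parse the header, decompress, and verify the stated size and adler32 of the result."""
    sig, ctype, adler, usize, csize = struct.unpack_from(">4s4sIII", blob, 0)
    if (sig, ctype) != MAGIC:
        raise ValueError("not a complzss payload")
    kernel = lzss_decompress(blob[HEADER_LEN:HEADER_LEN + csize])
    if len(kernel) != usize or zlib.adler32(kernel) & 0xFFFFFFFF != adler:
        raise ValueError("decompressed kernel fails size/adler32 check")
    return kernel


# Constructed sample standing in for a Mach-O kernel: repetitive text, a byte ramp, zero padding.
SAMPLE_KERNEL = b"Darwin Kernel Version 18.2.0 " * 40 + bytes(range(256)) * 3 + b"\x00" * 600

if __name__ == "__main__":
    blob = build_complzss(SAMPLE_KERNEL)
    print(len(SAMPLE_KERNEL), "->", len(blob) - HEADER_LEN, "compressed bytes; round trip ok:",
          extract_kernel(blob) == SAMPLE_KERNEL)
```

The size and adler32 check in extract_kernel is the part worth keeping when working with real images: a truncated or mismatched decompression fails loudly here rather than later as an unexplained boot hang.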

Now let's prepare a device tree that we can boot (more details on the device tree will be given in the second post). First, extract it from the ASN.1 encoded file:

Downloads jonathanafek$ python xnu-qemu-arm64-scripts/asn1dtredecode.py Firmware/all_flash/DeviceTree.n66ap.im4p Firmware/all_flash/DeviceTree.n66ap.im4p.out

Then parse it and modify it so that our kernel boots on QEMU:

Downloads jonathanafek$ python xnu-qemu-arm64-scripts/read_device_tree.py Firmware/all_flash/DeviceTree.n66ap.im4p.out Firmware/all_flash/DeviceTree.n66ap.im4p.out.mod
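The flattened Apple device tree that read_device_tree.py parses and modifies has a simple recursive layout: each node is two little-endian uint32 counts (properties, children), then the properties (a 32-byte NUL-padded name, a uint32 length, the value padded to 4 bytes), then the child nodes. The top bit of a property length marks a placeholder that iBoot fills in at boot. As an added example for this page, not the project's script, the block below parses and re-serializes that layout and shows how a property is changed by path; SAMPLE_TREE is constructed for illustration and its names and register values are not taken from a real device tree.

```python
import struct

NAME_LEN = 32                    # fixed-size, NUL-padded property name
PLACEHOLDER = 0x80000000         # length flag: iBoot fills the value in at boot time


def _pad4(n: int) -> int:
    return (n + 3) & ~3


def serialize_node(node: dict) -> bytes:
    """Encode {"props": {name: bytes}, "children": [...]} in the flattened DeviceTree layout."""
    props, children = node["props"], node["children"]
    out = bytearray(struct.pack("<II", len(props), len(children)))
    for name, value in props.items():
        raw = name.encode("ascii")
        if len(raw) >= NAME_LEN:
            raise ValueError(f"property name too long: {name}")
        out += raw.ljust(NAME_LEN, b"\x00")
        out += struct.pack("<I", len(value))
        out += value.ljust(_pad4(len(value)), b"\x00")
    for child in children:
        out += serialize_node(child)
    return bytes(out)


def parse_node(buf: bytes, off: int = 0):
    """Decode one node (recursively) starting at off; return (node, offset past it)."""
    n_props, n_children = struct.unpack_from("<II", buf, off)
    off += 8
    props = {}
    for _ in range(n_props):
        name = buf[off:off + NAME_LEN].split(b"\x00", 1)[0].decode("ascii")
        (length,) = struct.unpack_from("<I", buf, off + NAME_LEN)
        length &= 0x7FFFFFFF            # drop the placeholder flag; the byte count is the low 31 bits
        start = off + NAME_LEN + 4
        props[name] = bytes(buf[start:start + length])
        off = start + _pad4(length)
    children = []
    for _ in range(n_children):
        child, off = parse_node(buf, off)
        children.append(child)
    return {"props": props, "children": children}, off


def node_name(node: dict) -> str:
    """Nodes carry their name as a NUL-terminated "name" property."""
    return node["props"].get("name", b"").split(b"\x00", 1)[0].decode("ascii")


def find_node(root: dict, path: str) -> dict:
    """Walk a slash-separated path of child names, e.g. "arm-io/uart0"."""
    node = root
    for part in path.split("/"):
        node = next((c for c in node["children"] if node_name(c) == part), None)
        if node is None:
            raise KeyError(path)
    return node


def set_property(root: dict, path: str, name: str, value: bytes) -> None:
    """Add or overwrite a property on the node at path (re-serialize afterwards)."""
    find_node(root, path)["props"][name] = value


# Constructed sample tree (shape only; these names and values are not from a real device tree)
SAMPLE_TREE = {
    "props": {"name": b"device-tree\x00", "compatible": b"sample-board\x00"},
    "children": [
        {"props": {"name": b"chosen\x00", "debug-enabled": struct.pack("<I", 0)}, "children": []},
        {"props": {"name": b"arm-io\x00"},
         "children": [{"props": {"name": b"uart0\x00", "reg": struct.pack("<QQ", 0x1000, 0x4000)},
                       "children": []}]},
    ],
}

if __name__ == "__main__":
    tree, end = parse_node(serialize_node(SAMPLE_TREE))
    set_property(tree, "chosen", "debug-enabled", struct.pack("<I", 1))
    print("nodes:", [node_name(c) for c in tree["children"]], "bytes:", len(serialize_node(tree)))
```

Note that serialize_node does not re-apply the placeholder flag, so a placeholder property parsed from a real tree is written back as a plain value; that is fine when the value is being supplied explicitly, which is exactly what a boot-on-QEMU modification does.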

Now we must set up the ramdisk. First, decode it from ASN.1:

Downloads jonathanafek$ python xnu-qemu-arm64-scripts/asn1rdskdecode.py ./048-32651-104.dmg ./048-32651-104.dmg.out

Next, resize it so that it has room for the dyld shared cache file (bash and the other executables need it), mount it, and enable ownership enforcement on its files:

Downloads jonathanafek$ hdiutil resize -size 1.5G -imagekey diskimage-class=CRawDiskImage 048-32651-104.dmg.out
Downloads jonathanafek$ hdiutil attach -imagekey diskimage-class=CRawDiskImage 048-32651-104.dmg.out
Downloads jonathanafek$ sudo diskutil enableownership /Volumes/PeaceB16B92.arm64UpdateRamDisk/

Now mount the regular update disk image, 048-31952-103.dmg, by double-clicking it.

Create a dyld cache directory in the ramdisk, copy the cache from the update image into it, and make it owned by root:

Downloads jonathanafek$ sudo mkdir -p /Volumes/PeaceB16B92.arm64UpdateRamDisk/System/Library/Caches/com.apple.dyld/
Downloads jonathanafek$ sudo cp /Volumes/PeaceB16B92.N56N66OS/System/Library/Caches/com.apple.dyld/dyld_shared_cache_arm64 /Volumes/PeaceB16B92.arm64UpdateRamDisk/System/Library/Caches/com.apple.dyld/
Downloads jonathanafek$ sudo chown root /Volumes/PeaceB16B92.arm64UpdateRamDisk/System/Library/Caches/com.apple.dyld/dyld_shared_cache_arm64

Get precompiled user-mode tools for iOS, including bash, from rootlessJB or iOSBinaries. Alternatively, compile your own iOS console binaries as described here.

Downloads jonathanafek$ git clone https://github.com/jakeajames/rootlessJB
Cloning into 'rootlessJB'...
remote: Enumerating objects: 6, done.
remote: Counting objects: 100% (6/6), done.
remote: Compressing objects: 100% (6/6), done.
remote: Total 253 (delta 2), reused 0 (delta 0), pack-reused 247
Receiving objects: 100% (253/253), 7.83 MiB | 3.03 MiB/s, done.
Resolving deltas: 100% (73/73), done.
Downloads jonathanafek$ cd rootlessJB/rootlessJB/bootstrap/tars/
tars jonathanafek$ tar xvf iosbinpack.tar
tars jonathanafek$ sudo cp -R iosbinpack64 /Volumes/PeaceB16B92.arm64UpdateRamDisk/
tars jonathanafek$ cd -

Configure launchd not to run any services:


Downloads jonathanafek$ sudo rm /Volumes/PeaceB16B92.arm64UpdateRamDisk/System/Library/LaunchDaemons/*

Now set it up to launch an interactive bash shell by creating a new file at /Volumes/PeaceB16B92.arm64UpdateRamDisk/System/Library/LaunchDaemons/com.apple.bash.plist with the following content:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>EnablePressuredExit</key>
        <false/>
        <key>Label</key>
        <string>com.apple.bash</string>
        <key>POSIXSpawnType</key>
        <string>Interactive</string>
        <key>ProgramArguments</key>
        <array>
                <string>/iosbinpack64/bin/bash</string>
        </array>
        <key>RunAtLoad</key>
        <true/>
        <key>StandardErrorPath</key>
        <string>/dev/console</string>
        <key>StandardInPath</key>
        <string>/dev/console</string>
        <key>StandardOutPath</key>
        <string>/dev/console</string>
        <key>Umask</key>
        <integer>0</integer>
        <key>UserName</key>
        <string>root</string>
</dict>
</plist>

As a side note, you can convert the binary plist files found in iOS images to text xml format, and back to binary format, with the following commands:

Downloads jonathanafek$ plutil -convert xml1 file.plist
Downloads jonathanafek$ vim file.plist
Downloads jonathanafek$ plutil -convert binary1 file.plist

For launch daemons, iOS accepts both xml and binary plist files.

Since the new binaries are not signed by Apple, they need to be trusted by the static trust cache we are about to create. For that we need jtool (also available via Homebrew: brew cask install jtool). Once we have the tool, we must run it on every binary we want to be trusted, take the first 40 characters of its CDHash, and put them in a new file named tchashes. Here is an example run of jtool:

Downloads jonathanafek$ jtool --sig --ent /Volumes/PeaceB16B92.arm64UpdateRamDisk/iosbinpack64/bin/bash
Blob at offset: 1308032 (10912 bytes) is an embedded signature
Code Directory (10566 bytes)
                Version:     20001
                Flags:       none
                CodeLimit:   0x13f580
                Identifier:  /Users/jakejames/Desktop/jelbreks/multi_path/multi_path/iosbinpack64/bin/bash (0x58)
                CDHash:      7ad4d4c517938b6fdc0f5241cd300d17fbb52418b1a188e357148f8369bacad1 (computed)
                # of Hashes: 320 code + 5 special
                Hashes @326 size: 32 Type: SHA-256
 Empty requirement set (12 bytes)
Entitlements (279 bytes) :
--
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>platform-application</key>
    <true/>
    <key>com.apple.private.security.container-required</key>
    <false/>
</dict>
</plist>

From the run above, we need to write 7ad4d4c517938b6fdc0f5241cd300d17fbb52418 into tchashes. For convenience, the following command extracts the correct part of the hash from every binary we placed in the image:

Downloads jonathanafek$ for filename in $(find /Volumes/PeaceB16B92.arm64UpdateRamDisk/iosbinpack64 -type f); do jtool --sig --ent $filename 2>/dev/null; done | grep CDHash | cut -d' ' -f6 | cut -c 1-40
ebe945ddbb4dbeb1ee9624e6ba1932d2ec61cfde
7ad4d4c517938b6fdc0f5241cd300d17fbb52418
0cf1b00e3bf76ab51c56da7ca888e89359f1d1c4
c9c1e21c3f3593c99f4e7c91c64d7f3106ad29ce
522dda7f40fe6aa6e2038bc66c9cb31660a43429
dc040d340f1fcfb493394e77d9944aa164e23ca3
f975cd0eec230299d1b8d9b0e3b54ae7cf660d92
728be7f7a78f400742e887f7ac93306145f822c0
4f4ca5aa3e506d145f344d59504630b85ddefffc
0d274c72cefbff705db0ed0fda29fb6f4cacf4c9
ebcf9073fd59db7c59a5212b0824faf1d7b30e39
cf784ea216e6b49f66a3cc81aeceaf7ac39b71d7
9d625c7eaadc8fd3eb57d9facca294b1a5afab8a
90c02c153e636cac74ca09e7e3dc89c0508a1393
59cba1c5ce169d4cd454d43e3a3c6fa824cf2764
9ff1194d135e979a632033ec2df63ba0cfe4682a
d11b49576e0f6645c4c9f234497f51219173dce8
7a01f3e7bcda18b26297c3936c9e256ddf8f9fe3
b7fd47df9b6652f2810cc789d5903a082af2570d
68a32f0a35bbb23f4f272ca99186521618c08d21
e04fa65a33c4b69d2338688ee72ea13d624a4255
b400373e16a7f82fa56d318038ec7b4b28e2593f
65859385e11b910de3841e53a833ab4c4b855282
2eae1b42c4f6bb95e3226aff8cb93a539c0a6263
c305e094747ba274f37e3063b826a5e41e5e2549
41620d4632bf6f071388033f8cf267123df16489
3bf1f6c49e3bcd775041864085893bf9b1ab3870
bb2d9c166635fc693e99355e84984aa61692c6f3
3bb79fd3568c3620a2bd7bad004ab759bec4e331
7c60ae6060d7bf2772c6b4b0c04b605c4e62a7a7
b904a692d548c3323621c17212121aca0c733088
6fe1d88bcbdd97d273533d695c04279f8ddf5e32
4165a869f1b35bdff90b74116499c1c210f27ddb
414ebc5e48c94d60b2018e4c83a323426bc0ac74
62b2b303c31e5fc9d5210b736d8d632eee28d24f
871e0ea84b71cd01e45e261542e9b2dd08fb81ab
0912c647e222bd04f05b837a8286519bd8ae2393
bd6d7d7f51b639da99e0581096534273b4f040ed
27ed9a3b21392bc459619293a6b36fe2c3b8ddac
e92565cbfdb0bd41d069384689ffae715e61b216
164fc2d96f9decd643ac33fc279b2078e51f5c88
3e0529b705d666af4f25c8c18fc7992f6934cf6f
176f273cb276085052519054d042508dc8d562b4
18762f5c54d935759f02248b032576bdc93be260
22d2f02d3be49da4819534553ad5ac37c0ace28c
e76bf6e8e84b656ee61b1ff10b38eab23607ae82
84bbc455477d6737f738b649c5afd3d4a069abee
57fe14db863b48f19cdec3c884c5dfad1bff6a12
e6ee59194bd768c3e3cc140009b6a729c7700a11
f1c25d5ac4e3924deaa3418a9ba309e15c09f502
e962bfddead7da46f23b6f4dc448df085e946940
26d34ca63bc69c8e81c15672258f3b8cbaf4ba4c
7fc69d2fc1f57ca555b07d6de51c82f74915c6bd
85f3c5263835d90b776886f92e8536ceb2f46036
0f1214d8a6138f170c2654a6f81c40586fbebaac
dc995e91bc0b67c52b969c91c1d68b09bbf94ec2
5d46a9681b4a3cc84a69083288e76aa969ec3a43
3c0db01f7aaf0a5b935dfcc51f6b2534013795ad
8422f07e41b2951e4138b88e013eab5773ae52f7
f9c4cca6b141064b7ae97131ff3969386d624718
259733b48f2f4fa88ba4f2e5f519bd40a6a3750d
8e06a919d28c3c0376b1207981d70b3bda99b6bc
68cd528c435b417c6f0022a132d459fc25d6e039
d176fa07a7ea5bfe88b9d2d703f3c65b4298b2e6
30f3d6e1d00614a0a9e8e8a3d4f31b8c68066091
698587325d71b9d51c22ae26e0c2de8ca70f6dc8
ccf27e4d7b62f1f839cfb9d70340efd1a2b77532
928a02f17cef27a5528ae055a467a18528f2aff5
4d24ada94fa70d27a684867541266f264261ce36
ab3e7808ee41f4536ece24091d1f166c5f0e9b63
e492332b87adc07406503ca857b6f3e2a3f0625d
d121b2de1778563183087238c4675316176f159d
12fe31a31132f7c0bab2857c0b3ac3c71cdb9dae
d6bc5428d129dd76695519b9b7f201daa9eb87de
685660477e1f851a90ace593670e5288d2168a24
94a493c2909f8b563e0076956bec7a1941455ed3
13c2e0251ba0469f2e1ec3d61da61c664822c791
e6332fc916f9b06f4987ecbaa23bbf4fa374c68f
1f6f82bcc994a4559d891d3a9e187268632da0b9
f864bd7891b9a0970f3ea05f13f7769289e62803
ba84abbeb198b91cbefec678096c8fd17387657d
d537ff6ab7d2bf38b0f18e964ad3525f2761b535
1acf88c15c1a08b3387b62969a34a95196632932
345d3b92a7f8a11c0872ec9ec439b5a6a2ada104
067b54e23cd6bc5b007113929dc4e2d2868228b6
11794790670afe1b651ed838362bb955e1503706
973674b1cf5f51119fa655ad2393df3dee9f44cc
c59738382faa4b7f803359d0c92dd53d6479ffb8
e3285e8252c44404675876ae0104f02cdc36574c
41c139fa86a3e67d49566d11a7d1d14fe375b564
b52692291cc4d9c9f09bc0ba650904d889674218
65713ffe304718b3b6a8b710b7db0467e52ca5aa
f2e77f5600970036ffdd5a06067491c5799a2ebd
cb08034d4647f2cc921b62ea648a76b5635fcc13
a9fc0262a6925ec1c18b0bf627c04c60fa5b5ecf
3736f93cc5f88d138f58016fdce2c3c3af979c43
183cd29cea8ba53f6e5d28d87e37b0cc603106c6
cd0281c8fa808c3f0f0b74db8c262a6997f52d03
e3016edd7acfa4d24d2eacec4918f3018d9d2449
ddd943f2a4192b3eabbb0580c64ff23ea7c31387
e3285e8252c44404675876ae0104f02cdc36574c
41c139fa86a3e67d49566d11a7d1d14fe375b564
b52692291cc4d9c9f09bc0ba650904d889674218
8af0e498ca73e05155f10fe7c26cfbdd9762ff24
73657606cb288c85f909da3ec4b92d7f8819ae79
918a3cf30a9c9d6ee2872c670421e528883221ae
dcf5eeaefc7ec3e7a0166676f6ee564761f78bc6
994ada738587ba622bfe36b987e9bfa246ff3858
d6f9c9107eb6dc237040d18debd4244c3e4c1320
f0e0c6a7e5c4545bac0d9ebf7811997f5c7076ad
38a790a40cca659fb8a0942ba140aa07309a17aa
070472831955773d78c9f33aff696c0a67b06bda
4ca98aac5e3b9174beaa2e4175e33fdcddee6866
44bd100692ded0637a763d324490db7435216f8c
a28a364092033230a6045fd288cb503aedbdd072
bbbe8ea84bdc4f3004398895ee58979a55b744c0
a09ee84582821397aa68d81350ed07b9902d09cb
8f8f612996a91e4fb26deacf2c88b8eda42da7a2
504d7c5b0a0e72a3dc5177ec571f591f3dae2ade
c0b0dea10a283f9d904bad52c53e20b129ae278c
5b089432710347242dfb6ccfdfea6fc523d9fe60
40af3f97ae3dc743f638c82f4ed78bce13687c83
7b3d463b62ce306c86d88e7ec0e52964c073c223
580eb965a96782a1fd005bd8a27100abca8430e1
330efc667ea608575d863b10a41a73e49f31d1c6
5827c3ef16144d298fd04342fc7041dd3b20d35e
f9bce1706a98b2492750aaa977806549f7d010f7
eeeaeb163512c31c6462f41c6bc3b6a228224bee
2ae51c0fac8b5656ec91693e7f9846a9c4af8069
92c89c47a734cad1a36756155ea3043e406ae565
be0e71c532033d79d519951f0450cdca44f835c3
feff0ce891c71c69f581b19a70b30ffd4c407205
8b0f3f0c620f008d4b85b7aff69933d3aae6098e
296124c76c9f0201480678a012a1df2e6835c521
a1876907ad59843dc5ed1390c78c88698504b9d8
e3190fc3865f02092ab6725b25c485ea5c143e3b
8bbd9944ebc23ce2001a4837732ba082c040d0f4
6408ed0d9df71e7bdde2faa985e5c07911a43503
ca2b47f582135e00a9720215cc09881dd9b49b85
e7e478f2e7f9715d9b540c9f8d12993c83ece0c1
25ac265b51c484680decaf8903b0b3c12c5ff81c
5a37eb16c2eaba8dcb55d9edb3ba98a0ee09afd0

The output above should be saved into tchashes, after which we can create the static trust cache blob:

Downloads jonathanafek$ python xnu-qemu-arm64-scripts/create_trustcache.py tchashes static_tc
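What the two steps above (harvesting the first 40 hex characters of each CDHash, then running create_trustcache.py) actually produce is a list of 20-byte CDHash prefixes that the kernel consults before it will run a binary that Apple did not sign. The block below is an added example written for this page, not the project's create_trustcache.py: it pulls the CDHashes out of jtool output with a regex (which does not depend on the exact column spacing the cut pipeline above relies on), serializes a static trust cache, and implements the membership check the loader performs. The trust cache layout used here (version 1: uint32 version, 16-byte UUID, uint32 entry count, then sorted 22-byte entries of CDHash prefix, hash type and flags) and the hash type value 2 for SHA-256 are my reading of the XNU sources and are assumptions of this example; the first CDHash in SAMPLE_JTOOL_OUTPUT is the bash one from the page, the second and the UUID are constructed.

```python
import hashlib
import re
import struct
import uuid

CDHASH_LEN = 20              # trust caches store the first 20 bytes of a CDHash
TC_VERSION = 1               # trust cache module format 1 (assumed layout, see lead-in)
HASH_TYPE_SHA256 = 2         # CS_HASHTYPE_SHA256 (assumed value)
ENTRY_FMT = f"<{CDHASH_LEN}sBB"
SAMPLE_UUID = uuid.UUID("00000000-0000-4000-8000-000000000001")   # constructed

# Constructed sample: the Code Directory sections of two jtool --sig --ent runs, in the page's shape.
# The bash CDHash is the one shown on the page; the second is made up.
SAMPLE_JTOOL_OUTPUT = """\
Blob at offset: 1308032 (10912 bytes) is an embedded signature
Code Directory (10566 bytes)
                Version:     20001
                CodeLimit:   0x13f580
                Identifier:  /iosbinpack64/bin/bash (0x58)
                CDHash:      7ad4d4c517938b6fdc0f5241cd300d17fbb52418b1a188e357148f8369bacad1 (computed)
                # of Hashes: 320 code + 5 special
Blob at offset: 40960 (2048 bytes) is an embedded signature
Code Directory (1800 bytes)
                Identifier:  /iosbinpack64/bin/ls (0x58)
                CDHash:      0123456789abcdef0123456789abcdef01234567deadbeefdeadbeefdeadbeef (computed)
"""


def cdhashes_from_jtool(text: str) -> list:
    """First 40 hex chars of every CDHash line, whatever the surrounding whitespace looks like."""
    return [m.group(1)[:2 * CDHASH_LEN].lower()
            for m in re.finditer(r"CDHash:\s+([0-9a-fA-F]{40,})", text)]


def parse_tchashes(text: str) -> list:
    """One hex CDHash prefix per line, as in the tchashes file."""
    return [line.strip().lower() for line in text.splitlines() if line.strip()]


def cdhash_of_code_directory(cd_blob: bytes) -> str:
    """A SHA-256 CDHash is SHA-256 over the CodeDirectory blob; the cache keeps its first 20 bytes."""
    return hashlib.sha256(cd_blob).hexdigest()[:2 * CDHASH_LEN]


def build_trust_cache(hashes, tc_uuid: uuid.UUID = SAMPLE_UUID) -> bytes:
    """Serialize a format-1 static trust cache: header, then sorted, deduplicated entries."""
    entries = sorted({bytes.fromhex(h) for h in hashes})
    for h in entries:
        if len(h) != CDHASH_LEN:
            raise ValueError("every entry must be a 20-byte CDHash prefix")
    header = struct.pack("<I16sI", TC_VERSION, tc_uuid.bytes, len(entries))
    return header + b"".join(struct.pack(ENTRY_FMT, h, HASH_TYPE_SHA256, 0) for h in entries)


def parse_trust_cache(blob: bytes):
    """Return (uuid, [(cdhash_prefix, hash_type, flags), ...]) after checking the framing."""
    version, raw_uuid, count = struct.unpack_from("<I16sI", blob, 0)
    if version != TC_VERSION:
        raise ValueError(f"unsupported trust cache version {version}")
    size = struct.calcsize(ENTRY_FMT)
    if 24 + count * size != len(blob):
        raise ValueError("trust cache size does not match its entry count")
    entries = [struct.unpack_from(ENTRY_FMT, blob, 24 + i * size) for i in range(count)]
    return uuid.UUID(bytes=raw_uuid), entries


def is_trusted(blob: bytes, cdhash_hex: str) -> bool:
    """The membership test the loader performs before running a binary not signed by Apple."""
    want = bytes.fromhex(cdhash_hex)[:CDHASH_LEN]
    _, entries = parse_trust_cache(blob)
    return any(h == want for h, _, _ in entries)


if __name__ == "__main__":
    hashes = cdhashes_from_jtool(SAMPLE_JTOOL_OUTPUT)
    tc = build_trust_cache(hashes)
    print("\n".join(hashes))                       # this is what goes into tchashes
    print(len(tc), "bytes;", "bash trusted:", is_trusted(tc, hashes[0]))
```

The defender's reading of this step: the static trust cache is an allow-list keyed on code-directory hashes, so any binary added to the image must appear in it, and the same is true of any binary you later re-sign (its CDHash changes, so the cache must be rebuilt, as the post notes further down).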

Now that we have all the images and files ready, this is a good time to unmount both volumes. After unmounting, we can get the QEMU code (more details on how the QEMU part works will be given in the second post of this series):

Downloads jonathanafek$ git clone [email protected]:alephsecurity/xnu-qemu-arm64.git
Cloning into 'xnu-qemu-arm64'...
remote: Enumerating objects: 377340, done.
remote: Total 377340 (delta 0), reused 0 (delta 0), pack-reused 377340
Receiving objects: 100% (377340/377340), 187.68 MiB | 5.32 MiB/s, done.
Resolving deltas: 100% (304400/304400), done.
Checking out files: 100% (6324/6324), done.

Build it:

Downloads jonathanafek$ cd xnu-qemu-arm64
xnu-qemu-arm64 jonathanafek$ ./configure --target-list=aarch64-softmmu --disable-capstone
Install prefix    /usr/local
BIOS directory    /usr/local/share/qemu
firmware path     /usr/local/share/qemu-firmware
binary directory  /usr/local/bin
library directory /usr/local/lib
module directory  /usr/local/lib/qemu
libexec directory /usr/local/libexec
include directory /usr/local/include
config directory  /usr/local/etc
local state directory   /usr/local/var
Manual directory  /usr/local/share/man
ELF interp prefix /usr/gnemul/qemu-%M
Source path       /Users/jonathanafek/Downloads/xnu-qemu-arm64
GIT binary        git
GIT submodules    ui/keycodemapdb dtc
C compiler        cc
Host C compiler   cc
C++ compiler      c++
Objective-C compiler clang
ARFLAGS           rv
CFLAGS            -O2 -g
QEMU_CFLAGS       -I/opt/local/include/pixman-1 -I$(SRC_PATH)/dtc/libfdt -D_REENTRANT -I/opt/local/include/glib-2.0 -I/opt/local/lib/glib-2.0/include -I/opt/local/include -m64 -mcx16 -DOS_OBJECT_USE_OBJC=0 -arch x86_64 -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -Wstrict-prototypes -Wredundant-decls -Wall -Wundef -Wwrite-strings -Wmissing-prototypes -fno-strict-aliasing -fno-common -fwrapv  -Wno-error=address-of-packed-member -Wno-string-plus-int -Wno-initializer-overrides -Wexpansion-to-defined -Wendif-labels -Wno-shift-negative-value -Wno-missing-include-dirs -Wempty-body -Wnested-externs -Wformat-security -Wformat-y2k -Winit-self -Wignored-qualifiers -Wold-style-definition -Wtype-limits -fstack-protector-strong -I/opt/local/include -I/opt/local/include/p11-kit-1 -I/opt/local/include  -I/opt/local/include/libpng16 -I/opt/local/include
LDFLAGS           -framework Hypervisor -m64 -framework CoreFoundation -framework IOKit -arch x86_64 -g
QEMU_LDFLAGS      -L$(BUILD_DIR)/dtc/libfdt
make              make
install           install
python            python -B
smbd              /usr/sbin/smbd
module support    no
host CPU          x86_64
host big endian   no
target list       aarch64-softmmu
gprof enabled     no
sparse enabled    no
strip binaries    yes
profiler          no
static build      no
Cocoa support     yes
SDL support       no
GTK support       no
GTK GL support    no
VTE support       no
TLS priority      NORMAL
GNUTLS support    yes
GNUTLS rnd        yes
libgcrypt         no
libgcrypt kdf     no
nettle            yes (3.4.1)
nettle kdf        yes
libtasn1          yes
curses support    yes
virgl support     no
curl support      yes
mingw32 support   no
Audio drivers     coreaudio
Block whitelist (rw)
Block whitelist (ro)
VirtFS support    no
Multipath support no
VNC support       yes
VNC SASL support  yes
VNC JPEG support  no
VNC PNG support   yes
xen support       no
brlapi support    no
bluez  support    no
Documentation     yes
PIE               no
vde support       no
netmap support    no
Linux AIO support no
ATTR/XATTR support no
Install blobs     yes
KVM support       no
HAX support       yes
HVF support       yes
WHPX support      no
TCG support       yes
TCG debug enabled no
TCG interpreter   no
malloc trim support no
RDMA support      no
fdt support       git
membarrier        no
preadv support    no
fdatasync         no
madvise           yes
posix_madvise     yes
posix_memalign    yes
libcap-ng support no
vhost-net support no
vhost-crypto support no
vhost-scsi support no
vhost-vsock support no
vhost-user support yes
Trace backends    log
spice support     no
rbd support       no
xfsctl support    no
smartcard support no
libusb            no
usb net redir     no
OpenGL support    no
OpenGL dmabufs    no
libiscsi support  no
libnfs support    no
build guest agent yes
QGA VSS support   no
QGA w32 disk info no
QGA MSI support   no
seccomp support   no
coroutine backend sigaltstack
coroutine pool    yes
debug stack usage no
mutex debugging   no
crypto afalg      no
GlusterFS support no
gcov              gcov
gcov enabled      no
TPM support       yes
libssh2 support   no
TPM passthrough   no
TPM emulator      yes
QOM debugging     yes
Live block migration yes
lzo support       no
snappy support    no
bzip2 support     yes
NUMA host support no
libxml2           yes
tcmalloc support  no
jemalloc support  no
avx2 optimization no
replication support yes
VxHS block device no
capstone          no
docker            no

xnu-qemu-arm64 jonathanafek$ make -j16
xnu-qemu-arm64 jonathanafek$ cd -

All that remains is to run it:

Downloads jonathanafek$ ./xnu-qemu-arm64/aarch64-softmmu/qemu-system-aarch64 -M iPhone6splus-n66-s8000,kernel-filename=kernelcache.release.n66.out,dtb-filename=Firmware/all_flash/DeviceTree.n66ap.im4p.out.mod,secmon-filename=securemonitor.out,ramdisk-filename=048-32651-104.dmg.out,tc-filename=static_tc,kern-cmd-args="debug=0x8 kextlog=0xfff cpus=1 rd=md0 serial=2" -cpu max -m 6G -serial mon:stdio
iBoot version:
corecrypto_kext_start called
FIPSPOST_KEXT [38130750] fipspost_post:156: PASSED: (6 ms) - fipspost_post_integrity
FIPSPOST_KEXT [38201250] fipspost_post:162: PASSED: (2 ms) - fipspost_post_hmac
FIPSPOST_KEXT [38233562] fipspost_post:163: PASSED: (0 ms) - fipspost_post_aes_ecb
FIPSPOST_KEXT [38275375] fipspost_post:164: PASSED: (1 ms) - fipspost_post_aes_cbc
FIPSPOST_KEXT [41967250] fipspost_post:165: PASSED: (153 ms) - fipspost_post_rsa_sig
FIPSPOST_KEXT [44373250] fipspost_post:166: PASSED: (99 ms) - fipspost_post_ecdsa
FIPSPOST_KEXT [44832437] fipspost_post:167: PASSED: (18 ms) - fipspost_post_ecdh
FIPSPOST_KEXT [44861312] fipspost_post:168: PASSED: (0 ms) - fipspost_post_drbg_ctr
FIPSPOST_KEXT [44922625] fipspost_post:169: PASSED: (2 ms) - fipspost_post_aes_ccm
FIPSPOST_KEXT [44994250] fipspost_post:171: PASSED: (2 ms) - fipspost_post_aes_gcm
FIPSPOST_KEXT [45042125] fipspost_post:172: PASSED: (1 ms) - fipspost_post_aes_xts
FIPSPOST_KEXT [45109687] fipspost_post:173: PASSED: (2 ms) - fipspost_post_tdes_cbc
FIPSPOST_KEXT [45167062] fipspost_post:174: PASSED: (1 ms) - fipspost_post_drbg_hmac
FIPSPOST_KEXT [45178250] fipspost_post:197: all tests PASSED (300 ms)
Darwin Image4 Validation Extension Version 1.0.0: Tue Oct 16 21:46:27 PDT 2018; root:AppleImage4-1.200.18~1853/AppleImage4/RELEASE_ARM64
AppleS8000IO::start: chip-revision: A0
AppleS8000IO::start: this: <ptr>, TCC virt addr: <ptr>, TCC phys addr: 0x202240000
AUC[<ptr>]::init(<ptr>)
AUC[<ptr>]::probe(<ptr>, <ptr>)
AppleCredentialManager: init: called, instance = <ptr>.
ACMRM: init: called, ACMDRM_ENABLED=YES, ACMDRM_STATE_PUBLISHING_ENABLED=YES, ACMDRM_KEYBAG_OBSERVING_ENABLED=YES.
ACMRM: _loadRestrictedModeForceEnable: restricted mode force-enabled = 0 .
ACMRM-A: init: called, .
ACMRM-A: _loadAnalyticsCollectionPeriod: analytics collection period = 86400 .
ACMRM: _loadStandardModeTimeout: standard mode timeout = 259200 .
ACMRM-A: notifyStandardModeTimeoutChanged: called, value = 259200 (modified = YES).
ACMRM: _loadGracePeriodTimeout: device lock timeout = 3600 .
ACMRM-A: notifyGracePeriodTimeoutChanged: called, value = 3600 (modified = YES).
AppleCredentialManager: init: returning, result = true, instance = <ptr>.
AUC[<ptr>]::start(<ptr>)
virtual bool AppleARMLightEmUp::start(IOService *): starting...
AppleKeyStore starting (BUILT: Oct 17 2018 20:34:07)
AppleSEPKeyStore::start: _sep_enabled = 1
AppleCredentialManager: start: called, instance = <ptr>.
ACMRM: _publishIOResource: AppleUSBRestrictedModeTimeout = 259200.
AppleCredentialManager: start: initializing power management, instance = <ptr>.
AppleCredentialManager: start: started, instance = <ptr>.
AppleCredentialManager: start: returning, result = true, instance = <ptr>.
AppleARMPE::getGMTTimeOfDay can not provide time of day: RTC did not show up
: apfs_module_start:1277: load: com.apple.filesystems.apfs, v748.220.3, 748.220.3, 2018/10/16
com.apple.AppleFSCompressionTypeZlib kmod start
IOSurfaceRoot::installMemoryRegions()
IOSurface disallowing global lookups
apfs_sysctl_register:911: done registering sysctls.
com.apple.AppleFSCompressionTypeZlib load succeeded
L2TP domain init
L2TP domain init complete
PPTP domain init
BSD root: md0, major 2, minor 0
apfs_vfsop_mountroot:1468: apfs: mountroot called!
apfs_vfsop_mount:1231: unable to root from devvp <ptr> (root_device): 2
apfs_vfsop_mountroot:1472: apfs: mountroot failed, error: 2
hfs: mounted PeaceB16B92.arm64UpdateRamDisk on device b(2, 0)
: : Darwin Bootstrapper Version 6.0.0: Tue Oct 16 22:26:06 PDT 2018; root:libxpc_executables-1336.220.5~209/launchd/RELEASE_ARM64
boot-args = debug=0x8 kextlog=0xfff cpus=1 rd=md0 serial=2
Thu Jan  1 00:01:05 1970 localhost com.apple.xpc.launchd[1] <Notice>: Restore environment starting.
Thu Jan  1 00:01:05 1970 localhost com.apple.xpc.launchd[1] <Notice>: Early boot complete. Continuing system boot.
Thu Jan  1 00:01:06 1970 localhost com.apple.xpc.launchd[1] (com.apple.xpc.launchd.domain.system) <Error>: Could not read path: path = /AppleInternal/Library/LaunchDaemons, error = 2: No such file or directory
Thu Jan  1 00:01:06 1970 localhost com.apple.xpc.launchd[1] (com.apple.xpc.launchd.domain.system) <Error>: Could not read path: path = /System/Library/NanoLaunchDaemons, error = 2: No such file or directory
Thu Jan  1 00:01:06 1970 localhost com.apple.xpc.launchd[1] (com.apple.xpc.launchd.domain.system) <Error>: Failed to bootstrap path: path = /System/Library/NanoLaunchDaemons, error = 2: No such file or directory
bash-4.4# export PATH=$PATH:/iosbinpack64/usr/bin:/iosbinpack64/bin:/iosbinpack64/usr/sbin:/iosbinpack64/sbin
bash-4.4# id
uid=0(root) gid=0(wheel) groups=0(wheel),1(daemon),2(kmem),3(sys),4(tty),5(operator),8(procview),9(procmod),20(staff),29(certusers),80(admin)
bash-4.4# pwd
/
bash-4.4# ls -la
total 18
drwxr-xr-x  17 root    wheel  748 Jun 10  2019 .
drwxr-xr-x  17 root    wheel  748 Jun 10  2019 ..
-rw-r--r--   1 root    wheel    0 Oct 20  2018 .Trashes
drwx------   2 mobile  staff  170 Jun 10  2019 .fseventsd
drwxr-xr-x   4 root    wheel  136 Oct 20  2018 System
drwxr-xr-x   2 root    wheel  272 Oct 20  2018 bin
dr-xr-xr-x   3 root    wheel  660 Jan  1 00:01 dev
lrwxr-xr-x   1 root    wheel   11 Oct 20  2018 etc -> private/etc
drwxr-xr-x   7 root    wheel  374 Jun 10  2019 iosbinpack64
drwxr-xr-x   2 root    wheel   68 Oct 20  2018 mnt1
drwxr-xr-x   2 root    wheel   68 Oct 20  2018 mnt2
drwxr-xr-x   2 root    wheel   68 Oct 20  2018 mnt3
drwxr-xr-x   2 root    wheel   68 Oct 20  2018 mnt4
drwxr-xr-x   2 root    wheel   68 Oct 20  2018 mnt5
drwxr-xr-x   2 root    wheel   68 Oct 20  2018 mnt6
drwxr-xr-x   2 root    wheel   68 Oct 20  2018 mnt7
drwxr-xr-x   4 root    wheel  136 Oct 20  2018 private
drwxr-xr-x   2 root    wheel  510 Oct 20  2018 sbin
drwxr-xr-x   9 root    wheel  306 Oct 20  2018 usr
lrwxr-xr-x   1 root    admin   11 Oct 20  2018 var -> private/var
bash-4.4#

At this point we get an interactive bash shell!

Note that the last flag (-serial mon:stdio) forwards all shell key combinations (such as Ctrl+C) to the shell. To close QEMU, close its (empty) window.

To get a kernel debugger, add -S -s to the QEMU command line, then run target remote :1234 in a gdb console that supports this architecture. For more details on how to obtain such a gdb and do this, see here. On OSX you can also get a suitable gdb from MacPorts, adding the multiarch and python27 options to the gdb port.

Overall, these are the improvements we have made to the original project:

1. Fast boot, with no long hang before the ramdisk is mounted.

2. Add support for emulating iOS as a USB device and communicating through usbmuxd. This will let us connect over SSH, and therefore copy files with scp, have a more capable terminal, do security research on network protocols, debug user-mode applications with gdbserver, and so on.

3. Add support for emulated physical storage, so that a read/write mounted disk that is not a ramdisk can be used, providing more than 2GB of space.

4. Add support for devices such as screen, touch, wifi, BT, etc.

5. Add support for more Apple products and iOS versions.

Because of ASLR, user applications load at a different address on every boot and may also share virtual addresses with each other, so when debugging user-mode applications, regular gdb breakpoints on static virtual addresses can be challenging to use. I therefore added another interesting feature to help debug user-mode applications in this kernel debugger. When QEMU encounters an aarch64 HLT instruction, it breaks into gdb as if it were a gdb breakpoint. So when debugging a user-mode application in the kernel debugger, all you have to do is patch the application with a HLT instruction, for example using ghidra.

[Screenshots: patching the user-mode application with a HLT instruction in ghidra]

Then sign it with jtool, with whatever entitlements are needed:

Downloads jonathanafek$ ./jtool/jtool --sign --ent ent.xml --inplace bin

After that, you need to add the new CDHash to the tchashes file and recreate the static trust cache.

This way, when the user-mode application hits the HLT instruction, gdb triggers a breakpoint and we can debug the application in the kernel debugger:

[Screenshot: gdb stopped at the HLT instruction inside the user-mode application]

Original article: https://www.4hou.com/web/18800.html

