iOS 中大多数情况下，开发者都会使用 OC 提供的 API 函数 CFNetworkCopySystemProxySettings 来进行代理检测；
CFNetworkCopySystemProxySettings 检测函数会直接检测这些 IP 和端口等：
采用直接附加页面进程的方式：frida -UF -l 通杀代理抓包.js，上通杀脚本：
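// Frida agent: find the module's import of CFNetworkCopySystemProxySettings
// and make every call through it return NULL, so the caller sees no system
// proxy configuration.
//
// A proxy check built only on this API is decided inside the process that is
// being instrumented, so it can report the presence of a proxy but cannot
// enforce anything against an instrumented client.

// "XXX" is the article's placeholder for the module to inspect (for example
// the app's main binary); substitute the real module name.
const _module = Process.findModuleByName('XXX');
let _CFNetworkCopySystemProxySettings = null;

if (_module === null) {
  console.log('module not found: XXX');
} else {
  const _imports = _module.enumerateImports();
  for (let i = 0; i < _imports.length; i++) {
    // Locate the system proxy settings function among the imports.
    if (_imports[i].name.indexOf('CFNetworkCopySystemProxySettings') !== -1) {
      console.log(_imports[i].name, _imports[i].address);
      _CFNetworkCopySystemProxySettings = _imports[i].address;
    }
  }
}

// The address stays null when the import was not found or not resolved.
if (_CFNetworkCopySystemProxySettings) {
  Interceptor.attach(_CFNetworkCopySystemProxySettings, {
    onLeave(retval) {
      // Nothing to print or replace when the call already returned NULL.
      if (retval.isNull()) {
        return;
      }
      console.log('retval: ', new ObjC.Object(retval));
      // Blank out the whole return value. The function follows the "Copy"
      // ownership rule, so the original dictionary is never released here.
      // NOTE(review): the caller must tolerate a NULL dictionary - confirm.
      retval.replace(ptr(0));
    },
  });
}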
NSURL URLWithString：frida-trace -U -f 包名 -m "+[NSURL URLWithString:]"，更改 URL 传入的参数并打印调用堆栈，也叫 URL 定位。
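/*
 * Auto-generated by Frida. Please modify to match the signature of +[NSURL URLWithString:].
 * This stub is currently auto-generated from manpages when available.
 *
 * For full API reference, see: https://frida.re/docs/javascript-api/
 */

{
  /**
   * Called synchronously when about to call +[NSURL URLWithString:].
   *
   * Prints the native call stack and the URL string, which shows where in
   * the app each request URL is built. The logged URLs can carry tokens or
   * other secrets in their query strings, so treat the trace output as
   * sensitive.
   *
   * @this {object} - Object allowing you to store state for use in onLeave.
   * @param {function} log - Call this function with a string to be presented to the user.
   * @param {array} args - Function arguments represented as an array of NativePointer objects.
   * For example use args[0].readUtf8String() if the first argument is a pointer to a C string encoded as UTF-8.
   * It is also possible to modify arguments by assigning a NativePointer object to an element of this array.
   * @param {object} state - Object allowing you to keep state across function calls.
   * Only one JavaScript function will execute at a time, so do not worry about race-conditions.
   * However, do not use this to store function arguments across onEnter/onLeave, but instead
   * use "this" which is an object for keeping state local to an invocation.
   */
  onEnter(log, args, state) {
    // The label names the method actually hooked; the page's text said
    // "CCCryptorCreate", left over from a different handler.
    const stack = Thread.backtrace(this.context, Backtracer.ACCURATE)
      .map(DebugSymbol.fromAddress)
      .join('\n');
    console.log('+[NSURL URLWithString:] called from:\n' + stack + '\n');

    // For an Objective-C method args[0] is the receiver and args[1] the
    // selector, so the URL string is args[2]; it may be nil.
    const urlString = args[2].isNull() ? 'nil' : new ObjC.Object(args[2]);
    log('+[NSURL URLWithString:] ' + urlString);
  },

  /**
   * Called synchronously when about to return from +[NSURL URLWithString:].
   *
   * See onEnter for details.
   *
   * @this {object} - Object allowing you to access state stored in onEnter.
   * @param {function} log - Call this function with a string to be presented to the user.
   * @param {NativePointer} retval - Return value represented as a NativePointer object.
   * @param {object} state - Object allowing you to keep state across function calls.
   */
  onLeave(log, retval, state) {
  }
}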
双向证书
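资源路径操作可以入手关键函数 frida-trace -UF -m -[NSBundle pathForResource*]
/*
 * Auto-generated by Frida. Please modify to match the signature of -[NSBundle pathForResource:ofType:].
 * This stub is currently auto-generated from manpages when available.
 *
 * For full API reference, see: https://frida.re/docs/javascript-api/
 */

{
  /**
   * Called synchronously when about to call -[NSBundle pathForResource:ofType:].
   *
   * Prints the native call stack plus the requested resource name and type.
   * NOTE(review): the page files this under mutual-TLS certificates,
   * presumably because a client certificate shipped in the app bundle is
   * loaded through this call; such a file is readable by anyone who has the
   * app package - confirm against the target.
   *
   * @this {object} - Object allowing you to store state for use in onLeave.
   * @param {function} log - Call this function with a string to be presented to the user.
   * @param {array} args - Function arguments represented as an array of NativePointer objects.
   * For example use args[0].readUtf8String() if the first argument is a pointer to a C string encoded as UTF-8.
   * It is also possible to modify arguments by assigning a NativePointer object to an element of this array.
   * @param {object} state - Object allowing you to keep state across function calls.
   * Only one JavaScript function will execute at a time, so do not worry about race-conditions.
   * However, do not use this to store function arguments across onEnter/onLeave, but instead
   * use "this" which is an object for keeping state local to an invocation.
   */
  onEnter(log, args, state) {
    const stack = Thread.backtrace(this.context, Backtracer.ACCURATE)
      .map(DebugSymbol.fromAddress)
      .join('\n');
    console.log('NSBundle pathForResource called from:\n' + stack + '\n');

    // args[0] is the receiver and args[1] the selector; the resource name and
    // type follow. Either may be nil, so guard before wrapping the pointer.
    const resourceName = args[2].isNull() ? 'nil' : new ObjC.Object(args[2]);
    const resourceType = args[3].isNull() ? 'nil' : new ObjC.Object(args[3]);
    log(`-[NSBundle pathForResource:${resourceName} ofType:${resourceType}]`);
  },

  /**
   * Called synchronously when about to return from -[NSBundle pathForResource:ofType:].
   *
   * See onEnter for details.
   *
   * @this {object} - Object allowing you to access state stored in onEnter.
   * @param {function} log - Call this function with a string to be presented to the user.
   * @param {NativePointer} retval - Return value represented as a NativePointer object.
   * @param {object} state - Object allowing you to keep state across function calls.
   */
  onLeave(log, retval, state) {
  }
}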
HOOK抓包
基于底层ssl库来实现
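// Plaintext capture at the TLS library boundary. These hooks sit beneath the
// TLS layer and see application data before encryption and after decryption;
// that data can include credentials and session tokens, so the captured
// output needs the same handling as the secrets it contains.

// Request side: the buffer handed to SSL_write, before it is encrypted.
const ssl_write = Module.findExportByName('libboringssl.dylib', 'SSL_write');
console.log('ssl_write', ssl_write); // args: ssl, input buffer, length
if (ssl_write !== null) {
  Interceptor.attach(ssl_write, {
    onEnter(args) {
      const length = args[2].toInt32();
      // Skip empty or invalid lengths rather than dumping unrelated memory.
      if (length <= 0) {
        return;
      }
      console.log();
      console.log(
        'CurrentThreadId: ',
        Process.getCurrentThreadId(),
        ', ssl_write onEnter args[1]: ',
        hexdump(args[1], { length: length })
      );
    },
  });
}

// Response side: the buffer filled in by SSL_read, after decryption.
const ssl_read = Module.findExportByName('libboringssl.dylib', 'SSL_read');
console.log('ssl_read', ssl_read); // args: ssl, output buffer, length
if (ssl_read !== null) {
  Interceptor.attach(ssl_read, {
    onEnter(args) {
      // The buffer is only filled once the call returns; keep the pointer.
      this.buf = args[1];
    },
    onLeave(retval) {
      // The third argument is the buffer capacity, not the amount of data.
      // Dump only what SSL_read reports as read, and nothing on error or EOF.
      const bytesRead = retval.toInt32();
      if (bytesRead <= 0) {
        return;
      }
      console.log();
      console.log(
        'CurrentThreadId: ',
        Process.getCurrentThreadId(),
        ', ssl_read onLeave args[1]: ',
        this.buf.readByteArray(bytesRead)
      );
    },
  });
}
r0Capture 肉师傅的安卓应用层抓包通杀脚本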
这个在之前的安卓文章里也说过，iOS 和安卓都通用，详见 https://codeooo.blog.csdn.net/article/details/127123371
function initializeGlobals() {var resolver new ApiResolver(module);var exps [[Process.platform darwin ? *libboringssl* : *libssl*, [SSL_read, SSL_write, SSL_get_fd, SSL_get_session, SSL_SESSION_get_id]], // for ios and Android[Process.platform darwin ? *libsystem* : *libc*, [getpeername, getsockname, ntohs, ntohl]]];源码里三目运算符也说明了ios用 libboringssl 动态库 安卓 libssl库
同时还 hook 了 "SSL_read"、"SSL_write" 等函数：
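// Excerpt of r0capture's SSL hooks. `addresses`, `getPortsAndAddresses`,
// `SSL_get_fd`, `getSslSessionId`, `SSLstackread` and `SSLstackwrite` are
// defined elsewhere in that script and are not shown on this page.
// Each captured buffer is sent to the host together with connection metadata;
// the payload is decrypted application data and should be stored accordingly.

// Inbound: remember the connection details and the buffer on entry, then
// forward the decrypted bytes once SSL_read has filled the buffer.
Interceptor.attach(addresses['SSL_read'], {
  onEnter(args) {
    const message = getPortsAndAddresses(SSL_get_fd(args[0]), true);
    message['ssl_session_id'] = getSslSessionId(args[0]);
    message['function'] = 'SSL_read';
    message['stack'] = SSLstackread;
    this.message = message;
    this.buf = args[1];
  },
  onLeave(retval) {
    // Read the return value as a signed 32-bit integer; zero or a negative
    // value means no data was read, so there is nothing to forward.
    const bytesRead = retval.toInt32();
    if (bytesRead <= 0) {
      return;
    }
    send(this.message, this.buf.readByteArray(bytesRead));
  },
});

// Outbound: the plaintext is already in the buffer on entry, so it is
// forwarded from onEnter using the length argument.
Interceptor.attach(addresses['SSL_write'], {
  onEnter(args) {
    const message = getPortsAndAddresses(SSL_get_fd(args[0]), false);
    message['ssl_session_id'] = getSslSessionId(args[0]);
    message['function'] = 'SSL_write';
    message['stack'] = SSLstackwrite;
    send(message, args[1].readByteArray(args[2].toInt32()));
  },
});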