iPhone Rootkit? There's an App for that! - Reverse Engineering Mac ...

More documents

Recommendations

Info

Hardware Capture: Location• CoreLocation is cool, but requires user approval for GPS location− Can hijack a process that already has approval− … or go under the API layer that actually enforces approval− … or … hack approval with a patch.− Investigating lower CoreLocation layers.• Poor-mans approach:− Dump a recent LAT/LONG from the locationd cache file− Extracted from /var/root/Library/Caches/locationd/cache.plistWifiLoca9onNearby = { Al9tude = 0; HorizontalAccuracy = 80; La$tude = "41.882041"; Lifespan = 144; Longitude = "-‐87.628489"; Timestamp = "304907008.940135"; Type = 4; Ver9calAccuracy = "-‐1"; }; Copyright Trustwave 2010
Dumping Process DataSeveral interesting persistent Apple processes running• For example: “dataaccessd” handles email connectivity• Memory regions with ‘rw’ set are more likely to be program data• 0x100000 happened to be an interesting region in this caseiPhone:/var/mobile root# ps -hax |grep dataaccessd38 ?? 0:05.33 /System/Library/PrivateFrameworks/DataAccess.framework/Support/dataaccessd...iPhone:var/mobile root# gdb --quiet --pid=38Attaching to process 38.Reading symbols for shared libraries . doneReading symbols for shared libraries .............................................. done0x3404c658 in mach_msg_trap ()(gdb) info mach-regionsRegion from 0x0 to 0x1000 (---, max ---; copy, private, not-reserved)... from 0x1000 to 0x2000 (r-x, max r-x; copy, private, not-reserved)... from 0x2000 to 0x3000 (rw-, max rw-; copy, private, not-reserved)...... from 0xfe000 to 0xff000 (r--, max rwx; share, private, reserved)... from 0x100000 to 0x400000 (rw-, max rwx; copy, private, not-reserved) (3 sub-regions)...(gdb) dump memory dump_100000.bin 0x100000 0x400000Copyright Trustwave 2010
Page 5 and 6: iPhone/iOS Security Overview
Page 7 and 8: Architecture OverviewApplications P
Page 9 and 10: Application SecurityCode signing•
Page 11 and 12: Jailbreaking Overview
Page 13 and 14: Jailbreakme.com A Thing to Behold
Page 15 and 16: What it looks likeVisit h'p://jailb
Page 17 and 18: Weaponizing
Page 19 and 20: Patch PlanReversing the installui.d
Page 21 and 22: My “Big Fat Rootkit”… so farC
Page 23 and 24: Set-upA vanilla un-jailbroken iPhon
Page 25: Hardware: Mic and AudioAudio record
Page 29 and 30: Targeting iOS ApplicationsiOS isn
Page 31 and 32: Demo App Backdoor
Page 33 and 34: Binary Reversing Prep (continued…
Page 35 and 36: No More SecretsHint: find the LC
Page 37 and 38: Mach Binary Encryption (continued
Page 39 and 40: What’s your point?For starters…
Page 41 and 42: Objective-C Method HookingIt’s ca
Page 43 and 44: Objective-C Method Hook ExampleLets
Page 45 and 46: Injecting Our LibraryConventionally
Page 47 and 48: ConclusionsLots of security researc
Page 49 and 50: Reversing Redux: The Binary “star
Page 51 and 52: … continued: eggMalformed Times-
Page 53 and 54: class-dump on installui.dylib (aka

iPhone Rootkit? There's an App for that! - Reverse Engineering Mac ...

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?