Category: iOS platform

2013-03-28 10:45:18

Jailbreak detection methods:
Hacking and Securing iOS Applications
Chapter 13

"Jailbreak Detection" covers the methods and code.

Sandbox Integrity Check 


    #include <stdlib.h>   /* exit */
    #include <unistd.h>   /* fork */

    static inline int sandbox_integrity_compromised(void) __attribute__((always_inline));

    /* Returns 1 if fork() succeeds, which an intact sandbox should not allow. */
    int sandbox_integrity_compromised(void)
    {
        int result = fork();
        if (!result)
            exit(0);          /* child: exit immediately */
        if (result >= 0)
            return 1;         /* parent: fork succeeded */
        return 0;             /* fork failed */
    }

    int main(int argc, char *argv[])
    {
        if (sandbox_integrity_compromised()) {
            /* Invoke tamper response here */
        }
        /* Your application code here */
    }

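In my tests, the child process could be created on a jailbroken device.

If the sandbox has been compromised, a child process can be created; according to 碳基体's article, creating a child process failed on a jailbroken device.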

Filesystem Tests:

1. Existence of Jailbreak Files


    #include <sys/stat.h>
    struct stat s;
    /* stat returns 0 when the path exists */
    int is_jailbroken = stat("/Applications/Cydia.app", &s) == 0;


If any of the following files exist, the iOS device is jailbroken:

/Library/MobileSubstrate/MobileSubstrate.dylib

This is probably the most important file to check for. Almost every consumer jailbreak available installs MobileSubstrate, which provides a foundation for preloading code directly into applications. In cases where it is not installed by the jailbreak tool, it is often installed at a later time to support many applications one might install using Cydia or other jailbreak software installers.

/Applications/Cydia.app

The path to the Cydia application installer, installed by most jailbreaking tools.

/var/cache/apt

The path to the apt repository, used by most third-party software installers including Cydia.

/var/lib/apt

Apt-related data files used by the apt repository.

/var/lib/cydia

Cydia-related data files used by Cydia.

/var/log/syslog

The syslog log file, created when syslog is redirected by some jailbreaking tools.

/var/tmp/cydia.log

A temporary logfile written when Cydia runs.

/bin/bash /bin/sh

The bash shell interpreter, almost always installed when a device is jailbroken using end user jailbreaking tools.

/usr/sbin/sshd

The SSH daemon, installed whenever SSH is installed on the device after jailbreaking.

/usr/libexec/ssh-keysign

A key signing utility for SSH, installed whenever SSH is installed on the device after jailbreaking.

/etc/ssh/sshd_config

Configuration file for sshd, installed whenever SSH is installed on the device after jailbreaking.

/etc/apt 

2. Size of /etc/fstab


    struct stat s;
    stat("/etc/fstab", &s);
    return s.st_size;

The file is commonly 80 bytes on an iOS 5 device, whereas the copy of the file installed by many jailbreaking tools is only 65 bytes. 

The result when I ran it was 67 bytes.

3. Evidence of Symbolic Linking

If the device is jailbroken, the apps in /Applications have been moved elsewhere (usually into /var/stash), leaving /Applications as a symbolic link.


    struct stat s;
    /* lstat returns 0 on success; s is only valid in that case */
    if (lstat("/Applications", &s) == 0) {
        if (S_ISLNK(s.st_mode)) {
            /* Device is jailbroken */
            exit(-1);
        }
    }


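4. Page Execution Check

This can be used as a jailbreak criterion on iOS 4.3.3 and earlier; newer iOS versions change this, but it can still serve as a kernel integrity check.

If the kernel's integrity verification is intact, the vm_protect function should fail.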


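    #include <mach/mach_init.h>
    #include <mach/vm_map.h>
    #include <sys/stat.h>
    #include <stdint.h>   /* uintptr_t */
    #include <stdlib.h>   /* malloc */
    #include <unistd.h>   /* getpagesize */

    void *mem = malloc(getpagesize() + 15);
    void *ptr = (void *)(((uintptr_t)mem + 15) & ~0x0F);   /* align to 16 bytes */
    vm_address_t pagePtr = (uintptr_t)ptr / getpagesize() * getpagesize();   /* start of the containing page */
    /* vm_protect returns 0 (success) only if the page could be made executable */
    int is_jailbroken = vm_protect(mach_task_self(), (vm_address_t)pagePtr, getpagesize(), FALSE, VM_PROT_READ | VM_PROT_WRITE | VM_PROT_EXECUTE) == 0;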

For other detection methods, see 碳基体's article:

http://danqingdani.blog.163.com/blog/static/1860941952012102122847478/
It also includes an analysis of xCon; for details on xCon, see the official site link:

xCon location:

/Library/MobileSubstrate/DynamicLibraries
DQ430teki-iPad:/Library/MobileSubstrate/DynamicLibraries root# ls -ls xCon.*
104 -rwxr-xr-x 1 root mobile 103256 Oct 16 06:38 xCon.dylib*
   8 -rwxr-xr-x 1 root mobile     56 Oct 16 06:38 xCon.plist*

