咦,九月就耀过去了啊
找了份网易云课堂的视频看了看
工具链:Reveal/snoop-it/introspy -> Hopper/IDA -> GDB/LLDB
路线:OC/C/C++ -> iOS开发 -> runtime、mach-o -> 工具使用及原理 -> 实战技巧 -> 应用保护
-
安全启动链 系统启动过程的每一步包含的组件都经过苹果的签名,只有在验证了信任链之后才会被执行。 系统启动->Boot ROM->底层引导加载程序LLB->引导加载程序iBoot->kernel
-
系统软件授权 避免降级,刷固件时iTunes发送固件签名到苹果服务器,发布会验证许可+随机串后才可以
-
应用代码签名 防止应用被篡改
-
运行时进程安全性
- sandbox
- DEP
- ASLR 在lldb中使用
image list -o -f查看模块加载的基地址
- 数据加 密保护 要有硬件、密码密钥,加密的文件才能解密
引导式、不完美、完美 Cydia
后续在2018-10-02
基于ptrace系统调用来实现本地调试与远程调试
SYNOPSIS #include <sys/ptrace.h>
long ptrace(enum __ptrace_request request, pid_t pid,
void *addr, void *data);
DESCRIPTION The ptrace() system call provides a means by which one process (the "tracer") may observe and control the execution of another process (the "tracee"), and examine and change the tracee's memory and registers. It is primarily used to imple- ment breakpoint debugging and system call tracing.
A tracee first needs to be attached to the tracer. Attachment and subsequent commands are per thread: in a multithreaded
process, every thread can be individually attached to a (potentially different) tracer, or left not attached and thus not
debugged. Therefore, "tracee" always means "(one) thread", never "a (possibly multithreaded) process". Ptrace commands
are always sent to a specific tracee using a call of the form
ptrace(PTRACE_foo, pid, ...)
where pid is the thread ID of the corresponding Linux thread.
使用attach时,gdb成为被调试进程的父进程,而被调试的进程使用了PTRACE_TRACEME,但是被调试的进程getppid得到的仍是原始父进程的pid。 使用参数为PTRACE_TRACEME或PTRACE_ATTACH的ptrace系统调用建立调试关系后,交付给目标程序的任何信号首先都会被gdb截获