1. DYLD源码
1.1 DYLD中加载动态库的部分,在dyld.cpp的_main函数中
image.png
1.2 在加载动态库之前有个if判断
如果是限制动态库插入的话就会调用下面的函数移除相关的环境变量,DYLD_INSERT_LIBRARIES就不会调用
image.png
1.3 gLinkContext.processIsRestricted = true 搜索这个条件是如何设置的
image.png
issetugid()是私有函数无法设置hasRestrictedSegment(mainExecutableMH)查看这个函数的实现
1.4 hasRestrictedSegment函数实现
image.png
这个判断是查找Segment中__RESTRICT字段的值,如果__RESTRICT的sectname值跟__restrict相等的话就返回true
image.png
2. 工程中添加__RESTRICT
2.1 Other Linker Flags中添加-Wl,-sectcreate,__RESTRICT,__restrict,/dev/null,固定写法
image.png
2.2 编译工程,MachOView查看可执行文件
image.png
这样注入的动态库就会失效
3. 破坏防护
可以通过修改Mach-O二进制,来达到破坏的目的,
MachOView打开可执行文件,在Load Commands里面可以直接修改__RESTRICT这个字段还有字段的值
image.png
修改完后重新签名一下就可以运行了
4. 工程中检查__RESTRICT的值
可以利用Dyld中检查__RESTRICT的代码来检查是否修改了这个值
#import "ViewController.h"
#import <mach-o/loader.h>
#import <mach-o/dyld.h>
@interface ViewController ()
@end
#if __LP64__
#define macho_header mach_header_64
#define LC_SEGMENT_COMMAND LC_SEGMENT_64
#define LC_SEGMENT_COMMAND_WRONG LC_SEGMENT
#define LC_ENCRYPT_COMMAND LC_ENCRYPTION_INFO
#define macho_segment_command segment_command_64
#define macho_section section_64
#else
#define macho_header mach_header
#define LC_SEGMENT_COMMAND LC_SEGMENT
#define LC_SEGMENT_COMMAND_WRONG LC_SEGMENT_64
#define LC_ENCRYPT_COMMAND LC_ENCRYPTION_INFO_64
#define macho_segment_command segment_command
#define macho_section section
#endif
@implementation ViewController
+ (void)load
{
const struct mach_header_64 *header = (const struct mach_header_64 *)_dyld_get_image_header(0);//获取自己
if (hasRestrictedSegment(header)) {
NSLog(@"防止Tweak注入状态!!");
}else{
NSLog(@"被修改了!!");
}
}
static bool hasRestrictedSegment(const struct macho_header* mh)
{
const uint32_t cmd_count = mh->ncmds;
const struct load_command* const cmds = (struct load_command*)(((char*)mh)+sizeof(struct macho_header));
const struct load_command* cmd = cmds;
for (uint32_t i = 0; i < cmd_count; ++i) {
switch (cmd->cmd) {
case LC_SEGMENT_COMMAND:
{
const struct macho_segment_command* seg = (struct macho_segment_command*)cmd;
printf("seg name: %s\n", seg->segname);
if (strcmp(seg->segname, "__RESTRICT") == 0) {
const struct macho_section* const sectionsStart = (struct macho_section*)((char*)seg + sizeof(struct macho_segment_command));
const struct macho_section* const sectionsEnd = §ionsStart[seg->nsects];
for (const struct macho_section* sect=sectionsStart; sect < sectionsEnd; ++sect) {
if (strcmp(sect->sectname, "__restrict") == 0)
return true;
}
}
}
break;
}
cmd = (const struct load_command*)(((char*)cmd)+cmd->cmdsize);
}
return false;
}
@end
iOS10之后,dyld不再检查__RESTRICT字段了
5. 检查加载了多少动态库
const char * libraries = "/var/mobile/Containers/Bundle/Application/AD8D84E6-E893-4C96-A29A-FBD13AF4B461/WhitelistDemo.app/WhitelistDemo/Library/MobileSubstrate/MobileSubstrate.dylib/Developer/usr/lib/libBacktraceRecording.dylib/Developer/Library/PrivateFrameworks/DTDDISupport.framework/libViewDebuggerSupport.dylib"
bool CheckWhitelist(){
int count = _dyld_image_count();//加载了多少数量
for (int i = 0; i < count; i++) {
//遍历拿到库名称!
const char * imageName = _dyld_get_image_name(i);
//
if (!strstr(libraries, imageName)&&!strstr(imageName, "/var/mobile/Containers/Bundle/Application")) {
printf("该库非白名单之内!!\n%s",imageName);
// return NO;
}
}
return YES;
}
strstr这个函数可以快速的检查左边的字符串是否包含右边的字符串,
发布版本之前可以通过这个函数打印出所有的动态库,然后放到libraries里面去,线上检测libraries是否包含加载的库就可以判断是否有外部代码注入。
