From c76f1ce7dacbcbd53c98ca75cf4448142daecdeb Mon Sep 17 00:00:00 2001
From: iddoeldor
Date: Thu, 28 Jun 2018 18:55:25 +0300
Subject: [PATCH] Create ios.md

---
 scripts/ios.md | 369 +++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 369 insertions(+)
 create mode 100644 scripts/ios.md

diff --git a/scripts/ios.md b/scripts/ios.md
new file mode 100644
index 0000000..ffef5e5
--- /dev/null
+++ b/scripts/ios.md
@@ -0,0 +1,369 @@
+
+On the iDevice the file `/System/Library/Backup/Domains.plist` determines what files to backup.
+
+There is a differentiation between "domains" and relative files.
+
+For [More Info](https://www.theiphonewiki.com/wiki/ITunes_Backup).
+
+From `Domains.plist` :
+```
+...
+RelativePathsToBackupAndRestore = (
+ "Demo.mov",
+ "Library/com.apple.itunesstored",
+ "Library/AddressBook",
+ "Library/Accounts # Twitter account isn't backed up (or restored)",
+ "Library/Application Support/Front Row # ATV: paths that need to be backed up on AppleTV",
+ "Library/Application Support/com.apple.Home/Wallpapers # ",
+ "Library/BackBoard # App Push notification settings don't seem to be backed up/restored",
+ "Library/BulletinBoard # Backup /var/mobile/Library/BulletinBoard",
+ "Library/Caches/com.apple.WebAppCache # Should back up offline application cache and databases for WebKit",
+ "Library/Calendar",
+ >> "Library/CallHistoryDB # Backup request for CallHistory.framework.",
+ >> "Library/CallHistoryTransactions # Backup request for CallHistory.framework.",
+ ...
+RootPath = "/var/mobile";
+..
+...
+```
+
+List device daemons w/ `$ launchctl list`
+```
+PID Status Label
+2696 0 com.apple.CoreAuthentication.daemon
+3719 0 com.apple.cloudphotod
+535 0 com.apple.homed
+513 0 com.apple.dataaccess.dataaccessd
+- 0 com.apple.iapauthd
+618 0 com.apple.cache_delete
+- 0 com.apple.BTServer.avrcp
+518 0 com.apple.CallHistorySyncHelper
+3568 0 UIKitApplication:com.apple.InCallService[0x287]
+502 0 com.apple.icloud.findmydeviced
+443 0 com.apple.telephonyutilities.callservicesd
+549 0 com.apple.icloud.fmfd
+....
+```
+
+launchctl manual
+```
+Usage: launchctl ... | help [subcommand]
+ Many subcommands take a target specifier that refers to a domain or service within that domain.
+ The available specifier forms are:
+
+ system/[service-name]
+ Targets the system-wide domain or service within. Root privileges are required to make modifications.
+
+ user//[service-name]
+ Targets the user domain or service within.
+ A process running as the target user may make modifications. Root may modify any user's domain.
+ User domains do not exist on iOS.
+
+ gui//[service-name]
+ Targets the GUI domain or service within. Each GUI domain is associated with a user domain, and a process running as
+ the owner of that user domain may make modifications.
+ Root may modify any GUI domain. GUI domains do not exist on iOS.
+
+ session//[service-name]
+ Targets a session domain or service within. A process running within the target security audit session may make
+ modifications. Root may modify any session domain.
+
+ pid//[service-name]
+ Targets a process domain or service within. Only the process which owns the domain may modify it.
+ Even root may not do so.
+
+ When using a legacy subcommand which manipulates a domain, the target domain is assumed to be the system domain.
+ On iOS, there is no support for per-user domains, even though there is a mobile user.
+
+ Subcommands:
+ ..
+ debug Configures the next invocation of a service for debugging.
+ kill Sends a signal to the service instance.
+ blame Prints the reason a service is running.
+ print Prints a description of a domain or service.
+ print-cache Prints information about the service cache.
+ print-disabled Prints which services are disabled.
+ plist Prints a property list embedded in a binary (targets the Info.plist by default).
+ procinfo Prints port information about a process.
+ hostinfo Prints port information about the host.
+ runstats Prints performance statistics for a service.
+ examine Runs the specified analysis tool against launchd in a non-reentrant manner.
+ config Modifies persistent configuration parameters for launchd domains.
+ dumpstate Dumps launchd state to stdout.
+ list Lists information about services.
+ start Starts the specified service.
+ ..
+ or a given subcommand.
+```
+Output of proccess info for CallHistorySyncHelper
+`$ launchctl procinfo 549`
+
+Added the content of referenced files (com.apple.CallHistorySyncHelper.plist)
+
+```
+ com.apple.CallHistorySyncHelper = {
+ active count = 5
+ path = /System/Library/LaunchDaemons/com.apple.CallHistorySyncHelper.plist
+ state = running
+ program = /System/Library/PrivateFrameworks/CallHistory.framework/Support/CallHistorySyncHelper
+ arguments = {
+ /System/Library/PrivateFrameworks/CallHistory.framework/Support/CallHistorySyncHelper
+ }
+ default environment = {
+ PATH => /usr/bin:/bin:/usr/sbin:/sbin
+ }
+ environment = {
+ XPC_SERVICE_NAME => com.apple.CallHistorySyncHelper
+ }
+ domain = com.apple.xpc.launchd.domain.system
+ username = mobile
+ minimum runtime = 10
+ exit timeout = 5
+ runs = 1
+ successive crashes = 0
+ excessive crashing = 0
+ pid = 518
+ immediate reason = ipc (mach)
+ forks = 1
+ execs = 1
+ trampolined = 1
+ started suspended = 0
+ proxy started suspended = 0
+ last exit code = (never exited)
+ event triggers = {
+ com.apple.callhistorysync.idslaunchnotification => {
+ state = 0
+ service = com.apple.CallHistorySyncHelper
+ stream = com.apple.notifyd.matching
+ descriptor = {
+ "Notification" => "com.apple.callhistorysync.idslaunchnotification"
+ }
+ }
+ }
+ endpoints = {
+ "com.apple.callhistory.pairedsync" = {
+ port = 0x46907
+ active = 1
+ managed = 1
+ reset = 0
+ hide = 0
+ }
+ "com.apple.CallHistorySyncHelper" = {
+ port = 0x46607
+ active = 1
+ managed = 1
+ reset = 0
+ hide = 0
+ }
+ "com.apple.CallHistorySyncHelper.aps" = {
+ port = 0x4627b
+ active = 1
+ managed = 1
+ reset = 0
+ hide = 0
+ }
+ }
+ dynamic endpoints = {
+ }
+ pid-local endpoints = {
+ }
+ instance-specific endpoints = {
+ }
+ event channels = {
+ "com.apple.notifyd.matching" = {
+ port = 0x46707
+ active = 1
+ managed = 1
+ reset = 0
+ hide = 0
+ }
+ }
+ sockets = {
+ }
+ spawn type = adaptive
+ jetsam priority = 3
+ jetsam memory limit (active) = 6 MB
+ jetsam memory limit (inactive) = 6 MB
+ jetsamproperties category = daemon
+ allowed to execute = 1
+ submitted job. ignore execute allowed
+ cpumon = default
+ properties = {
+ partial import = 0
+ launchd bundle = 0
+ xpc bundle = 0
+ keepalive = 0
+ runatload = 0
+ dirty at shutdown = 0
+ low priority i/o = 0
+ low priority background i/o = 0
+ exception handler = 0
+ multiple instances = 0
+ supports transactions = 1
+ supports pressured exit = 1
+ enter kdp before kill = 0
+ wait for debugger = 0
+ app = 0
+ system app = 0
+ inetd-compatible = 0
+ inetd listener = 0
+ abandon process group = 0
+ one-shot = 0
+ requires reap = 0
+ event monitor = 0
+ penalty box = 0
+ pended non-demand spawn = 0
+ role account = 0
+ launch only once = 0
+ system support = 0
+ app-like = 0
+ inferred program = 1
+ ios home screen app = 0
+ abandon coalition = 0
+ extension = 0
+ nano allocator = 0
+ no initgroups = 0
+ endpoints initialized = 1
+ platform binary = 1
+ disallow all lookups = 0
+ }
+ }
+ program path = /System/Library/PrivateFrameworks/CallHistory.framework/Support/CallHistorySyncHelper
+ Could not print Mach info for pid 518: 0x5
+ bsd proc info = {
+ pid = 518
+ unique pid = 518
+ ppid = 1
+ pgid = 518
+ status = stopped
+ flags = 64-bit|session leader
+ uid = 501
+ svuid = 501
+ ruid = 501
+ gid = 501
+ svgid = 501
+ ruid = 501
+ comm name = CallHistorySync
+ long name = CallHistorySyncHelper
+ controlling tty devnode = 0xffffffff
+ controlling tty pgid = 0
+ }
+ pressured exit info = {
+ dirty state tracked = 1
+ dirty = 0
+ pressured-exit capable = 1
+ }
+ jetsam priority = 0: idle
+ jetsam memory limit = 6
+ jetsam flags = (none)
+ jetsam state = tracked,idle-exit
+ entitlements = {
+ "com.apple.private.ids.messaging" = (
+ "com.apple.private.alloy.callhistorysync";
+ );
+ "com.apple.developer.icloud-services" = (
+ "CloudKit";
+ );
+ "com.apple.application-identifier" = "CALLSYNCDB.com.apple.callhistory.sync-helper";
+ "com.apple.developer.icloud-container-environment" = "production";
+ "com.apple.private.aps-environment" = "production";
+ "application-identifier" = "CALLSYNCDB.com.apple.callhistory.sync-helper";
+ "aps-connection-initiate" = true;
+ "com.apple.private.aps-connection-initiate" = true;
+ "com.apple.private.ids.messaging.high-priority" = (
+ "com.apple.private.alloy.callhistorysync";
+ );
+ "com.apple.accounts.appleaccount.fullaccess" = true;
+ "aps-environment" = "production";
+ "com.apple.private.tcc.allow" = (
+ "kTCCServiceLiverpool";
+ "kTCCServiceAddressBook";
+ );
+ };
+ code signing info = valid
+ ad-hoc signed
+ get-task-allow entitlement
+ installer entitlement
+ require enforcement
+ allowed mach-o
+ platform dyld
+ entitlements validated
+ platform binary
+```
+Content of /System/Library/LaunchDaemons/com.apple.CallHistorySyncHelper.plist
+```
+{
+ EnablePressuredExit = 1;
+ EnableTransactions = 1;
+ Label = "com.apple.CallHistorySyncHelper";
+ LaunchEvents = {
+ "com.apple.notifyd.matching" = {
+ "com.apple.callhistorysync.idslaunchnotification" = {
+ Notification = "com.apple.callhistorysync.idslaunchnotification";
+ };
+ };
+ };
+ MachServices = {
+ "com.apple.CallHistorySyncHelper" = 1;
+ "com.apple.CallHistorySyncHelper.aps" = 1;
+ "com.apple.callhistory.pairedsync" = 1;
+ };
+ POSIXSpawnType = Adaptive;
+ ProgramArguments = (
+ "/System/Library/PrivateFrameworks/CallHistory.framework/Support/CallHistorySyncHelper"
+ );
+ UserName = mobile;
+}
+```
+Info about `CallHistorySyncHelper`
+```
+$ ls -la /System/Library/PrivateFrameworks/CallHistory.framework/Support/CallHistorySyncHelper
+-rwxr-xr-x 1 root wheel 279392 Aug 29 2016 CallHistorySyncHelper
+
+$ file CallHistorySyncHelper
+Mach-O 64-bit 64-bit architecture=12 executable
+```
+
+Frida REPL w/ `$ frida -U 518`
+
+[Dump ios class hierarchy](https://github.com/iddoeldor/frida-snippets#dump-ios-class-hierarchy)
+```
+[iOS Device::PID::518]-> tree
+{
+ "NSObject": {
+ "CHLogger": {
+ "ApplyLocalTransactions": {},
+ "CHPairedSyncCoordinator": {},
+ "CHPushConnectionDelegate": {},
+ "MergeTransactions": {},
+ "SignalHandler": {},
+ "SyncXPCServer": {}
+ },
+ "CHSynchronizedLoggable": {
+ "AutoSync": {},
+ "CHIDSPeerDevice": {},
+ "CHIDSServiceDelegate": {},
+ "CloudKit": {},
+ "SyncEngine": {},
+ "TransactionLog": {}
+ },
+ "PBCodable": {
+ "CHRecentCallPb": {},
+ "TransactionsPb": {}
+ }
+ }
+}
+```
+
+Tried to print `ObjC.classes.AutoSync` and the daemon shut down
+```
+PID Status Label
+- -43 com.apple.CallHistorySyncHelper
+```
+Get binary w/ Frida
+```
+cmd = Shell(['/bin/sh', '-c', "cat /System/Library/PrivateFrameworks/CallHistory.framework/Support/CallHistorySyncHelper"], None)
+cmd.exec()/push
+with open('~/CallHistorySyncHelper', 'wb+') as f:
+ f.writelines(cmd.output)
+```