[0x06c] Add section Loaded Native Libraries #1948

Merged
merged 5 commits into from
Oct 30, 2021
Changes from 2 commits
4 changes: 4 additions & 0 deletions Document/0x06c-Reverse-Engineering-and-Tampering.md
Expand Up @@ -334,6 +334,10 @@ iOweApp 2828 mobile txt REG 1,2 664848 234595 /usr/lib/dyld
...
```

#### Loaded Native Libraries

The file `/proc/<pid>/maps` contains the currently mapped memory regions and their access permissions. Using this file we can get the list of the libraries loaded in the process.
Collaborator Author

@cpholguera cpholguera Oct 29, 2021

According to the MSTG:

On Android, verifying this is pretty straightforward as you can simply grep for the string "frida" in the memory maps of the process ID in the proc directory (/proc/<pid>/maps). However, on iOS the proc directory is not available, but you can list the loaded dynamic libraries in an app with the function _dyld_image_count.

Is this still true? @sushi2k

Collaborator Author

Maybe it refers to the app trying to get /proc/<pid>/maps, but as the (tester) root user we should be able to call that from the CLI. Please confirm using a device :)

Collaborator

@sushi2k sushi2k Oct 29, 2021

@cpholguera No /proc on iOS. Therefore we can close this PR!

cpholguera marked this conversation as resolved.

#### Open Connections

`lsof` command when invoked with option `-i`, it gives the list of open network ports for all active processes on the device. To get a list of open network ports for a specific process, the `lsof -i -a -p <pid>` command can be used, where `-a` (AND) option is used for filtering. Below a filtered output for PID 1 is shown.
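
Review bot: The added paragraph under "Loaded Native Libraries" depends on `/proc/<pid>/maps`, but the hunk context (`/usr/lib/dyld` in the preceding `lsof` output) places it in the iOS document, and the review thread confirms there is no /proc on iOS, so the step cannot be followed as written. Either drop the section or describe an approach that works on iOS, such as listing the loaded dynamic libraries as in the MSTG passage quoted in the thread (`_dyld_image_count`). The paragraph also gives no command or sample output, unlike the "Open Connections" section that follows it.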