![Page 1: Sniffing Mach Messages](https://reader034.vdocuments.mx/reader034/viewer/2022042503/5874fffe1a28ab29208b59a7/html5/thumbnails/1.jpg)
Sniffing Mach Messages
Mikhail Sosonkin
Slides: http://www.slideshare.net/MikhailSosonkin
![Page 2: Sniffing Mach Messages](https://reader034.vdocuments.mx/reader034/viewer/2022042503/5874fffe1a28ab29208b59a7/html5/thumbnails/2.jpg)
ME! Employer!
![Page 3: Sniffing Mach Messages](https://reader034.vdocuments.mx/reader034/viewer/2022042503/5874fffe1a28ab29208b59a7/html5/thumbnails/3.jpg)
Challenge Review: loading Mach-O from memory
- Understand injectdyld_file.c
- Figure out how to dynamically load a dylib
- Can use injectdyld_file.c as a base
- Hint: you will need to read the DYLD sourcecode.
![Page 4: Sniffing Mach Messages](https://reader034.vdocuments.mx/reader034/viewer/2022042503/5874fffe1a28ab29208b59a7/html5/thumbnails/4.jpg)
From dyld.cpp; loadFromMemory is not an exported symbol, so it has to be reimplemented rather than called:

```cpp
ImageLoader* loadFromMemory(const uint8_t* mem, uint64_t len, const char* moduleName)
{
	// if fat wrapper, find usable sub-file
	const fat_header* memStartAsFat = (fat_header*)mem;
	uint64_t fileOffset = 0;
	uint64_t fileLength = len;
	if ( memStartAsFat->magic == OSSwapBigToHostInt32(FAT_MAGIC) ) {
		if ( fatFindBest(memStartAsFat, &fileOffset, &fileLength) ) {
			mem = &mem[fileOffset];
			len = fileLength;
		}
		// excerpt ends here on the slide
```
![Page 5: Sniffing Mach Messages](https://reader034.vdocuments.mx/reader034/viewer/2022042503/5874fffe1a28ab29208b59a7/html5/thumbnails/5.jpg)
Load from memory
Make part of process
Parse into class object
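As an added example (not dyld's code and not a solution to the challenge), here is the first thing loadFromMemory() does, choosing the usable slice of a fat wrapper, redone in Python so the header layout and the bounds checks can be exercised offline. Everything below is mine: the fat image is constructed from two dummy dylib headers, and the matcher compares cputype only, where dyld's fatFindBest also scores cpusubtype.

```python
import struct
from typing import List, Optional, Tuple

FAT_MAGIC = 0xCAFEBABE          # fat_header fields are big-endian on every host
MH_MAGIC_64 = 0xFEEDFACF        # mach_header_64 is native (little-endian on arm64/x86_64)
CPU_ARCH_ABI64 = 0x01000000
CPU_TYPE_X86_64 = 7 | CPU_ARCH_ABI64     # 0x01000007
CPU_TYPE_ARM64 = 12 | CPU_ARCH_ABI64     # 0x0100000C
MH_DYLIB = 6

FAT_HEADER = struct.Struct(">II")             # magic, nfat_arch
FAT_ARCH = struct.Struct(">iiIII")            # cputype, cpusubtype, offset, size, align (log2)
MACH_HEADER_64 = struct.Struct("<IiiIIIII")   # magic, cputype, cpusubtype, filetype,
                                              # ncmds, sizeofcmds, flags, reserved


def fat_find_best(mem: bytes, want_cputype: int) -> Optional[Tuple[int, int]]:
    """Python stand-in for dyld's fatFindBest(): (offset, length) of the slice whose
    cputype matches, or None.  Matches cputype only (dyld also scores cpusubtype).
    A memory-loading path must bounds-check every offset itself, so this one does."""
    if len(mem) < FAT_HEADER.size:
        return None
    magic, nfat = FAT_HEADER.unpack_from(mem, 0)
    if magic != FAT_MAGIC:
        return None
    if FAT_HEADER.size + nfat * FAT_ARCH.size > len(mem):
        raise ValueError("fat_arch table runs past the end of the buffer")
    for i in range(nfat):
        cputype, _sub, offset, size, _align = FAT_ARCH.unpack_from(
            mem, FAT_HEADER.size + i * FAT_ARCH.size)
        if cputype != want_cputype:
            continue
        if offset + size > len(mem):
            raise ValueError(f"slice {i} at {offset:#x}+{size:#x} exceeds the buffer")
        return offset, size
    return None


def select_image(mem: bytes, want_cputype: int) -> bytes:
    """What loadFromMemory() does before building an ImageLoader: unwrap a fat
    container if present, then insist on a 64-bit Mach-O header for the wanted CPU."""
    found = fat_find_best(mem, want_cputype)
    if found is not None:
        offset, size = found
        mem = mem[offset:offset + size]
    if len(mem) < MACH_HEADER_64.size:
        raise ValueError("buffer too small for mach_header_64")
    magic, cputype = MACH_HEADER_64.unpack_from(mem, 0)[:2]
    if magic != MH_MAGIC_64 or cputype != want_cputype:
        raise ValueError(f"not a Mach-O for cputype {want_cputype:#x}: "
                         f"magic={magic:#x} cputype={cputype:#x}")
    return mem


# --- constructed test input: a two-slice fat wrapper around dummy dylib headers ---

def dummy_image(cputype: int) -> bytes:
    """A bare mach_header_64 followed by 16 filler bytes; enough for the checks above."""
    return MACH_HEADER_64.pack(MH_MAGIC_64, cputype, 0, MH_DYLIB, 0, 0, 0, 0) + b"\xAA" * 16


def make_fat(slices: List[Tuple[int, bytes]], align: int = 12) -> bytes:
    """Wrap (cputype, image) pairs in a fat header, page-aligning slices like lipo does."""
    page = 1 << align
    align_up = lambda n: (n + page - 1) & ~(page - 1)
    table_end = FAT_HEADER.size + len(slices) * FAT_ARCH.size
    header = bytearray(FAT_HEADER.pack(FAT_MAGIC, len(slices)))
    body = bytearray()
    offset = align_up(table_end)
    for cputype, data in slices:
        header += FAT_ARCH.pack(cputype, 0, offset, len(data), align)
        body += data + b"\0" * (align_up(len(data)) - len(data))
        offset += align_up(len(data))
    header += b"\0" * (align_up(table_end) - table_end)
    return bytes(header + body)


if __name__ == "__main__":
    fat = make_fat([(CPU_TYPE_X86_64, dummy_image(CPU_TYPE_X86_64)),
                    (CPU_TYPE_ARM64, dummy_image(CPU_TYPE_ARM64))])
    off, size = fat_find_best(fat, CPU_TYPE_ARM64)
    print(f"arm64 slice at {off:#x}, {size} bytes")
```

The two ValueError paths are the part dyld's file-based loader gets for free from the filesystem: when the image comes from a buffer you control, a slice offset past the end of the buffer is an out-of-bounds read waiting to happen, so the offsets are checked before anything is dereferenced.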
![Page 6: Sniffing Mach Messages](https://reader034.vdocuments.mx/reader034/viewer/2022042503/5874fffe1a28ab29208b59a7/html5/thumbnails/6.jpg)
Getting started with iOS
- Get an iPhone 5s (Swappa is one place to buy a used one)
- Apply a jailbreak
- Install OpenSSH via Cydia
- Use tcprelay to SSH over USB
- Start exploring: debugserver
- Objective-C runtime: Phrack 0x42, http://phrack.org/issues/66/4.html
- https://github.com/iosre/iOSAppReverseEngineering
- https://nabla-c0d3.github.io/blog/2014/12/30/tcprelay-multiple-devices/
![Page 8: Sniffing Mach Messages](https://reader034.vdocuments.mx/reader034/viewer/2022042503/5874fffe1a28ab29208b59a7/html5/thumbnails/8.jpg)
Before we begin...
Let’s cover some basics.
![Page 9: Sniffing Mach Messages](https://reader034.vdocuments.mx/reader034/viewer/2022042503/5874fffe1a28ab29208b59a7/html5/thumbnails/9.jpg)
ARM64 Registers
31 general purpose registers: X0 … X30 (64-bit) or W0 … W30 (the low 32 bits of the same registers)
Register number 31 is not a general purpose register: it encodes ZR (the zero register, XZR/WZR) or SP depending on the instruction
X30 - (lr) Link register, holds the return address (x86 keeps the return address on the stack; there is no RIP-like register you can read directly)
X29 - (fp) Frame pointer (RBP)
X18 - Reserved on iOS (platform register, do not use)
![Page 10: Sniffing Mach Messages](https://reader034.vdocuments.mx/reader034/viewer/2022042503/5874fffe1a28ab29208b59a7/html5/thumbnails/10.jpg)
ARM64 Instructions
Conditional Branches
B.EQ, B.NE, TBNZ (Test bit and Branch if Nonzero), etc.
Unconditional Branches
B, BR, RET (SVC also leaves the current flow, but as a supervisor call that traps into the kernel, not a branch)
Conditional Select
CSEL W9, W9, W10, EQ
“W9 = EQ?W9:W10”
![Page 11: Sniffing Mach Messages](https://reader034.vdocuments.mx/reader034/viewer/2022042503/5874fffe1a28ab29208b59a7/html5/thumbnails/11.jpg)
Calling Convention
On ARM64:
X0 … X7 carry the function arguments; X8 is the indirect result register (address of a struct return value)
X16 holds the system call number:
Positive for Posix (BSD) syscalls
Negative for Mach traps (mach_msg_trap and friends)
0x80000000 for the machdep trap family that implements thread_set_self
SVC #0x80 traps into the kernel
![Page 12: Sniffing Mach Messages](https://reader034.vdocuments.mx/reader034/viewer/2022042503/5874fffe1a28ab29208b59a7/html5/thumbnails/12.jpg)
Syscall numbers
OSX (x86_64, number in RAX; the class lives in the top byte):
0x01000000 | n - Mach traps
0x02000000 | n - Posix (BSD) syscalls
0x03000003 - machdep call 3, used by pthread_set_self (thread_fast_set_cthread_self in the kernel)
iOS (ARM64, number in X16):
negative values - Mach traps
positive values - Posix (BSD) syscalls
0x80000000 - machdep trap, used by pthread_set_self
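An added example (not from the slides) that turns the register value LLDB shows at a syscall instruction into the class and number the two tables above describe, and back, so a breakpoint script can tell a Mach trap from a BSD syscall at a glance. The trap and syscall names in the two small tables are the ones from xnu's syscall_sw.c and syscalls.master; the rest is mine.

```python
from typing import Dict, Optional, Tuple

MASK64 = (1 << 64) - 1
SYSCALL_CLASS_SHIFT = 24
SYSCALL_CLASS_MASK = 0xFF << SYSCALL_CLASS_SHIFT   # x86_64: class in the top byte
SYSCALL_NUMBER_MASK = 0x00FFFFFF
X86_64_CLASSES = {1: "mach", 2: "unix", 3: "machdep"}
ARM64_MACHDEP = 0x80000000   # x16 for the machdep trap family; the selector is in x3, not x16

# enough of the tables to label what a mach_msg breakpoint lands on
MACH_TRAPS: Dict[int, str] = {26: "mach_reply_port", 27: "thread_self_trap",
                              28: "task_self_trap", 29: "host_self_trap",
                              31: "mach_msg_trap", 32: "mach_msg_overwrite_trap"}
UNIX_SYSCALLS: Dict[int, str] = {1: "exit", 2: "fork", 3: "read", 4: "write", 5: "open"}


def decode_syscall(raw: int, arch: str) -> Tuple[str, Optional[int]]:
    """(class, number) for the value in x16 (arm64) or rax (x86_64)."""
    if arch == "arm64":
        value = raw & MASK64
        if value == ARM64_MACHDEP:
            return "machdep", None
        if value >> 63:                       # negative: Mach trap
            return "mach", (MASK64 + 1) - value
        return "unix", value
    if arch == "x86_64":
        cls = (raw & SYSCALL_CLASS_MASK) >> SYSCALL_CLASS_SHIFT
        return X86_64_CLASSES.get(cls, "unknown"), raw & SYSCALL_NUMBER_MASK
    raise ValueError(f"unknown arch {arch}")


def encode_syscall(cls: str, number: int, arch: str) -> int:
    """The register value libsyscall loads before `svc #0x80` / `syscall`."""
    if arch == "arm64":
        if cls == "mach":
            return (-number) & MASK64         # libsyscall emits `movn x16, #(number - 1)`
        if cls == "unix":
            return number
        if cls == "machdep":
            return ARM64_MACHDEP
    if arch == "x86_64":
        return ({"mach": 1, "unix": 2, "machdep": 3}[cls] << SYSCALL_CLASS_SHIFT) | number
    raise ValueError(f"cannot encode {cls} for {arch}")


def name_syscall(raw: int, arch: str) -> str:
    """'class:name' where the number is in the tables above, else 'class:number'."""
    cls, num = decode_syscall(raw, arch)
    table = {"mach": MACH_TRAPS, "unix": UNIX_SYSCALLS}.get(cls, {})
    return f"{cls}:{table.get(num, num)}"


if __name__ == "__main__":
    print(name_syscall(encode_syscall("mach", 31, "arm64"), "arm64"))   # mach:mach_msg_trap
```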
![Page 13: Sniffing Mach Messages](https://reader034.vdocuments.mx/reader034/viewer/2022042503/5874fffe1a28ab29208b59a7/html5/thumbnails/13.jpg)
More details
See the iOS ABI Function Call Guide
![Page 14: Sniffing Mach Messages](https://reader034.vdocuments.mx/reader034/viewer/2022042503/5874fffe1a28ab29208b59a7/html5/thumbnails/14.jpg)
What are Mach Messages?
![Page 15: Sniffing Mach Messages](https://reader034.vdocuments.mx/reader034/viewer/2022042503/5874fffe1a28ab29208b59a7/html5/thumbnails/15.jpg)
The OS X/iOS IPC mechanism
Auditing and Exploiting Apple IPC by Ian Beer
![Page 16: Sniffing Mach Messages](https://reader034.vdocuments.mx/reader034/viewer/2022042503/5874fffe1a28ab29208b59a7/html5/thumbnails/16.jpg)
The OS X/iOS IPC mechanism
● Message based communication
○ Ports are the endpoints, roughly what sockets are to TCP/IP
○ Port names are dynamically assigned
○ Port names are task specific: the same port has a different name in each process
● Mechanism for sandbox enforcement
○ Network comms go through mach ports
○ Send messages to a broker to perform actions the sandbox does not allow directly
![Page 17: Sniffing Mach Messages](https://reader034.vdocuments.mx/reader034/viewer/2022042503/5874fffe1a28ab29208b59a7/html5/thumbnails/17.jpg)
The messages
![Page 18: Sniffing Mach Messages](https://reader034.vdocuments.mx/reader034/viewer/2022042503/5874fffe1a28ab29208b59a7/html5/thumbnails/18.jpg)
Sending a message
https://opensource.apple.com/source/xnu/xnu-1456.1.26/libsyscall/mach/mach_msg.c
![Page 19: Sniffing Mach Messages](https://reader034.vdocuments.mx/reader034/viewer/2022042503/5874fffe1a28ab29208b59a7/html5/thumbnails/19.jpg)
Finding ports
● Launchd - the DNS of Mach Messages (bootstrap.h)
■ kern_return_t bootstrap_register(mach_port_t bp, const name_t service_name, mach_port_t sp);
■ kern_return_t bootstrap_look_up(mach_port_t bp, const name_t service_name, mach_port_t *sp);
○ RocketBootstrap - for jailbreaks; lets sandboxed processes look up services the launchd bootstrap would refuse them
■ kern_return_t rocketbootstrap_look_up(mach_port_t bp, const name_t service_name, mach_port_t *sp);
![Page 20: Sniffing Mach Messages](https://reader034.vdocuments.mx/reader034/viewer/2022042503/5874fffe1a28ab29208b59a7/html5/thumbnails/20.jpg)
Let’s observe them!
![Page 21: Sniffing Mach Messages](https://reader034.vdocuments.mx/reader034/viewer/2022042503/5874fffe1a28ab29208b59a7/html5/thumbnails/21.jpg)
Objc_Trace: Call Sequence / Hook Steps
Tracing ObjC messages
1. Allocate a page - a jump page
2. Set mach_msg readable and writable
3. Copy preamble bytes from mach_msg
4. Check for branch instructions in the preamble (a PC-relative instruction cannot be copied verbatim)
5. Modify mach_msg preamble
6. Set jump page to readable and executable
7. Set mach_msg readable and executable
![Page 22: Sniffing Mach Messages](https://reader034.vdocuments.mx/reader034/viewer/2022042503/5874fffe1a28ab29208b59a7/html5/thumbnails/22.jpg)
Basic Process
1. Attach with LLDB
2. Breakpoint on bootstrap lookups
3. Breakpoint on mach_msg and friends
4. Run the application and collect the messages
5. Post process the results
I prefer to automate this!
![Page 23: Sniffing Mach Messages](https://reader034.vdocuments.mx/reader034/viewer/2022042503/5874fffe1a28ab29208b59a7/html5/thumbnails/23.jpg)
Attaching to a process
![Page 24: Sniffing Mach Messages](https://reader034.vdocuments.mx/reader034/viewer/2022042503/5874fffe1a28ab29208b59a7/html5/thumbnails/24.jpg)
Create an LLDB command
In ~/.lldbinit:
![Page 25: Sniffing Mach Messages](https://reader034.vdocuments.mx/reader034/viewer/2022042503/5874fffe1a28ab29208b59a7/html5/thumbnails/25.jpg)
“Let’s look at some code!”
mach_sniff.py
LLDB Python Reference
![Page 26: Sniffing Mach Messages](https://reader034.vdocuments.mx/reader034/viewer/2022042503/5874fffe1a28ab29208b59a7/html5/thumbnails/26.jpg)
First ret is the end of function
![Page 27: Sniffing Mach Messages](https://reader034.vdocuments.mx/reader034/viewer/2022042503/5874fffe1a28ab29208b59a7/html5/thumbnails/27.jpg)
1. Breakpoint on symbol bootstrap_look_up2 (beginning of function)
   a. Expecting only one location
2. Set script function to execute
   a. Python function rocketbootstrap_look_up
3. Find the end of the function
   a. First ret instruction within 100 instructions
   b. Use IDA Pro to confirm this
   c. Very specific to this function
4. Breakpoint on the end of the function
5. Set script function to execute
   a. Call Python script function rocketbootstrap_look_up_end
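The two instruction-level checks this deck relies on, step 4 of the Objc_Trace hook (look for branches in the preamble) and step 3 above (first ret within 100 instructions), as one added Python example. It is not Objc_Trace or mach_sniff.py; it matches raw ARM64 words against the encoding masks of the PC-relative instructions and RET. The sample function bytes are constructed, and the assumption that 4 instructions (16 bytes) are overwritten by the patch reflects an LDR-literal + BR + 8-byte-target jump, not something the slides state.

```python
import struct
from typing import List, Optional

# (mask, value, tag) from the ARMv8-A encoding tables; first match wins.
PC_RELATIVE = [
    (0xFC000000, 0x14000000, "b"),
    (0xFC000000, 0x94000000, "bl"),
    (0xFF000010, 0x54000000, "b.cond"),
    (0x7E000000, 0x34000000, "cbz/cbnz"),
    (0x7E000000, 0x36000000, "tbz/tbnz"),
    (0x1F000000, 0x10000000, "adr/adrp"),
    (0x3B000000, 0x18000000, "ldr-literal"),
]
RETURNS = [(0xFFFFFC1F, 0xD65F0000, "ret"), (0xFFFFFBFF, 0xD65F0BFF, "retaa/retab")]


def classify(word: int) -> Optional[str]:
    """Tag for PC-relative and return instructions; None means position-independent
    (BR/BLR through a register, data processing, loads/stores), i.e. safe to relocate."""
    for mask, value, tag in PC_RELATIVE + RETURNS:
        if word & mask == value:
            return tag
    return None


def words(code: bytes) -> List[int]:
    if len(code) % 4:
        raise ValueError("ARM64 code is a whole number of 4-byte words")
    return list(struct.unpack(f"<{len(code) // 4}I", code))


def preamble_is_relocatable(code: bytes, n_insns: int = 4) -> bool:
    """Hook step 4: True only if the first n_insns instructions can be copied to the jump
    page verbatim.  n_insns = 4 assumes a 16-byte LDR-literal/BR/target patch."""
    ws = words(code)
    if len(ws) < n_insns:
        return False
    return all(classify(w) is None for w in ws[:n_insns])


def find_first_ret(code: bytes, limit: int = 100) -> Optional[int]:
    """Byte offset of the first RET within `limit` instructions, or None.  This is the
    'end of function' heuristic; it is only valid for functions with a single exit."""
    for i, w in enumerate(words(code)[:limit]):
        if classify(w) in ("ret", "retaa/retab"):
            return i * 4
    return None


# constructed body of a small wrapper; the encodings are real, the target of the BL is left 0
SAMPLE = struct.pack("<7I",
    0xA9BF7BFD,  # stp x29, x30, [sp, #-16]!
    0x910003FD,  # mov x29, sp
    0xAA0003F3,  # mov x19, x0
    0x2A0103E8,  # mov w8, w1
    0x94000000,  # bl <target>   (PC-relative)
    0xA8C17BFD,  # ldp x29, x30, [sp], #16
    0xD65F03C0,  # ret
)

if __name__ == "__main__":
    print("4-insn preamble relocatable:", preamble_is_relocatable(SAMPLE, 4))
    print("5-insn preamble relocatable:", preamble_is_relocatable(SAMPLE, 5))
    print("first ret at byte offset:", find_first_ret(SAMPLE))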
![Page 28: Sniffing Mach Messages](https://reader034.vdocuments.mx/reader034/viewer/2022042503/5874fffe1a28ab29208b59a7/html5/thumbnails/28.jpg)
Get the port name, 2nd argument
Record the state for return of the function
![Page 29: Sniffing Mach Messages](https://reader034.vdocuments.mx/reader034/viewer/2022042503/5874fffe1a28ab29208b59a7/html5/thumbnails/29.jpg)
What’s the initial state of the call?
What’s the port number?
Once discovered, start sniffing!
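The entry/return bookkeeping of the last few slides (record the arguments when bootstrap_look_up and mach_msg are entered, read the results at the ret), as an added example that is not mach_sniff.py. It is written against a plain register dictionary and a read(address, length) callback so it runs without LLDB; in the real script those values come from frame.FindRegister(...) and process.ReadMemory(...). The service name, port names, addresses and message bytes in simulate_session() are constructed.

```python
import struct
from typing import Callable, Dict, List, Optional

MACH_SEND_MSG, MACH_RCV_MSG = 0x1, 0x2
MACH_MSG_SUCCESS = 0                    # same value as KERN_SUCCESS for bootstrap_look_up
HEADER = struct.Struct("<IIIIIi")       # mach_msg_header_t: bits, size, remote, local, voucher, id
ReadFn = Callable[[int, int], bytes]    # read(address, length) -> bytes


def read_cstring(read: ReadFn, addr: int, limit: int = 256) -> str:
    return read(addr, limit).split(b"\0", 1)[0].decode("utf-8", "replace")


class MachSniffer:
    """Pairs the entry and return breakpoints of each hooked call by thread id: the entry
    stop saves the argument registers, the return stop reads what the callee filled in."""

    def __init__(self) -> None:
        self.ports: Dict[int, str] = {}        # port name -> bootstrap service name
        self.captured: List[dict] = []
        self._lookups: Dict[int, tuple] = {}
        self._msgs: Dict[int, tuple] = {}

    # bootstrap_look_up(bp, service_name, *sp): bp in x0, name in x1, out-pointer in x2
    def lookup_entry(self, tid: int, regs: Dict[str, int], read: ReadFn) -> None:
        self._lookups[tid] = (read_cstring(read, regs["x1"]), regs["x2"])

    def lookup_return(self, tid: int, regs: Dict[str, int], read: ReadFn) -> Optional[int]:
        service, out_ptr = self._lookups.pop(tid)
        if regs["x0"] != MACH_MSG_SUCCESS:     # kern_return_t comes back in x0
            return None
        (port,) = struct.unpack("<I", read(out_ptr, 4))
        self.ports[port] = service
        return port

    # mach_msg(msg, option, send_size, rcv_size, rcv_name, timeout, notify): x0 .. x6
    def msg_entry(self, tid: int, regs: Dict[str, int], read: ReadFn) -> Optional[dict]:
        buf, option, send_size, rcv_size = regs["x0"], regs["x1"], regs["x2"], regs["x3"]
        self._msgs[tid] = (buf, option, rcv_size)
        if option & MACH_SEND_MSG:             # the outgoing message is complete at entry
            return self._record("send", read(buf, send_size))
        return None

    def msg_return(self, tid: int, regs: Dict[str, int], read: ReadFn) -> Optional[dict]:
        buf, option, rcv_size = self._msgs.pop(tid)
        if not (option & MACH_RCV_MSG) or regs["x0"] != MACH_MSG_SUCCESS:
            return None
        data = read(buf, rcv_size)             # the kernel wrote the reply into the same buffer
        (msgh_size,) = struct.unpack_from("<I", data, 4)
        tsize = 0
        if msgh_size + 8 <= len(data):         # a trailer follows msgh_size on received messages
            (tsize,) = struct.unpack_from("<I", data, msgh_size + 4)
        return self._record("recv", data[:msgh_size + tsize])

    def _record(self, direction: str, data: bytes) -> dict:
        _bits, _size, remote, local, _voucher, msg_id = HEADER.unpack_from(data, 0)
        entry = {"dir": direction, "remote": remote, "local": local, "id": msg_id,
                 # replies come back on the client's reply port, so only sends resolve here
                 "service": self.ports.get(remote), "raw": data}
        self.captured.append(entry)
        return entry


class FlatMemory:
    """Stand-in for process memory over one constructed region."""
    def __init__(self, base: int, size: int) -> None:
        self.base, self.buf = base, bytearray(size)

    def write(self, addr: int, data: bytes) -> None:
        self.buf[addr - self.base:addr - self.base + len(data)] = data

    def read(self, addr: int, n: int) -> bytes:
        return bytes(self.buf[addr - self.base:addr - self.base + n])


def simulate_session() -> MachSniffer:
    """Replays one lookup and one request/reply pair; every value here is constructed."""
    mem, sn = FlatMemory(0x10000000, 0x1000), MachSniffer()
    mem.write(0x10000000, b"com.example.simtouch\0")                  # service name string
    sn.lookup_entry(1, {"x0": 0x103, "x1": 0x10000000, "x2": 0x10000100}, mem.read)
    mem.write(0x10000100, struct.pack("<I", 0x1207))                  # launchd filled in *sp
    sn.lookup_return(1, {"x0": MACH_MSG_SUCCESS}, mem.read)
    # request: bits 0x1513 = remote COPY_SEND (19), local MAKE_SEND_ONCE (21); 8 payload bytes
    req = HEADER.pack(0x1513, 32, 0x1207, 0x1307, 0, 500) + b"\x01\0\0\0\x02\0\0\0"
    mem.write(0x10000200, req)
    sn.msg_entry(1, {"x0": 0x10000200, "x1": MACH_SEND_MSG | MACH_RCV_MSG,
                     "x2": 32, "x3": 0x100}, mem.read)
    # reply overwrites the buffer: 4 payload bytes, then an 8-byte MACH_MSG_TRAILER_FORMAT_0
    reply = HEADER.pack(0x12, 28, 0, 0x1307, 0, 600) + b"\0\0\0\0" + struct.pack("<II", 0, 8)
    mem.write(0x10000200, reply)
    sn.msg_return(1, {"x0": MACH_MSG_SUCCESS}, mem.read)
    return sn
```

Two details matter when wiring this into real breakpoints: the pairing is per thread, because another thread can enter mach_msg between one thread's entry and return stops, and the receive side must be read at the return breakpoint, not at entry, since before the call the buffer still holds the request (or garbage) and the kernel only fills it in once mach_msg returns MACH_MSG_SUCCESS.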
![Page 30: Sniffing Mach Messages](https://reader034.vdocuments.mx/reader034/viewer/2022042503/5874fffe1a28ab29208b59a7/html5/thumbnails/30.jpg)
![Page 31: Sniffing Mach Messages](https://reader034.vdocuments.mx/reader034/viewer/2022042503/5874fffe1a28ab29208b59a7/html5/thumbnails/31.jpg)
Message to be sent
![Page 32: Sniffing Mach Messages](https://reader034.vdocuments.mx/reader034/viewer/2022042503/5874fffe1a28ab29208b59a7/html5/thumbnails/32.jpg)
Message response
![Page 33: Sniffing Mach Messages](https://reader034.vdocuments.mx/reader034/viewer/2022042503/5874fffe1a28ab29208b59a7/html5/thumbnails/33.jpg)
“Let’s look at some output!”
![Page 34: Sniffing Mach Messages](https://reader034.vdocuments.mx/reader034/viewer/2022042503/5874fffe1a28ab29208b59a7/html5/thumbnails/34.jpg)
Events from libsimulatetouch
![Page 35: Sniffing Mach Messages](https://reader034.vdocuments.mx/reader034/viewer/2022042503/5874fffe1a28ab29208b59a7/html5/thumbnails/35.jpg)
The header
![Page 36: Sniffing Mach Messages](https://reader034.vdocuments.mx/reader034/viewer/2022042503/5874fffe1a28ab29208b59a7/html5/thumbnails/36.jpg)
Message payload
![Page 38: Sniffing Mach Messages](https://reader034.vdocuments.mx/reader034/viewer/2022042503/5874fffe1a28ab29208b59a7/html5/thumbnails/38.jpg)
Parsed using mach_whale.py
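For the "Sending a message" slide and the header/payload slides parsed with mach_whale.py, an added example (mine, not mach_whale.py) that packs a request the way a client does before calling mach_msg() and parses a captured buffer back: header, the descriptors of a complex message, inline payload, and the trailer the kernel appends to received messages. The layouts are the 64-bit userland structs from <mach/message.h>; port names and message ids used in the test are constructed.

```python
import struct
from dataclasses import dataclass, field
from typing import List, Optional

MACH_MSGH_BITS_COMPLEX = 0x80000000
MACH_MSG_TYPE_MOVE_SEND_ONCE, MACH_MSG_TYPE_COPY_SEND, MACH_MSG_TYPE_MAKE_SEND_ONCE = 18, 19, 21
PORT_DESC_KIND, OOL_DESC_KIND, OOL_PORTS_DESC_KIND, OOL_VOLATILE_DESC_KIND = 0, 1, 2, 3

HEADER = struct.Struct("<IIIIIi")    # bits, size, remote, local, voucher, id            (24 bytes)
PORT_DESC = struct.Struct("<IIHBB")  # name, pad1, pad2, disposition, type               (12 bytes)
OOL_DESC = struct.Struct("<QBBBBI")  # address, deallocate, copy, pad|disposition, type, size|count


def make_bits(remote: int, local: int = 0, voucher: int = 0, complex_: bool = False) -> int:
    """MACH_MSGH_BITS(remote, local) plus the voucher and complex flag bits."""
    bits = (remote & 0x1F) | ((local & 0x1F) << 8) | ((voucher & 0x1F) << 16)
    return bits | (MACH_MSGH_BITS_COMPLEX if complex_ else 0)


@dataclass
class Descriptor:
    kind: int
    name_or_address: int
    disposition: int = 0
    size_or_count: int = 0


@dataclass
class MachMessage:
    bits: int
    size: int
    remote_port: int
    local_port: int
    voucher_port: int
    msg_id: int
    descriptors: List[Descriptor] = field(default_factory=list)
    payload: bytes = b""
    trailer: Optional[dict] = None

    @property
    def is_complex(self) -> bool:
        return bool(self.bits & MACH_MSGH_BITS_COMPLEX)

    @property
    def remote_type(self) -> int:
        return self.bits & 0x1F

    @property
    def local_type(self) -> int:
        return (self.bits >> 8) & 0x1F


def build_message(remote_port, local_port, msg_id, payload, port_rights=()):
    """Lay out a request as a client does just before mach_msg(): header, then (only if
    rights are attached) a body with a descriptor count and port descriptors, then data."""
    complex_ = bool(port_rights)
    body = b""
    if complex_:
        body = struct.pack("<I", len(port_rights))
        for name, disposition in port_rights:
            body += PORT_DESC.pack(name, 0, 0, disposition, PORT_DESC_KIND)
    bits = make_bits(MACH_MSG_TYPE_COPY_SEND, MACH_MSG_TYPE_MAKE_SEND_ONCE, complex_=complex_)
    size = HEADER.size + len(body) + len(payload)
    return HEADER.pack(bits, size, remote_port, local_port, 0, msg_id) + body + payload


def parse_message(buf: bytes) -> MachMessage:
    """Parse a buffer captured at a mach_msg() breakpoint.  Descriptors are walked by the
    type byte, which sits at offset 11 in every descriptor kind; anything past msgh_size
    is the kernel trailer of a received message."""
    if len(buf) < HEADER.size:
        raise ValueError("shorter than mach_msg_header_t")
    msg = MachMessage(*HEADER.unpack_from(buf, 0))
    if msg.size < HEADER.size or msg.size > len(buf):
        raise ValueError(f"msgh_size {msg.size} inconsistent with {len(buf)} captured bytes")
    off = HEADER.size
    if msg.is_complex:
        (count,) = struct.unpack_from("<I", buf, off)
        off += 4
        for _ in range(count):
            if off + PORT_DESC.size > msg.size:
                raise ValueError("descriptor runs past msgh_size")
            kind = buf[off + 11]
            if kind == PORT_DESC_KIND:
                name, _, _, disp, _ = PORT_DESC.unpack_from(buf, off)
                msg.descriptors.append(Descriptor(kind, name, disp))
                off += PORT_DESC.size
            elif kind in (OOL_DESC_KIND, OOL_VOLATILE_DESC_KIND, OOL_PORTS_DESC_KIND):
                if off + OOL_DESC.size > msg.size:
                    raise ValueError("descriptor runs past msgh_size")
                addr, _dealloc, _copy, disp, _, n = OOL_DESC.unpack_from(buf, off)
                disp = disp if kind == OOL_PORTS_DESC_KIND else 0   # byte 10 is padding for OOL
                msg.descriptors.append(Descriptor(kind, addr, disp, n))
                off += OOL_DESC.size
            else:
                raise ValueError(f"unknown descriptor type {kind}")
    msg.payload = buf[off:msg.size]
    if len(buf) >= msg.size + 8:
        ttype, tsize = struct.unpack_from("<II", buf, msg.size)
        if tsize > len(buf) - msg.size:
            raise ValueError("trailer truncated")
        msg.trailer = {"type": ttype, "size": tsize}
        if tsize >= 12:
            msg.trailer["seqno"] = struct.unpack_from("<I", buf, msg.size + 8)[0]
        if tsize >= 20:
            msg.trailer["uid"], msg.trailer["gid"] = struct.unpack_from("<II", buf, msg.size + 12)
        if tsize >= 52:
            msg.trailer["audit_token"] = struct.unpack_from("<8I", buf, msg.size + 20)
    return msg
```

Two things the parsed form makes visible that the raw hex does not: the complex bit and descriptor list tell you whether a message is moving port rights or out-of-line memory (the interesting surface when auditing a service), and for MIG-generated interfaces the reply's msgh_id is the request's msgh_id plus 100, which is how request and response pairs in a capture can be matched up.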
![Page 39: Sniffing Mach Messages](https://reader034.vdocuments.mx/reader034/viewer/2022042503/5874fffe1a28ab29208b59a7/html5/thumbnails/39.jpg)
The Challenge
“Port LLDB scripts to MacOS and
identify various uses of mach messages”
“Try doing the same thing using Frida”
If you don’t have a Mac, the challenge is: get a macOS VM running on a Windows host. Beware of malware!
![Page 40: Sniffing Mach Messages](https://reader034.vdocuments.mx/reader034/viewer/2022042503/5874fffe1a28ab29208b59a7/html5/thumbnails/40.jpg)
Where to learn about security?
- iOS Reverse Engineering Book
- https://seccasts.com/
- http://www.opensecuritytraining.info/
- https://www.corelan.be
- YouTube for conference talks
- Security meetups
- Just practice
- Read/follow walkthroughs
- Follow the subreddits: netsec, reverseengineering, malware, lowlevel, blackhat, securityCTF, rootkit, vrd
![Page 41: Sniffing Mach Messages](https://reader034.vdocuments.mx/reader034/viewer/2022042503/5874fffe1a28ab29208b59a7/html5/thumbnails/41.jpg)
Thank you!
Mikhail Sosonkin
Slides: http://www.slideshare.net/MikhailSosonkin