juliangrtz/frida-antiantijb
GitHub: juliangrtz/frida-antiantijb
A Frida-based iOS jailbreak-detection bypass tool that hooks file-system and ObjC functions to fool an app's jailbreak-environment checks.
Stars: 19 | Forks: 5
# frida-antiantijb
A few simple Frida-based jailbreak detection bypasses. Still far from complete.
Real RASP software will just laugh at this.
## Installation
```
npm install frida-objc-bridge
npm install
```
`frida-objc-bridge` is needed to hook certain ObjC functions (see `agent/hooks/objc.ts`).
## Usage
```
frida -Uf target -l main.js
```
## Example output
```
[*] access("/var/containers/Bundle/Application/OhNo/OhNo.app")
[*] snprintf("/private/var/mobile/Containers/Data/Application/OhNo/tmp/")
[*] symlink("/", "/private/var/mobile/Containers/Data/Application/OhNo/tmp/OhNo")
[*] snprintf("/private/var/mobile/Containers/Data/Application/OhNo/tmp/OhNo/usr/sbin/frida-server")
[!!!] Found suspicious string: /private/var/mobile/Containers/Data/Application/OhNo/tmp/OhNo/usr/sbin/frida-server
0x1039a2cd0 OhNo!0x34dacd0 (0x1034dacd0)
0x1039960b8 OhNo!0x34ce0b8 (0x1034ce0b8)
0x10396d460 OhNo!0x34a5460 (0x1034a5460)
0x10395f268 OhNo!0x3497268 (0x103497268)
0x10396d6d4 OhNo!0x34a56d4 (0x1034a56d4)
0x103a324dc OhNo!0x356a4dc (0x10356a4dc)
0x103a31c60 OhNo!0x3569c60 (0x103569c60)
0x103a35eec OhNo!+[OhNo load]
0x1984007cc libobjc.A.dylib!load_images
0x10506d9d4 dyld!dyld4::RuntimeState::notifyObjCInit(dyld4::Loader const*)
0x105071b54 dyld!dyld4::Loader::runInitializersBottomUp(dyld4::RuntimeState&, dyld3::Array&) const
0x105077840 dyld!dyld4::Loader::runInitializersBottomUpPlusUpwardLinks(dyld4::RuntimeState&) const
0x10509494c dyld!dyld4::APIs::runAllInitializersForMain()
0x105081c5c dyld!dyld4::prepare(dyld4::APIs&, dyld3::MachOAnalyzer const*)
0x1050804b0 dyld!start
[!!!] Replaced "/private/var/mobile/Containers/Data/Application/OhNo/tmp/OhNo/usr/sbin/frida-server"
```
## TODO
- More robust syscall handling
- Implement lesser-known/private detection methods
- Add more detection strings
- Improve dyld detection
- Try to detect imminent deliberate crashes