一、目標

一步步分析并編寫一個短信自動轉發的deb插件

二、工具

• mac系統
• 已越獄iOS設備：脫殼及frida調試
• IDA Pro：靜態分析
• 測試設備：iphone6s-ios14.1.1

三、步驟

1、守護進程

? 守護進程(daemon)是一類在后臺運行的特殊進程，用于執行特定的系統任務。例如：推送服務、人臉解鎖、iCloud、查找我的iPhone、iMessage等。

相應的配置目錄：

• /Library/LaunchAgents：管理員控制特定用戶的代理

• /Library/LaunchDaemons：管理員提供的系統級守護進程（cydia、filza、frida等就在這）

• /System/Library/LaunchDaemons：iOS提供的默認守護進程

本文的目的主要短信，所以關注的重點在iOS提供的守護進程，常見的進程配置文件有：

名稱	描述
com.apple.apsd	推送服務
com.apple.biometrickitd.pearl	人臉解鎖
com.apple.cloudd	iCloud
com.apple.icloud.findmydeviced	查找我的iPhone
com.apple.imagent	即時消息代理 (iMessage)

更多服務請參考https://www.theiphonewiki.com/wiki/Services

2、定位關鍵函數

在iPhone中使用文件管理工具查看/System/Library/LaunchDaemons/com.apple.imagent文件關鍵信息如下：

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict><key>EnvironmentVariables</key><dict><key>NSRunningFromLaunchd</key><string>1</string></dict><key>ProgramArguments</key><array><string>/System/Library/PrivateFrameworks/IMCore.framework/imagent.app/imagent</string></array><key>RunAtLoad</key><true/>
</dict>
</plist>

ProgramArguments所對應的路徑，就是該進程執行的二進制文件。執行frida-trace -U -m "*[IM* *]" imagent -o a.log后，當手機收到短信后的日志如下：

-[SMSServiceSession smsMessageReceived:0x10524abc0 msgID:0x80000006]
-[SMSServiceSession _processSMSorMMSMessageReceivedWithContext:0x10524abc0 messageID:0x80000006]
+[IMMetricsCollector sharedInstance]
-[IMMetricsCollector trackEvent:0x1d02ab1e8]
-[SMSServiceSession _convertCTMessageToDictionary:0x109a0e510 requiresUpload:0x16f832c2f]
-[IMMetricsCollector _trackEvent:0x1d02ab1e8]
-[SMSServiceSession _fixIncomingDate:0xd13d420d70d597e6]
-[SMSServiceSession shouldFixIncomingDate]
-[SMSServiceSession _myCTPhoneNumber]
+[IMCTSubscriptionUtilities sharedInstance]
-[IMCTSubscriptionUtilities deviceSupportsMultipleSubscriptions]
+[IMCTSubscriptionUtilities sharedInstance]
-[IMCTSubscriptionUtilities deviceSupportsMultipleSubscriptions]
+[IMCTSMSUtilities IMMMSEmailAddressToMatchForPhoneNumber:0x100830240 simID:0x0]
+[IMCTSubscriptionUtilities sharedInstance]
-[IMCTSubscriptionUtilities deviceSupportsMultipleSubscriptions]
-[SMSServiceSession _convertCTMessagePartToDictionary:0x109a28610]
-[SMSServiceSession _shouldUploadToMMCS:0x10524aca0]
-[SMSServiceSession _receivedSMSDictionary:0x10524aca0 requiresUpload:0x0 isBeingReplayed:0x0]
-[SMSServiceSession _processReceivedDictionary:0x10524aca0 storageContext:0x0]
+[IMMessageNotificationTimeManager sharedInstance]
-[IMMessageNotificationTimeManager acquireAssertionToUnsuspendProcess]
+[IMLockdownManager sharedInstance]
-[IMLockdownManager isInternalInstall]
-[IMLockdownManager _calculateInstallType]
-[IMMessageItem initWithSender:0x100890210 time:0x1008831d0 body:0x10083ba80 attributes:0x0 fileTransferGUIDs:0x1007081d0 flags:0x1 error:0x0 guid:0x10524acc0]
-[IMMessageItem initWithSender:0x100890210 time:0x1008831d0 body:0x10083ba80 attributes:0x0 fileTransferGUIDs:0x1007081d0 flags:0x1 error:0x0 guid:0x10524acc0 type:0x0]
-[IMMessageItem initWithSenderInfo:0x10085c330 time:0x1008831d0 timeRead:0x0 timeDelivered:0x0 timePlayed:0x0 subject:0x0 body:0x10083ba80 bodyData:0x0 attributes:0x0 fileTransferGUIDs:0x1007081d0 flags:0x1 guid:0x10524acc0 messageID:0x0 account:0x0 accountID:0x0 service:0x0 handle:0x0 roomName:0x0 unformattedID:0x0 countryCode:0x0 expireState:0x0 balloonBundleID:0x0 payloadData:0x0 expressiveSendStyleID:0x0 timeExpressiveSendPlayed:0x0 bizIntent:0x0 locale:0x0 errorType:0x0 type:0x0]
-[IMItem initWithSenderInfo:0x10085c330 time:0x1008831d0 guid:0x10524acc0 messageID:0x0 account:0x0 accountID:0x0 service:0x0 handle:0x0 roomName:0x0 unformattedID:0x0 countryCode:0x0 type:0x0]
-[IMItem setSenderInfo:0x10085c330]

根據日志可看出關鍵函數-[SMSServiceSession smsMessageReceived:0x10524abc0 msgID:0x80000006]， 使用命令frida-trace -U -m "-[SMSServiceSession smsMessageReceived:msgID:]" imagent跟蹤該函數，js代碼如下:

{onEnter(log, args, state) {log(`-[SMSServiceSession smsMessageReceived:${ObjC.Object(args[2])} msgID:${args[3]}]`);},onLeave(log, retval, state) {}
}

當手機收到短信時，對應日志輸出如下: