
iOS Forensics Trick: Losslessly Exporting Complete SQLite Databases

In the previous article I introduced a few ways to make use of features of the iOS DeveloperImage, including launching an app with custom environment variables on a jailbroken device. To be honest, my original motivation was to look for sandbox logic bugs, and that failed. Fortunately I found another very practical trick: using some of those same features to extract SQLite databases. The approach requires the screen to be unlocked and a trusted USB connection.


To run the full experiment, you need the following tools installed:

https://github.com/libimobiledevice/libimobiledevice

https://github.com/libimobiledevice/ideviceinstaller

https://github.com/emonti/afcclient (optional; use it if you don't want to write your own code against libimobiledevice)


SQLite logging


The SQLite build currently shipped in iOS supports a debugging option: if the SQLITE_SQLLOG_DIR environment variable is set, every database the process opens gets a copy in the given directory, and the SQL queries are recorded there in plain text.


SQLite documentation: https://www.sqlite.org/src/doc/trunk/src/test_sqllog.c


Our experiment starts on a jailbroken device. Simply launch the Gmail app with SQLITE_SQLLOG_DIR pointing to a location the app has permission to write to:



Modify the script from the previous article to add a new key to the environment:

const env = ObjC.classes.NSMutableDictionary.alloc().init();
env.setObject_forKey_(
 ObjC.classes.NSString.stringWithString_("/private/var/mobile/Containers/Data/Application/{THE_ACTUAL_UUID_ON_YOUR_DEVICE}/tmp"),
 ObjC.classes.NSString.stringWithString_("SQLITE_SQLLOG_DIR"));

Here is what gets generated in that directory:

hello:/private/var/mobile/Containers/Data/Application/.../tmp root# ls
WebKit      sqllog_05860_00000.sql  sqllog_05860_00003.sql  sqllog_05860_01.db
sqllog_05860.idx    sqllog_05860_00001.sql  sqllog_05860_00004.sql  sqllog_05860_02.db
sqllog_05860_00.db  sqllog_05860_00002.sql  sqllog_05860_00005.sql  sqllog_05860_03.db

The 05860 in the file names is the pid, formatted as a fixed 5-digit number. The idx file is the index that maps each copy back to the original database.

root# cat sqllog_05860.idx
0 /private/var/mobile/Containers/Shared/AppGroup/21805C48-3DD1-4973-BDB8-F26441BE74B3/GIPPhenotype/phenotype.db
1 /var/mobile/Containers/Data/Application/E89CEF28-30BA-41F8-BDB3-BD05E0598D32/Library/Application Support/data/johnsmith@outlook.com/sqlitedb
2 /var/mobile/Containers/Data/Application/E89CEF28-30BA-41F8-BDB3-BD05E0598D32/Library/Application Support/data/johnsmith@outlook.com/imapsqlitedb
3 /private/var/mobile/Containers/Data/Application/E89CEF28-30BA-41F8-BDB3-BD05E0598D32/Library/Caches/com.google.Gmail/Cache.d

For example, all queries against /var/mobile/Containers/Data/Application/E89CEF28-30BA-41F8-BDB3-BD05E0598D32/Library/Application Support/data/johnsmith@outlook.com/sqlitedb are recorded in the file sqllog_05860_00000.sql.

sqllog_05860_00.db is its copy.
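As an added example (not code from the original article), here is a Python helper for the analysis side of this trick: it parses the .idx mapping, groups the pulled sqllog_<pid>_NN.db copies and sqllog_<pid>_NNNNN.sql logs by pid, and checks each copy's SQLite header before opening it read-only, so a truncated or partially transferred copy is flagged instead of silently trusted. The sample directory it builds is constructed for the demo, not real device data.

```python
import os, re, sqlite3, tempfile
from contextlib import closing
from pathlib import Path

IDX_RE = re.compile(r"^sqllog_(\d{5})\.idx$")  # names written by SQLite's test_sqllog.c; pid is 5 digits
DB_RE = re.compile(r"^sqllog_(\d{5})_(\d{2})\.db$")
SQL_RE = re.compile(r"^sqllog_(\d{5})_(\d{5})\.sql$")
SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite 3 file

def parse_idx(text):
    """Map each index number in a .idx file to the original database path."""
    mapping = {}
    for line in filter(str.strip, text.splitlines()):
        num, path = line.strip().split(" ", 1)  # paths may contain spaces ("Application Support")
        mapping[int(num)] = os.path.normpath(path)  # "/var/mobile///Library" -> single slash
    return mapping
def sqlite_tables(path):
    """Table names of a copied .db, or None if the file does not carry a SQLite 3 header."""
    with open(path, "rb") as f:
        if f.read(16) != SQLITE_MAGIC:
            return None
    with closing(sqlite3.connect(f"file:{path}?mode=ro", uri=True)) as con:  # read-only: never modify evidence
        return [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
def inventory(sqllog_dir):
    """Group a pulled SQLLOG directory by pid: idx mapping, db copies with tables, sql logs."""
    result = {}
    for name in sorted(os.listdir(sqllog_dir)):
        m = IDX_RE.match(name) or DB_RE.match(name) or SQL_RE.match(name)
        if not m: continue  # e.g. the WebKit directory in the listing above
        full = os.path.join(sqllog_dir, name)
        bucket = result.setdefault(int(m.group(1)), {"idx": {}, "db": {}, "sql": []})
        if name.endswith(".idx"):
            bucket["idx"] = parse_idx(Path(full).read_text(encoding="utf-8"))
        elif name.endswith(".db"):
            bucket["db"][int(m.group(2))] = sqlite_tables(full)
        else:
            bucket["sql"].append(name)
    return result
def build_sample():
    """Constructed sample directory mimicking the listing above (not real device data)."""
    d = tempfile.mkdtemp()
    Path(d, "sqllog_05860.idx").write_text("0 /var/mobile///Library/AddressBook/AddressBook.sqlitedb\n"
        "1 /var/mobile/Containers/Data/Application/APP-UUID/Library/Application Support/data/sqlitedb\n")
    with closing(sqlite3.connect(os.path.join(d, "sqllog_05860_00.db"))) as con:
        con.execute("CREATE TABLE ABPerson (ROWID INTEGER PRIMARY KEY, First TEXT)")
    Path(d, "sqllog_05860_01.db").write_bytes(b"\x00" * 32)  # truncated/garbage copy: must be flagged
    Path(d, "sqllog_05860_00000.sql").write_text("SELECT * FROM ABPerson;\n")
    return d
```

Point inventory() at a directory pulled with afcclient (or from the jailbroken tmp directory) and a None entry under "db" means that copy should be re-pulled rather than analysed.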



Non-jailbroken devices


The problem now is that apps on iOS are "jailed" inside their containers, and without a full backup those containers still cannot be reached. But every rule has an exception, and sandbox profiles are no different.


Some built-in apps have write permission to the /var/mobile/Media/iTunes_Control/iTunes directory.

And some apps also hold the com.apple.security.exception.files.absolute-path.read-write or com.apple.security.exception.files.home-relative-path.read-write entitlement.


You can read these entitlements with the following command.

ideviceinstaller -l -o list_system -o xml

VoiceMemo:

<key>com.apple.security.exception.files.absolute-path.read-write</key>
<array>
   <string>/private/var/mobile/Media/Recordings/</string>
</array>
<key>platform-application</key>
<true/>

MobileSafari:

<key>com.apple.security.exception.files.home-relative-path.read-write</key>
  <array>
   <string>/Library/com.apple.itunesstored/</string>
   <string>/Library/com.apple.iTunesCloud/</string>
   <string>/Library/Caches/com.apple.Music/</string>
   <string>/Library/Cookies/</string>
   <string>/Media/</string>
   <string>/Library/Caches/com.apple.Radio/</string>
   <string>/Library/Caches/com.apple.iTunesStore/</string>
   <string>/Library/Caches/sharedCaches/com.apple.Radio.RadioImageCache/</string>
   <string>/Library/Caches/sharedCaches/com.apple.Radio.RadioRequestURLCache/</string>
   <string>/Library/com.apple.MediaSocial/</string>
   <string>/Library/DeviceRegistry/</string>
   <string>/Library/Logs/MediaServices/</string>
  </array>

iOS allows sandboxed file access to /var/mobile/Media. Many third-party iPhone management tools let you manipulate this location directly, some even through a GUI.

afcclient git:(master) $ ./afcclient mkdir Downloads/SQLite

Another readable location is CrashReporter. You can fetch its files with idevicecrashreport.



Keep in mind, though, that not all built-in apps have these exceptions, let alone third-party apps.


Demo


Launch Instruments during the test and use the frida script from the previous article, changing the bundle ID to the target.

/*
run Instruments.app, then
frida Instruments -l msg.js
*/
function getDevice() {
 const devices = ObjC.classes.XRDeviceDiscovery.availableDevices();
 const count = devices.count().valueOf();
 for (var i = 0; i < count; i++) {
   var device = devices.objectAtIndex_(i);
   if (device.platformName().toString() === "iPhoneOS" && device.connection()) {
     return device;
   }
 }
 throw new Error("unable to find device");
}

const newMsgFunc = ObjC.classes.DTXMessage["+ messageWithSelector:objectArguments:"].implementation;
const newMsg = new NativeFunction(newMsgFunc, "pointer",
 ["pointer", "pointer", "pointer", "...", "pointer", "pointer", "pointer", "pointer", "pointer", "pointer"]);

const opt = ObjC.classes.NSMutableDictionary.alloc().init();
opt.setObject_forKey_(0, ObjC.classes.NSString.stringWithString_("StartSuspendedKey")); // required

const args = ObjC.classes.NSMutableArray.alloc().init();
args.addObject_(ObjC.classes.NSString.stringWithString_("--if-you-need-some-thing")); // argv

const env = ObjC.classes.NSMutableDictionary.alloc().init();
env.setObject_forKey_(
 ObjC.classes.NSString.stringWithString_("3"),
 ObjC.classes.NSString.stringWithString_("CFNETWORK_DIAGNOSTICS")); // environment variables

const msg = new ObjC.Object(newMsg(
 ObjC.classes.DTXMessage,
 ObjC.selector("+ messageWithSelector:objectArguments:"),
 ObjC.selector("launchSuspendedProcessWithDevicePath:bundleIdentifier:environment:arguments:options:"),

 ObjC.classes.NSString.stringWithString_("this makes no sense"), // path, SpringBoard simply ignores it
 ObjC.classes.NSString.stringWithString_("com.apple.calculator"), // bundle id, must be already installed
 ObjC.classes.NSDictionary.dictionaryWithDictionary_(env),
 args.copy(),
 ObjC.classes.NSDictionary.dictionaryWithDictionary_(opt),
 NULL
))

const channel = getDevice().connection().makeChannelWithIdentifier_(
 "com.apple.instruments.server.services.processcontrol.feature.deviceio") // channel id

channel.sendControlSync_replyHandler_(msg, new ObjC.Block({
 retType: "void",
 argTypes: ["object", "pointer"],
 implementation: function(reply, len) {
   console.log("reply", reply.payloadObject())
 }
}))

com.apple.mobilesafari


Here we get Safari's browser state, bookmarks, history, per-site preferences, HTML5 local storage and even the cache. Note that Cache.db is normally not included in backups, and it stores HTTP requests in plain text.

afcclient git:(master) $ ./afcclient mkdir iTunes_Control/iTunes/safari
Created directory: iTunes_Control/iTunes/safari
afcclient git:(master) $ ./afcclient cat iTunes_Control/iTunes/safari/sqllog_02343.idx
0 /private/var/mobile/Containers/Data/Application/9210B36C-89E2-4728-9831-40CAA961C15E/Library/Image Cache/Favicons/Favicons.db
1 /var/mobile/Containers/Data/Application/9210B36C-89E2-4728-9831-40CAA961C15E/Library/Safari/BrowserState.db
2 /private/var/mobile/Containers/Data/Application/9210B36C-89E2-4728-9831-40CAA961C15E/Library/Image Cache/Touch Icons/TouchIconCacheSettings.db
3 /private/var/mobile/Containers/Data/Application/9210B36C-89E2-4728-9831-40CAA961C15E/Library/Image Cache/Password Icons/TouchIconCacheSettings.db
4 /var/mobile/Library/Safari/Bookmarks.db
5 /private/var/mobile/Containers/Data/Application/9210B36C-89E2-4728-9831-40CAA961C15E/Library/Safari/History.db
6 /var/mobile/Containers/Data/Application/9210B36C-89E2-4728-9831-40CAA961C15E/Library/WebKit/WebsiteData/LocalStorage/https_mobile.twitter.com_0.localstorage
7 /private/var/mobile/Containers/Data/Application/9210B36C-89E2-4728-9831-40CAA961C15E/Library/Safari/PerSitePreferences.db
8 /private/var/mobile/Containers/Data/Application/9210B36C-89E2-4728-9831-40CAA961C15E/Library/Caches/com.apple.mobilesafari/Cache.db

com.apple.mobilemail

afcclient git:(master) $ ./afcclient cat Mail/sqllog_04465.idx
0 /var/mobile/Library/Mail/Envelope Index
1 /var/mobile/Library/Mail/Protected Index
2 /var/mobile/Library/DeviceRegistry/5CFB9E7E-C465-4A92-B3ED-C744367AB766/NanoMail/registry.sqlite
3 /var/mobile/Library/AddressBook/AddressBook.sqlitedb

com.apple.mobilephone


Address book and call history:

hello:~ root# procexp all fds | grep -i sms.db
IMDPersistenceA    812 FD  4u  /private/var/mobile/Library/SMS/sms.db @0x0
IMDPersistenceA    812 FD  5u  /private/var/mobile/Library/SMS/sms.db-wal @0x0
IMDPersistenceA    812 FD  6u  /private/var/mobile/Library/SMS/sms.db-shm @0x0
hello:~ root# ps aux | grep 812
mobile           812   0.0  0.0  1664672   1296   ??  Ss   22Oct18   0:01.77 /System/Library/PrivateFrameworks/IMDPersistence.framework/XPCServices/IMDPersistenceAgent.xpc/IMDPersistenceAgent
root            6008   0.0  0.1  1593504   1536 s000  S+    2:50PM   0:00.01 grep 812
hello:~ root#
afcclient git:(master) $ ./afcclient mkdir iTunes_Control/iTunes/Phone
Created directory: iTunes_Control/iTunes/Phone
afcclient git:(master) $ ./afcclient cat iTunes_Control/iTunes/Phone/sqllog_04322.idx
0 /var/mobile///Library/CallHistoryDB/CallHistory.storedata
1 /var/mobile///Library/CallHistoryDB/CallHistoryTemp.storedata
2 /var/mobile/Library/AddressBook/AddressBook.sqlitedb

But you cannot extract sms.db this way, because it belongs to the XPC service IMDPersistenceAgent. The Messages app, com.apple.MobileSMS, talks to that service over XPC rather than opening the database itself.


*Source: Medium; compiled by FreeBuf editor secist. Please credit FreeBuf.COM when reposting.

