nabla-c0d3 / ssl-kill-switch2

Blackbox tool to disable SSL certificate validation - including certificate pinning - within iOS and macOS applications.

iOS 10.2, fishhook and tls_helper_create_peer_trust function #36

Closed strano666 closed 6 years ago

strano666 commented 6 years ago

Hi, I'm having some trouble hooking tls_helper_create_peer_trust in my project via fishhook.

I would like to intercept this call to know the state of SSL pinning, and I use fishhook to reach this goal.

Unfortunately, in my project fishhook doesn't seem to work. I'm testing on this app, where, with an Xcode Symbolic Breakpoint on tls_helper_create_peer_trust, I'm sure that it is called.

The code I've written is this:

```objc
#include <substrate.h>
#import <Security/SecureTransport.h>

#import <fishhook.h>

#import "SSLPinning.h"

// Receives the address of the original function when rebind_symbols() runs.
static OSStatus (*original_tls_helper_create_peer_trust)(void *hdsk, bool server, SecTrustRef *trustRef);

// Replacement: logs the call, then forwards to the original unchanged.
static OSStatus replaced_tls_helper_create_peer_trust(void *hdsk, bool server, SecTrustRef *trustRef)
{
    NSLog(@"Hooking SSLPinning");
    return original_tls_helper_create_peer_trust(hdsk, server, trustRef);
}

@implementation SSLPinning

+ (void)enableHooks {
    // One rebinding entry: symbol name, replacement, slot for the original pointer.
    rebind_symbols((struct rebinding[1]){{"tls_helper_create_peer_trust", replaced_tls_helper_create_peer_trust, (void *)&original_tls_helper_create_peer_trust}}, 1);
}

@end
```

My question is whether, to your knowledge, this approach still works. I know that this isn't strictly related to your project, and if this issue is a problem, sorry.

nabla-c0d3 commented 6 years ago

Fishhook and symbol interposing in general will not work to hook calls between Apple frameworks (such as NSURLSession -> tls_helper_create_peer_trust). See https://nabla-c0d3.github.io/blog/2015/10/17/trustkit-ios-9-shared-cache/
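
The limitation described in the reply above, as a toy C model added here (not code from the thread, fishhook, or Apple). It assumes, as a simplification, that a call made from inside a system framework has no rewritable symbol-pointer slot in the calling image; `struct image`, `model_rebind`, `model_call` and `run_model` are hypothetical names.

```c
#include <stdio.h>
#include <string.h>
/* Toy model, constructed for illustration. An image reaches an external
 * function through a writable symbol-pointer slot or a call bound ahead of time. */
typedef int (*trust_fn)(void);

static int hook_hits;
static int real_peer_trust(void) { return 0; }
static int hooked_peer_trust(void) { hook_hits++; return real_peer_trust(); }

struct image {
    const char *slot_symbol; /* NULL: the image has no slot for this call */
    trust_fn slot;           /* indirect pointer, the only thing a rebind can change */
    trust_fn direct;         /* target bound ahead of time */
};

/* Rebinding by name: overwrite every matching slot, report how many changed. */
static int model_rebind(struct image *imgs, int n, const char *sym, trust_fn repl) {
    int patched = 0;
    for (int i = 0; i < n; i++)
        if (imgs[i].slot_symbol && strcmp(imgs[i].slot_symbol, sym) == 0) {
            imgs[i].slot = repl;
            patched++;
        }
    return patched;
}

static int model_call(const struct image *img) {
    return img->slot_symbol ? img->slot() : img->direct();
}

/* Returns slots patched; reports hook hits after each kind of call. */
int run_model(int *fw_hits, int *app_hits) {
    struct image imgs[2] = {
        { "tls_helper_create_peer_trust", real_peer_trust, NULL }, /* app image */
        { NULL, NULL, real_peer_trust },              /* system framework image */
    };
    hook_hits = 0;
    int patched = model_rebind(imgs, 2, "tls_helper_create_peer_trust", hooked_peer_trust);
    model_call(&imgs[1]); *fw_hits = hook_hits;   /* framework-internal call */
    model_call(&imgs[0]); *app_hits = hook_hits;  /* call made by the app itself */
    return patched;
}

int main(void) {
    int fw, app, patched = run_model(&fw, &app);
    printf("patched=%d framework_hits=%d app_hits=%d\n", patched, fw, app);
    return 0;
}
```

In this model the rebind succeeds for the app image, yet the hook is only reached when the app itself makes the call; a breakpoint on the real function still fires for the framework-internal call.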