Closed rohinideo1812 closed 1 year ago
Hey!
Thanks for the information!
Hi,
I can confirm that Shadow with fishhook as the hooking library will bypass detection (using Cydia Substrate as the hooking library will crash my app).
@r3ggi it seems that Shadow hooks dyld functions. Is there even then a chance to detect / prevent such a case?
The IOSSecuritySuite implementation of denySystemHook relies on those dyld functions, e.g. FishHookChecker, so using denySystemHook wouldn't solve the problem, right?

```swift
static func denyFishHook(_ symbol: String) {
    var symbolAddress: UnsafeMutableRawPointer?
    for imgIndex in 0..<_dyld_image_count() { // 1. if this got hooked and returns false data
        if let image = _dyld_get_image_header(imgIndex) {
            if symbolAddress == nil {
                _ = SymbolFound.lookSymbol(symbol, at: image, imageSlide: _dyld_get_image_vmaddr_slide(imgIndex), symbolAddress: &symbolAddress)
            }
            if let symbolPointer = symbolAddress {
                var oldMethod: UnsafeMutableRawPointer?
                // 2. then this might never be called :(
                FishHook.replaceSymbol(symbol, at: image, imageSlide: _dyld_get_image_vmaddr_slide(imgIndex), newMethod: symbolPointer, oldMethod: &oldMethod)
            }
        }
    }
}
```
Hey @rohinideo1812 & @MarcoEidinger!
I finally had time to sit on the Shadow detector. After Shadow's source code investigation I found a way to detect it.
In 1.9.7 (new IOSSecuritySuite version) the detection has been added and tested. 🚀
> @r3ggi it seems that Shadow hooks dyld functions. Is there even then a chance to detect / prevent such a case?
I have an idea how to detect that, but it has to be tested :-)
@r3ggi thank you so much!! I confirmed that 1.9.7 detects Shadow with the objective-c class check 👍
@r3ggi Sorry, the newest version of Shadow can bypass jailbreak devices... IOSSecuritySuite version: 1.9.8
Shadow modified the selector from 'isURLSchemeRestricted' to 'isSchemeRestricted' 😭.
check now :-) ISS 1.9.9 updated this
With the new versions of shadow jailbreak it's possible to bypass jailbreak devices - https://github.com/jjolano/shadow
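
An added example, not IOSSecuritySuite's code and not from any participant in this thread: the Objective-C class check discussed above stopped matching once the selector was renamed from 'isURLSchemeRestricted' to 'isSchemeRestricted', so the code below enumerates a class's methods and matches on a shared name fragment instead of one fixed selector. The function name, the fragment "SchemeRestricted" and the stub class are assumptions; the thread does not name the class being probed, so a constructed stub stands in for it.

```swift
import Foundation
import ObjectiveC

/// Returns every selector name on `className` (instance and class methods)
/// that contains one of `fragments`. Empty when the class is not loaded
/// or nothing matches. Hypothetical helper, not an IOSSecuritySuite API.
func suspiciousSelectors(onClassNamed className: String,
                         matching fragments: [String]) -> [String] {
    guard let cls: AnyClass = NSClassFromString(className) else { return [] }
    var hits: [String] = []
    // Instance methods live on the class, class methods on its metaclass.
    let targets: [AnyClass?] = [cls, object_getClass(cls)]
    for case let target? in targets {
        var count: UInt32 = 0
        guard let methods = class_copyMethodList(target, &count) else { continue }
        defer { free(methods) }  // the list is malloc'd by the runtime
        for i in 0..<Int(count) {
            let name = NSStringFromSelector(method_getName(methods[i]))
            if fragments.contains(where: { name.contains($0) }) {
                hits.append(name)
            }
        }
    }
    return hits
}

// Constructed stand-in so the check can be exercised with no tweak loaded.
// It carries the renamed selector from the thread; the class name is made up.
@objc(ConstructedTweakStub)
final class ConstructedTweakStub: NSObject {
    @objc func isSchemeRestricted(_ scheme: String) -> Bool { return false }
}

// The fragment covers both spellings reported in the thread, so the probe
// does not depend on which of the two names the loaded class exposes.
let fragments = ["SchemeRestricted"]
let hits = suspiciousSelectors(onClassNamed: "ConstructedTweakStub",
                               matching: fragments)
if hits.isEmpty {
    print("no matching selectors (inconclusive, not proof of a clean device)")
} else {
    print("matching selectors:", hits.joined(separator: ", "))
}
```

A further rename that drops the fragment would defeat this probe as well, so an empty result should be treated as inconclusive and combined with independent checks.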