securing / IOSSecuritySuite

iOS platform security & anti-tampering Swift library
https://www.securing.biz/

Shadow Jailbreak new version introduced. #78

Closed rohinideo1812 closed 1 year ago

rohinideo1812 commented 1 year ago

With the new versions of shadow jailbreak it's possible to bypass jailbreak devices - https://github.com/jjolano/shadow

r3ggi commented 1 year ago

Hey!

Thanks for the information!

MarcoEidinger commented 1 year ago

Hi,

I can confirm that Shadow with fishhook as hooking library will bypass detection (using Cydia Substrate as hooking library will crash my app).

@r3ggi it seems that Shadow hooks dyld functions. Is there even then a chance to detect / prevent such a case?

The IOSSecuritySuite implementation of denySystemHook relies on those dyld functions, e.g. FishHookChecker, so using denySystemHook wouldn't solve the problem, right?

    // Quoted from IOSSecuritySuite's FishHookChecker. Needs `import MachO` at file
    // scope for the _dyld_* calls; SymbolFound and FishHook are the library's own helpers.
    static func denyFishHook(_ symbol: String) {
        var symbolAddress: UnsafeMutableRawPointer?

        // Walk every loaded Mach-O image: resolve the symbol's real address once,
        // then rebind the lazy/non-lazy pointer in each image back to it.
        for imgIndex in 0..<_dyld_image_count() { // 1. if this got hooked and returns false data
            if let image = _dyld_get_image_header(imgIndex) {
                if symbolAddress == nil {
                    _ = SymbolFound.lookSymbol(symbol, at: image, imageSlide: _dyld_get_image_vmaddr_slide(imgIndex), symbolAddress: &symbolAddress)
                }
                if let symbolPointer = symbolAddress {
                    var oldMethod: UnsafeMutableRawPointer?
                    // 2. then this might never be called :(
                    FishHook.replaceSymbol(symbol, at: image, imageSlide: _dyld_get_image_vmaddr_slide(imgIndex), newMethod: symbolPointer, oldMethod: &oldMethod)
                }
            }
        }
    }

r3ggi commented 1 year ago

Hey @rohinideo1812 & @MarcoEidinger!

I finally had time to sit on the Shadow detector. After Shadow's source code investigation I found a way to detect it.

In 1.9.7 (new IOSSecuritySuite version) the detection has been added and tested. 🚀

r3ggi commented 1 year ago

> @r3ggi it seems that Shadow hooks dyld functions. Is there even then a chance to detect / prevent such case?

I have an idea how to detect that, but it has to be tested :-)

MarcoEidinger commented 1 year ago

@r3ggi thank you so much!! I confirmed that 1.9.7 detects Shadow with the objective-c class check 👍

luzsyn commented 1 year ago

@r3ggi Sorry, the newest version of Shadow can bypass jailbreak devices... IOSSecuritySuite version: 1.9.8

luzsyn commented 1 year ago

Shadow modified the selector from 'isURLSchemeRestricted' to 'isSchemeRestricted' 😭.

r3ggi commented 1 year ago

Check now :-) ISS 1.9.9 updated this.
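Added example of the Objective-C runtime check discussed above (the class check that 1.9.7 introduced and the selector rename that bypassed 1.9.8). This is not IOSSecuritySuite's code; the helper names and the selector list are assumptions built only from the two selectors named in the thread.

```swift
import Foundation
import ObjectiveC

/// Selectors the thread reports Shadow's Objective-C class implementing:
/// `isURLSchemeRestricted` (caught by ISS 1.9.7) and `isSchemeRestricted`
/// (the rename that bypassed 1.9.8). Extend this list when Shadow changes again.
let shadowSelectorNames = ["isURLSchemeRestricted", "isSchemeRestricted"]

/// Walks every class registered with the Objective-C runtime and returns the
/// first (class name, selector) pair where the class implements one of the
/// given selectors as an instance method, or nil if no such class is loaded.
/// Hypothetical helper, not part of IOSSecuritySuite.
func classImplementingAny(of selectorNames: [String]) -> (className: String, selector: String)? {
    let selectors = selectorNames.map { NSSelectorFromString($0) }

    // objc_getClassList is called twice: once to size the buffer, once to fill it.
    let count = Int(objc_getClassList(nil, 0))
    guard count > 0 else { return nil }
    let storage = UnsafeMutablePointer<AnyClass?>.allocate(capacity: count)
    storage.initialize(repeating: nil, count: count)
    defer {
        storage.deinitialize(count: count)
        storage.deallocate()
    }
    let buffer = AutoreleasingUnsafeMutablePointer<AnyClass?>(storage)
    let filled = Int(objc_getClassList(buffer, Int32(count)))

    for index in 0..<min(count, filled) {
        guard let cls = storage[index] else { continue }
        for (name, selector) in zip(selectorNames, selectors) {
            // class_getInstanceMethod inspects the method list without sending
            // the selector to any instance, so every loaded class can be probed.
            if class_getInstanceMethod(cls, selector) != nil {
                return (NSStringFromClass(cls), name)
            }
        }
    }
    return nil
}

/// True when a loaded class exposes one of Shadow's known selectors.
/// A legitimate app class implementing the same selector name would also
/// trigger this, so treat it as one signal among several, not a verdict.
func shadowDetected() -> Bool {
    return classImplementingAny(of: shadowSelectorNames) != nil
}

if let hit = classImplementingAny(of: shadowSelectorNames) {
    print("class \(hit.className) implements \(hit.selector)")
} else {
    print("no loaded class implements Shadow's known selectors")
}
```

Because the check keys on selector names, it needs updating each time Shadow renames them, exactly as happened between 1.9.7 and 1.9.9.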