當前位置：首頁 > 報告詳情

Asia-24-Frielingsdorf-YouShallNotPassAnalysing.pdf

上傳人：張** 編號：161159 2024-05-05 PDF PDF 163頁 19.35MB

該報告所屬合集： Black Hat Asia 2024嘉賓演講PPT合集

打包下載報告合集

文檔加載中……請稍候！
如果長時間未打開，您也可以點擊刷新試試。

下載報告到電腦，查找使用更方便

VIP專享文檔

書簽

分享

收藏

已收藏

版權投訴

/163

立即下載

word格式文檔無特別注明外均可編輯修改，預覽文件經過壓縮，下載原文更清晰！

三個皮匠報告文庫所有資源均是客戶上傳分享，僅供網友學習交流，未經上傳用戶書面授權，請勿作商用。

《Asia-24-Frielingsdorf-YouShallNotPassAnalysing.pdf》由會員分享，可在線閱讀，更多相關《Asia-24-Frielingsdorf-YouShallNotPassAnalysing.pdf（163頁珍藏版）》請在三個皮匠報告上搜索。

1、#BHASIA BlackHatEventsYou Shall not PASSAnalysing a NSO iOS Spyware SampleMatthias Frielingsdorf#BHASIA BlackHatEventsMatthias FrielingsdorfVP of Research at iVerifyiOS Malware&Mobile Device Securityhelthydriver#BHASIA BlackHatEventsSeptember 7th 2023#BHASIA BlackHatEventsiOS 9iOS 10iOS 11iOS 12iOS

2、13iOS 14iOS 15iOS 16Infection VectorTargetsDetection&Technical Analysis IOCsDetectionCVEsAttributioniMessageCitizen LabNSOPassKitAttachmentUSA Based Civil Society Forensic AnalysisCVE-2023-41061CVE-2023-410642023 Pegasus BLASTPASS Exploit#BHASIA BlackHatEventsSome BlastPass ReportsApple-About the se

3、curity content of iOS 16.6.1 and iPadOS 16.6.1https:/ 7th 2023 https:/citizenlab.ca/2023/09/blastpass-nso-group-iphone-zero-click-zero-day-exploit-captured-in-the-wild/Amnesty International-Forensic appendix:Pegasus 0-Clickhttps:/securitylab.amnesty.org/latest/2023/12/pegasus-zero-click-exploit-thre

4、atens-journalists-in-india/iVerify-Clipping Wings:Our Analysis of a Pegasus Spyware Samplehttps:/www.iverify.io/post/clipping-wings-our-analysis-of-a-pegasus-spyware-sample#BHASIA BlackHatEventsToday#BHASIA BlackHatEventsNo 0-Days revealed#BHASIA BlackHatEventsNo weaponised sample leaked!#BHASIA Bla

5、ckHatEventsBut#BHASIA BlackHatEventsA journey on how we discovered and analyzed the latest sample of NSOs Pegasus Exploit!#BHASIA BlackHatEventsTodayDetecting iOS Malware with Forensic AnalysisShow the Steps which are necessary to unveil the final PayloadDiscuss some Indicators of Compromise for thi

6、s specific sample.123#BHASIA BlackHatEvents#BHASIA BlackHatEventsHow to do Forensic Analysis?#BHASIA BlackHatEventsOBTSv5 In Walled Gardens be care Fun of Poisoned Apples2023Previous iOS Malware Detection Talks2022HITB AMS Poisoned Apples-Current state of iOS Malware DetectionOBTSv6 Poisoned -How do

7、 we find them?https:/objectivebythesea.org/v5/talks.html#Speaker_23https:/conference.hitb.org/hitbsecconf2023ams/session/poisoned-apples-current-state-of-ios-malware-detection/https:/objectivebythesea.org/v6/talks.html#Speaker_28#BHASIA BlackHatEventsOctober 2023-Customer contact#BHASIA BlackHatEven

8、tsPotential compromised device#BHASIA BlackHatEventsCrashlogsTelemetry DataData Sources in this CaseiTunes Backups#BHASIA BlackHatEventsCrashlogsTelemetry DataAnalysis ToolsiTunes BackupsScriptsScriptsMVTData Sources#BHASIA BlackHatEventsiOS Malware Analysis-ToolsBackups-Amnesty Security Lab Mobile

9、Verification Toolkithttps:/docs.mvt.re/en/latest/Crashlogs-Apple Documentationhttps:/ BlackHatEventsExample Suspicious Activities Process starting from/private/var/tmp Process doing Network Calls Files wrote to Disk Process crashes repeatedly#BHASIA BlackHatEvents25x homed Crashes 09:30-10:0010:00-1

10、0:3035 MessagesBlastDoorService Crashes 10:30-11:00Crashlogs#BHASIA BlackHatEventsThats suspicious#BHASIA BlackHatEventsopen-a Console.app Crashes/homed/homed-2023-0*ipsHardware ModelProcessPathIdentifierParent ProcessDate/TimeLaunch TimeOS VersionException TypeTermination ReasonTerminating Processi

11、Phone14,2homed 33317/System/Library/PrivateFrameworks/HomeKitDaemon.framework/Support/homedhomedlaunchd 12023-0*.*+01002023-0*.*+0100iPhone OS 16.6(20G75)EXC_CRASH(SIGABRT)SIGNAL 6 Abort trap:6homed 33317Homed Crash#BHASIA BlackHatEventsHardware ModelProcessPathIdentifierParent ProcessDate/TimeLaunc

12、h TimeOS VersionException TypeException SubTypeTerminating ProcessTriggered by ThreadiPhone14,2MessagesBlastDoorService 34002/System/Library/PrivateFrameworks/MessagesBlastDoorSupport.framework/XPCServices/MessagesBlastDoorService.xpc/MessagesBlastDoorServicecom.apple.MessagesBlastDoorServicelaunchd

13、 12023-0*.*+01002023-0*.*+0100iPhone OS 16.6(20G75)EXC_BAD_ACCESS(SIGBUS)KERN_PROTECTION_FAILURE at 0 x000000016d2a7f08exc handler 340020open-a Console.app Crashes/MessagesBlastDoorService/MessagesBlastDoorService-2023-0*.*.ipsMessagesBlastDoorService Crash#BHASIA BlackHatEvents0 x1c191e644 _CFStrin

14、gEncodeByteStream+760 x1bbbdfeb0-NSString(NSStringOtherEncodings)getBytes:maxLength:usedLength:encoding:options:range:remainingRange:+2600 x1c1914c70-NSTaggedPointerString getBytes:maxLength:usedLength:encoding:options:range:remainingRange:+1000 x1bbbdec9c-NSString(NSStringOtherEncodings)getCString:

15、maxLength:encoding:+1360 x1bbbdeab8 NSClassFromString+760 x1bbbfe838 _decodeObjectBinary+16480 x1bbbd748c-NSKeyedUnarchiver _decodeArrayOfObjectsForKey:+15920 x1bbbd6a88-NSArray(NSArray)initWithCoder:+1520 x1bbbfeb4c _decodeObjectBinary+24360 x1bbbd748c-NSKeyedUnarchiver _decodeArrayOfObjectsForKey:

16、+15920 x1bbbd6a88-NSArray(NSArray)initWithCoder:+1520 CoreFoundation1 Foundation2 CoreFoundation3 Foundation4 Foundation5 Foundation6 Foundation7 Foundation8 Foundation9 Foundation10 Foundationopen-a Console.app Crashes/MessagesBlastDoorService/MessagesBlastDoorService-2023-0*MessagesBlastDoorServic

17、e Crash#BHASIA BlackHatEvents0 x1bbbfeb4c _decodeObjectBinary+24360 x1bbbd748c-NSKeyedUnarchiver _decodeArrayOfObjectsForKey:+15920 x1bbbd6a88-NSArray(NSArray)initWithCoder:+1520 x1bbbfeb4c _decodeObjectBinary+24360 x1bbbd748c-NSKeyedUnarchiver _decodeArrayOfObjectsForKey:+15920 x1bbbd6a88-NSArray(N

18、SArray)initWithCoder:+1520 x1bbbfeb4c _decodeObjectBinary+24360 x1bbbd748c-NSKeyedUnarchiver _decodeArrayOfObjectsForKey:+15920 x1bbbd6a88-NSArray(NSArray)initWithCoder:+152*0 x1bbbd748c-NSKeyedUnarchiver _decodeArrayOfObjectsForKey:+15920 x1bbbd6a88-NSArray(NSArray)initWithCoder:+1520 x1bbbd6a88 _d

19、ecodeObjectBinary+24360 x1bbbfeb4c -NSKeyedUnarchiver _decodeArrayOfObjectsForKey:+159211 Foundation12 Foundation13 Foundation14 Foundation15 Foundation16 Foundation17 Foundation18 Foundation19 Foundation*507 Foundation508 Foundation509 Foundation510 Foundationopen-a Console.app Crashes/MessagesBlas

20、tDoorService/MessagesBlastDoorService-2023-0*MessagesBlastDoorService Crash#BHASIA BlackHatEventsThats suspicious2#BHASIA BlackHatEventsLets quickly check the Backup!#BHASIA BlackHatEventsIMTransferAgent/com.apple.datausage.messages IN:32561646.0,OUT:621714.0IMTransferAgent/com.apple.datausage.messa

21、ges IN:32561646.0,OUT:621714.0IMTransferAgent/com.apple.datausage.messages IN:32561646.0,OUT:621714.0IMTransferAgent/com.apple.datausage.messages IMTransferAgent/com.apple.datausage.messagesIMTransferAgent/com.apple.datausage.messagesMVT Extract DataUsage.sqlite-2023-0*-WWAN Data12:*12:*12:*12:*12:*

22、12:*Backup#BHASIA BlackHatEventsLibrary/SMS/Attachments/a8/08/*/sample.pkpassLibrary/SMS/Attachments/a8/08/*Library/SMS/Attachments/a8/08MVT Extract Manifest.db-2023-0*-Files12:*12:*12:*Backup#BHASIA BlackHatEventsThats interesting,are there more?#BHASIA BlackHatEventsLibrary/SMS/*/sample.pkpassLibr

23、ary/SMS/*/sample.pkpassLibrary/SMS/*/sample.pkpassLibrary/SMS/*/sample.pkpassLibrary/SMS/*/sample.pkpassLibrary/SMS/*/sample.pkpassLibrary/SMS/*/sample.pkpassLibrary/SMS/*/sample.pkpassMVT Extract Manifest.db-2023-0*-Files12:*12:*12:*12:*12:*12:*12:*12:*Backup#BHASIA BlackHatEventsSuspicious!#BHASIA

24、 BlackHatEventsBut,are those Files in the Backup?#BHASIA BlackHatEventsYes!#BHASIA BlackHatEvents#BHASIA BlackHatEventsls-la sampletotal 175-rw-1 matthias staff 175233 0*sample.pkpassLets have a look!#BHASIA BlackHatEventsSo whats a wallet pass?#BHASIA BlackHatEventsYouApples PKPass format,also know

25、n as PassKit,is the file format used for storing and distributing digital passes for Apple Wallet(formerly known as Passbook).These passes can represent various items such as boarding passes,event tickets,loyalty cards,coupons,and more.The PKPass format is essentially a compressed archive that conta

26、ins all the information needed for the pass to be displayed within Apple Wallet.This includes metadata such as the pass type,organization name,pass serial number,and expiration date,as well as graphical assets such as images and logos.The PKPass file typically has a.pkpass file extension and is esse

27、ntially a ZIP archive that contains JSON files for pass information,along with images and other resources required for display.PassKit provides APIs and tools for developers to create,distribute,and manage digital passes for Apple Wallet,allowing businesses and organizations to offer convenient digi

28、tal alternatives to traditional physical cards and tickets.PWhats apples pk.pass format?Chat GPTAttempt Two#BHASIA BlackHatEventsLets have a look!file sample.pkpasssample.pkpass:Zip archive data,at least v2.0 to extract,compression method=deflatels-la sampletotal 175-rw-1 matthias staff 175233 0*sam

29、ple.pkpass#BHASIA BlackHatEventsls-la sample.pkpasstotal 11480-rw-1 matthias-trail staff 61653 *2023 background.png-rw-1 matthias-trail staff 5795842*2023 logo.png-rw-1 matthias-trail staff 175 *2023 manifest.json-rw-1 matthias-trail staff 18 *2023 pass.json-rw-1 matthias-trail staff 3392 *2023 sign

30、atureThats 5.8 MB!Lets have a look!#BHASIA BlackHatEventsThat logo is huge!#BHASIA BlackHatEventsLets file“againlogoBackgroundWebPPNGmanifestJSONPassJSONSignatureData#BHASIA BlackHatEventsThe WebP Vulnerability#BHASIA BlackHatEvents#BHASIA BlackHatEventsThe WebP 0dayThe WebP VulnerabilityA Vulnerabi

31、lity to Hack The World-CVE-2023-4863https:/ The.webp Vulnerability in 8s(Fuzzing with AFL+)https:/ 24-May 10th-11th BLASTING PAST WEBPhttps:/www.offensivecon.org/speakers/2024/ian-beer.htmlIan Beer#BHASIA BlackHatEvents4Lets take a closer look#BHASIA BlackHatEventsWhats the best tool for Malware Ana

32、lysis?#BHASIA BlackHatEventsStrings!#BHASIA BlackHatEventsstrings logo.pngAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

33、AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

34、AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

35、AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

36、AAAAAAAAFirst try Strings!#BHASIA BlackHatEventsSecond try Strings!strings logo.png|lessRIFFWEBPVP8X*bplist00*_NSCallStackArraystringWithUTF8String:sel_registerNameobjc_msgSendNSClassFromString*dlopenmemcpystrtolallocclass_getMethodImplementationFUNCTION(FUNCTION(FUNCTION(CAST(NSThread,Class),curren

37、tThread),threadDictionary),setObject:forKey:,FUNCTION(#BHASIA BlackHatEvents#BHASIA BlackHatEventsLets extract this bplist file!#BHASIA BlackHatEventsdd if=logo.png skip=1170 bs=1 logo.plist#BHASIA BlackHatEventsYouplutil*plutil-p path/to/your/file.bplistPlistBuddy*/usr/libexec/PlistBuddy-c Print pa

38、th/to/your/file.bplistPWhat are command lines tools I can use to view a bplist file?Chat GPTWhats a BPLIST?#BHASIA BlackHatEvents plutil-p logo.plist|less S5bA=0=value=0 1=0=value=0 1=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

39、AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA*AAAAAAAAAAA

40、AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

41、AAAAAAAAAAAAAAAAAAAAAAAAA“Second try Strings!#BHASIA BlackHatEvents plutil-p logo.plist*113052=36028797018965100 113053=36028797018964917 113054=36028797018964732 113055=36028797018964549 113056=36028797018964364 113057=36028797018964181 113058=36028797018963996 113059=36028797018965340 113060=36028

42、797018965157 SWxJ=value=0Second try Strings!#BHASIA BlackHatEvents/usr/libexec/PlistBuddy-c Print logo.plist|lessDict SWxJ=Unprintable Data SHVN=Dict SWxJ=Unprintable Data SHVN=Dict SWxJ=Unprintable Data SHVN=Unprintable Data S94R=SRYR=*S2dp=Dict SWxJ=Unprintable Data SHVN=S94R=Array Unprintable Dat

43、a *Second try Strings!#BHASIA BlackHatEvents/usr/libexec/PlistBuddy-c Print logo.plist*1?W?1x+?V?1?W?3p?W?x+?V?1?W?1x+?V?1?WH?1?W3p?W?1?W?x+?1?W?TcWx+?VH?1?W0?3p?Wx?1?W?1?W?x+?V?1?W?1x+?V?3p?W?1?Wh?1x+?VX?1?W?1?W(?1?W?3p?W?x+?Vh?1?W?1x+?V?1?W?1?Wh?3p?W?1?W?1x+?V?r3?W?x+?V0s3?W3p?W?1x+?Vps3?W?r3?Wt3?

44、W?x+?V8?3p?Wt3?W?1x+?V?t3?W?r3x+?V?t3?W?3p?W?s3?Whu3?W?x+?V?u3?W?1x+?3p?W?u3?Wu3?Wxv3?W?x+?V?v3?Wp?3p?W?1x+?V8w3?W8u3x+?Vxw3?W?s3x+?V3p?W?v3?W(v3?W0 x3?W?x+?Vpx3?W?3p?W?TcWx+?V?x3?W?w3?Wy3?W?x+?V?3p?W?y3?Wx3x+?V?y3?W?x3?Wz3?W?3p?W?x3F?z3?Wy3x+?VHz3?Wz3x+?Vx?3p?W03?W?x+?Vp3?W?TcWx+?V?3?W?3p?W?z3?W|3?

45、W?x+?V?|3?W3x+?VH?3p?W?|3?W?3?W3?W?3F?3?W?3p?W|3x+?V3?Wz3x+?V(3?W?x+?V?3p?Wh3?W?1x+?V?3?W?3?W83?W?3p?WHv3x+?Vx3?W?x+?V?3?W?1x+?V?3p?W8?3?W?3x+?V?3?W?3?W Array Unprintable Data Second try Strings!#BHASIA BlackHatEvents#BHASIA BlackHatEventsWe need to understand this better!#BHASIA BlackHatEventsbplis

46、t NSKeyedArchiver#BHASIA BlackHatEvents1Dictionary-Root Object23NRefSimple NSKeyedArchiverRoot#BHASIA BlackHatEvents1Dictionary-Root Object23NRefObjectsArrayDictionaryIntegerStringSimple NSKeyedArchiverRoot#BHASIA BlackHatEvents1Dictionary-Root Object23NRefObjectsArrayDictionaryIntegerString3356Key

47、8Key 9Array 1N1HelloWorld“ObjectsSimple NSKeyedArchiverRoot#BHASIA BlackHatEvents1Dictionary-Root Object23NKeysObjectsArrayDictionaryIntegerString3356Key 8Key 9Array 1N1HelloWorld“ObjectsSimple NSKeyedArchiverRoot#BHASIA BlackHatEventsTime for some Python Magic#BHASIA BlackHatEventsPython MagicImpor

48、t your favourite NSKeyedArchiver Lib e.g.plistlib.pyRead/Understand the Code.Set some Breakpoints if needed.Replace Array/Objects/Dictionaries with their Top Level KeysPrint the result 123456#BHASIA BlackHatEventsAre we better off?cat logo.plist_root.txt|lessParsing Object Ref:0-Dictionary:-Keys(1,2

49、,1,3,1,1,4,1,5,1,1,6)-Keys(7,8,130,166,227,207,242,130,166,227,207,242)Parsing Object Ref:1-String:SWxJParsing Object Ref:2-String:SRYRParsing Object Ref:3-String:SHVNParsing Object Ref:4-String:S69OParsing Object Ref:5-String:S94R*#BHASIA BlackHatEventsAre we better off?cat logo.plist_root.txt*Pars

50、ing Object Ref:260-UID:UID(0)Parsing Object Ref:261-Array:(262,263,263,263,263,263,263,263,263,263,263)Parsing Object Ref:262-UID:UID(0)Parsing Object Ref:263-Data:bx00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00

51、 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00*x00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00

52、 x00 x00 x00 x00 x00#BHASIA BlackHatEventsYes!We are down to 264 individual objects#BHASIA BlackHatEventsSome interesting onesObject Ref:8(9,10,*,10,11(x15),10,*,10,11(x15),10,*,10,11(x15),10,*,11(x15),10,*10,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,4

53、2,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129)#BHASIA

54、 BlackHatEventsSome interesting onesObject Ref:11-Data:bx00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x80&x00 x00 x01x00 x00 x00 x1fx00 x00 x00 x00 x00 x00 x00 x10 x00 x8bVx02x00 x00 x00 xb0 xc31x16x02x00 x00 x00Xxe3x01x00 x00 x00 x00 x00*FUNCTION(FU

55、NCTION(FUNCTION(CAST(NSThread,Class),currentThread),threadDictionary),setObject:forKey:,FUNCTION(eJwtlTWy7UASRBckQ0ymmPGKPTEza/Xz5s8YJ7oio63MjKou8fWCjUQpr8CeRC/8wxol1qgg1hvy/M7Lyyk2GlV3b1JlnId5kxQ27msxE1aF07gO1uagD9h0emvODEJomOGjV7x0EB0OCo8MuUQW/mkKoxcjfdO5Z3042k2TMaDFmE0meIEVDUS/5xi/pSG9X/ZtR83VjaJ

56、wHKcIhqYoyhxjfV23rvcTOJFtaiWQtrXWoMVtRmx+oGnuGgyTPNTlSNRlUdTlQfjhelJM3Zbh6k8g0k5QpF9dUxrDOUeCq6wsOknHKUkrKUnHGiTzUz5udFvTcFs9d1t7/xg2AYw8sMzcM5weNniprGpXXY0QRwxN3znxZGrw2cO47Za8HkdMVMtGXqpOxVtL+xg+ALRpVIbkZNYPirnNcIovd9ARC0tMvMxHdrO6vO7cBFgJVX5iqHjiyQ56zpwhNsT7jcBx14SYHFW1d7xihDBDNQ9BqMAVFpJ5DYNddLw

57、yQAoSD7DsZviErXgwwECl2xrlnZoYr9Adg5NMT7fKQjLqCIqZrcATxV+UvNMth283C97uB4h2yWIXJvgQ9kaUFIHsS7daVtVbeHBaVLTmAQqAvWsg5Y3APYEPn5Gi4Shtz3Jq/zcVliJfrGVN3VQwi8s1Q37/uwEle/fkbm7BGe+N2hesZvk/NeNpbjHl4tcbwPLHGRCl/WtwJ+GRqAzDYR1YSPiVxqPffhxf+BJlG6wS0g/5feaf9ptWKq1TMFnrP3tXZqp/goPIEOz5/LRu4jwqFFRQEGw0im6iaw2+9kQ

58、mNXjn0tZuWfhlEzpOcrbssLZs*#BHASIA BlackHatEventsThats our payload!#BHASIA BlackHatEvents4Some interesting onesObject Ref:182AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA*AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAObject Ref:25

59、4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA*AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAObject Ref:259-Array:(260,11,11,11,11,11,11,11,11,11,11)#BHASIA BlackHatEventsMentioning of Payload 111182592420#BHASIA BlackHatEventsLets inspect that payload!#BHASIA BlackHatEventsThe PayloadBinary StuffBinary+StringsNSExp

60、ressionBinary+Stringsx00*x00Binary StuffBinary+StringsNSExpressionBinary+Stringsx00*x001 MB of Binary DataWhats does this do?Whats does this do?Whats does this do?Whats does this do?Whats does this do?#BHASIA BlackHatEventsThe PayloadBinary StuffBinary+StringsNSExpressionBinary+Stringsx00*x00Binary

61、StuffBinary+StringsNSExpressionBinary+Stringsx00*x001 MB of Binary DataWhats does this do?Whats does this do?Whats does this do?Whats does this do?Whats does this do?#BHASIA BlackHatEvents#BHASIA BlackHatEventsWhats an NSExpression?#BHASIA BlackHatEventsFUNCTION(Receiver,SelectorName,Arguments,.)htt

62、ps:/ BlackHatEventshttps:/ BlackHatEventsSee No Eval:Runtime Dynamic Code Execution in Objective-CNS Expression LinksCode Coloristhttps:/codecolor.ist/2021/01/16/see-no-eval-runtime-code-execution-objc/FORCEDENTRY:Sandbox EscapeGoogle Project 0(Ian Beer&Samuel Gro)https:/ USA 2023-Apples Predicament

63、:NSPredicate Exploits on iOS and macOSAustin Emmethttps:/ the Safari Sandbox in iOS 16 Ian Beerhttps:/objectivebythesea.org/v6/talks.html#Speaker_12#BHASIA BlackHatEventsWhy is this still possible?#BHASIA BlackHatEventsFUNCTION(FUNCTION(FUNCTION(CAST(NSThread,Class),currentThread),threadDictionary),

64、setObject:forKey:,FUNCTION(PAYLOAD-CS,componentsJoinedByString:,).aaf_toBase64DecodedData._CUTDecompressData.base64Encoding.aaf_toBase64DecodedString,cs)FUNCTION(FUNCTION(FUNCTION(CAST(NSThread,Class),currentThread),threadDictionary),setObject:forKey:,FUNCTION(PAYLOAD-C,componentsJoinedByString:,).a

65、af_toBase64DecodedData._CUTDecompressData.base64Encoding.aaf_toBase64DecodedString,c)FUNCTION(FUNCTION(FUNCTION(CAST(NSThread,Class),currentThread),threadDictionary),setObject:forKey:,FUNCTION(PAYLOAD-X).aaf_toBase64DecodedData._CUTDecompressData.base64Encoding.aaf_toBase64DecodedString,x)FUNCTION(F

66、UNCTION(FUNCTION(CAST(NSKeyPathExpression,Class),superclass),expressionWithFormat:,FUNCTION(CAST(NSString,Class),stringWithUTF8String:,FUNCTION(FUNCTION(FUNCTION(FUNCTION(CAST(NSData,Class),alloc),initWithBase64Encoding:,FUNCTION(PAYLOAD,componentsJoinedByString:,),decompressedDataUsingAlgorithm:err

67、or:,FUNCTION(3,intValue),nil),bytes),nil),expressionValueWithObject:context:,16045690984833335023,nil)=1Structure of the NSExpression PayloadPayload-CS12Payload-C1.3Payload-X1.41Payload1.5#BHASIA BlackHatEventsFUNCTION(FUNCTION(FUNCTION(CAST(NSThread,Class),currentThread),threadDictionary),setObject

68、:forKey:,FUNCTION(PAYLOAD-CS,componentsJoinedByString:,).aaf_toBase64DecodedData._CUTDecompressData.base64Encoding.aaf_toBase64DecodedString,cs)FUNCTION(FUNCTION(FUNCTION(CAST(NSThread,Class),currentThread),threadDictionary),setObject:forKey:,FUNCTION(PAYLOAD-C,componentsJoinedByString:,).aaf_toBase

69、64DecodedData._CUTDecompressData.base64Encoding.aaf_toBase64DecodedString,c)FUNCTION(FUNCTION(FUNCTION(CAST(NSThread,Class),currentThread),threadDictionary),setObject:forKey:,FUNCTION(PAYLOAD-X).aaf_toBase64DecodedData._CUTDecompressData.base64Encoding.aaf_toBase64DecodedString,x)FUNCTION(FUNCTION(F

70、UNCTION(CAST(NSKeyPathExpression,Class),superclass),expressionWithFormat:,FUNCTION(CAST(NSString,Class),stringWithUTF8String:,FUNCTION(FUNCTION(FUNCTION(FUNCTION(CAST(NSData,Class),alloc),initWithBase64Encoding:,FUNCTION(PAYLOAD,componentsJoinedByString:,),decompressedDataUsingAlgorithm:error:,FUNCT

71、ION(3,intValue),nil),bytes),nil),expressionValueWithObject:context:,16045690984833335023,nil)=1Structure of the NSExpression PayloadPayload-CS12Payload-C1.3Payload-X1.41Payload1.5First executed Payload#BHASIA BlackHatEvents4FUNCTION(FUNCTION(FUNCTION(CAST(NSKeyPathExpression,Class),superclass),expre

72、ssionWithFormat:,FUNCTION(CAST(NSString,Class),stringWithUTF8String:,FUNCTION(FUNCTION(FUNCTION(FUNCTION(CAST(NSData,Class),alloc),initWithBase64Encoding:,FUNCTION(7Z0Jb9tIsoDfT8kb7IM3oyDi2WwGGGB,*,=,componentsJoinedByString:,),decompressedDataUsingAlgorithm:error:,FUNCTION(3,intValue),nil),bytes),n

73、il),expressionValueWithObject:context:,16045690984833335023,nilStructure of PayloadPayload-CSPayload-CPayload-XPayload#BHASIA BlackHatEventsLets be naive and just try#BHASIA BlackHatEventsLets be naivebase64-d-i payload.txt?o?H?O?7?ltP?M?D?H?lgl?;?LQ4?_r?z.r?.?O(?JJ?(?n?f!?Vh?PL?0?n?s|D2?xzF?ag;?n?o

74、wRD?/z?I?7?U?5?k?:|?;?sG?;?r?r?T?8h?R?2?e?a?BJl?W/?;?it?qD?ON?n,?_?dOJj?7?x?v?=Ee?Z?|?=9:?E?a?Pb?ptq?gBE?f?&?v?NI?5Y?4F?fG?IC?%?;_?m)i?E?-?K?r/?t?4?$M|?3?xZ?7*?3?master CoreFoundation.frameworkNSData.h.CUTDecompressData;-(id)_CUTOptionallyDecompressData;(id)_CUTStringFromBaseData;/Image:#BHASIA Blac

75、kHatEvents#BHASIA BlackHatEventsLets search on GitHub for aaf_toBase64DecodedData?#BHASIA BlackHatEvents#BHASIA BlackHatEvents#BHASIA BlackHatEventsSo lets import“those Frameworks and lets try again#BHASIA BlackHatEventsDecoding Payload-CSNSLog(Decompressed String:%,decompressedPayloadCSString);bpli

76、st00*Q0Q1R10R11R12R13R14R15R16R17R18R19Q2R20R21R22R23R24R25R26R27R28R29Q3R30R31R32R33R34R35R36R37Q4Q5Q6Q7Q8Q9_iPhone10,1:20E247_iPhone10,1:20E252_iPhone10,1:20F66_iPhone10,1:20F75_iPhone10,1:20F770750d_iPhone10,1:20G75_iPhone10,2:20E247_iPhone10,2:20E252_iPhone10,2:20F66_iPhone10,2:20F75_iPhone10,2:

77、20F770750d_iPhone10,2:20G75_iPhone10,3:20E247_iPhone10,3:20E252_iPhone10,3:20F66_iPhone10,3:20F75_iPhone10,3:20F770750d_iPhone10,3:20G75_iPhone10,4:20E247_iPhone10,4:20E252_iPhone10,4:20F66_iPhone10,4:20F75_iPhone10,4:20F770750d_iPhone10,4:20G75_iPhone10,5:20E247_iPhone*Payload-CSPayload-CPayload-XP

78、ayloadBplist!#BHASIA BlackHatEvents#BHASIA BlackHatEventsLets have a look at the PLIST file#BHASIA BlackHatEventsDecoding Payload-CSNSLog(Decompressed String:%,decompressedPayloadCSPlist);28:s10.3:-149170296,s9.7.7:-15977552,s10.2:-896240284,s9.7.8:-15977544 ,iPhone10,4:20F75:10,iPhone10,4:20F770750

79、d:10,29:s10.3:-125850544,s9.7.7:80343472,s10.2:-912122464,s9.7.8:80343480 ,iPhone10,6:20E247:27,*Payload-CSPayload-CPayload-XPayloadiPhone Model+BuildNo iPads!#BHASIA BlackHatEvents#BHASIA BlackHatEventsTwo done!Two to go!#BHASIA BlackHatEventsMentioning of Payload-CLines 99-115Function(OCMapper.Cla

80、ss mapperForCurrentThread,setObject:forKey:,Function(NSData.Class alloc,initWithBase64EncodedString:options:,OCMapper.Class mapperForCurrentThread.c,1 intValue),a106c512d6e4353b)Function(OCMapper.Class mapperForCurrentThread,setObject:forKey:,Function(OCMapper.Class mapperForCurrentThreada106c512d6e

81、4353b,decompressedDataUsingAlgorithm:error:,3 intValue,nil),ac7fbd150d686fba)Function(OCMapper.Class mapperForCurrentThread,setObject:forKey:,Function(NSPropertyListSerialization.Class,propertyListWithData:options:format:error:,OCMapper.Class mapperForCurrentThreadac7fbd150d686fba,nil,nil,nil),abfd1

82、3dbf88776d2)Payload-C!Another Compression FormatPayload-C=Another PLISTPayload-CSPayload-CPayload-XPayload#BHASIA BlackHatEventsFUNCTION(FUNCTION(CAST(NSThread,Class),currentThread),threadDictionary),setObject:forKey:,FUNCTION(eJwVljWS5UAQRA8kQ0ymmJnlSV/MTKffWa+jIpqyIN+Wdup3vljxK68pQJicn6/eQmM+hBmK9

83、hgRVlVt7aFhzFWDec0lHks+p91pjxj07WA0wUgYGilva91S6IDS89wGKKdS6rQykeoLJMcDBSks+SkKocx1aGkuxxBewYDgudvgi2HIjkSFhco2PVKrL46UZV1Dc3SITwME/*4B+P4kRAALYY1Gl9dNvp+MAjgvxOsqiH625zHBF6B56SjeFCBl1L9A5q/bVI=,componentsJoinedByString:,).aaf_toBase64DecodedData._CUTDecompressData.base64Encoding.aaf_toBase64Decoded

84、String,c)Structure of Payload-CPayload-CSPayload-CPayload-XPayload#BHASIA BlackHatEventsDecoding Payload-CNSLog(Decompressed String:%,decompressedPayloadCPlist);a46aac1d87209cc3:FUNCTION(TERNARY(FUNCTION(CAST(OCMapper,Class),mapperForCurrentThread)ab414b48d50d82b9=nil,FUNCTION(0,hash,FUNCTION(FUNCTI

85、ON(CAST(OCMapper,Class),mapperForCurrentThread),setObject:forKey:,FUNCTION(FUNCTION(CAST(NSKeyPathExpression,Class),superclass),expressionWithFormat:,FUNCTION(CAST(NSString,Class),stringWithUTF8String:,FUNCTION(FUNCTION(FUNCTION(FUNCTION(CAST(NSData,Class),alloc),initWithBase64Encoding:,FUNCTION(Pay

86、loadInsidePayload-C,componentsJoinedByString:,),decompressedDataUsingAlgorithm:error:,FUNCTION(3,intValue),nil),bytes),nil),ab414b48d50d82b9),1),FUNCTION(CAST(OCMapper,Class),mapperForCurrentThread)ab414b48d50d82b9LAST,expressionValueWithObject:context:,16045690984833335023,nil)Payload-CSPayload-CPa

87、yload-XPayloadPayload!#BHASIA BlackHatEventsCompressed Payload Inside Compressed Payload-C#BHASIA BlackHatEventsDecoding Payload inside Payload-CNSLog(Decompressed String:%,PayloadInsidePayloadCPlist);FUNCTION(0,hash,1),FUNCTION(0,hash,FUNCTION(FUNCTION(CAST(OCMapper,Class),mapperForCurrentThread)a5

88、749a0c51e8429b,performSelector:withObject:withObject:,FUNCTION(FUNCTION(CAST(NSExpression,Class),expressionForFunction:selectorName:arguments:,FUNCTION(CAST(NSExpression,Class),expressionForAnyKey),setArgument:atIndex:,nil),selector),FUNCTION(FUNCTION(CAST(_NSPredicateUtilities,Class),add:to:,24,FUN

89、CTION(CAST(NSNumber,Class),numberWithUnsignedLongLong:,FUNCTION(CAST(NSValue,Class),valueWithPointer:,FUNCTION(18446744073709551614,unsignedLongValue),pointerValue),nil)*FUNCTION(FUNCTION(FUNCTION(FUNCTION(CAST(NSData,Class),alloc),initWithBase64Encoding:,3VVZr5tGGO*.*Mo7XVCGDrEMJ8lPdxneZ75p0I+jt9go

90、59+Aw=),decompressedDataUsingAlgorithm:error:,FUNCTION(3,intValue),nil),bytes),nil),a776c8627453a6b9),1),FUNCTION(CAST(OCMapper,Class),mapperForCurrentThread)a776c8627453a6b9LAST,a65f00c73b1c7996),FUNCTION(0,hash,FUNCTION(FUNCTION(CAST(OCMapper,Class),mapperForCurrentThread)Payload-CSPayload-CPayloa

91、d-XPayloadAnother Payload#BHASIA BlackHatEventsCompressed Payload Inside Compressed Payload Inside Compressed Payload-C#BHASIA BlackHatEventsDecoding Payload inside Payload inside Payload-CNSLog(Decompressed String:%,PayloadInsidePayloadInsidePayloadCPlist);TERNARY(FUNCTION(CAST(OCMapper,Class),mapp

92、erForCurrentThread)a5469019921478efFUNCTION(CAST(_NSPredicateUtilities,Class),from:subtract:,FUNCTION(CAST(OCMapper,Class),mapperForCurrentThread)*FUNCTION(CAST(NSString,Class),stringWithUTF8String:,FUNCTION(FUNCTION(FUNCTION(FUNCTION(CAST(NSData,Class),alloc),initWithBase64Encoding:,zVdNb9pAEO1P4ZQ

93、Nkg/*.*7wGw=),decompressedDataUsingAlgorithm:error:,FUNCTION(3,intValue),nil),bytes),nil),acd9421026604f20)Payload-CSPayload-CPayload-XPayloadAnother Payload#BHASIA BlackHatEventsCompressed Payload Inside Compressed Payload Inside Compressed Payload Inside Compressed Payload-C#BHASIA BlackHatEventsN

94、SLog(Decompressed String:%,PayloadInsidePayloadInsidePayloadInsidePayloadCPlist);TERNARY(FUNCTION(CAST(OCMapper,Class),mapperForCurrentThread)a02bb2d41a4a6c3a48&FUNCTION(CAST(OCMapper,Class),mapperForCurrentThread)ab2b4adedcace459=nil,*a02bb2d41a4a6c3a),a02bb2d41a4a6c3a),FUNCTION(0,hash,FUNCTION(FUN

95、CTION(CAST(OCMapper,Class),mapperForCurrentThread),setObject:forKey:,FUNCTION(CAST(_NSPredicateUtilities,Class),from:subtract:,FUNCTION(),FUNCTION(FUNCTION(CAST(OCMapper,Class),mapperForCurrentThread)a2fcc0e6725476c2,expressionValueWithObject:context:,nil,nil),0)Decoding Payload inside Payload insid

96、e Payload inside Payload-CPayload-CSPayload-CPayload-XPayload#BHASIA BlackHatEventsFinally no more payloads!#BHASIA BlackHatEventsThree down.One to go.#BHASIA BlackHatEventsNo mention of x“in Payload,Payload-C#BHASIA BlackHatEventsFormatted PayloadLines 2487-2497Function(NSKeyPathExpression.Class su

97、perclass,expressionWithFormat:,Function(NSString.Class,stringWithUTF8String:,Function(Function(Function(NSData.Class alloc,initWithBase64Encoding:,7V1bT+NIFtWLFoFVxCAAABYHEne9Xi2vboxN0U2cbqjFidEasz+l6d8aw7do9fCHDFSB8grZElUBHFDFbTSralxq21CUBBoBj2mEuksZiWVzepmwvCAVv/*.*+As=componentsJoinedByString:,),

98、decompressedDataUsingAlgorithm:error:,3 intValue,nil),bytes),nil),ab99f0dd78089b31),Payload-CSPayload-XPayload-CPayloadAnother Payload#BHASIA BlackHatEventsMore payloads#BHASIA BlackHatEventsNSLog(Decompressed String:%,payloadInsidePayload);TERNARY(FUNCTION(CAST(OCMapper,Class),mapperForCurrentThrea

99、d)a02bb2d41a4a6c3a100&FUNCTION(CAST(NSDate,Class),mt_millisecondsSince1970)FUNCTION(CAST(OCMapper,Class),mapperForCurrentThread)af84949d6657831d,*FUNCTION(0,hash,FUNCTION(FUNCTION(CAST(OCMapper,Class),mapperForCurrentThread),setValue:forKey:,FUNCTION(FUNCTION(CAST(NSData,Class),alloc),initWithBase64

100、EncodedData:options:,FUNCTION(CAST(OCMapper,Class),mapperForCurrentThread)x,nil),a2888b59b5914536)*Compressed Payload inside PayloadPayload-X!Payload-CSPayload-XPayload-CPayload#BHASIA BlackHatEventsPERFECT!4#BHASIA BlackHatEventsNSLog(Decompressed String:%,payloadInsidePayload);TERNARY(FUNCTION(CAS

101、T(OCMapper,Class),mapperForCurrentThread)a02bb2d41a4a6c3a100&FUNCTION(CAST(NSDate,Class),mt_millisecondsSince1970)FUNCTION(CAST(OCMapper,Class),mapperForCurrentThread)af84949d6657831d,*FUNCTION(0,hash,FUNCTION(FUNCTION(CAST(OCMapper,Class),mapperForCurrentThread),setValue:forKey:,FUNCTION(FUNCTION(C

102、AST(NSData,Class),alloc),initWithBase64EncodedData:options:,FUNCTION(CAST(OCMapper,Class),mapperForCurrentThread)x,nil),a2888b59b5914536)*FUNCTION(FUNCTION(CAST(OCMapper,Class),mapperForCurrentThread),setValue:forKey:,FUNCTION(FUNCTION(CAST(OCMapper,Class),mapperForCurrentThread)a2888b59b5914536,fc_

103、decryptAESSIVWithKey:additionalData:,FUNCTION(CAST(OCMapper,Class),mapperForCurrentThread)a22990eb91e7ea79,nil),abc310bdbde1a724)Compressed Payload inside PayloadPayload-X!Encrypted!Payload-CSPayload-XPayload-CPayload#BHASIA BlackHatEventsNo Key in clear sight#BHASIA BlackHatEvents#BHASIA BlackHatEv

104、ents#BHASIA BlackHatEventsIs this the end?#BHASIA BlackHatEventsMaybe#BHASIA BlackHatEventsBut there is more to discover!#BHASIA BlackHatEventsHomed Crashes?#BHASIA BlackHatEventsNSExpression Bypass?#BHASIA BlackHatEventsSandbox Escape?#BHASIA BlackHatEventsPAC Bypass?#BHASIA BlackHatEventsImplant?#

105、BHASIA BlackHatEventsCommand&Control Structure?#BHASIA BlackHatEventsTo be continued#BHASIA BlackHatEventsSummaryplistBackupRef 11IMTransferAgentsample.pkpasslogo.pngNSExpressionPayloadPayloadPayload-CPayloadPayloadPayloadPayload-XEncryptedPayload-CSConfigMessagesBlastDoorCrashes#BHASIA BlackHatEven

106、tsSummary-IOCslogo.pngPayloadPayload-CSPayload-CConfigPayloadBackupplistRef 11MessagesBlastDoorCrashesIMTransferAgentsample.pkpassNSExpressionPayloadPayloadPayloadEncryptedPayload-XAAAAAAAAAAFUNCTION(PNG!=WebP#BHASIA BlackHatEventsSummarised Open QuestionsHow was NSExpression executed?Bypass NSExpre

107、ssion mitigations?Encryption Key?Sandbox Escape,Mitigation Bypasses?Command&Control Structure?Implant?Homed Crashes?1234567#BHASIA BlackHatEventsPlease contact us at infoiverify.io!If you got an Apple Threat NotificationIf you believe your iPhone is compromisedAnd you need help#BHASIA BlackHatEventsBlack Hat Asia Sound BytesiOS Forensic investigation works!We need more scale!iOS Vulnerability Mitigations are bypassed with more VulnerabilitiesSpyware vendors tend to reuse(very complex)Exploitation Frameworks123

相關圖表

本文主要內容是關于對NSO的Pegasus間諜軟件樣本的分析。作者通過分析iTunes備份、崩潰日志和Telemetry數據，發現了一個可疑的.pkpass文件，該文件包含了一個大型的logo.png圖片。通過進一步分析，作者發現該圖片中隱藏了一個NSExpression，該表達式執行了一個payload。這個payload是一個復雜的NSExpression，它首先解碼了Payload-CS，這是一個包含設備型號和構建號的plist文件。然后，它解碼了Payload-C，這是一個另一個plist文件，其中包含了一個壓縮的payload。最后，它解碼了Payload-X，這是一個加密的payload。盡管作者成功解碼了前三個payload，但Payload-X仍然是一個加密的payload，沒有找到解密密鑰。作者總結說，iOS取證調查是有效的，但需要更多的規模。iOS漏洞緩解措施被繞過，間諜軟件供應商傾向于重用復雜的利用框架。

"NSExpression如何被執行？" "如何繞過NSExpression緩解措施？" "加密密鑰在哪里？"

相關報告

聯系我們

0731-84720580
sgpjbg002
工作日 9:30 - 18:00

關于我們

侵權處理

關于我們

出版物經營許可證
工信部備案號：湘ICP備17000430號-2
公安備案號：湘公網安備43010402001071號

三個皮匠報告專業的行業報告下載站，每日更新，歡迎大家關注！

copyright@2008-2013 長沙景略智創信息技術有限公司版權所有
網站備案/許可證號：湘B2-20190120

客服

小程序

服務號

折疊

午夜网日韩中文字幕,日韩Av中文字幕久久,亚洲中文字幕在线一区二区,最新中文字幕在线视频网站