Ios-malicious-bithunter - iOS Malicious Bit Hunter is a malicious plug-in detection engine for iOS applications. It can analyze the head of the macho file of the injected dylib dynamic library based on runtime. If you are interested in other programs of the author, please visit https://github.com/SecurityLife

Overview

iOS Malicious Bit Hunter

Abstract

iOS Malicious Bit Hunter is a malicious plug-in detection engine for iOS applications. It can analyze the head of the macho file of the injected dylib dynamic library based on runtime, and can perform behavior analysis through interface input characteristics to determine the behavior of the dynamic library feature. The program does not rely on the jailbreak environment and can be used on the AppStore.

What’s new feature

This is a new way to accurately identify the behavior of iOS malicious code. Based on the method of analyzing malicious code running in the memory based on the Mach-O format in the App, it can perform flexible behavior recognition for analysis and continuous tracking. This is a very accurate anti-plug-in defense method, including behaviors, variables, and highly obfuscated code (including ollvm), which has achieved very good results in our defense process.

How to use

  1. Use XCode open .xcodeproj file or create new static library project .
  2. Build Phases -> Compile Sources , add all *.c / *.mm file .
  3. command + B build .

The ios-malicious-bithunter had only one api: secinfo * Security_CoreFoundation(void);

Invoke example :

info = (secinfo *)malloc(sizeof(secinfo));

info->scan_result = (unsigned char * ) malloc(1024*1024);

memset(info->scan_result,0,1024*1024);

if(info == NULL)

{

    goto RETURN;

}
    
info->is_plugScan = security_scanEngine((unsigned char *)info->scan_result);

Logic Priciple

The tool provides an API interface for obtaining externally match rules. It will analyze the behavior of jailbroken and repackaged dynamic libraries at runtime, mainly through static analysis of the MachO file format, through the Load Command and different segments Obtain the import table, export table, class name, function name, string and other information, and judge whether the dynamic library has been loaded into the memory through the memory map at runtime.

Logic Priciple

Detect demo result

We used our SDK to analyze tens of thousands of jailbreak dynamic libraries. These resources come from some public jailbreak plugins. Below are our current test results:

filename,rule

ALS.dylib,FAKEDEV_H

AWZ.dylib,FAKEDEV_H

CallAssist.dylib,FAKEDEV_H

EGrimaceTweak.dylib,FAKEDEV_H

Lynx.dylib,FAKEDEV_H

NZT.dylib,FAKEDEV_H

SystemInfo.dylib,FAKEDEV_H

YOY.dylib,FAKEDEV_H

fakephonelib.dylib,FAKEDEV_H

fakid.dylib,FAKEDEV_H

nt.dylib,FAKEDEV_H

AWZ.dylib,FAKEDEV_M

1feaks.dylib,FAKETOUCH

ATTweak.dylib,FAKETOUCH

BTC-Springboard.dylib,FAKETOUCH

Callofdutygarena.dylib,FAKETOUCH

Cercube.dylib,FAKETOUCH

EASimulateTower.dylib,FAKETOUCH

EPEventTweak.dylib,FAKETOUCH

EvilHunterTycoon.dylib,FAKETOUCH

FlyBirdRemoteControl.dylib,FAKETOUCH

GamePlayerUI.dylib,FAKETOUCH

HAWK.dylib,FAKETOUCH

HonkaiImpactTW.dylib,FAKETOUCH

HookedInc.dylib,FAKETOUCH

IdleFitnessGymTycoon.dylib,FAKETOUCH

JudeTaxi_jb.dylib,FAKETOUCH

LienQuanMobile.dylib,FAKETOUCH

P4UTweak.dylib,FAKETOUCH

PUBGMOBILEFREEiOSGodsCom.dylib,FAKETOUCH

ScarFalliOSGodsCom.dylib,FAKETOUCH

SimulateTouch.dylib,FAKETOUCH

TSEventTweak.dylib,FAKETOUCH

TSTweak.dylib,FAKETOUCH

WildRift.dylib,FAKETOUCH

bitcoinminer.dylib,FAKETOUCH

coin.dylib,FAKETOUCH

dls2019.dylib,FAKETOUCH

dq2.dylib,FAKETOUCH

dungeoncorp.dylib,FAKETOUCH

easimulatetower.thirdparty.2.dylib,FAKETOUCH

freefire.dylib,FAKETOUCH

gameisbugged.dylib,FAKETOUCH

hidspringboard.dylib,FAKETOUCH

mycafe.dylib,FAKETOUCH

raidthedungeon.dylib,FAKETOUCH

royaldice.dylib,FAKETOUCH

rushroyale.dylib,FAKETOUCH

tetweak.dylib,FAKETOUCH

tkasmtouch.dylib,FAKETOUCH

1.dylib,FAKE_LBS

AliDt.dylib,FAKE_LBS

CyDown.dylib,FAKE_LBS

DouTu.dylib,FAKE_LBS

GpsHookLibrary.dylib,FAKE_LBS

Lamo.dylib,FAKE_LBS

LamoClient.dylib,FAKE_LBS

OTRLocation.dylib,FAKE_LBS

WeChatHookPro.dylib,FAKE_LBS

abcd.dylib,FAKE_LBS

appstoreplusUI.dylib,FAKE_LBS

easimulatetower.client.dylib,FAKE_LBS

kfc.dylib,FAKE_LBS

lk.dylib,FAKE_LBS

m.dylib,FAKE_LBS

mmm.dylib,FAKE_LBS

pbyy.dylib,FAKE_LBS

phonetweak.dylib,FAKE_LBS

tou111.dylib,FAKE_LBS

txytweak.dylib,FAKE_LBS

xiaoqi.dylib,FAKE_LBS

xin.dylib,FAKE_LBS

zorro.dylib,FAKE_LBS

zzzzzLiberty.dylib,FAKE_LBS

Owner
Alipay
Ant Group Open Source
Alipay
Development of a system which can capture and analyze transmitted data on a USB wire.

FPGA based USB protocol analyser Development of a system which can capture and analyze transmitted data on a

Harsha Sandirigama 0 Apr 3, 2022
a undetectable tool by modify odyssey, support sign disable & dylib injection, test on iphoneX(13.5.1 expolit by FreeTheSandbox), our qqgroup is 703156427

a undetectable ios root access tool by modify odyssey, support sign disable & dylib injection, test on iphoneX(13.5.1 expolit by FreeTheSandbox), our

null 58 Nov 22, 2021
Thread Stack Spoofing - PoC for an advanced In-Memory evasion technique allowing to better hide injected shellcode's memory allocation from scanners and analysts.

Thread Stack Spoofing PoC A PoC implementation for an advanced in-memory evasion technique that spoofs Thread Call Stack. This technique allows to byp

Mariusz B. 673 Aug 10, 2022
FiveM Cheat with KEKHACK. Injected with simple injector in c++.

FiveM Cheat with TriggersEvent [KEKHACK] This is the ultimate great source code for building the best cheat FiveM. I'm not going to tell you how to cr

MasterDev 9 Jul 22, 2022
Had a tough time playing Microsoft Wordament ? Well WORDament_Solver has your back. It suggests you meaningful words you can use while playing the game and help you top the leaderboard.

WORDament_Solver Had a tough time playing Microsoft Wordament ? Well WORDament_Solver has your back. It suggests you meaningful words you can use whil

Tushar Agarwal 3 Aug 19, 2021
Offline fluid simulation solver adopted from https://github.com/doyubkim/fluid-engine-dev.

FluidEngine This is a fluid simulation engine for computer graphics applications. I adopt it from Doyub Kim's fluid-engine-dev. It's built on C++11 an

YangWC 53 Jul 20, 2022
(C++) Integrity dynamic link library made in C++ that you can export to C#

C-Integrity-Library ✔ (C++) Integrity dynamic link library made in C++ that can export to C# C# Exports [DllImport("Exports.dll")] public static exter

null 1 Jan 20, 2022
Original hVNC has been recoded to work with all version of windows above XP. Thanks to the original author for this wonderful tool.

hVNC - Recoded This is the recoded version of the hVNC found in TinyNuke trojan. Compiling Compile tested with Visual Studio 2017. No compile errors.

Snow Leopard 8 Jan 22, 2022
Example of downloading/installing dependencies using Hunter package manager.

Linux/OSX Windows Example of downloading/installing dependencies using Hunter package manager. Requirements CMake version 3.0 Usage Set HUNTER_ROOT en

null 45 Apr 12, 2022
A Charm/Item editor for Monster Hunter Rise

mhr-charm-item-editor A Charm/Item editor for Monster Hunter Rise. The project is written in C++/CLR (yes, I know, it's shit). I was too lazy to use s

Fexty 40 Aug 10, 2022
Blade - A simple, fast, clean, and dynamic language that allows you to develop complex applications quickly.

The Blade Programming Language Quick links: BUILDING | CONTRIBUTING | DOCS | LICENSE | tl;dr Blade is a simple, fast, clean and dynamic language that

Blade Programming Language 103 Aug 6, 2022
Please feel free to use this code if you need to keep track of accelerometer and gyro data :)

IMUArduinoDataCollection Please feel free to use this code if you need to keep track of accelerometer and gyro data :) This code takes in xyz motion b

null 1 Nov 9, 2021
(FIXED) Since the one on github didn't work. (ALSO INCLUDES .DLL SO YOU CAN JUST INJECT INTO FORTNITE)

Marathon-Fortnite-Cheat-Fix-Leak Fortnite Marathon Cheat v18.20 FIXED [Leak] Getting started Open .sln with Visual Studio 2019 Compile batch build to

LUCIFER ® 2 Dec 13, 2021
Nissan Pathfinder R51 Head Unit Adapter

Nissan Pathfinder R51 Head Unit Adapter This repo contains documentation and code to turn an Arduino into a CAN Bus climate control adapter for the Ni

Ryan Bourgeois 1 Apr 19, 2022
Documentation and code for rooting and extending a Bosch car head unit (lcn2kai)

Rooting Bosch lcn2kai Headunit My Nissan Xterra came with a (for the time) modern head unit that has a touch screen, built-in navigation, backup camer

null 329 Jul 24, 2022
The pico can be used to program other devices. Raspberry pi made such an effort. However there is no board yet, that is open-source and can be used with OpenOCD as a general-purpose programmer

pico-probe-programmer The pico can be used to program other devices. Raspberry pi made such an effort. However there is no board yet, that is open-sou

martijn 21 Jul 20, 2022
This Program Enables And Disables Hyper-V Hypervisor So You Can Use Other Virtualisation Tools Such As (VMware, VirtualBox) Simultaneously.

Hyper-V-Switch This Program Enables And Disables Hyper-V Hypervisor So You Can Use Other Virtualisation Tools Such As (VMware, VirtualBox) Simultaneou

RaynerSec 2 May 27, 2022
A video input (V4L2) to NDI converter that works with Raspberry Pi (32-bit and 64-bit), and Intel/AMD CPUs

V4L2 to NDI V4L2 to NDI is an application that connects to attached V4L2 devices and encodes the video signal into NDI It uses the NDI library, allowi

Luke Plassman 40 Jul 28, 2022
An embedded CAN bus sniffer which is able to monitor any of the vehicle internal CAN bus and perform some action by triggering new CAN messages.

An embedded CAN bus sniffer which is able to monitor any of the vehicle internal CAN bus and perform some action by triggering new CAN messages. In this way certain vehicle functionality can be triggered by responding to custom steering wheel button events, or use the vehicle virtual cockpit to display OBD-PIDs values instead of relying on an external display to present new information to the user

null 13 May 21, 2022