/frida-iOS-syscall-tracer

Traces syscalls on iOS via Frida, including Mach syscalls

Primary LanguageTypeScript

frida-iOS-syscall-tracer

An strace-like syscall tracer for 64-bit iOS devices based on Frida's Stalker API. It is not stable yet and often causes the traced process to crash. The purpose of this tool is to allow you to backtrace certain anti-(jailbreak|debugging|tampering|reverse engineering) techniques that rely on syscalls. Common file system-based syscalls that are used for anti-jailbreak techniques in many banking apps, for example, are stat and open. These scan the file system for file names such as Cydia, Sileo, /etc/apt/sources.list etc.

Requirements

  • NPM
  • Jailbroken iOS device
  • frida and frida-tools on the remote device
  • frida-server on the iOS device
  • patience
  • brain

Installation

git clone https://github.com/juliangrtz/frida-iOS-syscall-tracer
cd frida-iOS-syscall-tracer
npm run build

Usage example

# Be sure the jailbroken iOS device is connected via USB and everything is set up correctly.
cd agent
frida -Uf com.apple.stocks -l _tracer.js

Output example

[+] Following thread 12295
ulock_wake()
proc_info()
ulock_wake()
ulock_wake()
ulock_wake()
psynch_mutexdrop()
ulock_wake()
psynch_mutexdrop()
ulock_wake()
ulock_wake()
psynch_mutexdrop()
ulock_wake()
proc_info()
kevent_qos()
ulock_wake()
ulock_wake()
ulock_wake()
kevent_qos()
mprotect(ptr(0x100d90000), 0x100000, 0x3)
stat64("/usr/lib/libRosetta.dylib", 0x16f853360)
open("/usr/lib/libRosetta.dylib", 0x0, 0x0)
open("/usr/lib", 0x100000, 0x0)
fcntl(21, 0x32, 0x16f8542d0)
close(21)
mprotect(ptr(0x100d90000), 0x100000, 0x1)
...

to be done

– add proper backtracing

– improve code quality

– improve stability

– support newest iOS versions

License

Do whatever the f*ck you want with it.