14.反HOOK防护（二）：Monkey

一、安装：MonkeyDev

GitHub-MonkeyDev

安装完成后，重启Xcode，就可以看到有个MonkeyDev

1

二、重签名

创建一个MonkeyApp，我们看到目录下有个TargetApp，将需要重签名的ipa包或者app文件放进去。 并将Demo给为自己的一个可用的BundleID，运行即可！

2

三、Hook：Logos语法

Logos

1

我们可以看到这个文件，没有高亮。

1

在这里改一下类型为ObjectiveC++Source，切换一下文件就可以了。

3.1 试着Hook上一篇中我们做了防护的项目

这里我们准备HookViewController的actionA

a. 将编译出的app文件放进TargetApp目录下

b. 用Logos语法写Hook代码

#import <UIKit/UIKit.h>

%hook ViewController

- (void)actionA:(id)sender {
    NSLog(@"action-A-(Hooked!)");
}

%end

就这么简单！

c. 运行查看Log

2021-05-16 23:10:24.635341+0800 AntiHook[3859:1526960] ⚠️检测到了Hook！
2021-05-16 23:10:24.635477+0800 AntiHook[3859:1526960] ⚠️检测到了Hook！
2021-05-16 23:10:24.635519+0800 AntiHook[3859:1526960] [AntiAntiDebug Init]
               🎉!!！congratulations!!！🎉
👍----------------insert dylib success----------------👍
[MethodTrace] 
📚--------------------OCMethodTrace(Usage)-------------------📚
https://github.com/omxcodec/OCMethodTrace/blob/master/README.md
📚--------------------OCMethodTrace(Usage)-------------------📚
[MethodTrace] logLevel: 0: logWhen: 0 traceFlag: 2 traceObject: 0(未指定类)
[MethodTrace] Method Trace is disabled

Download cycript(https://cydia.saurik.com/api/latest/3) then run: ./cycript -r 192.168.0.102:6666

2021-05-16 23:10:24.915464+0800 AntiHook[3859:1526960] result: <UIApplication: 0x1017100d0>
2021-05-16 23:10:24.996174+0800 AntiHook[3859:1526960]  INFO: Reveal Server started (Protocol Version 43).
2021-05-16 23:10:33.341774+0800 AntiHook[3859:1526960] action-A-(Hooked!)

虽然我们的防护代码检测到了Hook，但是依然成功了。

d. 思考

这里我们使用反HOOK防护（一）中的技术去进行防护，并没有成功防护到Monkey的Hook。我们大概可以推测出：它使用的是Set和Get进行的Hook！

下面我们针对Set Get进行一下防护验证我们的想法！

四、Set/Get Hook防护

这里我们简单修改下防护代码。

+ (void)load {
    struct rebinding exchange;
    exchange.name = "method_exchangeImplementations";
    exchange.replacement = my_exchange;
    exchange.replaced = (void *)&sysExchangePoint;

    struct rebinding get;
    get.name = "method_getImplementation";
    get.replacement = my_get;
    get.replaced = (void *)&sysExchangePoint;

    struct rebinding set;
    set.name = "method_setImplementation";
    set.replacement = my_set;
    set.replaced = (void *)&sysExchangePoint;

    struct rebinding bds[] = { exchange, get, set };

    rebind_symbols(bds, 3);
}

// 保存原函数的指针，这个可以暴露给自己使用
void (*sysExchangePoint)(Method _Nonnull methA, Method _Nonnull methB);

void my_exchange(Method _Nonnull methA, Method _Nonnull methB) {
    NSLog(@"⚠️检测到了Hook！-method_exchangeImplementations");
}

void my_get(Method _Nonnull methA, Method _Nonnull methB) {
    NSLog(@"⚠️检测到了Hook！-method_getImplementation");
}

void my_set(Method _Nonnull methA, Method _Nonnull methB) {
    NSLog(@"⚠️检测到了Hook！-method_setImplementation");
}

4.1 防护成果

2021-05-17 23:25:17.892661+0800 AntiHook[3999:1630972] ⚠️检测到了Hook！-method_getImplementation
2021-05-17 23:25:17.892798+0800 AntiHook[3999:1630972] ⚠️检测到了Hook！-method_exchangeImplementations
2021-05-17 23:25:17.892840+0800 AntiHook[3999:1630972] ⚠️检测到了Hook！-method_getImplementation
2021-05-17 23:25:17.892874+0800 AntiHook[3999:1630972] ⚠️检测到了Hook！-method_exchangeImplementations
2021-05-17 23:25:17.892912+0800 AntiHook[3999:1630972] [AntiAntiDebug Init]
               🎉!!！congratulations!!！🎉
👍----------------insert dylib success----------------👍
2021-05-17 23:25:17.914757+0800 AntiHook[3999:1630972] ⚠️检测到了Hook！-method_getImplementation
2021-05-17 23:25:17.914913+0800 AntiHook[3999:1630972] ⚠️检测到了Hook！-method_setImplementation
[MethodTrace] 
...
2021-05-17 23:25:26.987849+0800 AntiHook[3999:1630972] action-A
2021-05-17 23:25:27.952512+0800 AntiHook[3999:1630972] action-A
2021-05-17 23:25:28.803100+0800 AntiHook[3999:1630972] action-B
2021-05-17 23:25:29.170666+0800 AntiHook[3999:1630972] action-B

可以看到我们的set/get防护代码被触发了，并且输出了点击按钮输出了正确的Log！ 防护成功！也验证了我们的想法：Monkey的Hook是基于Get/Set的