# 14.反HOOK防护(二):Monkey ## 一、安装:MonkeyDev > [GitHub-MonkeyDev](https://github.com/AloneMonkey/MonkeyDev) 安装完成后,重启Xcode,就可以看到有个`MonkeyDev` ![1](https://4193904735-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MI8JgbGh3U6X_oedqkm%2Fsync%2F74e75811084c87c04c672e6022a2071b99d3343a.png?generation=1621265703496623\&alt=media) ## 二、重签名 创建一个`MonkeyApp`,我们看到目录下有个`TargetApp`,将需要重签名的`ipa包`或者`app文件`放进去。 并将Demo给为自己的一个可用的BundleID,运行即可! ![2](https://4193904735-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MI8JgbGh3U6X_oedqkm%2Fsync%2Feb3d5f30e62c722b20433f71123cf9e1810d70a5.png?generation=1621265703734293\&alt=media) ## 三、Hook:Logos语法 > [Logos](http://iphonedevwiki.net/index.php/Logos) ![1](https://4193904735-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MI8JgbGh3U6X_oedqkm%2Fsync%2F6e5e4ea3f326f9f6c737d298066256de436a4031.png?generation=1621265704119794\&alt=media) 我们可以看到这个文件,没有高亮。 ![1](https://4193904735-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MI8JgbGh3U6X_oedqkm%2Fsync%2F6aab6e1197a2f5b3e4d5879e6e2969a227be4d9a.png?generation=1621265703461455\&alt=media) 在这里改一下类型为`ObjectiveC++Source`,切换一下文件就可以了。 ### 3.1 试着Hook上一篇中我们做了防护的项目 > 这里我们准备Hook`ViewController`的`actionA` #### a. 将编译出的app文件放进TargetApp目录下 #### b. 用Logos语法写Hook代码 ```cpp #import %hook ViewController - (void)actionA:(id)sender { NSLog(@"action-A-(Hooked!)"); } %end ``` 就这么简单! #### c. 运行查看Log ``` 2021-05-16 23:10:24.635341+0800 AntiHook[3859:1526960] ⚠️检测到了Hook! 2021-05-16 23:10:24.635477+0800 AntiHook[3859:1526960] ⚠️检测到了Hook! 2021-05-16 23:10:24.635519+0800 AntiHook[3859:1526960] [AntiAntiDebug Init] 🎉!!!congratulations!!!🎉 👍----------------insert dylib success----------------👍 [MethodTrace] 📚--------------------OCMethodTrace(Usage)-------------------📚 https://github.com/omxcodec/OCMethodTrace/blob/master/README.md 📚--------------------OCMethodTrace(Usage)-------------------📚 [MethodTrace] logLevel: 0: logWhen: 0 traceFlag: 2 traceObject: 0(未指定类) [MethodTrace] Method Trace is disabled Download cycript(https://cydia.saurik.com/api/latest/3) then run: ./cycript -r 192.168.0.102:6666 2021-05-16 23:10:24.915464+0800 AntiHook[3859:1526960] result: 2021-05-16 23:10:24.996174+0800 AntiHook[3859:1526960] INFO: Reveal Server started (Protocol Version 43). 2021-05-16 23:10:33.341774+0800 AntiHook[3859:1526960] action-A-(Hooked!) ``` 虽然我们的防护代码检测到了Hook,但是依然成功了。 #### d. 思考 这里我们使用[反HOOK防护(一)](https://ryukiedev.gitbook.io/wiki/ni-xiang/13.-fan-hook-fang-hu-yi-ji-yu-fishhook)中的技术去进行防护,并没有成功防护到`Monkey`的Hook。我们大概可以推测出:它使用的是Set和Get进行的Hook! 下面我们针对Set Get进行一下防护验证我们的想法! ## 四、Set/Get Hook防护 这里我们简单修改下防护代码。 ```cpp + (void)load { struct rebinding exchange; exchange.name = "method_exchangeImplementations"; exchange.replacement = my_exchange; exchange.replaced = (void *)&sysExchangePoint; struct rebinding get; get.name = "method_getImplementation"; get.replacement = my_get; get.replaced = (void *)&sysExchangePoint; struct rebinding set; set.name = "method_setImplementation"; set.replacement = my_set; set.replaced = (void *)&sysExchangePoint; struct rebinding bds[] = { exchange, get, set }; rebind_symbols(bds, 3); } // 保存原函数的指针,这个可以暴露给自己使用 void (*sysExchangePoint)(Method _Nonnull methA, Method _Nonnull methB); void my_exchange(Method _Nonnull methA, Method _Nonnull methB) { NSLog(@"⚠️检测到了Hook!-method_exchangeImplementations"); } void my_get(Method _Nonnull methA, Method _Nonnull methB) { NSLog(@"⚠️检测到了Hook!-method_getImplementation"); } void my_set(Method _Nonnull methA, Method _Nonnull methB) { NSLog(@"⚠️检测到了Hook!-method_setImplementation"); } ``` ### 4.1 防护成果 ``` 2021-05-17 23:25:17.892661+0800 AntiHook[3999:1630972] ⚠️检测到了Hook!-method_getImplementation 2021-05-17 23:25:17.892798+0800 AntiHook[3999:1630972] ⚠️检测到了Hook!-method_exchangeImplementations 2021-05-17 23:25:17.892840+0800 AntiHook[3999:1630972] ⚠️检测到了Hook!-method_getImplementation 2021-05-17 23:25:17.892874+0800 AntiHook[3999:1630972] ⚠️检测到了Hook!-method_exchangeImplementations 2021-05-17 23:25:17.892912+0800 AntiHook[3999:1630972] [AntiAntiDebug Init] 🎉!!!congratulations!!!🎉 👍----------------insert dylib success----------------👍 2021-05-17 23:25:17.914757+0800 AntiHook[3999:1630972] ⚠️检测到了Hook!-method_getImplementation 2021-05-17 23:25:17.914913+0800 AntiHook[3999:1630972] ⚠️检测到了Hook!-method_setImplementation [MethodTrace] ... 2021-05-17 23:25:26.987849+0800 AntiHook[3999:1630972] action-A 2021-05-17 23:25:27.952512+0800 AntiHook[3999:1630972] action-A 2021-05-17 23:25:28.803100+0800 AntiHook[3999:1630972] action-B 2021-05-17 23:25:29.170666+0800 AntiHook[3999:1630972] action-B ``` 可以看到我们的`set`/`get`防护代码被触发了,并且输出了点击按钮输出了正确的Log! 防护成功!也验证了我们的想法:***Monkey的Hook是基于Get/Set的***