OSG-macOS/iOS Security Group Translation Team

看雪iOS安全小组的翻译团队作品合集，如有勘误/瑕疵/拗口/偏颇，欢迎斧正！

看雪iOS安全小组置顶向导资源集合贴： [逆向][调试][漏洞][越狱]：http://bbs.pediy.com/showthread.php?t=212685

翻译团队

维护by：yaren （看雪ID：西海）

---

编号	文章	来源网址	翻译	得票
1	MacOS and iOS Internals, Volume III: Security & Insecurity	http:// newosxbook.com /files/moxii3 /AppendixA.pdf	rodster@ccav10.cn(727542262) everettjf@live.com(276751551)
2	Analysis and exploitation of Pegasus kernel vulnerabilities (CVE-2016-4655 / CVE-2016-4656)	http://jndok.github.io/2016/10/04/pegasus-writeup/	rodster@ccav10.cn(727542262)
3	海马iOS应用商店助手各种恶意行为的研究 Helper for Haima iOS App Store Adds More Malicious Behavior	http://blog.trendmicro.com/trendlabs-security-intelligence/helper-haima-malicious-behavior/	rodster@ccav10.cn(727542262)
4	未越狱状态下的iOS插桩：iOS instrumentation without jailbreak	https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2016/october/ios-instrumentation-without-jailbreak/	rodster@ccav10.cn(727542262)
5	iOS软件在运行时究竟做了什么：Introspy-iOS	https://github.com/integrity-sa/Introspy-iOS	try_fly:247498009
6	当我们在移动文件时，发生了什么？MacOS File Movements	https://forensic4cast.com/2016/10/macos-file-movements/	舜生Ree:2035153354
7	macOS Chrome密码破解 Decrypting Google Chrome Passwords on macOS / OS X	http://bufferovernoah.com/2016/10/17/chrome/	free:249099804
8	CVE-2016-6187: Exploiting Linux kernel heap off-by-one by Vitaly Nikolenko	https://cyseclabs.com/blog/cve-2016-6187-heap-off-by-one-exploit	rodster@ccav10.cn(727542262)
9	LINUX SRP OVERWRITE AND ROP	http://buffered.io/posts/linux-srp-overwrite-and-rop/	布兜儿:527626504
10	基于python的开源LLDB前端GUI Voltron简介	https://github.com/snare/voltron	拟人:75345771
11	基于 Frida 框架的 Objective-C 插桩方法 Objective-C Instrumentation with Frida	https://rotlogix.com/2016/03/20/objective-c-instrumentation-with-frida/	lockdown:527850864
12	FRIDA框架简介：Welcome introduction、quickstart guide、installation、basic usage	http://www.frida.re/docs/home/	lockdown:527850864
13	FRIDA框架简介：Modes ofoperation、Functions、Messages、iOS、Android	http://www.frida.re/docs/home/	lockdown:527850864
14	FRIDA框架推出8.1 released	http://www.frida.re/news/2016/10/25/frida-8-1-released/	lockdown:527850864
15	OS X蓝牙IO系统UAF漏洞分析 OS X kernel use-after-free in IOBluetoothFamily.kext	https://bugs.chromium.org/p/project-zero/issues/detail?id=830 附上Exploit：https://www.exploit-db.com/exploits/40652/	布兜儿:527626504
16	OS X/iOS磁盘镜像子系统UAF漏洞分析 OS X/iOS kernel use-after-free in IOHDIXController	https://bugs.chromium.org/p/project-zero/issues/detail?id=832	布兜儿:527626504
17	OS X内核存储UAF漏洞分析 OS X kernel use-after-free in CoreStorage	https://bugs.chromium.org/p/project-zero/issues/detail?id=833	布兜儿:527626504
18	OS X内核雷电IO系统UAF漏洞 OS X kernel use-after-free in IOThunderboltFamily	https://bugs.chromium.org/p/project-zero/issues/detail?id=834	布兜儿:527626504
19	OS X/iOS图像共享IO的UAF漏洞分析 OS X/iOS kernel use-after-free in IOSurface	https://bugs.chromium.org/p/project-zero/issues/detail?id=831	布兜儿:527626504
20	task_t指针重大风险预报 task_t considered harmful	https://googleprojectzero.blogspot.kr/2016/10/taskt-considered-harmful.html	看雪翻译小组
21	task_t指针重大风险预报——PoC task_t considered harmful - many XNU EoPs	https://bugs.chromium.org/p/project-zero/issues/detail?id=837	看雪翻译小组
22	IOKit被动Fuzz框架 PassiveFuzzFrameworkOSX	https://github.com/SilverMoonSecurity/PassiveFuzzFrameworkOSX	看雪翻译小组
23	launchd中虚拟磁盘挂载尺寸分配问题导致UAF Controlled vm_deallocate size can lead to UaF in launchd	https://bugs.chromium.org/p/project-zero/issues/detail?id=896	看雪翻译小组
24	launchd中消息队列逻辑问题导致内核message控制 Logic issue in launchd message requeuing allows arbitrary mach message control	https://bugs.chromium.org/p/project-zero/issues/detail?id=893	看雪翻译小组
25	OSX/iOS中的内存端口注册中的内存安全问题 OS X/iOS multiple memory safety issues in mach_ports_register	https://bugs.chromium.org/p/project-zero/issues/detail?id=882	看雪翻译小组
26	趋势科技研究员今年 7 月份在 HITCON 2016 会议的演讲《(P)FACE Into the Apple Core and Exploit to Root》	http://hitcon.org/2016/CMT/slide/day1-r2-c-1.pdf	看雪翻译小组
27	通过 OS X 的邮件规则实现持久控制 Using email for persistence on OS X	https://www.n00py.io/2016/10/using-email-for-persistence-on-os-x/	布兜
28	通过 IO Kit 驱动走进 Ring-0︰Strolling into Ring-0 via IO Kit Drivers	https://ruxcon.org.au/assets/2016/slides/RuxCon_Wardle.pdf		18
29	Nginx 搭建同时启用多个工具的 HTTP 代理环境，支持多个用户	https://www.swordshield.com/2016/10/multi-tool-multi-user-http-proxy/		5
30	提高iOS的健壮性及抗Fuzz技术	https://ruxcon.org.au/assets/2016/slides/Make_iOS_App_more_Robust_and_Security_through_Fuzzing-1476442078.pdf		9
31	iOS的WebView自动拨号的bug iOS WebView auto dialer bug	https://www.mulliner.org/blog/blosxom.cgi/security/ios_webview_auto_dialer.html	赤
32	iOS.GuiInject广告木马库分析 Analysis of iOS.GuiInject Adware Library	https://sentinelone.com/blogs/analysis-ios-guiinject-adware-library/		4
33	iOS软件安全全局方法论 iOS Application Security Review Methodology	http://research.aurainfosec.io/ios-application-security-review-methodology/		6
34	解码苹果上所有的Tokens decrypts/extracts all authorization tokens on macOS / OS X / OSX	https://github.com/manwhoami/MMeTokenDecrypt
35	Lookout发布的iOS三叉戟漏洞的详细技术分析 Technical Analysis of the Pegasus Exploits on iOS	https://info.lookout.com/rs/051-ESQ-475/images/pegasus-exploits-technical-details.pdf
36	攻击safari的JS引擎CVE-2016-4622详细分析	http://phrack.org/papers/attacking_javascript_engines.html
37	Mac平台上的广告蠕虫一览	https://blog.malwarebytes.com/threat-analysis/social-engineering-threat-analysis/2016/11/an-overview-of-malvertising-on-the-mac/
38	Mac 用户想防止被查水表?	https://github.com/drduh/macOS-Security-and-Privacy-Guide
39	Mac 上恶意软件的总览	https://blog.malwarebytes.com/threat-analysis/social-engineering-threat-analysis/2016/11/an-overview-of-malvertising-on-the-mac/
40	阻止 iCloud 日历上的垃圾邮件邀请	http://t.cn/RfjMbGy https://t.co/qOHXUYS6J3 https://t.co/PYGq7gNT4V
41	绕过苹果系统的完整性保护 Bypassing Apple's System Integrity Protection	https://objective-see.com/blog/blog_0x14.html
42	在二进制代码中通过静态分析的方法检测 UAF 漏洞	https://t.co/ulcgwGkRI7
43	趋势科技的一篇 Blog，谈利用 Dirty Cow 漏洞攻击 Android	http://blog.trendmicro.com/trendlabs-security-intelligence/new-flavor-dirty-cow-attack-discovered-patched/
44	以福昕阅读器为例实现高性能Fuzz Applied high-speed in-process fuzzing: the case of Foxit Reader	https://t.co/6MwdamAHJ4
45	ARM汇编语言极速入门part 1~5	https://azeria-labs.com/writing-arm-assembly-part-1/
46	苹果FSEvent深层文件系统调用记录取证	http://nicoleibrahim.com/apple-fsevents-forensics/
47	二进制grep工具、还能高亮！	https://github.com/m4b/bingrep/
48	MacRansom,Mac上的勒索软件分析（带反调试、反虚拟机）	https://objective-see.com/blog/blog_0x1E.html
49	IDA反汇编的一些小技巧	https://qmemcpy.github.io/post/ida-series-1-hex-rays
50	macOS 10.12.2本地提权以及XNU port堆风水by蒸米大神：【https://jaq.alibaba.com/community/art/show?articleid=781 提权的exp源码也可以在我的github下载到：【https://github.com/zhengmin1989/macOS-10.12.2-Exp-via-mach_voucher】	https://jaq.alibaba.com/community/art/show?articleid=781
51	反病毒Yara规则生成器、病毒特征提取工具	https://github.com/Neo23x0/yarGen
52	10.2.1上重打包iOS应用的方法	http://www.vantagepoint.sg/blog/85-patching-and-re-signing-ios-apps
53	iOS 10.3.1 Wifi芯片漏洞详解——by Project Zero Beniamini	https://googleprojectzero.blogspot.jp/2017/04/over-air-exploiting-broadcoms-wi-fi_11.html
54	从iOS程序运行时的堆中提取敏感信息	https://blog.netspi.com/ios-tutorial-dumping-the-application-heap-from-memory/
55	如何在 macOS 上安装 Powershell 6.0	http://www.techrepublic.com/article/how-to-install-microsoft-powershell-6-0-on-macos/
56	Google ssl_logger - 可以解密并记录进程的SSL流量	https://github.com/google/ssl_logger
57	ian beer 亲自讲解iOS 10越狱用的mach portal的教程 上	https://github.com/zhengmin1989/GreatiOSJailbreakMaterial/blob/master/iOS10_Mach_Portal.pdf
58	ian beer 亲自讲解iOS 10越狱用的mach portal的教程 中	https://github.com/zhengmin1989/GreatiOSJailbreakMaterial/blob/master/iOS10_Mach_Portal.pdf
59	ian beer 亲自讲解iOS 10越狱用的mach portal的教程 下	https://github.com/zhengmin1989/GreatiOSJailbreakMaterial/blob/master/iOS10_Mach_Portal.pdf
60	iOS 9 开始引入的内核完整性保护（KPP）功能是如何实现的	https://xerub.github.io/ios/kpp/2017/04/13/tick-tock.html
61	支持macOS！-"leviathan - 大型安全审计工具包，支持大范围的服务探测、暴力破解、SQL注入检测以及运行自定义漏洞利用模块	https://github.com/leviathan-framework/leviathan
62	[CODE REVIEW]TWEAK系列-respring之后弹自定义消息-PopUpOnStart	https://github.com/LacertosusRepo/Open-Source-Tweaks
63	[CODE REVIEW]TWEAK系列-给调音量增加震动反馈-Volbrate	https://github.com/LacertosusRepo/Open-Source-Tweaks
64	[CODE REVIEW]TWEAK系列-给控制中心增加震动反馈-HaptikCenter	https://github.com/LacertosusRepo/Open-Source-Tweaks
65	[CODE REVIEW]TWEAK系列-每次respring之后给你播放一段音乐-SoundSpring	https://github.com/LacertosusRepo/Open-Source-Tweaks
66	一个函数，两个bug part.1	https://www.synack.com/2017/03/27/two-bugs-one-func/
67	一个函数，两个bug（含poc） part.2	https://www.synack.com/2017/04/07/two-bugs-one-func-p2/ POC地址： https://pastebin.com/87fHLMQq
68	APFS苹果文件系统逆向初探	https://blog.cugu.eu/post/apfs/
69	Safari Browser Array.concat 方法中越界的内存拷贝可导致内存破坏（CVE-2017-2464	https://bugs.chromium.org/p/project-zero/issues/detail?id=1095
70	在 HITB AMS 2017 会议上，独立安全研究员 malerisch 分享了他是如何在趋势科技产品中挖掘到 200 个 CVE 的	http://blog.malerisch.net/2017/04/trend-micro-threat-discovery-appliance-session-generation-authentication-bypass-cve-2016-8584.html
71	昨天他又写了一篇 Blog 介绍了一个新发现的趋势科技 TDA 产品 Session 生成认证机制绕过的漏洞	http://conference.hitb.org/hitbsecconf2017ams/materials/D1T1 - Steven Seeley and Roberto Suggi Liverani - I Got 99 Trends and a # Is All Of Them.pdf"
72	【Frida系列】Frida的基本功能	http://2015.zeronights.org/assets/files/23-Ravnas.pdf
73	【Frida系列】通过案例入门Frida - learn by example	http://www.ninoishere.com/frida-learn-by-example/
74	【Frida系列】逆向iOS过程中一些有用的Frida脚本 some useful frida script for iOS Reversing	https://github.com/as0ler/frida-scripts
75	安卓下的对Frida的检测方法（问：如何移植到iOS）	http://www.vantagepoint.sg/blog/90-the-jiu-jitsu-of-detecting-frida
76	Pwn2Own 2017 Samuel Groß 攻击 Safari 所使用的 WebKit JSC::CachedCall UAF 漏洞的分析（CVE-2017-2491）(第一篇)	https://phoenhex.re/2017-05-04/pwn2own17-cachedcall-uaf
77	Fox-IT 的研究员发现 Snake 恶意软件框架首次出现了攻击 MacOS 操作系统的版本	https://blog.fox-it.com/2017/05/03/snake-coming-soon-in-mac-os-x-flavour/ Github： https://github.com/Neo23x0/signature-base/blob/master/yara/apt_snaketurla_osx.yar
78	Mobile Pwn2Own 2012 -WebKit Array.sort() UAF 漏洞的分析和利用（CVE-2012-3748）(一)	https://scarybeastsecurity.blogspot.jp/2017/05/ode-to-use-after-free-one-vulnerable.html
79	Mobile Pwn2Own 2012 -WebKit Array.sort() UAF 漏洞的分析和利用（CVE-2012-3748）(二)	https://scarybeastsecurity.blogspot.jp/2017/05/ode-to-use-after-free-one-vulnerable.html
80	Mobile Pwn2Own 2012 -WebKit Array.sort() UAF 漏洞的分析和利用（CVE-2012-3748）(三)	https://scarybeastsecurity.blogspot.jp/2017/05/ode-to-use-after-free-one-vulnerable.html
81	用fuzzing来高速挖洞_High_Speed_Bug_Discovery_with_Fuzzing
82	无痛入门Linux用户态堆和堆风水	https://sensepost.com/blog/2017/painless-intro-to-the-linux-userland-heap//
83	Flanker：CVE-2017–2448, 绕过OTR签名校验iCloud钥匙串秘密窃取	https://medium.com/@longtermsec/bypassing-otr-signature-verification-to-steal-icloud-keychain-secrets-9e92ab55b605
84	Fuzz 工具 OSS-Fuzz 开源的 5 个月中，被用于测试了 47 个开源项目，发现了超过 1000 个 Bug(264 个潜在漏洞)	https://opensource.googleblog.com/2017/05/oss-fuzz-five-months-later-and.html
85	Project Zero 研究员 Felix 总结的 iOS APP 层面的常见漏洞案例	https://github.com/felixgr/secure-ios-app-dev
86	CIA那个用NSUnarchiver过沙盒的0day被beer挖出来了，还随手挖了修了一堆 IPC 过沙盒的洞	https://bugs.chromium.org/p/project-zero/issues/detail?id=1168&can=1&q=owner%3Aianbeer%20modified-after%3A2017%2F5%2F22
87	近期几款色情 App 开始大量在 Android 和 iOS 平台上传播，他们甚至找到了上架 Apple App Store 的方式	http://blog.trendmicro.com/trendlabs-security-intelligence/pua-operation-spreads-thousands-explicit-apps-wild-legitimate-app-stores/
88	两款用来破解 MacOS Keychain 的工具： KeychainCracker,chainbreaker	KeychainCracker： https://github.com/macmade/KeychainCracker chainbreaker： https://github.com/n0fate/chainbreaker
89	joker：使用joker抽取iOS 11的kernelcache	http://newosxbook.com/tools/joker.html
90	“捡到一个亿”系列：盘古Janus原型：云舒幻盾原型：伸缩性规模化分布式全自动蠕虫木马代码定位检测系统暨入侵预警与防御系统原型机白皮书	http://lockheedmartin.com/content/dam/lockheed/data/isgs/documents/LaikaBOSS%20Whitepaper.pdf Github地址：https://github.com/lmco/laikaboss
91	安全从业者的瑞士军刀——样本模块匹配搜索引擎	https://virustotal.github.io/yara/
92	libimobiledevice，用来操纵iOS设备的跨平台本地协议库和工具库	http://www.libimobiledevice.org/
93	【大数据】工具分享：全自动YARA规则生成器：如何从病毒木马大数据样本中批量提取字符串指纹	https://github.com/Neo23x0/yarGen 范例：https://www.bsk-consulting.de/2015/02/16/write-simple-sound-yara-rules/ 、https://www.bsk-consulting.de/2015/10/17/how-to-write-simple-but-sound-yara-rules-part-2/、https://www.bsk-consulting.de/2016/04/15/how-to-write-simple-but-sound-yara-rules-part-3/
94	macOS内核调试指南：Introduction to macOS Kernel Debugging	http://lightbulbone.com/2016/10/04/intro-to-macos-kernel-debugging.html
95	逆向macOS内核扩展模块“DSMOS”：Reversing a macOS Kernel Extension	http://lightbulbone.com/2016/10/11/dsmos-kext.html
96	栈反转技术简介和示例：Stack Pivoting	http://neilscomputerblog.blogspot.tw/2012/06/stack-pivoting.html
97	APT团队海莲花出新品啦——全新设计的高级macOS后门软体套件！The New and Improved macOS Backdoor from OceanLotus	https://researchcenter.paloaltonetworks.com/2017/06/unit42-new-improved-macos-backdoor-oceanlotus/
98	如何在 macOS 中监控指定应用的 HTTPS 流量	Monitoring HTTPS Traffic of a Single App on OSX/
99	macOS软件沙盒工具，监控所有文件和进程	filewatcher-a simple auditing utility for macOS/
100	谷歌推出的ssl流量记录器：解密并且记录进程的所有SSL流量信息	ssl_logger_byGoogle_Github
101	iOS_App二进制文件逆向指南	ObjC篇:Reading iOS app binary files Swift篇:Reading iOS app binary files. Part 2: Swift
102	【Frida系列】Frida全局方法论和入门实例	Unlocking secrets of proprietary software using Frida备用链接
103	macOS和iOS的位置信息数据库dump下来	Dump the contents of the location database files on iOS and macOS.
104	【Frida系列】使用Frida从TeamViewer的内存中提取出密码	Extract password from TeamViewer memory using Frida
105	【IDA系列】IDA 6.95最新进展：使用UTF-8从头开始构建并支持iOS源码级调试及直接调试dyld_shared_cache中的dylib	News about the x64 edition
106	【iOS内核漏洞讲解系列】树人哥讲解影响iOS5、6、7、8三年之久的setattrlist()漏洞	setattrlist() iOS Kernel Vulnerability Explained
107	【IDA系列】IDA Pro 6.8 for mac破解版上手指南	文件在雪花群群文件里下载
108	【IDA系列】IDA伴侣——FRIEND	Flexible Register/Instruction Extender aNd Documentation
109	【IDA系列】使用IDA Python插件加速分析集成系统固件镜像	the life-changing magic of ida python embedded device edition IDAPython Embedded Toolkit
110	【iOS App安全】App逆向研究的方法	RECON-BRX-2017-Analysing_ios_Apps
111	【radare2系列】给r2加上可视化支持	Bubble Struggle - Call Graph Visualization with Radare2
112	【IDA系列】导出IDA的调试信息	Exporting IDA Debug Information - Adam Schwalm
113	开源的macOS系统进程信息查看工具	Proc Info is a open-source, user-mode, library for macOS
114	【Git进阶】Git天梯图	Git Cheat Sheet: Useful Commands, Tips and Tricks
115	从keychain为犯罪者进行“画像”	Breaking into the iCloud Keychain
116	macOS High Sierra的'Secure Kernel Extension Loading'瓦特了	High Sierra's 'Secure Kernel Extension Loading' is Broken
117	“盲”逆向：iOS 应用 Blind 寻踪	"BLIND" Reversing - A Look At The Blind iOS App 、https://paper.seebug.org/440/
118	给iOS添加根证书太简单了！	Too Easy – Adding Root CA’s to iOS Devices
119	在10.12 macOS Sierra上编译XNU内核	Building the XNU kernel on Mac OS X Sierra (10.12.X)
120	一步一步编译iOS的内核——arm64版本的XNU	steps to build arm64 version of xnu-4570.1.46
121	CVE-2017-5123爆破指南writeup	Exploiting CVE-2017-5123 视频地址
122	为什么root和空密码可以进系统？	Why Gets You Root
123	iOS11安全与隐私保护完整指南	iOS 11: A Complete Guide to iOS Security and Privacy](https://www.intego.com/mac-security-blog/ios-11-a-complete-guide-to-ios-security-and-privacy/)
124	【IDA插件体验】IDALazy！	Make your IDA Lazy!
125	【IDA插件体验】IDA代码覆盖率测试工具	Lighthouse - Code Coverage Explorer for IDA Pro