-
Notifications
You must be signed in to change notification settings - Fork 32
/
ios-keychain-monitor.js
88 lines (81 loc) · 1.99 KB
/
ios-keychain-monitor.js
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
/*
Description: IOS Keychain Observer
Usage: frida -U -f XXX -l ios-keychain-monitor.js
Credit: as0ler
*/
var className = "Security";
var hookMethods = ["SecItemAdd", "SecItemUpdate", "SecItemDelete"];
for (index = 0; index < hookMethods.length; index++)
{
var methodName = hookMethods[index];
var ptr = null;
Module.enumerateExports(className,
{
onMatch: function(imp)
{
if (imp.type == "function" && imp.name == methodName)
{
send("Found target method : " + methodName);
try
{
Interceptor.attach(ptr(imp.address),
{
onEnter: function(args)
{
send("[+] Keychain operation: " + imp.name);
var params = ObjC.Object(args[0]); // CFDictionaryRef => NSDictionary
var keys = params.allKeys();
for (index = 0; index < keys.count(); index++)
{
var k = keys.objectAtIndex_(index);
var v = params.objectForKey_(k);
if (k == "v_Data")
{
var string = ObjC.classes.NSString.alloc();
v = string.initWithData_encoding_(v,4).toString();
}
if (k == "pdmn")
{
if (v == "ak")
{
v = "kSecAttrAccessibleWhenUnlocked";
}
else if (v == "ck")
{
v = "kSecAttrAccessibleAfterFirstUnlock";
}
else if (v == "dk")
{
v = "kSecAttrAccessibleAlways";
}
else if (v == "aku")
{
v = "kSecAttrAccessibleWhenUnlockedThisDeviceOnly"
}
else if (v == "cku")
{
v = "kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly";
}
else
{
// v == dku
v = "kSecAttrAccessibleAlwaysThisDeviceOnly";
}
}
send("\t- " + k + "=" + v);
}
}
});
}
catch (error)
{
console.log("Ignoring " + imp.name + ": " + error.message);
}
}
},
onComplete: function (e)
{
send("All methods loaded");
}
});
}