From ebd920e9458e2d6b61674b9200a1369e88f7058c Mon Sep 17 00:00:00 2001
From: Corey Gagnon
Date: Mon, 22 Feb 2021 04:05:22 -0500
Subject: [PATCH] Simplify ios monitor command. (#440)

* monitor CommonCrypto in real time
* typo
* improve output when job already registered
* fixed unpad
* attempt to convert dataOut to ascii on decrypt
* fixed output in CCCryptorUpdate
* cleaning up style with tslint
* removed dead code
* simplified `monitor` command for crypto
* removed duplicate helpfile
* renamed helpfile to work with new command
* renamed helpfile to work with new crypto monitor command
Co-authored-by: Corey Gagnon
---
 agent/src/ios/crypto.ts | 8 --------
 agent/src/rpc/ios.ts | 1 -
 objection/commands/ios/monitor.py | 13 -------------
 objection/console/commands.py | 15 ++------------
 ....crypto.monitor.txt => ios.monitor.crypto.txt} | 0
 5 files changed, 2 insertions(+), 35 deletions(-)
 rename objection/console/helpfiles/{ios.monitor.crypto.monitor.txt => ios.monitor.crypto.txt} (100%)

diff --git a/agent/src/ios/crypto.ts b/agent/src/ios/crypto.ts
index 7a0334c6..59d03512 100644
--- a/agent/src/ios/crypto.ts
+++ b/agent/src/ios/crypto.ts
@@ -323,14 +323,6 @@ export namespace ioscrypto {
     });
   };
 
-  export const disable = (): void => {
-    // if we already have a job registered then kill it
-    if (jobs.hasIdent(cryptoidentifier)) {
-      send(c.red(`Killing `) + `${cryptoidentifier}`);
-      jobs.kill(cryptoidentifier);
-    }
-  };
-
   export const monitor = (): void => {
     // if we already have a job registered then return
     if (jobs.hasIdent(cryptoidentifier)) {
diff --git a/agent/src/rpc/ios.ts b/agent/src/rpc/ios.ts
index 0b20ca22..376c2acd 100644
--- a/agent/src/rpc/ios.ts
+++ b/agent/src/rpc/ios.ts
@@ -61,7 +61,6 @@ export const ios = {
     hooking.watchMethod(selector, dargs, dbt, dret),
 
   // ios crypto monitoring
-  iosMonitorCryptoDisable: (): void => ioscrypto.disable(),
   iosMonitorCryptoEnable: (): void => ioscrypto.monitor(),
 
   // jailbreak detection
diff --git a/objection/commands/ios/monitor.py b/objection/commands/ios/monitor.py
index 380c2ab0..b6971f28 100644
--- a/objection/commands/ios/monitor.py
+++ b/objection/commands/ios/monitor.py
@@ -1,18 +1,5 @@
 from objection.state.connection import state_connection
 
-
-def crypto_disable(args: list = None) -> None:
-    """
-    Attempts to disable ios crypto monitoring.
-
-    :param args:
-    :return:
-    """
-
-    api = state_connection.get_api()
-    api.ios_monitor_crypto_disable()
-
-
 def crypto_enable(args: list = None) -> None:
     """
     Attempts to enable ios crypto monitoring.
diff --git a/objection/console/commands.py b/objection/console/commands.py
index 98d93fc7..f5fbbbba 100644
--- a/objection/console/commands.py
+++ b/objection/console/commands.py
@@ -757,22 +757,11 @@
                 'meta': 'Commands to work with ios function monitoring',
                 'commands': {
                     'crypto': {
-                        'meta': 'Hooks for working with monitoring iOS CommonCrypto usage',
-                        'commands': {
-                            'disable': {
-                                'meta': 'Disable CommonCrypto monitor',
-                                'exec': ios_crypto.crypto_disable
-                            },
-                            'monitor': {
-                                'meta': 'Monitor CommonCrypto operations',
-                                'exec': ios_crypto.crypto_enable
-                            }
-
-                        }
+                        'meta': 'Monitor CommonCrypto operations',
+                        'exec': ios_crypto.crypto_enable
                     }
                 },
             },
-
         }
     },
 
diff --git a/objection/console/helpfiles/ios.monitor.crypto.monitor.txt b/objection/console/helpfiles/ios.monitor.crypto.txt
similarity index 100%
rename from objection/console/helpfiles/ios.monitor.crypto.monitor.txt
rename to objection/console/helpfiles/ios.monitor.crypto.txt
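Review bot: Wiring `'crypto'` straight to `ios_crypto.crypto_enable` leaves the user with no command-level way to detach the CommonCrypto hooks, because this commit also drops `crypto_disable`, the `iosMonitorCryptoDisable` RPC and `ioscrypto.disable`, while the agent-side `jobs.hasIdent(cryptoidentifier)` guard in the remaining context makes a second `ios monitor crypto` a no-op rather than a toggle. The commit message says the hook now prints `dataOut` on decrypt, so once enabled the monitor keeps writing decrypted buffer contents into the session until that job is killed through whatever job-management command the console offers, which I cannot see from this hunk. At minimum the new meta string and the renamed helpfile should state that, e.g. `'meta': 'Monitor CommonCrypto operations (stays active, logging decrypted data, until the job is killed)'`. The enclosing command tree starts and ends outside this hunk.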