Source:https://blog.netspi.com/ios-tutorial-dumping-the-application-heap-from-memory/

An essential part of pentesting iOS applications is analyzing the runtime of the application. In this blog, I will be covering how to dump the heap from an iOS application. I will also be releasing a little script to run on the iOS device to dump the heap of a specified application for you.

You can download the script from the NetSPI Git Hub. The script basically wraps around GDB, but only dumps the ranges in memory that have “sub-regions”. These sub-regions are usually where I find active credentials, anything that is currently being used in the UI, or instantiated class properties. This technique currently only works for IOS 7 and lower or until there is a working GDB version for IOS 8. You also cannot use the version GDB from the default Cydia repositories. You have to use the fixed version in this repository here: “http://cydia.radare.org” or here is a direct link to the deb package: “http://cydia.radare.org/debs/gdb_1708_iphoneos-arm.deb“. Below are a few screenshots of the process, and how the script works.

First, we launch the application that we want to capture the heap for and log in.

After we log into the app, we will keep it at the first main screen which in this case is the user’s timeline.

Now we will SSH into the device, so that we can leave the application running without the app being put in the background by iOS.

Above is the output that the script provides during runtime. Here we are giving the binary name that we want the script to dump.

Above are all the .dmp files that we can now start searching through for the credentials or any other sensitive data. You can usually find encryption keys or passwords from any instantiated classes that use encryption or contain the login process. I personally use a combination of the “strings” command and “xxd” as a hex dumper but you can use any hex editor that works for you.

This technique can be used to determine if the application is not removing sensitive information from memory once the instantiated classes are done with the data. All applications should deallocate spaces in memory that deal with classes and methods that were used to handle sensitive information, otherwise you run the risk of the information sitting available in memory for an attacker to see.

I’ve included the GDB commands that are used in the script:

  • info mach-regions (look for sub-regions)
  • dump binary memory heap1.dmp <sub-region range from above>

Tags: GDBHeapiOSMemory

 

 

[转]iOS Tutorial – Dumping the Application Heap from Memory的更多相关文章

  1. [转]iOS Tutorial – Dumping the Application Memory Part 2

    Source:https://blog.netspi.com/ios-tutorial-dumping-the-application-memory-part-2/ In my previous bl ...

  2. 内存错误:CRT detected that the application wrote to memory after end of heap buffer

    今天调试测试代码时,发现在用完了new出来的内存buf后,在执行delete时报错了,具体信息为: HEAP_CORRUPTION_DETECTED: after Normal block(#908) ...

  3. C语言错误: CRT detected that the application wrote to memory after end of heap buffer

    CRT detected that the application wrote to memory after end of heap buffer 多是中间对其进行了一些操作,在程序结束处,释放内存 ...

  4. ios学习路线—Objective-C(堆(heap)和栈(stack))

    Objective-C的对象在内存中是以堆的方式分配空间的,并且堆内存是由你释放的,即release 栈由编译器管理自动释放的,在方法中(函数体)定义的变量通常是在栈内,因此如果你的变量要跨函数的话就 ...

  5. Android 性能优化(23)*性能工具之「Heap Viewer, Memory Monitor, Allocation Tracker」Memory Profilers

    Memory Profilers In this document Memory Monitor Heap Viewer Allocation Tracker You should also read ...

  6. ios 10 sticker pack application

    看了WWDC2016直播,我们发现变得谨慎而开放的苹果在新一版四大平台系统中展示了很多变化,当然重中之重还是伟大的iOS.通过试用iOS10beta版,除了长大了的更强大的Siri主要感受到iMess ...

  7. CRT detected that the application wrote to memory after end of heap buffer.

    很多人的解释都不一样,  我碰到的问题是,开辟的内存空间小于操作的内存空间.也就是说,我free的内存越界了. 这是我开辟链表结构体内存的代码: PNODE Create() { int len; / ...

  8. [vs执行报错] CRT detected that the application wrote to memory after end of heap buffer

    CRT 是c/c++ run-time lib , 是程序执行时所需的核心库. 这个错误是由于以对内在操作的过程中.所写的地址超出了.所分配内在的边界 有个建议是: 1.内存申请多少释放多少,释放掉你 ...

  9. 【iOS】No suitable application records found

    昨天提交 Apple 审核时遇到这个问题,如图: 原来是还没在 iTunes Connect 创建 APP ... 一时着急大意了…… 后来想想还真是脑子一时没反应过来……

随机推荐

  1. Poj 3517 And Then There Was One Joseph核心问题

    基本上纯Joseph核心问题,只是第一步多一件.m. 然后你就可以用获得的递推公式: Win(n) 代表n当个人的中奖号码, 然后,Win(n)必须相等Win(n-1).当一个人将在下一次删除队列. ...

  2. Windows移动开发(一)——登堂入室

    開始本博客之前先分享一个自己的好消息吧,2014年3月31日起,正式就职于北京****集团Win8project师.主要负责将IOS和Android应用移植到Win8.1平板上,目标客户是银行,闲话不 ...

  3. 运行时间(Java版本)—转换毫秒到时分秒日期

    第一种方式: import java.util.Calendar; import java.util.TimeZone; public class Test { /** * 将毫秒转换为年月日时分秒 ...

  4. iOS设备per app vpn,什么是什么系统的要求,必须?

    坑爹Apple网站信息MDM厂商资料,最有发言权iOS 7.x设备支持per app vpn该,但它没有说明是什么系统要求环保要求. 1. iOS 7.x 设备.当然 2. iOS 7.x 需要设备M ...

  5. 内置在虚拟机上64位操作系统:该主机支持 Intel VT-x,但 Intel VT-x 残

    VT-Virtual Technology. 在这里特别说一下:虚拟64位操作系统,须要特别在BIOS中打开VT支持.怎样提示:此主机不支持Intel VT-x,则不可能虚拟出64位系统. 当提示:此 ...

  6. javascript系列之核心知识点(二)

    变量对象       变量对象是一个与执行上下文相关联的容器.它是一个和上下文密切结合的特殊对象,含有定义在上下文中的变量和函数声明.注意,函数表达式(和函数声明不同的)不包含在变量对象中. 变量对象 ...

  7. [kmp+dp] hdu 4628 Pieces

    题目链接: http://acm.hdu.edu.cn/showproblem.php?pid=4622 Reincarnation Time Limit: 6000/3000 MS (Java/Ot ...

  8. C#随机双色球

    using System; using System.Collections.Generic; namespace ConsoleApplicationRandnumber { class Progr ...

  9. Fckeditor用法

    试Fckeditor版本号:2.6.3 眼下Fckeditor仅仅能用于基于ie内核的浏览器,假设要使用于chrome等浏览器,请使用ckeditor. 详细用法: 1.将解压后的fckeditor整 ...

  10. $.each()遍历Json对象

    1.遍历JavaScript数组对象: var json = [ //中括号起始 {"id":"1","tagName":"app ...