首页
社区
课程
招聘
[原创]frida 配置iOS系统WiFi和代理
发表于: 2022-11-10 15:11 38330

[原创]frida 配置iOS系统WiFi和代理

2022-11-10 15:11
38330

#iOS #frida #WiFi #proxy #系统相关

最近研究一个App时顺便研究了下如何给iOS系统WiFi挂代理,并将相关功能整理成函数,方便调试时使用。

需要注意的是,可以使用 frida 注入到 SpringBoard 进程内,并且要确保 WiFiKit.framework 已经装入,以下是测试代码:

frida 命令

全文完

function toggleAirplaneMode(mode) {
    var p = ObjC.classes.RadiosPreferences.alloc().init();
    p.setAirplaneMode_(mode)
    p.synchronize()
    p.release();
}
function toggleAirplaneMode(mode) {
    var p = ObjC.classes.RadiosPreferences.alloc().init();
    p.setAirplaneMode_(mode)
    p.synchronize()
    p.release();
}
function toggleWifiMode(mode) {
    var wfc = ObjC.classes.WFClient.sharedInstance();
    wfc.setPowered_(mode);
}
function toggleWifiMode(mode) {
    var wfc = ObjC.classes.WFClient.sharedInstance();
    wfc.setPowered_(mode);
}
function readWifiPasswords() {
    var knownNet = ObjC.classes.WFKnownNetworkStore.sharedInstance();
    var nets = knownNet.knownNetworks();
    var objs = nets.allObjects();
    var count = objs.count();
 
    var result = []
    for (var n = 0; n < count; n++) {
        var networkProfile = objs.objectAtIndex_(n);
 
        result.push(
            {
                HS20AccountName: networkProfile.HS20AccountName(),
                HS20Badge: networkProfile.HS20Badge(),
                isHS20Network: networkProfile.isHS20Network(),
                isHS20NetworkProvisioned: networkProfile.isHS20NetworkProvisioned(),
                TLSIdentity: networkProfile.TLSIdentity()+'',
                addedDate: networkProfile.addedDate()+'',
                adhoc: networkProfile.isAdhoc(),
                autoJoinEnabled: networkProfile.isAutoJoinEnabled(),
                autoLoginEnabled: networkProfile.isAutoLoginEnabled(),
                bssid: networkProfile.bssid()+'',
                canExposeIMSI: networkProfile.canExposeIMSI(),
                captive: networkProfile.isCaptive(),
                carPlay: networkProfile.isCarPlay(),
                carPlayType: networkProfile.carPlayType(),
                carPlayUUID: networkProfile.carPlayUUID(),
                carrierBased: networkProfile.isCarrierBased(),
                certificateChain: networkProfile.certificateChain(),
                enterpriseProfile: networkProfile.enterpriseProfile(),
                fetchedPassword: networkProfile.fetchedPassword(),
                hidden: networkProfile.isHidden(),
                lastAutoJoinDate: networkProfile.lastAutoJoinDate()+'',
                managed: networkProfile.isManaged(),
                originatorBundleIdentifier: networkProfile.originatorBundleIdentifier(),
                password: networkProfile.password()+'',
                policyUUID: networkProfile.policyUUID(),
                previousPassword: networkProfile.previousPassword(),
                requiresPassword: networkProfile.requiresPassword(),
                scanAttributes: valueOf(networkProfile.scanAttributes()),
                securityMode: networkProfile.securityMode()+'',
                ssid: networkProfile.ssid()+'',
                username: networkProfile.username()+''
            }
        );
    }
    return result;
 
}
function readWifiPasswords() {
    var knownNet = ObjC.classes.WFKnownNetworkStore.sharedInstance();
    var nets = knownNet.knownNetworks();
    var objs = nets.allObjects();
    var count = objs.count();
 
    var result = []
    for (var n = 0; n < count; n++) {
        var networkProfile = objs.objectAtIndex_(n);
 
        result.push(
            {
                HS20AccountName: networkProfile.HS20AccountName(),
                HS20Badge: networkProfile.HS20Badge(),
                isHS20Network: networkProfile.isHS20Network(),
                isHS20NetworkProvisioned: networkProfile.isHS20NetworkProvisioned(),
                TLSIdentity: networkProfile.TLSIdentity()+'',
                addedDate: networkProfile.addedDate()+'',
                adhoc: networkProfile.isAdhoc(),
                autoJoinEnabled: networkProfile.isAutoJoinEnabled(),
                autoLoginEnabled: networkProfile.isAutoLoginEnabled(),
                bssid: networkProfile.bssid()+'',
                canExposeIMSI: networkProfile.canExposeIMSI(),
                captive: networkProfile.isCaptive(),
                carPlay: networkProfile.isCarPlay(),
                carPlayType: networkProfile.carPlayType(),
                carPlayUUID: networkProfile.carPlayUUID(),
                carrierBased: networkProfile.isCarrierBased(),
                certificateChain: networkProfile.certificateChain(),
                enterpriseProfile: networkProfile.enterpriseProfile(),
                fetchedPassword: networkProfile.fetchedPassword(),
                hidden: networkProfile.isHidden(),
                lastAutoJoinDate: networkProfile.lastAutoJoinDate()+'',
                managed: networkProfile.isManaged(),
                originatorBundleIdentifier: networkProfile.originatorBundleIdentifier(),
                password: networkProfile.password()+'',
                policyUUID: networkProfile.policyUUID(),
                previousPassword: networkProfile.previousPassword(),
                requiresPassword: networkProfile.requiresPassword(),
                scanAttributes: valueOf(networkProfile.scanAttributes()),
                securityMode: networkProfile.securityMode()+'',
                ssid: networkProfile.ssid()+'',
                username: networkProfile.username()+''
            }
        );
    }
    return result;
 
}
function currentWifiSSID() {
    return currentNetwork().ssid();
}
function currentWifiSSID() {
    return currentNetwork().ssid();
}
function currentNetwork() {
    return ObjC.classes.WFClient.sharedInstance().interface().currentNetwork();
}
function currentNetwork() {
    return ObjC.classes.WFClient.sharedInstance().interface().currentNetwork();
}
function readWifiSettings(_ssid) {
    //读取配置
    var WFGetSettingsOperation = ObjC.classes.WFGetSettingsOperation.alloc();
    //10684 ms  -[WFGetSettingsOperation initWithSSID:xxxWiFiSSID]
    var wfGetSet = WFGetSettingsOperation.initWithSSID_(_ssid);
    /* TID 0x23c2f */
    //10732 ms  -[WFGetSettingsOperation start]
    wfGetSet.start();
    //10737 ms     | -[WFGetSettingsOperation ssid]
    //10740 ms     | -[WFGetSettingsOperation keychainQueue]
    /* TID 0x303 */
    //10759 ms  -[WFGetSettingsOperation settings]
    //10759 ms  -[WFGetSettingsOperation dealloc]
    //10759 ms     | -[WFGetSettingsOperation .cxx_destruct]
    console.log('WIFI-SSID', wfGetSet.ssid());
    console.log('keychainQueue', wfGetSet.keychainQueue());
    var settings = wfGetSet.settings();
    return settings;//__NSArrayM
}
function readWifiSettings(_ssid) {
    //读取配置
    var WFGetSettingsOperation = ObjC.classes.WFGetSettingsOperation.alloc();
    //10684 ms  -[WFGetSettingsOperation initWithSSID:xxxWiFiSSID]
    var wfGetSet = WFGetSettingsOperation.initWithSSID_(_ssid);
    /* TID 0x23c2f */
    //10732 ms  -[WFGetSettingsOperation start]
    wfGetSet.start();
    //10737 ms     | -[WFGetSettingsOperation ssid]
    //10740 ms     | -[WFGetSettingsOperation keychainQueue]
    /* TID 0x303 */
    //10759 ms  -[WFGetSettingsOperation settings]
    //10759 ms  -[WFGetSettingsOperation dealloc]
    //10759 ms     | -[WFGetSettingsOperation .cxx_destruct]
    console.log('WIFI-SSID', wfGetSet.ssid());
    console.log('keychainQueue', wfGetSet.keychainQueue());

[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)

最后于 2022-11-11 23:47 被chinasf编辑 ,原因:
收藏
免费 3
支持
分享
最新回复 (2)
雪    币:
能力值: ( LV1,RANK:0 )
在线值:
发帖
回帖
粉丝
2
git 有吗
2024-7-11 11:27
0
雪    币: 469
活跃值: (386)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
3
mb_nzzjxwdx git 有吗
这个小脚本没放git..
2024-7-12 09:37
0
游客
登录 | 注册 方可回帖
返回
//