Source:https://blog.netspi.com/ios-tutorial-dumping-the-application-heap-from-memory/

An essential part of pentesting iOS applications is analyzing the application at runtime. In this post I cover how to dump the heap of a running iOS application, and I am also releasing a small script that runs on the iOS device and dumps the heap of a specified application for you.

You can download the script from the NetSPI GitHub. The script wraps GDB and only dumps the memory ranges that GDB reports as having "sub-regions". Those sub-regions are usually where I find active credentials, anything currently displayed in the UI, and instantiated class properties. This technique currently only works on iOS 7 and lower, until there is a working GDB build for iOS 8. You also cannot use the GDB from the default Cydia repositories; you have to use the fixed build from this repository: "http://cydia.radare.org", or this direct link to the deb package: "http://cydia.radare.org/debs/gdb_1708_iphoneos-arm.deb". Below are a few screenshots of the process and of how the script works.

First, we launch the application whose heap we want to capture and log in.

After logging into the app, we leave it on its first main screen, which in this case is the user's timeline.

Now we SSH into the device, so that the application keeps running in the foreground and is not sent to the background by iOS (a backgrounded app may be suspended or have its memory reclaimed, which is not the state we want to capture).

Above is the output the script produces while it runs. Here we give it the name of the binary we want to dump.

Above are all the .dmp files that we can now search for credentials or other sensitive data. You can usually find encryption keys or passwords inside instantiated classes that perform encryption or handle the login process. I personally use a combination of the "strings" command and "xxd" as a hex dumper, but any hex editor you are comfortable with will work.

This technique can be used to determine whether the application clears sensitive information from memory once the instantiated classes are done with the data. Any class or method that handles sensitive information should release that memory when it is no longer needed; otherwise you run the risk of the information sitting in memory for an attacker to read. Note that releasing memory alone is not enough: freed heap memory is not zeroed, so the contents stay readable until the allocator reuses them. To actually remove a secret, overwrite the buffer (for example with memset) before it is freed, which in practice means keeping secrets in mutable buffers rather than immutable objects like NSString that cannot be wiped in place.

I've included the GDB commands that the script uses:

  • info mach-regions (look for regions marked with sub-regions)
  • dump binary memory heap1.dmp <start address> <end address> (taken from the region range above)
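As an added example that is not NetSPI's released script, the following shell functions re-create the two steps above: parse the "info mach-regions" listing for regions that have sub-regions, generate a "dump binary memory" command for each, run them through GDB in batch mode, and then grep the resulting dumps for a string. It assumes Apple's GDB (the cydia.radare.org build) is on the PATH as "gdb", that the device has a POSIX sh, awk, tr, grep and sed, and that "info mach-regions" prints lines of the form "Region from 0xSTART to 0xEND (...) (N sub-regions)"; the region listing embedded in the block is constructed sample output for offline testing, not a capture from a device.

```shell
#!/bin/sh
# Added example: minimal re-creation of the "dump only regions with sub-regions"
# workflow. Not NetSPI's script; the 'info mach-regions' line format below is
# an assumption about Apple's GDB output.

# Constructed sample of 'info mach-regions' output (not a real capture), used
# for offline testing of the parser.
SAMPLE_REGIONS='Region from 0x100000000 to 0x100004000 (r-x, max r-x; copy, private, not-reserved)
Region from 0x100004000 to 0x100008000 (rw-, max rw-; copy, private, not-reserved) (2 sub-regions)
   ... from 0x100004000 to 0x100006000 (rw-, max rw-; copy, private, not-reserved)
   ... from 0x100006000 to 0x100008000 (rw-, max rw-; copy, private, not-reserved)
Region from 0x16fd00000 to 0x16fe00000 (rw-, max rw-; copy, private, not-reserved) (1 sub-regions)
   ... from 0x16fd00000 to 0x16fe00000 (rw-, max rw-; copy, private, not-reserved)'

# gen_dump_commands: read an 'info mach-regions' listing on stdin and emit one
# 'dump binary memory heapN.dmp START END' line per top-level region that is
# marked with sub-regions. Regions without sub-regions are skipped, as in the post.
# Fields of a region line: $1=Region $2=from $3=START $4=to $5=END ...
gen_dump_commands() {
    awk '/^Region from / && /sub-regions/ {
        n++
        printf "dump binary memory heap%d.dmp %s %s\n", n, $3, $5
    }'
}

# dump_heap PID: attach twice with GDB in batch mode, once to list the regions
# and once to run the generated dump commands. Run this on the device over SSH
# while the target app is in the foreground. Writes heap*.dmp to the cwd.
dump_heap() {
    pid="$1"
    printf 'attach %s\ninfo mach-regions\ndetach\nquit\n' "$pid" > regions.gdb
    gdb -q -batch -x regions.gdb > regions.txt 2>/dev/null
    {
        printf 'attach %s\n' "$pid"
        gen_dump_commands < regions.txt
        printf 'detach\nquit\n'
    } > dump.gdb
    gdb -q -batch -x dump.gdb >/dev/null 2>&1
    ls heap*.dmp
}

# search_dumps PATTERN FILE...: strings(1)-style scan of the dump files for
# PATTERN, printing "file: match" for every printable run of 6+ bytes that
# contains it. Uses tr so it works even where binutils' strings is missing.
search_dumps() {
    pat="$1"; shift
    for f in "$@"; do
        LC_ALL=C tr -c '[:print:]' '\n' < "$f" | grep -E '.{6,}' | grep -- "$pat" | sed "s|^|$f: |"
    done
}

# Usage on the device (find the PID of the target with ps first):
#   dump_heap 1234
#   search_dumps 'password' heap*.dmp
```

Two passes are used because the dump commands depend on the region listing, and writing them to a command file run with "-x" avoids depending on GDB's "-ex" option being present in this build. The search function is only a first pass; follow it up with xxd on the offsets that look interesting, since keys and binary tokens will not show up as printable strings.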

Tags: GDB, Heap, iOS, Memory
