1

I am currently doing some research on techniques about hooking mobile applications and came across some frameworks like Xposed (Android), Frida (Android and iOS) and Cycript (iOS).

The documentation about Xposed and Frida is fairly good explaining how exactly they are doing it. Xposed states to manipulate the binary starting the Zygote process and loading an additional JAR file that assists in hooking the methods. Frida documentation explains that it uses ptrace (in Linux environments) to attach to a process, allocating and populating a bootstrapper that loads a thread to launch a .so file containing the frida agent, in a nutshell, if I understood it correctly.

I couldn't find useful documentation about the strategy that Cycript pursues. I know that it is built on top of Cydia Substrate that does the actual hooking. I couldn't find details about how exactly Substrate accomplishes this either.

I further understand that on iOS the objective-c runtime enables runtime manipulation as it is runtime-oriented.

Does anybody know how exactly Cycript / Cydia Substrate works to hook/inject into applications?

Thanks in advance.

Phoebus
  • 121
  • 4

2 Answers2

1

It figured out that is apparently working by adding the DYLD_INSERT_LIBRARIES into the program's launchd manifest and thereby every time the application is started it loads the malicious payload by loading the dynamic library.

Still, are there other techniques how to perform runtime hooking / manipulations on Android and iOS?

Phoebus
  • 121
  • 4
0

Cycript uses cynject in mobile substrate https://git.saurik.com/cycript.git/blob/HEAD:/Inject.cpp

Cynject uses the mach task port to inject and create a thread in the target process: https://github.com/rweichler/substrate/blob/master/DarwinInjector.cpp

mach_port_t self(mach_task_self()), task;
_krncall(task_for_pid(self, pid, &task));