I have long wished for a file monitoring tool on iOS that watches an app's file operations; for reverse engineering it saves a great deal of effort. fsmon is an open-source file monitor that supports iOS, macOS, Android, Linux and FirefoxOS. The source is available at: https://github.com/nowsecure/fsmon
Taking iOS as the example, after downloading the source you can build it with make:
```
make ios
```
A successful build produces the fsmon-ios executable. Upload it to the phone and run fsmon-ios -help to see the usage:
```
R:/ root# ./fsmon-ios -help
Usage: ./fsmon-ios [-Jjc] [-a sec] [-b dir] [-B name] [-p pid] [-P proc] [path]
 -a [sec]   stop monitoring after N seconds (alarm)
 -b [dir]   backup files to DIR folder (EXPERIMENTAL)
 -B [name]  specify an alternative backend
 -c         follow children of -p PID
 -f         show only filename (no path)
 -h         show this help
 -j         output in JSON format
 -J         output in JSON stream format
 -L         list all filemonitor backends
 -p [pid]   only show events from this pid
 -P [proc]  events only from process name
 -v         show version
 [path]     only get events from this path
```
For example, to monitor WeChat's file operations, run fsmon-ios -P WeChat and then open WeChat. Its file activity is captured from that point on; creates, deletes, modifications and similar operations are all reported. The output looks like this:
```
./fsmon-ios -P WeChat
FSE_CREATE_FILE 13040 "WeChat" /private/var/mobile/Containers/Data/Application/D536D8F6-E7E6-4F13-8DAF-D649D72DEA68/Documents/MemoryStat/.dat.nosync32f0.FJvSp2
FSE_CONTENT_MODIFIED 13040 "WeChat" /private/var/mobile/Containers/Data/Application/D536D8F6-E7E6-4F13-8DAF-D649D72DEA68/Documents/MemoryStat/.dat.nosync32f0.FJvSp2
FSE_CREATE_FILE 13040 "WeChat" /private/var/mobile/Containers/Data/Application/D536D8F6-E7E6-4F13-8DAF-D649D72DEA68/Documents/MemoryStat/.dat.nosync32f0.FJvSp2
FSE_CHOWN 13040 "WeChat" /private/var/mobile/Containers/Data/Application/D536D8F6-E7E6-4F13-8DAF-D649D72DEA68/Documents/MemoryStat/StackLogger.dat
FSE_STAT_CHANGED 13040 "WeChat" /private/var/mobile/Containers/Data/Application/D536D8F6-E7E6-4F13-8DAF-D649D72DEA68/Library/KSCrashReports/WeChat/Data/ConsoleLog.txt
FSE_STAT_CHANGED 13040 "WeChat" /private/var/mobile/Containers/Data/Application/D536D8F6-E7E6-4F13-8DAF-D649D72DEA68/Library/KSCrashReports/WeChat/Data/CrashState.json
FSE_CONTENT_MODIFIED 13040 "WeChat" /private/var/mobile/Containers/Data/Application/D536D8F6-E7E6-4F13-8DAF-D649D72DEA68/Library/KSCrashReports/WeChat/Data/CrashState.json
FSE_CREATE_FILE 13040 "WeChat" /private/var/mobile/Containers/Data/Application/D536D8F6-E7E6-4F13-8DAF-D649D72DEA68/Documents/.dat.nosync32f0.BONzXH
FSE_CONTENT_MODIFIED 13040 "WeChat" /private/var/mobile/Containers/Data/Application/D536D8F6-E7E6-4F13-8DAF-D649D72DEA68/Documents/.dat.nosync32f0.BONzXH
FSE_CREATE_FILE 13040 "WeChat" /private/var/mobile/Containers/Data/Application/D536D8F6-E7E6-4F13-8DAF-D649D72DEA68/Documents/.dat.nosync32f0.BONzXH
FSE_CHOWN 13040 "WeChat" /private/var/mobile/Containers/Data/Application/D536D8F6-E7E6-4F13-8DAF-D649D72DEA68/Documents/SafeMode.dat
FSE_CREATE_FILE 13040 "WeChat" /private/var/mobile/Containers/Data/Application/D536D8F6-E7E6-4F13-8DAF-D649D72DEA68/Documents/.dat.nosync32f0.ML2ehJ
FSE_CONTENT_MODIFIED 13040 "WeChat" /private/var/mobile/Containers/Data/Application/D536D8F6-E7E6-4F13-8DAF-D649D72DEA68/Documents/.dat.nosync32f0.ML2ehJ
FSE_CREATE_FILE 13040 "WeChat" /private/var/mobile/Containers/Data/Application/D536D8F6-E7E6-4F13-8DAF-D649D72DEA68/Documents/.dat.nosync32f0.ML2ehJ
FSE_CHOWN 13040 "WeChat" /private/var/mobile/Containers/Data/Application/D536D8F6-E7E6-4F13-8DAF-D649D72DEA68/Documents/SafeMode.dat
FSE_CREATE_FILE 13040 "WeChat" /private/var/mobile/Containers/Data/Application/D536D8F6-E7E6-4F13-8DAF-D649D72DEA68/Library/WechatPrivate/kvcomm/reportnow_0_369558306_1_1540286631_96_600_input.statistic
FSE_STAT_CHANGED 13040 "WeChat" /private/var/mobile/Containers/Data/Application/D536D8F6-E7E6-4F13-8DAF-D649D72DEA68/Library/WechatPrivate/kvcomm/reportnow_0_369558306_1_1540286631_96_600_input.statistic
FSE_CONTENT_MODIFIED 13040 "WeChat" /private/var/mobile/Containers/Data/Application/D536D8F6-E7E6-4F13-8DAF-D649D72DEA68/Library/WechatPrivate/kvcomm/reportnow_0_369558306_1_1540286631_96_600_input.statistic
FSE_CONTENT_MODIFIED 13040 "WeChat" /private/var/mobile/Containers/Data/Application/D536D8F6-E7E6-4F13-8DAF-D649D72DEA68/Library/WechatPrivate/kvcomm/monitordata_0_17827
FSE_DELETE 13040 "WeChat" /private/var/mobile/Containers/Data/Application/D536D8F6-E7E6-4F13-8DAF-D649D72DEA68/Library/WechatPrivate/kvcomm/monitordata_0_17827
FSE_CREATE_FILE 13040 "WeChat" /private/var/mobile/Containers/Data/Application/D536D8F6-E7E6-4F13-8DAF-D649D72DEA68/Library/WechatPrivate/kvcomm/monitordata_0_17827
FSE_STAT_CHANGED 13040 "WeChat" /private/var/mobile/Containers/Data/Application/D536D8F6-E7E6-4F13-8DAF-D649D72DEA68/Library/WechatPrivate/kvcomm/monitordata_0_17827
FSE_CONTENT_MODIFIED 13040 "WeChat" /private/var/mobile/Containers/Data/Application/D536D8F6-E7E6-4F13-8DAF-D649D72DEA68/Library/WechatPrivate/kvcomm/monitordata_0_17827
FSE_STAT_CHANGED 13040 "WeChat" /private/var/mobile/Containers/Data/Application/D536D8F6-E7E6-4F13-8DAF-D649D72DEA68/Library/WechatPrivate/host/getdns.ini
FSE_CONTENT_MODIFIED 13040 "WeChat" /private/var/mobile/Containers/Data/Application/D536D8F6-E7E6-4F13-8DAF-D649D72DEA68/Library/WechatPrivate/host/getdns.ini
FSE_STAT_CHANGED 13040 "WeChat" /private/var/mobile/Containers/Data/Application/D536D8F6-E7E6-4F13-8DAF-D649D72DEA68/Library/WechatPrivate/host/getdns.ini
FSE_CONTENT_MODIFIED 13040 "WeChat" /private/var/mobile/Containers/Data/Application/D536D8F6-E7E6-4F13-8DAF-D649D72DEA68/Library/WechatPrivate/host/getdns.ini
FSE_STAT_CHANGED 13040 "WeChat" /private/var/mobile/Containers/Data/Application/D536D8F6-E7E6-4F13-8DAF-D649D72DEA68/Documents/MMResourceMgr/resInfo.sqlite-shm
FSE_STAT_CHANGED 13040 "WeChat" /private/var/mobile/Containers/Data/Application/D536D8F6-E7E6-4F13-8DAF-D649D72DEA68/Library/WechatPrivate/host/shuzilm_16070322.getdns2
FSE_CONTENT_MODIFIED 13040 "WeChat" /private/var/mobile/Containers/Data/Application/D536D8F6-E7E6-4F13-8DAF-D649D72DEA68/Library/WechatPrivate/host/shuzilm_16070322.getdns2
FSE_STAT_CHANGED 13040 "WeChat" /private/var/mobile/Containers/Data/Application/D536D8F6-E7E6-4F13-8DAF-D649D72DEA68/Library/WechatPrivate/psk.key.
FSE_CONTENT_MODIFIED 13040 "WeChat" /private/var/mobile/Containers/Data/Application/D536D8F6-E7E6-4F13-8DAF-D649D72DEA68/Library/WechatPrivate/psk.key.
FSE_CREATE_FILE 13040 "WeChat" /private/var/mobile/Containers/Data/Application/D536D8F6-E7E6-4F13-8DAF-D649D72DEA68/Library/WechatPrivate/kvcomm/key_reportnow_0_369558306_1_1540286631_2_600_input.monitor
FSE_STAT_CHANGED 13040 "WeChat" /private/var/mobile/Containers/Data/Application/D536D8F6-E7E6-4F13-8DAF-D649D72DEA68/Library/WechatPrivate/kvcomm/key_reportnow_0_369558306_1_1540286631_2_600_input.monitor
FSE_CONTENT_MODIFIED 13040 "WeChat" /private/var/mobile/Containers/Data/Application/D536D8F6-E7E6-4F13-8DAF-D649D72DEA68/Library/WechatPrivate/kvcomm/key_reportnow_0_369558306_1_1540286631_2_600_input.monitor
FSE_CREATE_FILE 13040 "WeChat" /private/var/mobile/Containers/Data/Application/D536D8F6-E7E6-4F13-8DAF-D649D72DEA68/Documents/.dat.nosync32f0.1uQEdm
FSE_CONTENT_MODIFIED 13040 "WeChat" /private/var/mobile/Containers/Data/Application/D536D8F6-E7E6-4F13-8DAF-D649D72DEA68/Documents/.dat.nosync32f0.1uQEdm
FSE_RENAME 13040 "WeChat" /private/var/mobile/Containers/Data/Application/D536D8F6-E7E6-4F13-8DAF-D649D72DEA68/Documents/.dat.nosync32f0.1uQEdm -> /private/var/mobile/Containers/Data/Application/D536D8F6-E7E6-4F13-8DAF-D649D72DEA68/Documents/SMReport.dat
FSE_CONTENT_MODIFIED 13040 "WeChat" /private/var/mobile/Containers/Data/Application/D536D8F6-E7E6-4F13-8DAF-D649D72DEA68/Documents/SMReport.dat
FSE_DELETE 13040 "WeChat" /private/var/mobile/Containers/Data/Application/D536D8F6-E7E6-4F13-8DAF-D649D72DEA68/Documents/00000000000000000000000000000000/appsetting.dat
......
```
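A capture like the one above is easier to read once temporary files are tied to the file they end up as (the `.dat.nosync...` create, modify, rename to `SMReport.dat` sequence). The following is an added example, not code from the original post or from the fsmon project: it parses fsmon's text output format and folds each temp file's history into its rename target. The sample lines and the `APPID` container path are constructed; the `-j` JSON output is not handled here.

```python
import re
from collections import defaultdict

# Constructed sample (not the page's capture), shaped like fsmon-ios text
# output: EVENT PID "PROCESS" PATH [-> NEWPATH for renames].
# APPID stands in for the real app data-container UUID.
APP = "/private/var/mobile/Containers/Data/Application/APPID"
SAMPLE = f"""\
FSE_CREATE_FILE 13040 "WeChat" {APP}/Documents/.dat.nosync32f0.1uQEdm
FSE_CONTENT_MODIFIED 13040 "WeChat" {APP}/Documents/.dat.nosync32f0.1uQEdm
FSE_RENAME 13040 "WeChat" {APP}/Documents/.dat.nosync32f0.1uQEdm -> {APP}/Documents/SMReport.dat
FSE_CONTENT_MODIFIED 13040 "WeChat" {APP}/Documents/SMReport.dat
FSE_DELETE 13040 "WeChat" {APP}/Documents/00000000000000000000000000000000/appsetting.dat
FSE_STAT_CHANGED 13040 "WeChat" {APP}/Library/WechatPrivate/psk.key.
"""

LINE_RE = re.compile(r'^(FSE_[A-Z_]+)\s+(\d+)\s+"([^"]*)"\s+(.*)$')

def parse_line(line):
    """Split one fsmon text line into fields; None for non-event lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event, pid, proc, rest = m.groups()
    src, dst = rest, None
    if event == "FSE_RENAME" and " -> " in rest:
        src, dst = rest.split(" -> ", 1)
    return {"event": event, "pid": int(pid), "proc": proc, "path": src, "dest": dst}

def summarize(text, proc=None):
    """Per-file event history, with a temp file's events folded into the
    file it is renamed to. Apps commonly write a hidden temp file and then
    rename it over the real name, so watching only the final path misses
    the actual write."""
    alias = {}                  # temp path -> path it was renamed to
    history = defaultdict(list)
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None or (proc and ev["proc"] != proc):
            continue
        if ev["event"] == "FSE_CREATE_FILE":
            alias.pop(ev["path"], None)     # re-created temp name = new file
        key = alias.get(ev["path"], ev["path"])
        if ev["dest"]:
            history[ev["dest"]].extend(history.pop(key, []))
            history[ev["dest"]].append(ev["event"])
            alias[ev["path"]] = ev["dest"]
        else:
            history[key].append(ev["event"])
    return dict(history)
```

Feed it a saved fsmon run (`summarize(open("capture.txt").read(), proc="WeChat")`) to get one history per final file instead of a stream of temp-file noise.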