Seriously, have any iOS experts looked into whether CVE-2025-43520 from the DarkSword vulns could be used for KFD/MacDirtyCow-style file modding?
https://cloud.google.com/blog/topics/threat-intelligence/darksword-ios-exploit-chain
@zhuowei I assume this would be extremely complicated, since you can't replace executable code, and even doing something like interposing would, I assume, be very limited, since I don't think it's easy to make native code call into JavaScript by replacing a pointer.
I assume all they really do is call from JS into native code, and of course there might be some stuff you can do with that, but I don't think it's much outside of, well… what malware would want to do 😛
@opa334 Except the malware seems to be able to make native calls in any process by taking them over with just kernel r/w and a userspace PAC bypass. All from JavaScript. (see the code sample from https://iverify.io/blog/darksword-ios-exploit-kit-explained) With their PAC bypass, I’m sure someone could sign fake IMPs and ROP chains to redirect Objective-C methods into JavaScript. Or even start a thread, set it as exception handler, have your JS wait for an exception message, then use the hardware breakpoint handlers and/or cause an intentional segfault where you want your hook to run, so the exception gets delivered to your JS…
And you really can’t underestimate JavaScript: remember when Fugu14 wrote an entire untether with JavaScript embedded in a dyld closure? (https://github.com/LinusHenze/Fugu14/blob/7cba721b6d62555dd0c0b47416ee103ee112576e/arm/iOS/Fugu14App/Fugu14App/setup.js#L270, https://github.com/LinusHenze/Fugu14/blob/7cba721b6d62555dd0c0b47416ee103ee112576e/arm/shared/ClosurePwn/Sources/ClosurePwn/JSFiles/JSUtilsSetup.swift#L615, https://github.com/LinusHenze/Fugu14/blob/7cba721b6d62555dd0c0b47416ee103ee112576e/arm/shared/ClosurePwn/Sources/ClosurePwn/PwnClosure.swift#L509)