CDSQ

The blog of CDSQ from the WeiPhone (威锋) technical team, mainly a collection of good and useful articles, especially my own original ones; occasionally I write about how I feel! Sina Weibo: CDSQ

iOS 7.x stock system startup service file list (initial draft, still needs error-checking)

iOS 7.x stock system startup service file list (mainly for ruling out malicious plugins)

If you find a service launch configuration file that is not listed here, be on your guard: once you have ruled out services added by plugins you installed yourself (especially ones whose names look deliberately made to resemble system files), it is very likely a malicious plugin!


com.apple.ABDatabaseDoctor.plist

com.apple.AOSNotification.plist

com.apple.BTServer.avrcp.plist

com.apple.BTServer.le.plist

com.apple.BTServer.map.plist

com.apple.BTServer.plist

com.apple.BlueTool.plist

com.apple.CommCenter.plist

com.apple.CommCenterClassic.plist

com.apple.CommCenterLite.plist

com.apple.CommCenterMobileHelper.plist

com.apple.CommCenterRootHelper.plist

com.apple.CrashHousekeeping.plist

com.apple.DMHelper.plist

com.apple.DuetHeuristic-HIP.plist

com.apple.DuetLMT.plist

com.apple.DuetLST.plist

com.apple.DumpBasebandCrash.plist     (iPhone)

com.apple.DumpPanic.plist

com.apple.EscrowSecurityAlert.plist

com.apple.FileCoordination.plist

com.apple.IMLoggingAgent.plist

com.apple.L65ancd.mobile.plist

com.apple.L65d.mobile.plist

com.apple.Maps.geocorrectiond.plist

com.apple.Maps.pushdaemon.plist

com.apple.MobileFileIntegrity.plist

com.apple.MobileInternetSharing.plist

com.apple.NetworkLinkConditioner.plist

com.apple.OTACrashCopier.plist

com.apple.OTAPKIAssetTool.plist

com.apple.OTATaskingAgent.plist

com.apple.ReportCrash.DirectoryService.plist

com.apple.ReportCrash.Jetsam.plist

com.apple.ReportCrash.SafetyNet.plist

com.apple.ReportCrash.SimulateCrash.plist

com.apple.ReportCrash.StackShot.plist

com.apple.ReportCrash.plist

com.apple.SCHelper-embedded.plist

com.apple.SpringBoard.plist

com.apple.TextInput.kbd.plist

com.apple.UIKit.pasteboardd.plist

com.apple.UserEventAgent-System.plist

com.apple.VoiceOverTouch.plist

com.apple.WebBookmarks.webbookmarksd.plist

com.apple.WirelessCoexManager.plist     (5s)

com.apple.absd.plist

com.apple.accountsd.plist

com.apple.adid.plist

com.apple.afcd.plist

com.apple.aggregated.addaily.plist

com.apple.aggregated.plist

com.apple.ait.aitd.plist

com.apple.appsupport.cplogd.plist

com.apple.apsd.plist

com.apple.aslmanager.plist

com.apple.assetsd.plist

com.apple.assistant.analyzer.plist    (5,5s)

com.apple.assistant_service.plist  (iPad,5,5s)

com.apple.assistantd.plist  (iPad,5,5s)

com.apple.assistivetouchd.plist

com.apple.atc.atwakeup.plist

com.apple.atc.plist

com.apple.awdd.plist

com.apple.backboardd.plist

com.apple.backupd.plist

com.apple.biometrickitd.plist    (iPhone5s)

com.apple.calaccessd.plist

com.apple.certui.relay.plist

com.apple.cfnetwork.AuthBrokerAgent.plist

com.apple.cfnetwork.cfnetworkagent.plist

com.apple.cmfsyncagent.plist

com.apple.configd.plist

com.apple.corecaptured.plist

com.apple.coreservices.appleid.authentication.plist

com.apple.coreservices.appleid.passwordcheck.plist

com.apple.coresymbolicationd.plist

com.apple.crash_mover.plist

com.apple.crashreportcopymobile.plist

com.apple.cvmsCompAgent_arm64.plist      (64-bit devices)

com.apple.cvmsCompAgent_armv7.plist

com.apple.cvmsServ.plist

com.apple.daily.plist

com.apple.dataaccess.dataaccessd.plist

com.apple.device-o-matic.plist

com.apple.distnoted.xpc.daemon.plist

com.apple.fairplayd.A2.plist  (the "A2" part of the file name varies slightly by device)

com.apple.filesystems.userfs_helper.plist    (iPad)

com.apple.filesystems.userfsd.plist    (iPad)

com.apple.fseventsd.plist

com.apple.ftp-proxy-embedded.plist

com.apple.gamed.plist

com.apple.geod.plist

com.apple.hpfd.mobile.plist    (iPhone4,4s)

com.apple.iad.limitadtrackingd.plist

com.apple.iap2d.plist

com.apple.iapauthd.plist

com.apple.iapd.plist

com.apple.iaptransportd.plist

com.apple.icloudKeychainStats.plist

com.apple.identityservicesd.plist

com.apple.imagent.plist

com.apple.imavagent.plist

com.apple.itunescloudd.plist

com.apple.itunesstored.plist

com.apple.jetsamproperties.P103.plist  (the "P103" part of the file name varies slightly by device)

com.apple.librariand.plist

com.apple.locationd.plist

com.apple.lsd.plist

com.apple.lskdd.plist

com.apple.lskdrl.plist

com.apple.mDNSResponder.plist

com.apple.mDNSResponderHelper.plist

com.apple.managedconfiguration.mdmd.plist

com.apple.managedconfiguration.profiled.plist

com.apple.managedconfiguration.teslad.plist

com.apple.mdt.plist

com.apple.medialibraryd.plist

com.apple.mediaremoted.plist

com.apple.mediaserverd.plist

com.apple.mediastream.mstreamd.plist

com.apple.midiserver-ios.plist

com.apple.mobile.accessory_device_arbitrator.plist

com.apple.mobile.assertion_agent.plist

com.apple.mobile.audio_device_arbitrator.plist

com.apple.mobile.deleted.plist

com.apple.mobile.fud.plist

com.apple.mobile.insecure_notification_proxy.plist

com.apple.mobile.installd.plist

com.apple.mobile.keybagd.plist

com.apple.mobile.lockbot.plist

com.apple.mobile.lockdown.plist

com.apple.mobile.notification_proxy.plist

com.apple.mobile.obliteration.plist

com.apple.mobile.ptp_device_arbitrator.plist

com.apple.mobile.softwareupdated.plist

com.apple.mobile.storage_mounter.plist

com.apple.mobile.vendor_device_arbitrator.plist

com.apple.mobile_installation_proxy.plist

com.apple.mobileactivation.recert.plist

com.apple.mobileassetd.plist

com.apple.mobilecheckpoint.checkpointd.plist

com.apple.mobilegestalt.xpc.plist

com.apple.mobilestoredemod.plist

com.apple.monkeybars.plist

com.apple.mtmergeprops.plist

com.apple.mtrecorder.plist

com.apple.munchd.plist

com.apple.networkd.plist

com.apple.networkd_privileged.plist

com.apple.nfsconf.plist

com.apple.notifyd.plist

com.apple.nsnetworkd.plist

com.apple.oscard.plist        (iPhone5s)

com.apple.passd.plist         (iPhone)

com.apple.pfd.plist

com.apple.powerd.plist

com.apple.powerlog.plist

com.apple.prdaily.plist

com.apple.printd.plist

com.apple.racoon.plist

com.apple.recentsd.plist

com.apple.routined.plist

com.apple.safarifetcherd.plist

com.apple.sandboxd.plist

com.apple.sbd.plist

com.apple.scrod.plist

com.apple.search.appindexer.plist

com.apple.searchd.plist

com.apple.security.CircleJoinRequested.plist

com.apple.security.cloudkeychainproxy.plist

com.apple.securityd.plist

com.apple.sharingd.plist      (iPad,5,5s)

com.apple.sharktrace.plist

com.apple.snhelper.plist

com.apple.softwarebehaviorservicesd.plist

com.apple.softwareupdateservicesd.plist

com.apple.storebookkeeperd.plist

com.apple.syncdefaultsd.plist

com.apple.syslog_relay.plist

com.apple.syslogd.plist

com.apple.tccd.plist

com.apple.telephonyutilities.remotelogdaemon.plist

com.apple.timed.plist

com.apple.touchsetupd.plist

com.apple.tzlinkd.plist

com.apple.ubd.plist

com.apple.usb.networking.addNetworkInterface.plist

com.apple.usbptpd.plist

com.apple.vibrationmanagerd.plist

com.apple.voiced.plist

com.apple.voicemail.vmd.plist     (iPhone)

com.apple.vsassetd.plist

com.apple.webinspectord.plist

com.apple.wifi.hostapd.plist

com.apple.wifi.wapic.plist

com.apple.wifiFirmwareLoader.plist

com.apple.wifid.plist

com.apple.wirelessproxd.plist      (iPad,5,5s)

com.apple.xpcd.plist

com.evad3rs.evasi0n7.untether.plist       (post-jailbreak service)

com.saurik.Cydia.Startup.plist         (post-jailbreak service)



If you find a suspected problem plugin, first open its service launch configuration file. Take the account-stealing malicious plugin discovered a while ago as an example:

You can skip the file header; look at this main part:

<key>Label</key>
<string>com.archive</string>
<key>Nice</key>
<integer>20</integer>
<key>ProgramArguments</key>
<array>
    <string>/bin/updatesrv</string>
</array>
<key>RunAtLoad</key>
<true/>
<key>StartInterval</key>
<integer>7200</integer>


Here we can see a Label key whose corresponding string is com.archive; this is the name of the plugin.

Looking further down, there is a ProgramArguments key, under which you can see it points to /bin/updatesrv. That means this configuration file actually invokes the updatesrv program in the bin directory. Combined with the "archive" keyword above, it is immediately clear that this is a malicious plugin trying to disguise itself: a genuine program would not use the name of an archiving service, and compression and decompression do not need a service at all, at most a support file. On top of that, this "archive" service points to an "updatesrv" file, which on its face means some kind of update service; even if you were archive-related, why would you run an update service! Finally, the last key, "StartInterval", has the value 7200: if you are starting normally, why wait 7200 seconds to start? Unless you want to avoid being noticed and avoid affecting boot speed!


Once you have made that judgment, the first thing to do is back up this plist file and the executable it points to (this serves two purposes: if it was a misjudgment, you can restore from the backup, and the files can be published as samples for others to check against, preventing spread and helping others), then delete those two files!
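As an added worked example (not code from the original post), the following Python script applies the checks above to one LaunchDaemons plist: it compares the file name against an excerpt of the stock list and then inspects Label, ProgramArguments and StartInterval. The sample plist reproduces the com.archive job from the post; the set of "usual system paths" and the stock-looking com.apple.securityd job are assumptions made for illustration.

```python
import plistlib

# Constructed sample: the malicious launchd job described in the post (com.archive -> /bin/updatesrv).
SUSPECT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.archive</string>
  <key>Nice</key><integer>20</integer>
  <key>ProgramArguments</key><array><string>/bin/updatesrv</string></array>
  <key>RunAtLoad</key><true/>
  <key>StartInterval</key><integer>7200</integer>
</dict></plist>"""

# Constructed stock-looking job for comparison (binary path assumed, not taken from the post).
STOCK_PLIST = plistlib.dumps({"Label": "com.apple.securityd",
                              "ProgramArguments": ["/usr/libexec/securityd"]})

# Excerpt of the post's stock iOS 7.x LaunchDaemons file list; the full list is above.
KNOWN_STOCK = {"com.apple.SpringBoard.plist", "com.apple.securityd.plist",
               "com.apple.mobile.installd.plist", "com.apple.notifyd.plist",
               "com.evad3rs.evasi0n7.untether.plist", "com.saurik.Cydia.Startup.plist"}

# Assumed: directories where stock iOS daemons normally live; anything else deserves a closer look.
SYSTEM_PREFIXES = ("/usr/libexec/", "/usr/sbin/", "/usr/bin/", "/sbin/", "/System/Library/")


def triage(filename, plist_bytes, known=KNOWN_STOCK):
    """Apply the post's checks to one LaunchDaemons file; returns a list of findings (empty = nothing unusual)."""
    findings = []
    if filename not in known:
        findings.append("file name is not in the stock iOS 7.x list")
    job = plistlib.loads(plist_bytes)
    label = job.get("Label", "")
    # launchd accepts either ProgramArguments (array) or Program (string) to name the binary.
    args = job.get("ProgramArguments") or ([job["Program"]] if "Program" in job else [])
    binary = args[0] if args else ""
    if not label.startswith("com.apple."):
        findings.append(f"non-Apple label {label!r} among system daemons")
    if binary and not binary.startswith(SYSTEM_PREFIXES):
        findings.append(f"runs {binary}, outside the usual system daemon paths")
    # Heuristic from the post: the label ('archive') says nothing about the binary ('updatesrv').
    if binary and label.rsplit(".", 1)[-1].lower() not in binary.lower():
        findings.append(f"label {label!r} does not describe binary {binary}")
    if job.get("StartInterval"):  # launchd re-runs the job every StartInterval seconds
        findings.append(f"re-runs every {job['StartInterval']} s (StartInterval)")
    return findings


if __name__ == "__main__":
    for name, data in (("com.archive.plist", SUSPECT_PLIST), ("com.apple.securityd.plist", STOCK_PLIST)):
        print(name, "->", triage(name, data) or ["nothing unusual"])
```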


Although a jailbroken iOS device can run into these malicious programs, as long as we do not carelessly add third-party repos, do not install programs from developers we cannot trust, and keep an eye on the latest community news, there is generally not much of a problem. Another key point is that these malicious programs are basically not like PC viruses that cannot be removed simply after infection; once found, they are actually easy to deal with!


Don't let "once bitten by a snake, ten years afraid of a rope" take hold and then start sneering that jailbreaking is unsafe, that you dare not jailbreak again, and so on. No matter how careful you are about what you eat, there will be times you get an upset stomach, and you would not refuse to eat after that, would you! O(∩_∩)O haha~!


