Merge branch 'master' into update_DLL_ForwardSideLoading_20250824_182553

Author: carlospolop

src/SUMMARY.md

@@ -41,6 +41,7 @@
   - [Anti-Forensic Techniques](generic-methodologies-and-resources/basic-forensic-methodology/anti-forensic-techniques.md)
   - [Docker Forensics](generic-methodologies-and-resources/basic-forensic-methodology/docker-forensics.md)
   - [Image Acquisition & Mount](generic-methodologies-and-resources/basic-forensic-methodology/image-acquisition-and-mount.md)
+  - [Ios Backup Forensics](generic-methodologies-and-resources/basic-forensic-methodology/ios-backup-forensics.md)
   - [Linux Forensics](generic-methodologies-and-resources/basic-forensic-methodology/linux-forensics.md)
   - [Malware Analysis](generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.md)
   - [Memory dump analysis](generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/README.md)
@@ -61,6 +62,7 @@
     - [Office file analysis](generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/office-file-analysis.md)
     - [PDF File analysis](generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/pdf-file-analysis.md)
     - [PNG tricks](generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/png-tricks.md)
+    - [Structural File Format Exploit Detection](generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/structural-file-format-exploit-detection.md)
     - [Video and Audio file analysis](generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/video-and-audio-file-analysis.md)
     - [ZIPs tricks](generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/zips-tricks.md)
   - [Windows Artifacts](generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/README.md)

src/binary-exploitation/stack-overflow/ret2win/ret2win-arm64.md

@@ -33,9 +33,21 @@ int main() {
 Compile without pie and canary:
 
 ```bash
-clang -o ret2win ret2win.c -fno-stack-protector -Wno-format-security -no-pie
+clang -o ret2win ret2win.c -fno-stack-protector -Wno-format-security -no-pie -mbranch-protection=none
 ```
 
+- The extra flag `-mbranch-protection=none` disables AArch64 Branch Protection (PAC/BTI). If your toolchain defaults to enabling PAC or BTI, this keeps the lab reproducible. To check whether a compiled binary uses PAC/BTI you can:
+  - Look for AArch64 GNU properties:
+    - `readelf --notes -W ret2win | grep -E 'AARCH64_FEATURE_1_(BTI|PAC)'`
+  - Inspect prologues/epilogues for `paciasp`/`autiasp` (PAC) or for `bti c` landing pads (BTI):
+    - `objdump -d ret2win | head -n 40`
+
+### AArch64 calling convention quick facts
+
+- The link register is `x30` (a.k.a. `lr`), and functions typically save `x29`/`x30` with `stp x29, x30, [sp, #-16]!` and restore them with `ldp x29, x30, [sp], #16; ret`.
+- This means the saved return address lives at `sp+8` relative to the frame base. With a `char buffer[64]` placed below, the usual overwrite distance to the saved `x30` is 64 (buffer) + 8 (saved x29) = 72 bytes — exactly what we’ll find below.
+- The stack pointer must remain 16‑byte aligned at function boundaries. If you build ROP chains later for more complex scenarios, keep the SP alignment or you may crash on function epilogues.
+
 ## Finding the offset
 
 ### Pattern option
@@ -112,6 +124,8 @@ from pwn import *
 # Configuration
 binary_name = './ret2win'
 p = process(binary_name)
+# Optional but nice for AArch64
+context.arch = 'aarch64'
 
 # Prepare the payload
 offset = 72
@@ -187,6 +201,47 @@ print(p.recvline())
 p.close()
 ```
 
-{{#include ../../../banners/hacktricks-training.md}}
+### Notes on modern AArch64 hardening (PAC/BTI) and ret2win
+
+- If the binary is compiled with AArch64 Branch Protection, you may see `paciasp`/`autiasp` or `bti c` emitted in function prologues/epilogues. In that case:
+  - Returning to an address that is not a valid BTI landing pad may raise a `SIGILL`. Prefer targeting the exact function entry that contains `bti c`.
+  - If PAC is enabled for returns, naive return‑address overwrites may fail because the epilogue authenticates `x30`. For learning scenarios, rebuild with `-mbranch-protection=none` (shown above). When attacking real targets, prefer non‑return hijacks (e.g., function pointer overwrites) or build ROP that never executes an `autiasp`/`ret` pair that authenticates your forged LR.
+- To check features quickly:
+  - `readelf --notes -W ./ret2win` and look for `AARCH64_FEATURE_1_BTI` / `AARCH64_FEATURE_1_PAC` notes.
+  - `objdump -d ./ret2win | head -n 40` and look for `bti c`, `paciasp`, `autiasp`.
+
+### Running on non‑ARM64 hosts (qemu‑user quick tip)
 
+If you are on x86_64 but want to practice AArch64:
+
+```bash
+# Install qemu-user and AArch64 libs (Debian/Ubuntu)
+sudo apt-get install qemu-user qemu-user-static libc6-arm64-cross
+
+# Run the binary with the AArch64 loader environment
+qemu-aarch64 -L /usr/aarch64-linux-gnu ./ret2win
+
+# Debug with GDB (qemu-user gdbstub)
+qemu-aarch64 -g 1234 -L /usr/aarch64-linux-gnu ./ret2win &
+# In another terminal
+gdb-multiarch ./ret2win -ex 'target remote :1234'
+```
 
+### Related HackTricks pages
+
+-
+{{#ref}}
+../../rop-return-oriented-programing/rop-syscall-execv/ret2syscall-arm64.md
+{{#endref}}
+-
+{{#ref}}
+../../rop-return-oriented-programing/ret2lib/ret2lib-+-printf-leak-arm64.md
+{{#endref}}
+
+
+
+## References
+
+- Enabling PAC and BTI on AArch64 for Linux (Arm Community, Nov 2024). https://community.arm.com/arm-community-blogs/b/operating-systems-blog/posts/enabling-pac-and-bti-on-aarch64-for-linux
+- Procedure Call Standard for the Arm 64-bit Architecture (AAPCS64). https://github.com/ARM-software/abi-aa/blob/main/aapcs64/aapcs64.rst
+{{#include ../../../banners/hacktricks-training.md}}

src/generic-methodologies-and-resources/basic-forensic-methodology/README.md

@@ -23,6 +23,33 @@ malware-analysis.md
 if you are given a **forensic image** of a device you can start **analyzing the partitions, file-system** used and **recovering** potentially **interesting files** (even deleted ones). Learn how in:
 
 
+{{#ref}}
+partitions-file-systems-carving/
+{{#endref}}# Basic Forensic Methodology
+
+
+
+## Creating and Mounting an Image
+
+
+{{#ref}}
+../../generic-methodologies-and-resources/basic-forensic-methodology/image-acquisition-and-mount.md
+{{#endref}}
+
+## Malware Analysis
+
+This **isn't necessary the first step to perform once you have the image**. But you can use this malware analysis techniques independently if you have a file, a file-system image, memory image, pcap... so it's good to **keep these actions in mind**:
+
+
+{{#ref}}
+malware-analysis.md
+{{#endref}}
+
+## Inspecting an Image
+
+if you are given a **forensic image** of a device you can start **analyzing the partitions, file-system** used and **recovering** potentially **interesting files** (even deleted ones). Learn how in:
+
+
 {{#ref}}
 partitions-file-systems-carving/
 {{#endref}}
@@ -44,6 +71,11 @@ linux-forensics.md
 docker-forensics.md
 {{#endref}}
 
+
+{{#ref}}
+ios-backup-forensics.md
+{{#endref}}
+
 ## Deep inspection of specific file-types and Software
 
 If you have very **suspicious** **file**, then **depending on the file-type and software** that created it several **tricks** may be useful.\
@@ -91,6 +123,54 @@ anti-forensic-techniques.md
 file-integrity-monitoring.md
 {{#endref}}
 
-{{#include ../../banners/hacktricks-training.md}}
 
 
+## Deep inspection of specific file-types and Software
+
+If you have very **suspicious** **file**, then **depending on the file-type and software** that created it several **tricks** may be useful.\
+Read the following page to learn some interesting tricks:
+
+
+{{#ref}}
+specific-software-file-type-tricks/
+{{#endref}}
+
+I want to do a special mention to the page:
+
+
+{{#ref}}
+specific-software-file-type-tricks/browser-artifacts.md
+{{#endref}}
+
+## Memory Dump Inspection
+
+
+{{#ref}}
+memory-dump-analysis/
+{{#endref}}
+
+## Pcap Inspection
+
+
+{{#ref}}
+pcap-inspection/
+{{#endref}}
+
+## **Anti-Forensic Techniques**
+
+Keep in mind the possible use of anti-forensic techniques:
+
+
+{{#ref}}
+anti-forensic-techniques.md
+{{#endref}}
+
+## Threat Hunting
+
+
+{{#ref}}
+file-integrity-monitoring.md
+{{#endref}}
+
+{{#include ../../banners/hacktricks-training.md}}
+

src/generic-methodologies-and-resources/basic-forensic-methodology/ios-backup-forensics.md

@@ -0,0 +1,132 @@
+# iOS Backup Forensics (Messaging‑centric triage)
+
+{{#include ../../banners/hacktricks-training.md}}
+
+This page describes practical steps to reconstruct and analyze iOS backups for signs of 0‑click exploit delivery via messaging app attachments. It focuses on turning Apple’s hashed backup layout into human‑readable paths, then enumerating and scanning attachments across common apps.
+
+Goals:
+- Rebuild readable paths from Manifest.db
+- Enumerate messaging databases (iMessage, WhatsApp, Signal, Telegram, Viber)
+- Resolve attachment paths, extract embedded objects (PDF/Images/Fonts), and feed them to structural detectors
+
+
+## Reconstructing an iOS backup
+
+Backups stored under MobileSync use hashed filenames that are not human‑readable. The Manifest.db SQLite database maps each stored object to its logical path.
+
+High‑level procedure:
+1) Open Manifest.db and read the file records (domain, relativePath, flags, fileID/hash)
+2) Recreate the original folder hierarchy based on domain + relativePath
+3) Copy or hardlink each stored object to its reconstructed path
+
+Example workflow with a tool that implements this end‑to‑end (ElegantBouncer):
+
+```bash
+# Rebuild the backup into a readable folder tree
+$ elegant-bouncer --ios-extract /path/to/backup --output /tmp/reconstructed
+[+] Reading Manifest.db ...
+✓ iOS backup extraction completed successfully!
+```
+
+Notes:
+- Handle encrypted backups by supplying the backup password to your extractor
+- Preserve original timestamps/ACLs when possible for evidentiary value
+
+
+## Messaging app attachment enumeration
+
+After reconstruction, enumerate attachments for popular apps. The exact schema varies by app/version, but the approach is similar: query the messaging database, join messages to attachments, and resolve paths on disk.
+
+### iMessage (sms.db)
+Key tables: message, attachment, message_attachment_join (MAJ), chat, chat_message_join (CMJ)
+
+Example queries:
+
+```sql
+-- List attachments with basic message linkage
+SELECT
+  m.ROWID            AS message_rowid,
+  a.ROWID            AS attachment_rowid,
+  a.filename         AS attachment_path,
+  m.handle_id,
+  m.date,
+  m.is_from_me
+FROM message m
+JOIN message_attachment_join maj ON maj.message_id = m.ROWID
+JOIN attachment a ON a.ROWID = maj.attachment_id
+ORDER BY m.date DESC;
+
+-- Include chat names via chat_message_join
+SELECT
+  c.display_name,
+  a.filename AS attachment_path,
+  m.date
+FROM chat c
+JOIN chat_message_join cmj ON cmj.chat_id = c.ROWID
+JOIN message m ON m.ROWID = cmj.message_id
+JOIN message_attachment_join maj ON maj.message_id = m.ROWID
+JOIN attachment a ON a.ROWID = maj.attachment_id
+ORDER BY m.date DESC;
+```
+
+Attachment paths may be absolute or relative to the reconstructed tree under Library/SMS/Attachments/.
+
+### WhatsApp (ChatStorage.sqlite)
+Common linkage: message table ↔ media/attachment table (naming varies by version). Query media rows to obtain on‑disk paths.
+
+Example (generic):
+
+```sql
+SELECT
+  m.Z_PK          AS message_pk,
+  mi.ZMEDIALOCALPATH AS media_path,
+  m.ZMESSAGEDATE  AS message_date
+FROM ZWAMESSAGE m
+LEFT JOIN ZWAMEDIAITEM mi ON mi.ZMESSAGE = m.Z_PK
+WHERE mi.ZMEDIALOCALPATH IS NOT NULL
+ORDER BY m.ZMESSAGEDATE DESC;
+```
+
+Adjust table/column names to your app version (ZWAMESSAGE/ZWAMEDIAITEM are common in iOS builds).
+
+### Signal / Telegram / Viber
+- Signal: the message DB is encrypted; however, attachments cached on disk (and thumbnails) are usually scan‑able
+- Telegram: inspect cache directories (photo/video/document caches) and map to chats when possible
+- Viber: Viber.sqlite contains message/attachment tables with on‑disk references
+
+Tip: even when metadata is encrypted, scanning the media/cache directories still surfaces malicious objects.
+
+
+## Scanning attachments for structural exploits
+
+Once you have attachment paths, feed them into structural detectors that validate file‑format invariants instead of signatures. Example with ElegantBouncer:
+
+```bash
+# Recursively scan only messaging attachments under the reconstructed tree
+$ elegant-bouncer --scan --messaging /tmp/reconstructed
+[+] Found N messaging app attachments to scan
+✗ THREAT in WhatsApp chat 'John Doe': suspicious_document.pdf → FORCEDENTRY (JBIG2)
+✗ THREAT in iMessage: photo.webp → BLASTPASS (VP8L)
+```
+
+Detections covered by structural rules include:
+- PDF/JBIG2 FORCEDENTRY (CVE‑2021‑30860): impossible JBIG2 dictionary states
+- WebP/VP8L BLASTPASS (CVE‑2023‑4863): oversized Huffman table constructions
+- TrueType TRIANGULATION (CVE‑2023‑41990): undocumented bytecode opcodes
+- DNG/TIFF CVE‑2025‑43300: metadata vs. stream component mismatches
+
+
+## Validation, caveats, and false positives
+
+- Time conversions: iMessage stores dates in Apple epochs/units on some versions; convert appropriately during reporting
+- Schema drift: app SQLite schemas change over time; confirm table/column names per device build
+- Recursive extraction: PDFs may embed JBIG2 streams and fonts; extract and scan inner objects
+- False positives: structural heuristics are conservative but can flag rare malformed yet benign media
+
+
+## References
+
+- [ELEGANTBOUNCER: When You Can't Get the Samples but Still Need to Catch the Threat](https://www.msuiche.com/posts/elegantbouncer-when-you-cant-get-the-samples-but-still-need-to-catch-the-threat/)
+- [ElegantBouncer project (GitHub)](https://github.com/msuiche/elegant-bouncer)
+
+{{#include ../../banners/hacktricks-training.md}}

src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/README.md

@@ -35,6 +35,11 @@ pdf-file-analysis.md
 {{#endref}}
 
 
+{{#ref}}
+structural-file-format-exploit-detection.md
+{{#endref}}
+
+
 {{#ref}}
 png-tricks.md
 {{#endref}}
@@ -50,5 +55,3 @@ zips-tricks.md
 {{#endref}}
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-