ISH is a project to get a Linux shell running on iOS, using usermode x86 emulation and syscall translation.
For the current status of the project, check the issues tab, and the commit logs.
Hacking
This project has a git submodule, make sure to clone with --recurse-submodules
or run git submodule update --init
after cloning.
You’ll need these things to build the project:
pip install meson
)brew install llvm
, on linux, sudo apt install clang lld
or sudo pacman -S clang lld
or whatever)sudo apt install libsqlite3-dev
)brew install libarchive
, sudo port install libarchive
, sudo apt install libarchive-dev
) TODO: bundle this dependencyBuild for iOS
Open the project in Xcode, open iSH.xcconfig, and change ROOT_BUNDLE_IDENTIFIER
to something unique. Then click Run. There are scripts that should do everything else automatically. If you run into any problems, open an issue and I’ll try to help.
Build Command Line Tool For Testing
To set up your environment, cd to the project and run meson build
to create a build directory in build
. Then cd to the build directory and run ninja
.
To set up a self-contained Alpine linux filesystem, download the Alpine minirootfs tarball for i386 from the Alpine website and run ./tools/fakefsify
, with the minirootfs tarball as the first argument and the name of the output directory as the second argument. Then you can run things inside the Alpine filesystem with ./ish -f alpine /bin/login -f root
, assuming the output directory is called alpine
. If tools/fakefsify
doesn’t exist for you in your build directory, that might be because it couldn’t find libarchive on your system (see above for ways to install it.)
You can replace ish
with tools/ptraceomatic
to run the program in a real process and single step and compare the registers at each step. I use it for debugging. Requires 64-bit Linux 4.11 or later.
Logging
iSH has several logging channels which can be enabled at build time. By default, all of them are disabled. To enable them:
ISH_LOG
setting in iSH.xcconfig to a space-separated list of log channels.meson configure -Dlog="<space-separated list of log channels>
.Available channels:
strace
: The most useful channel, logs the parameters and return value of almost every system call.instr
: Logs every instruction executed by the emulator. This slows things down a lot.verbose
: Debug logs that don’t fit into another category.DEFAULT_CHANNEL
to see if more log channels have been added since this list was updated.A Note On The JIT
Possibly the most interesting thing I wrote as part of iSH is the JIT. It’s not actually a JIT since it doesn’t target machine code. Instead it generates an array of pointers to functions called gadgets, and each gadget ends with a tailcall to the next function; like the threaded code technique used by some Forth interpreters. The result is a speedup of roughly 3-5x compared to pure emulation.
Unfortunately, I made the decision to write nearly all of the gadgets in assembly language. This was probably a good decision with regards to performance (though I’ll never know for sure), but a horrible decision with regards to readability, maintainability, and my sanity. The amount of bullshit I’ve had to put up with from the compiler/assembler/linker is insane. It’s like there’s a demon in there that makes sure my code is sufficiently deformed, and if not, makes up stupid reasons why it shouldn’t compile. In order to stay sane while writing this code, I’ve had to ignore best practices in code structure and naming. You’ll find macros and variables with such descriptive names as ss
and s
and a
. Assembler macros nested beyond belief. And to top it off, there are almost no comments.
So a warning: Long-term exposure to this code may cause loss of sanity, nightmares about GAS macros and linker errors, or any number of other debilitating side effects. This code is known to the State of California to cause cancer, birth defects, and reproductive harm.
shadow-rs is a Windows kernel rootkit written in Rust, demonstrating advanced techniques for kernel manipulation…
Extract and execute a PE embedded within a PNG file using an LNK file. The…
Embark on the journey of becoming a certified Red Team professional with our definitive guide.…
This repository contains proof of concept exploits for CVE-2024-5836 and CVE-2024-6778, which are vulnerabilities within…
This took me like 4 days (+2 days for an update), but I got it…
MaLDAPtive is a framework for LDAP SearchFilter parsing, obfuscation, deobfuscation and detection. Its foundation is…