摘要:OS X Anti-Debugging and Anti-Anti-Debugging
1. ptrace方法
示例代码如下:
ptrace(PT_DENY_ATTACH,0,0,0);
printf("Hello, World!\n");
执行效果如下:
$ ./DebugMeHello, World!$ lldb ./DebugMeCurrent executable set to './DebugMe' (x86_64).(lldb) rProcess 1526 launched: '/.../Build/Products/Debug/DebugMe' (x86_64)Process 1526 exited with status = 45 (0x0000002d)
破解方法:
$ ./DebugMeHello, World!$ lldb ./DebugMeCurrent executable set to './DebugMe' (x86_64).(lldb) b ptracebreakpoint set --name 'ptrace'Breakpoint created: 1: name = 'ptrace', locations = 1(lldb) rProcess 1539 launched: '/.../Build/Products/Debug/DebugMe' (x86_64)Process 1539 stopped* thread #1: tid = 0x1c03, 0x00007fff8b68c244 libsystem_kernel.dylib`__ptrace, stop reason = breakpoint 1.1frame #0: 0x00007fff8b68c244 libsystem_kernel.dylib`__ptracelibsystem_kernel.dylib`__ptrace:-> 0x7fff8b68c244: xorq %rax, %raxlibsystem_kernel.dylib`ptrace + 3:0x7fff8b68c247: leaq 49154(%rip), %r110x7fff8b68c24e: movl %eax, (%r11)0x7fff8b68c251: movl $33554458, %eax(lldb) re r -f dGeneral Purpose Registers:rax = 31rbx = 0rcx = 0rdx = 0rdi = 31(lldb) re w rdi 0(lldb) cProcess 1955 resumingHello, World!Process 1955 exited with status = 0 (0x00000000)
2. sysctl
示例代码如下:
static int is_debugger_present(void)
{
int name[4];
struct kinfo_proc info;
size_t info_size = sizeof(info);
info.kp_proc.p_flag = 0;
name[0] = CTL_KERN;
name[1] = KERN_PROC;
name[2] = KERN_PROC_PID;
name[3] = getpid();
if (sysctl(name, 4, &info, &info_size, NULL, 0) == -1) {
perror("sysctl");
exit(-1);
}
return ((info.kp_proc.p_flag & P_TRACED) != 0);
}
if (is_debugger_present()) {
return 0;
}
printf("Hello, World!\n");
效果如下:
$ lldb ./DebugMeCurrent executable set to './DebugMe' (x86_64).(lldb) rProcess 2132 launched: '/.../Build/Products/Debug/DebugMe' (x86_64)Process 2132 exited with status = 0 (0x00000000)
破解方法:
直接修改该函数返回值:
0000000100000d76 E845000000 call _is_debugger_present_100000dc0
0000000100000d7b 3D00000000 cmp eax, 0x0
$ lldb ./DebugMeCurrent executable set to './DebugMe' (x86_64).(lldb) b 0x100000d7Bbreakpoint set --address 0x100000d7BBreakpoint created: 1: address = 0x0000000100000d7b, locations = 1(lldb) rProcess 2260 launched: '/.../Build/Products/Debug/DebugMe' (x86_64)Process 2260 stopped* thread #1: tid = 0x1c03, 0x0000000100000d7b DebugMe`main + 27 at main.c:50, stop reason = breakpoint 1.1......(lldb) re r -f B raxrax = true(lldb) re w rax 0(lldb) cProcess 2260 resumingHello, World!Process 2260 exited with status = 0 (0x00000000)
3. GDB/LLDB进程检查
直接简单粗暴一点:
static void stop_debugger_running(void)
{
system("killall lldb");
system("killall gdb");
}
stop_debugger_running();
printf("Hello, World!\n");
效果如下:
$ lldb ./DebugMeCurrent executable set to './DebugMe' (x86_64).(lldb) rProcess 2518 launched: '/.../Build/Products/Debug/DebugMe' (x86_64)Terminated: 15
------------------------------
文章的授權使用CC BY-ND2.5協議。凡是標示“轉載”的文章,均來源於網絡並儘可能標註作者。如果有侵犯您的權益,請及時聯繫刪除或者署名、授權。
Gtalk/Email: cmd4shell [at] gmail.com