floating atoll: branch

Landon Fuller: Fixing ptrace(pt_deny_attach, …) on Mac OS X 10.5 Leopard

January 27, 2008 · Leave a Comment

Fixing ptrace(pt_deny_attach, …) on Mac OS X 10.5 Leopard

PT_DENY_ATTACH is a non-standard ptrace() request type that prevents a debugger from attaching to the calling process. Adam Leventhal recently discovered that Leopard extends PT_DENY_ATTACH to prevent introspection into processes using dtrace.

For Leopard, I decided to find a public symbol that is placed in the data segment, nearby the sysent array. In the kernel’s data segment, nsysent is placed (almost) directly before the sysent array. By examining mach_kernel I can determine the offset to the actual sysent array, and then use this in my kext to patch the actual function. To keep things safe, I added sanity checks to verify that I’d found the real sysent array.

Once we have the address of the array, we can find the SYS_ptrace entry and substitute our own ptrace wrapper:

— via Hack the Planet

OS X allows applications to say “don’t trace me”. This kernel extension directly modifies the kernel to cripple that ability, which makes debugging a whole lot easier in general. Apple’s attempt to do this has been worked around in the last three revisions of the OS. I suspect they have to make a good faith effort for various corporate reasons.

Categories: Technology