Detecting, and Shirking Off, the Debugger


Problem description

An interesting feature in the new iTunes is its inability to accept debugger processes that are attached to it (crippling tools like F-Script). Not only would this involve a detection method, but it would require some kind of process that was either checking for the debugger attaching itself mid-run, or an entry-point method that the debugger would emit when it attempts to attach itself. In addition, it would need a way to tell the debugger to go away (as it were) without terminating the process. The question is: How? Clearly, polling for a debugger every X number of seconds is inefficient, and not allowing it to attach to a given process (sans override like ptrace()) seems intensely private.

Solution

iTunes is calling ptrace(PT_DENY_ATTACH) which sets the P_LNOATTACH flag which stops debuggers (and other processes, e.g. F-Script and DTrace) from attaching to the process.

See "Is it possible to conceal a OS X app from DTrace?" for more information.

I wouldn't be surprised if iTunes is also actively using detection methods to identify debuggers. Apple have gone to great lengths to try to protect the DRM in iTunes.

There are a number of books that have methods of securing Cocoa applications, including detecting debuggers. Some potential titles that spring to mind (I haven't double checked the contents of these so don't assume they have detection methods): "Mac Hacker's Handbook", "Hacking and Securing iOS Applications", "Professional Cocoa Application Security" and "Secure Programming Cookbook for C & C++".

"Mac OS X Internals" and "Mac OS X and iOS Internals" might have something on PT_DENY_ATTACH.
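To make the answer concrete, here is an added example (my own code, not from the answer, from Apple, or from iTunes) of the two pieces the question asks about: a check for whether a tracer is already attached, and the `ptrace(PT_DENY_ATTACH)` call that sets `P_LNOATTACH` so later attach attempts are refused. The macOS branch follows Apple's documented `sysctl`/`kinfo_proc` approach and tests the `P_TRACED` flag; the Linux branch, which reads `TracerPid` from `/proc/self/status`, is an added generalisation so the file also builds and runs outside macOS. The function names `parse_tracer_pid`, `debugger_attached` and `deny_attach` are my own, and the `/proc` status text in the comments is constructed sample input.

```c
/* Added example: debugger-presence check and PT_DENY_ATTACH request.
   Not the original answer's code. macOS path: sysctl + P_TRACED (Apple's
   documented technique). Linux path: TracerPid in /proc/self/status
   (added generalisation). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#ifdef __APPLE__
#include <sys/ptrace.h>   /* PT_DENY_ATTACH */
#include <sys/sysctl.h>   /* kinfo_proc, P_TRACED */
#include <sys/types.h>
#endif

/* Parse the "TracerPid:" line of a Linux /proc/<pid>/status buffer.
   Constructed sample input: "Name:\tdemo\nTracerPid:\t4242\nPid:\t100\n"
   Returns the tracer's pid, 0 if no tracer, -1 if the line is absent. */
int parse_tracer_pid(const char *status_text)
{
    const char *key = "TracerPid:";
    size_t keylen = strlen(key);
    const char *line = status_text;

    while (line && *line) {
        if (strncmp(line, key, keylen) == 0)
            return (int)strtol(line + keylen, NULL, 10);
        line = strchr(line, '\n');   /* advance to the next line */
        if (line)
            line++;
    }
    return -1;
}

/* Returns 1 if a debugger/tracer is attached to this process,
   0 if not, -1 if the check itself failed. */
int debugger_attached(void)
{
#ifdef __APPLE__
    struct kinfo_proc info;
    size_t size = sizeof(info);
    int mib[4] = { CTL_KERN, KERN_PROC, KERN_PROC_PID, getpid() };

    memset(&info, 0, sizeof(info));
    if (sysctl(mib, 4, &info, &size, NULL, 0) != 0)
        return -1;
    /* The kernel sets P_TRACED on a process that a tracer has attached to. */
    return (info.kp_proc.p_flag & P_TRACED) != 0;
#else
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, sizeof(buf) - 1, f);
    fclose(f);
    buf[n] = '\0';

    int tracer = parse_tracer_pid(buf);
    if (tracer < 0)
        return -1;
    return tracer != 0;
#endif
}

/* Ask the kernel to refuse future attach attempts. On macOS this is the
   ptrace(PT_DENY_ATTACH) call the answer describes; it sets P_LNOATTACH.
   Returns 0 on success, -1 if unavailable or the request failed. */
int deny_attach(void)
{
#ifdef __APPLE__
    return ptrace(PT_DENY_ATTACH, 0, 0, 0);
#else
    /* No direct equivalent on Linux; prctl(PR_SET_DUMPABLE, 0) is the
       closest analogue (ptrace then needs CAP_SYS_PTRACE). Not done here. */
    return -1;
#endif
}

int main(void)
{
    printf("debugger attached: %d\n", debugger_attached());
    if (deny_attach() == 0)
        printf("PT_DENY_ATTACH set; later attach attempts will be refused\n");
    return 0;
}
```

Two practical notes. First, the two calls address different moments: `debugger_attached` only tells you about a tracer that is already present, which is why the question's "polling" concern arises; `PT_DENY_ATTACH` is a one-shot request made early in startup that covers every later attach without any polling. Second, neither is a security boundary: `P_LNOATTACH` is a deterrent against casual inspection, and a process that was already under a tracer when it made the call is not protected by it, so treat these as hardening measures rather than as protection for secrets.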
