一、防護
ptrace
- 使用ptrace防護的特點是調試狀態開啟的時候會閃退,但是直接開啟的時候卻不會閃退。
- ptrace是系統函數,此函數提供一個進程去監聽和控制另一個進程,并且可以檢測被控制進程的內存和寄存器里面的數據。ptrace可以用來實現斷點調試和系統調用跟蹤。
/*
* Copyright (c) 2000-2005 Apple Computer, Inc. All rights reserved.
*
* @APPLE_OSREFERENCE_LICENSE_HEADER_START@
*
* This file contains Original Code and/or Modifications of Original Code
* as defined in and that are subject to the Apple Public Source License
* Version 2.0 (the 'License'). You may not use this file except in
* compliance with the License. The rights granted to you under the License
* may not be used to create, or enable the creation or redistribution of,
* unlawful or unlicensed copies of an Apple operating system, or to
* circumvent, violate, or enable the circumvention or violation of, any
* terms of an Apple operating system software license agreement.
*
* Please obtain a copy of the License at
* http://www.opensource.apple.com/apsl/ and read it before using this file.
*
* The Original Code and all software distributed under the License are
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
* Please see the License for the specific language governing rights and
* limitations under the License.
*
* @APPLE_OSREFERENCE_LICENSE_HEADER_END@
*/
/* Copyright (c) 1995 NeXT Computer, Inc. All Rights Reserved */
/*-
* Copyright (c) 1984, 1993
* The Regents of the University of California. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* This product includes software developed by the University of
* California, Berkeley and its contributors.
* 4. Neither the name of the University nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* @(#)ptrace.h 8.2 (Berkeley) 1/4/94
*/
#ifndef _SYS_PTRACE_H_
#define _SYS_PTRACE_H_
#include <sys/appleapiopts.h>
#include <sys/cdefs.h>
enum {
ePtAttachDeprecated __deprecated_enum_msg("PT_ATTACH is deprecated. See PT_ATTACHEXC") = 10
};
#define PT_TRACE_ME 0 /* child declares it's being traced */
#define PT_READ_I 1 /* read word in child's I space */
#define PT_READ_D 2 /* read word in child's D space */
#define PT_READ_U 3 /* read word in child's user structure */
#define PT_WRITE_I 4 /* write word in child's I space */
#define PT_WRITE_D 5 /* write word in child's D space */
#define PT_WRITE_U 6 /* write word in child's user structure */
#define PT_CONTINUE 7 /* continue the child */
#define PT_KILL 8 /* kill the child process */
#define PT_STEP 9 /* single step the child */
#define PT_ATTACH ePtAttachDeprecated /* trace some running process */
#define PT_DETACH 11 /* stop tracing a process */
#define PT_SIGEXC 12 /* signals as exceptions for current_proc */
#define PT_THUPDATE 13 /* signal for thread# */
#define PT_ATTACHEXC 14 /* attach to running process with signal exception */
#define PT_FORCEQUOTA 30 /* Enforce quota for root */
#define PT_DENY_ATTACH 31
#define PT_FIRSTMACH 32 /* for machine-specific requests */
__BEGIN_DECLS
int ptrace(int _request, pid_t _pid, caddr_t _addr, int _data);
__END_DECLS
#endif /* !_SYS_PTRACE_H_ */
- 使用起來很簡單 -- ptrace(PT_DENY_ATTACH, 0, 0, 0);
創建一個新的頭文件,粘貼上面的代碼。
#import "ViewController.h"
#import "MyPtraceHeader.h"
@interface ViewController ()
@end
@implementation ViewController
- (void)viewDidLoad {
[super viewDidLoad];
// Do any additional setup after loading the view, typically from a nib.
ptrace(PT_DENY_ATTACH, 0, 0, 0);
}
@end
sysctl
- sysctl主要用來判斷當前是否是debug狀態,并不會像ptrace那樣,檢測到debug狀態就閃退,sysctl可以自己控制接下來要干什么事情。
BOOL isDebugger(){
int name[4];
name[0] = CTL_KERN;
name[1] = KERN_PROC;
name[2] = KERN_PROC_PID;
name[3] = getpid();
struct kinfo_proc info;
size_t info_size = sizeof(info);
sysctl(name, 4, &info, &info_size, NULL, 0);
int flag = info.kp_proc.p_flag & P_TRACED;
NSLog(@"%d",flag);
return ((info.kp_proc.p_flag & P_TRACED) != 0);
}
- 使用
#import "ViewController.h"
#import <sys/sysctl.h>
@interface ViewController ()
@end
@implementation ViewController
static dispatch_source_t timer ;
void debuggerCheck(){
timer = dispatch_source_create(DISPATCH_SOURCE_TYPE_TIMER, 0, 0, dispatch_get_global_queue(0, 0));
dispatch_source_set_timer(timer, DISPATCH_TIME_NOW, 1.0 * NSEC_PER_SEC, 0.0 * NSEC_PER_SEC);
dispatch_source_set_event_handler(timer, ^{
if (isDebugger()) {
NSLog(@"debug狀態!");
}else
{
NSLog(@"沒有debug!");
}
});
dispatch_resume(timer);
}
BOOL isDebugger(){
int name[4];//里面放字節碼。查詢的信息
name[0] = CTL_KERN;//內核查詢
name[1] = KERN_PROC;//查詢進程
name[2] = KERN_PROC_PID;//傳遞的參數是進程的ID
name[3] = getpid();//PID的值
//看info.kp_proc.p_flag 的第12位。如果為1,表示調試狀態。
//接受查詢結果的結構體
struct kinfo_proc info;
size_t info_size = sizeof(info);
sysctl(name, 4, &info, &info_size, NULL, 0);
int flag = info.kp_proc.p_flag & P_TRACED;
NSLog(@"%d",flag);
return ((info.kp_proc.p_flag & P_TRACED) != 0);
}
- (void)viewDidLoad {
[super viewDidLoad];
debuggerCheck();
}
@end
輸出結果
二、破解
- ptrace和sysctl都是系統函數。所以我們就利用fishhook來hook這兩個參數。
- ptrace破解
#import "HookLib.h"
#import "MyPtraceHeader.h"
#import "fishhook.h"
@implementation HookLib
+ (void)load
{
struct rebinding rebind;
//函數的名稱
rebind.name = "ptrace";
//新的函數地址
rebind.replacement = myPtrace;
//保存原始函數地址的變量的指針
rebind.replaced = (void *)&ptrace_p;
//定義數組
struct rebinding rebinds[] = {rebind};
/*
參數一 : 存放rebinding結構體的數組
參數二 : 數組的長度
*/
rebind_symbols(rebinds, 1);
}
/**
用來保存舊函數的指針
*/
int (*ptrace_p)(int _request, pid_t _pid, caddr_t _addr, int _data);
/**
新的函數
@param _request 請求做的事情
@param _pid 請求的進程id
@param _addr 地址
@param _data 數據 -- 取決于第一個參數
@return int
*/
int myPtrace(int _request, pid_t _pid, caddr_t _addr, int _data){
printf("hook住了");
if (_request != PT_DENY_ATTACH) {
return ptrace_p(_request,_pid,_addr,_data);
}
return 0;
}
@end
- sysctl破解
#import "HookSysctl.h"
#import <sys/sysctl.h>
#import "fishhook.h"
@implementation HookSysctl
//原始函數指針
int (*sysctl_p)(int *, u_int, void *, size_t *, void *, size_t);
//新函數地址
int my_sysctl(int *name, u_int namelen, void *info, size_t *infosize, void *newInfo, size_t newInfoSize){
if (namelen == 4
&& name[0] == CTL_KERN
&& name[1] == KERN_PROC
&& name[2] == KERN_PROC_PID
&& info
&& (int)*infosize == sizeof(struct kinfo_proc)) {
int err = sysctl_p(name,namelen,info,infosize,newInfo,newInfoSize);
struct kinfo_proc * myinfo = (struct kinfo_proc *)info;
if ((myinfo->kp_proc.p_flag & P_TRACED) != 0) {
//使用異或可以取反
myinfo->kp_proc.p_flag ^= P_TRACED;
}
return err;
}
return sysctl_p(name,namelen,info,infosize,newInfo,newInfoSize);
}
+(void)load
{
//交換
rebind_symbols((struct rebinding[1]){{"sysctl",my_sysctl,(void *)&sysctl_p}}, 1);
}
@end
三、再防護(防止hook)
- 利用庫的加載順序,在別人hook前,讓防護代碼先執行。
-
具體步驟。
1、創建一個庫。
image.png
2、寫防護代碼(把之前的防護代碼寫到這里)
#import "antiDebugCode.h"
#import <sys/sysctl.h>
#import "MyPtraceHeader.h"
@implementation antiDebugCode
//檢測調試
BOOL isDebugger(){
int name[4];//里面放字節碼。查詢的信息
name[0] = CTL_KERN;//內核查詢
name[1] = KERN_PROC;//查詢進程
name[2] = KERN_PROC_PID;//傳遞的參數是進程的ID
name[3] = getpid();//PID的值
struct kinfo_proc info;//接受查詢結果的結構體
size_t info_size = sizeof(info);
if(sysctl(name, 4, &info, &info_size, 0, 0)){
NSLog(@"查詢失敗");
return NO;
}
//看info.kp_proc.p_flag 的第12位。如果為1,表示調試狀態。
//(info.kp_proc.p_flag & P_TRACED)
return ((info.kp_proc.p_flag & P_TRACED) != 0);
}
static dispatch_source_t timer;
void debugCheck(){
timer = dispatch_source_create(DISPATCH_SOURCE_TYPE_TIMER, 0, 0, dispatch_get_global_queue(0, 0));
dispatch_source_set_timer(timer, DISPATCH_TIME_NOW, 1.0 * NSEC_PER_SEC, 0.0 * NSEC_PER_SEC);
dispatch_source_set_event_handler(timer, ^{
if (isDebugger()) {
NSLog(@"調試狀態!!");
}else{
NSLog(@"正常!");
}
});
dispatch_resume(timer);
}
+(void)load
{
debugCheck();
ptrace(PT_DENY_ATTACH, 0, 0, 0);
}
@end
四、再破解
- 利用二進制工具修改二進制文件。
-
具體步驟。
1、下一個ptrace符號斷點
image.png
2、斷住之后,使用bt查看調用棧,找到調用ptrace的庫及方法。image.png
3、利用Hopper查看二進制文件image.png
4、修改二進制選中此行,點擊鍵盤alt+a
5、導出新的二進制文件
File --> Produce New Executable
6、覆蓋之前.app文件里面的MachO,重新運行就可以了。
五、使用其它方式調用系統函數(以下都用ptrace為例)
利用dlopen+dlsym調用
-
直接調用ptrace(PT_DENY_ATTACH, 0, 0, 0);然后下一個斷點,查看使用的是哪個庫image.png
- 編寫調用代碼
//使用一個char數組拼接一個ptrace字符串 (此拼接方式可以讓逆向的人在使用工具查看匯編時無法直接看到此字符串)
unsigned char funcName[] = {
('q' ^ 'p'),
('q' ^ 't'),
('q' ^ 'r'),
('q' ^ 'a'),
('q' ^ 'c'),
('q' ^ 'e'),
('q' ^ '\0'),
};
unsigned char * p = funcName;
//再次異或之后恢復原本的值
while (((*p) ^= 'q') != '\0') p++;
//通過dlopen拿到句柄
void * handle = dlopen("/usr/lib/system/libsystem_kernel.dylib", RTLD_LAZY);
//定義函數指針
int (*ptrace_p)(int _request, pid_t _pid, caddr_t _addr, int _data);
//如果拿到句柄
if (handle) {
//通過dlsym拿到函數指針
ptrace_p = dlsym(handle, (const char *)funcName);
//如果拿到函數指針
if (ptrace_p) {
//調用所需函數
ptrace_p(PT_DENY_ATTACH, 0, 0, 0 );
}
}
- 使用dlopen+dlsym方式調用,lldb對ptrace下斷點還是可以斷住的。
利用syscall調用系統函數
- 編寫調用代碼(<sys/syscall.h>中可以查找系統函數編號)
/**
參數一:參數是函數編號
其它參數:給參數一的函數提供參數
*/
syscall(SYS_ptrace,PT_DENY_ATTACH,0,0);
- syscall方式調用,lldb對ptrace下斷點是無法斷住的。
利用匯編調用系統函數
-
<sys/syscall.h>中可以查找系統函數編號
image.png - 匯編代碼(CPU架構是arm64)
//安全防護-反調試
//volatile代表不優化此匯編代碼
asm volatile(
"mov x0,#31\n"http://參數1
"mov x1,#0\n"http://參數2
"mov x2,#0\n"http://參數3
"mov x3,#0\n"http://參數4
"mov x16,#26\n"http://中斷根據x16 里面的值,跳轉ptrace
"svc #0x80\n"http://這條指令就是觸發中斷去找x16執行(系統級別的跳轉!)
);
