{

Author: Maksym Sysenko
Company: Techery
}
You shall not pass : anti-debug
methodics
“Exhaustive prevention is an illusion. We
can't secure misconfiguration, shadow IT,
third parties, human error, former
employee... Focus on what matters more and
be ready to react.” 
― Stephane Nappo
Two definitive articles about how to debug a binary on an iOS device
LLDB (Low Level Debugger)
/* Reference prototype of ptrace(2) as glibc declares it on Linux. Darwin's
 * declaration differs: int ptrace(int _request, pid_t _pid, caddr_t _addr,
 * int _data) -- that is the shape the function-pointer typedef below mirrors,
 * parameter names included. */
long ptrace(enum __ptrace_request request, pid_t pid, void *addr, void *data);

/* Pointer type used to reach ptrace through dlsym() instead of a direct
 * call (presumably to keep a plain ptrace import out of the binary; confirm
 * against the author's intent). */
typedef int (*ptrace_ptr_t)(int _request, pid_t _pid, caddr_t _addr, int _data);

/* PT_DENY_ATTACH is a Darwin-specific request; provide it for toolchains
 * whose headers do not. */
#if !defined(PT_DENY_ATTACH)
#define PT_DENY_ATTACH 31
#endif /* !defined(PT_DENY_ATTACH) */
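/*
 * Ask the kernel to refuse debugger attachment for this process via
 * ptrace(PT_DENY_ATTACH). In the lldb transcript that follows, the traced
 * process exits with status 45 (ENOTSUP) right after the banner.
 *
 * ptrace is resolved through dlsym() on the main image (dlopen(0)) rather
 * than called directly. Both lookups are checked: if the handle or the symbol
 * cannot be resolved the guard does nothing and returns, so it fails open.
 * Treat it as one deterrent layer, not a security boundary -- the deck itself
 * shows it being neutralised from the debugger before the request reaches
 * the kernel.
 */
void simple_guard(void) {
    void *self_handle = dlopen(0, RTLD_GLOBAL | RTLD_NOW);
    if (self_handle == NULL) {
        return;   /* nothing to look up; fail open */
    }
    /* void* -> function pointer conversion is the documented dlsym() idiom. */
    ptrace_ptr_t deny_attach = (ptrace_ptr_t)dlsym(self_handle, "ptrace");
    if (deny_attach != NULL) {
        deny_attach(PT_DENY_ATTACH, 0, 0, 0);
    }
    dlclose(self_handle);
}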
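/*
 * Demo entry point: print a banner, install the ptrace-based guard, then
 * print "Passed!". Under a debugger the process is expected to die inside
 * simple_guard() and never print the second line (see the lldb transcript
 * below). Exit status 0 on the normal path.
 */
int main(int argc, char **argv) {
    (void)argc;
    (void)argv;
    printf("YOU SHALL NOT PASS!\n");   /* "\n": the transcript shows this on its own line */
    simple_guard();
    printf("Passed!\n");
    return 0;
}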
Max:Release newowner$ lldb ./Heimdall
(lldb) target create "./Heimdall"
Current executable set to './Heimdall' (x86_64).
(lldb) process launch
Process 5139 launched: './Heimdall' (x86_64)
YOU SHALL NOT PASS!
Process 5139 exited with status = 45 (0x0000002d)
/System/Library/Frameworks/Kernel.framework/Versions/A/Headers/sys/errno.h
...
#define ENOTSUP 45 /* Operation not supported */
...
br set --name ptrace
Breakpoint 1: where = libsystem_kernel.dylib`__ptrace, address = ….
(lldb) register read
General Purpose Registers:
rax = 0x00007fff78df7e7c libsystem_kernel.dylib`__ptrace
rbx = 0xfffffffffffffffe
rcx = 0x0000000000000000
rdx = 0x0000000000000000
rdi = 0x000000000000001f
rsi = 0x0000000000000000
rbp = 0x00007ffeefbff5b0
rsp = 0x00007ffeefbff598
r8 = 0x00007fffb19a1da0 sGlobalMutex + 32
r9 = 0x0000000000000040
r10 = 0x00007fffb19a1d98 sGlobalMutex + 24
r11 = 0xffffffffffffffff
r12 = 0x0000000000000000
r13 = 0x0000000000000000
r14 = 0x0000000000000000
r15 = 0x0000000000000000
rip = 0x00007fff78df7e7c libsystem_kernel.dylib`__ptrace
rflags = 0x0000000000000246
cs = 0x000000000000002b
fs = 0x0000000000000000
gs = 0x0000000000000000
(lldb) register write rdi 1
(lldb) register read
General Purpose Registers:
rax = 0x00007fff78df7e7c libsystem_kernel.dylib`__ptrace
rbx = 0xfffffffffffffffe
rcx = 0x0000000000000000
rdx = 0x0000000000000000
rdi = 0x0000000000000001
rsi = 0x0000000000000000
rbp = 0x00007ffeefbff5b0
rsp = 0x00007ffeefbff598
r8 = 0x00007fffb19a1da0 sGlobalMutex + 32
r9 = 0x0000000000000040
r10 = 0x00007fffb19a1d98 sGlobalMutex + 24
r11 = 0xffffffffffffffff
r12 = 0x0000000000000000
r13 = 0x0000000000000000
r14 = 0x0000000000000000
r15 = 0x0000000000000000
rip = 0x00007fff78df7e7c libsystem_kernel.dylib`__ptrace
rflags = 0x0000000000000246
cs = 0x000000000000002b
fs = 0x0000000000000000
gs = 0x0000000000000000
Max:Release newowner$ lldb ./Heimdall
(lldb) target create "./Heimdall"
Current executable set to './Heimdall' (x86_64).
(lldb) br set --name ptrace
Breakpoint 1: where = libsystem_kernel.dylib`__ptrace, address = 0x000000000001be7c
(lldb) process launch
Process 5124 launched: './Heimdall' (x86_64)
YOU SHALL NOT PASS!
Process 5124 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 1.1
frame #0: 0x00007fff78df7e7c libsystem_kernel.dylib`__ptrace
libsystem_kernel.dylib`__ptrace:
-> 0x7fff78df7e7c <+0>: xorq %rax, %rax
0x7fff78df7e7f <+3>: leaq 0x38bc5482(%rip), %r11 ; errno
0x7fff78df7e86 <+10>: movl %eax, (%r11)
0x7fff78df7e89 <+13>: movl $0x200001a, %eax ; imm = 0x200001A
Target 0: (Heimdall) stopped.
(lldb) register write rdi 1
(lldb) continue
Process 5124 resuming
Passed!
Process 5124 exited with status = 0 (0x00000000)
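/*
 * Report whether the calling process is currently being traced.
 *
 * Queries the kernel's kinfo_proc for this pid through
 * sysctl({CTL_KERN, KERN_PROC, KERN_PROC_PID, getpid()}) and tests the
 * P_TRACED flag. Returns true only when the flag is set.
 *
 * Failure policy: if sysctl() fails the function returns false ("not
 * debugged"), i.e. it fails open; the whole kinfo_proc is zeroed beforehand
 * so a partially filled struct cannot report a stale flag. Callers wanting
 * fail-closed behaviour must handle the sysctl error themselves.
 *
 * Detection limit: the answer is only as trustworthy as the sysctl call.
 * The deck shows the pid slot of the mib array being rewritten at a sysctl
 * breakpoint so the query describes another process. Use this as one
 * signal among several, not as the sole gate.
 */
static bool AmIBeingDebugged(void) {
    struct kinfo_proc info;
    memset(&info, 0, sizeof info);

    /* Selector for "the kinfo_proc of exactly this pid". */
    int mib[4] = { CTL_KERN, KERN_PROC, KERN_PROC_PID, getpid() };
    size_t size = sizeof info;

    if (sysctl(mib, (unsigned)(sizeof mib / sizeof mib[0]),
               &info, &size, NULL, 0) != 0) {
        return false;   /* fail open rather than abort */
    }
    return (info.kp_proc.p_flag & P_TRACED) != 0;
}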
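/*
 * Demo entry point: print a banner, then exit with status 13 if a tracer is
 * detected (the transcript below shows "exited with status = 13"), otherwise
 * print "Passed!" and exit 0.
 */
int main(int argc, const char * argv[]) {
    (void)argc;
    (void)argv;
    printf("YOU SHALL NOT PASS!\n");   /* "\n": the transcript shows this on its own line */
    if (AmIBeingDebugged()) {
        return 13;   /* distinct status so the caller can tell "detected" from a crash */
    }
    printf("Passed!\n");
    return 0;
}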
Max:Release newowner$ lldb ./Heimdall
(lldb) target create "./Heimdall"
Current executable set to './Heimdall' (x86_64).
(lldb) process launch
Process 24625 launched: './Heimdall' (x86_64)
YOU SHALL NOT PASS!
Process 24625 exited with status = 13 (0x0000004c)
br set --name sysctl --condition 'typedef struct { int values[4]; } i4; 
(*(i4 *)$rdi).values[1] == 14 && 
(*(i4 *)$rdi).values[2] == 1 && 
$rbx==0'
expr typedef struct { int values[4]; } i4; (*(i4 *)$rdi).values[3]=123456
Max:Release newowner$ lldb ./Heimdall
(lldb) target create "./Heimdall"
Current executable set to './Heimdall' (x86_64).
(lldb) br set --name sysctl --condition 'typedef struct {int values[4];}i4;
(*(i4 *)$rdi).values[1] == 14 && (*(i4 *)$rdi).values[2] == 1 && $rbx==0'
Breakpoint 1: where = libsystem_c.dylib`sysctl, address = 0x0000000002e2bc
(lldb) process launch
Process 24598 launched: './Heimdall' (x86_64)
YOU SHALL NOT PASS!
Process 24598 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 1.1
frame #0: 0x00007fff78d252bc libsystem_c.dylib`sysctl
libsystem_c.dylib`sysctl:
-> 0x7fff78d252bc <+0>: pushq %rbp
0x7fff78d252bd <+1>: movq %rsp, %rbp
0x7fff78d252c0 <+4>: movl (%rdi), %eax
0x7fff78d252c2 <+6>: cmpl $0x8, %eax
Target 0: (Heimdall) stopped.
(lldb) expr typedef struct { int values[4]; } i4; *(i4 *)$rdi
(i4) $0 = {
values = ([0] = 1, [1] = 14, [2] = 1, [3] = 24598)
}
(lldb) expr typedef struct {int values[4];}i4;
(*(i4 *)$rdi).values[3]=123456
(int) $1 = 123456
(lldb) continue
Process 24598 resuming
Passed!
Process 24598 exited with status = 0 (0x00000000)
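/*
 * Detect a debugger by inspecting this task's Mach exception ports.
 *
 * An attached debugger typically registers itself as the handler for task
 * exceptions, so task_get_exception_ports() reports a non-null port for one
 * or more exception types. Returns true when any returned entry has a
 * non-null port or a THREAD_STATE_NONE flavor (NOTE(review): the flavor
 * condition is kept from the original heuristic -- confirm it is intended).
 * Returns false when no entry matches or when the Mach call fails, i.e. it
 * fails open like the other checks in this deck.
 *
 * The four arrays are EXC_TYPES_COUNT entries each and live on the stack, so
 * there is no heap allocation to check or free.
 */
bool ios_execp_info_check(void) {
    exception_mask_t masks[EXC_TYPES_COUNT];
    mach_port_t ports[EXC_TYPES_COUNT];
    exception_behavior_t behaviors[EXC_TYPES_COUNT];
    thread_state_flavor_t flavors[EXC_TYPES_COUNT];
    /* Set to the array capacity; the call stores the number of entries it
     * returned. If the stub ignores the in-value, the initialisation is
     * harmless -- TODO confirm against the MIG-generated stub. */
    mach_msg_type_number_t count = EXC_TYPES_COUNT;

    kern_return_t kr = task_get_exception_ports(
        mach_task_self(), EXC_MASK_ALL,
        masks, &count, ports, behaviors, flavors
    );
    if (kr != KERN_SUCCESS) {
        return false;   /* cannot inspect; fail open */
    }

    /* Examine every returned entry, not only the first one; the extra bound
     * guards against a count larger than the arrays. */
    for (mach_msg_type_number_t i = 0; i < count && i < EXC_TYPES_COUNT; i++) {
        if (ports[i] != 0 || flavors[i] == THREAD_STATE_NONE) {
            return true;
        }
    }
    return false;
}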
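#ifdef __arm64__
/*
 * The same PT_DENY_ATTACH request issued as a raw XNU system call, so no
 * user-space ptrace symbol is involved (the deck's first transcript relied on
 * `br set --name ptrace`). Register use on arm64 XNU: x16 carries the
 * syscall number and 0 is the indirect `syscall` entry, which takes the real
 * number from x0 (26 = SYS_ptrace) and shifts the arguments: x1 = request
 * (PT_DENY_ATTACH = 31), x2 = pid 0, x3 = addr 0. ptrace's fourth argument
 * (data) would be x4, which this snippet leaves unset -- confirm the kernel
 * does not read it for this request. `svc #128` enters the kernel.
 *
 * Each operand string ends in "\n" so the assembler sees one instruction per
 * line. This is a deterrent, not a boundary, for the same reasons as the
 * dlsym() variant.
 */
asm(
    "mov x0, #26\n"
    "mov x1, #31\n"
    "mov x2, #0\n"
    "mov x3, #0\n"
    "mov x16, #0\n"
    "svc #128\n"
);
#endif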
Useful links:
Signups are welcome ;)
Presentation finished with exit code 0
Thanks ;)

call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 

"You shall not pass : anti-debug methodics"

  • 1. {
 Author: Maksym Sysenko Company: Techery } You shall not pass : anti-debug methodics “Exhaustive prevention is an illusion. We can't secure misconfiguration, shadow IT, third parties, human error, former employee... Focus on what matters more and be ready to react.”  ― Stephane Nappo
  • 2.
  • 3. Two definitive articles about how to debug a binary on an iOS device
  • 4. LLDB (Low Level Debugger)
  /* Reference prototype of ptrace() as printed on the slide.
   * NOTE(review): this is the glibc/Linux shape (enum request, void *addr,
   * void *data). The Darwin declaration in <sys/ptrace.h> is
   * int ptrace(int _request, pid_t _pid, caddr_t _addr, int _data), which is
   * the shape the ptrace_ptr_t typedef on the next slide mirrors. */
  long ptrace(
      enum __ptrace_request request,
      pid_t pid,
      void *addr,
      void *data
  );
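  /* Function-pointer type matching the Darwin ptrace() prototype:
   * int ptrace(int _request, pid_t _pid, caddr_t _addr, int _data). */
  typedef int (*ptrace_ptr_t)(int _request, pid_t _pid, caddr_t _addr, int _data);

  /* PT_DENY_ATTACH is Apple-specific; supply it when the SDK headers omit it. */
  #if !defined(PT_DENY_ATTACH)
  #define PT_DENY_ATTACH 31
  #endif /* !defined(PT_DENY_ATTACH) */

  /*
   * Ask the kernel to refuse debugger attachment for this process by calling
   * ptrace(PT_DENY_ATTACH) through dlsym() rather than a direct import.
   *
   * Resolving the symbol at runtime keeps "ptrace" out of the import table,
   * but the "ptrace" string literal is still present in the binary and the
   * libsystem_kernel entry point can still be breakpointed (the lldb session
   * on the following slides shows exactly that), so treat this as a speed
   * bump rather than a guarantee.
   *
   * dlopen(0, ...) returns a handle to the main program's global namespace.
   * Every dl* result is checked so that a missing symbol degrades to "no
   * guard" instead of a call through a NULL function pointer.
   *
   * Side effect: under a debugger the kernel terminates the process inside
   * the ptrace call, so the caller never regains control.
   */
  void simple_guard(void) {
      void *handle = dlopen(0, RTLD_GLOBAL | RTLD_NOW);
      if (handle == NULL) {
          return; /* cannot resolve symbols; nothing to arm */
      }

      ptrace_ptr_t ptrace_ptr = (ptrace_ptr_t)dlsym(handle, "ptrace");
      if (ptrace_ptr != NULL) {
          ptrace_ptr(PT_DENY_ATTACH, 0, 0, 0);
      }

      dlclose(handle);
  }

  /* Demo entry point: prints a banner, arms the guard, prints the second
   * banner. With a debugger attached the second line is never reached; the
   * next slide shows the process exiting with status 45 instead. */
  int main(int argc, char **argv) {
      (void)argc;
      (void)argv;
      printf("YOU SHALL NOT PASS!\n");
      simple_guard();
      printf("Passed!\n");
      return 0;
  }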
  • 7. Max:Release newowner$ lldb ./Heimdall (lldb) target create "./Heimdall" Current executable set to './Heimdall' (x86_64). (lldb) process launch Process 5139 launched: './Heimdall' (x86_64) YOU SHALL NOT PASS! Process 5139 exited with status = 45 (0x0000002d)
  • 9.
  • 10.
  • 11. br set --name ptrace Breakpoint 1: where = libsystem_kernel.dylib`__ptrace, address = ….
  • 12. (lldb) register read General Purpose Registers: rax = 0x00007fff78df7e7c libsystem_kernel.dylib`__ptrace rbx = 0xfffffffffffffffe rcx = 0x0000000000000000 rdx = 0x0000000000000000 rdi = 0x000000000000001f rsi = 0x0000000000000000 rbp = 0x00007ffeefbff5b0 rsp = 0x00007ffeefbff598 r8 = 0x00007fffb19a1da0 sGlobalMutex + 32 r9 = 0x0000000000000040 r10 = 0x00007fffb19a1d98 sGlobalMutex + 24 r11 = 0xffffffffffffffff r12 = 0x0000000000000000 r13 = 0x0000000000000000 r14 = 0x0000000000000000 r15 = 0x0000000000000000 rip = 0x00007fff78df7e7c libsystem_kernel.dylib`__ptrace rflags = 0x0000000000000246 cs = 0x000000000000002b fs = 0x0000000000000000 gs = 0x0000000000000000
  • 13. (lldb) register write rdi 1 (lldb) register read General Purpose Registers: rax = 0x00007fff78df7e7c libsystem_kernel.dylib`__ptrace rbx = 0xfffffffffffffffe rcx = 0x0000000000000000 rdx = 0x0000000000000000 rdi = 0x0000000000000001 rsi = 0x0000000000000000 rbp = 0x00007ffeefbff5b0 rsp = 0x00007ffeefbff598 r8 = 0x00007fffb19a1da0 sGlobalMutex + 32 r9 = 0x0000000000000040 r10 = 0x00007fffb19a1d98 sGlobalMutex + 24 r11 = 0xffffffffffffffff r12 = 0x0000000000000000 r13 = 0x0000000000000000 r14 = 0x0000000000000000 r15 = 0x0000000000000000 rip = 0x00007fff78df7e7c libsystem_kernel.dylib`__ptrace rflags = 0x0000000000000246 cs = 0x000000000000002b fs = 0x0000000000000000 gs = 0x0000000000000000
  • 14. Max:Release newowner$ lldb ./Heimdall (lldb) target create "./Heimdall" Current executable set to './Heimdall' (x86_64). (lldb) br set --name ptrace Breakpoint 1: where = libsystem_kernel.dylib`__ptrace, address = 0x000000000001be7c (lldb) process launch Process 5124 launched: './Heimdall' (x86_64) YOU SHALL NOT PASS! Process 5124 stopped * thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 1.1 frame #0: 0x00007fff78df7e7c libsystem_kernel.dylib`__ptrace libsystem_kernel.dylib`__ptrace: -> 0x7fff78df7e7c <+0>: xorq %rax, %rax 0x7fff78df7e7f <+3>: leaq 0x38bc5482(%rip), %r11 ; errno 0x7fff78df7e86 <+10>: movl %eax, (%r11) 0x7fff78df7e89 <+13>: movl $0x200001a, %eax ; imm = 0x200001A Target 0: (Heimdall) stopped. (lldb) register write rdi 1 (lldb) continue Process 5124 resuming Passed! Process 5124 exited with status = 0 (0x00000000)
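  /*
   * Report whether a tracer is attached to the calling process.
   *
   * Looks up our own process record with sysctl(CTL_KERN, KERN_PROC,
   * KERN_PROC_PID, getpid()) and tests the P_TRACED flag on the returned
   * kinfo_proc.
   *
   * Returns true only when the sysctl call succeeded and P_TRACED is set; a
   * failed lookup is reported as "not traced". The return value is checked
   * explicitly because an assert() on it disappears under NDEBUG, leaving a
   * release build to silently trust a record the kernel never filled in.
   *
   * The answer is only as trustworthy as the sysctl call itself: a debugger
   * that breaks on sysctl can rewrite the request or the result, as the
   * following slides demonstrate, so use this as one signal among several.
   */
  static bool AmIBeingDebugged(void) {
      struct kinfo_proc info;
      int mib[4];
      size_t size = sizeof(info);

      /* Zero the whole record (not only p_flag) so nothing stale can reach
       * the flag test if the kernel fills in less than we expect. */
      memset(&info, 0, sizeof(info));

      mib[0] = CTL_KERN;
      mib[1] = KERN_PROC;
      mib[2] = KERN_PROC_PID;
      mib[3] = getpid();

      if (sysctl(mib, (unsigned)(sizeof(mib) / sizeof(*mib)), &info, &size, NULL, 0) != 0) {
          return false; /* lookup failed: report "not traced" rather than guess */
      }

      return (info.kp_proc.p_flag & P_TRACED) != 0;
  }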
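  /* Demo entry point: exits with code 13 when AmIBeingDebugged() reports a
   * tracer, otherwise prints the second banner and exits 0. The check runs
   * after the first printf, which is why the banner still appears in the
   * lldb session on the next slide. */
  int main(int argc, const char *argv[]) {
      (void)argc;
      (void)argv;
      printf("YOU SHALL NOT PASS!\n");
      if (AmIBeingDebugged()) {
          return 13;
      }
      printf("Passed!\n");
      return 0;
  }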
  • 17. Max:Release newowner$ lldb ./Heimdall (lldb) target create "./Heimdall" Current executable set to './Heimdall' (x86_64). (lldb) process launch Process 24625 launched: './Heimdall' (x86_64) YOU SHALL NOT PASS! Process 24625 exited with status = 13 (0x0000004c)
  • 18. br set --name sysctl --condition 'typedef struct { int values[4]; } i4; (*(i4 *)$rdi).values[1] == 14 && (*(i4 *)$rdi).values[2] == 1 && $rbx==0’ expr typedef struct { int values[4]; } i4; (*(i4 *)$rdi).values[3]=123456
  • 19. Max:Release newowner$ lldb ./Heimdall (lldb) target create "./Heimdall" Current executable set to './Heimdall' (x86_64). (lldb) br set --name sysctl --condition 'typedef struct {int values[4];}i4; (*(i4 *)$rdi).values[1] == 14 && (*(i4 *)$rdi).values[2] == 1 && $rbx==0' Breakpoint 1: where = libsystem_c.dylib`sysctl, address = 0x0000000002e2bc (lldb) process launch Process 24598 launched: './Heimdall' (x86_64) YOU SHALL NOT PASS! Process 24598 stopped * thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 1.1 frame #0: 0x00007fff78d252bc libsystem_c.dylib`sysctl libsystem_c.dylib`sysctl: -> 0x7fff78d252bc <+0>: pushq %rbp 0x7fff78d252bd <+1>: movq %rsp, %rbp 0x7fff78d252c0 <+4>: movl (%rdi), %eax 0x7fff78d252c2 <+6>: cmpl $0x8, %eax Target 0: (Heimdall) stopped. (lldb) expr typedef struct { int values[4]; } i4; *(i4 *)$rdi (i4) $0 = { values = ([0] = 1, [1] = 14, [2] = 1, [3] = 24598) } (lldb) expr typedef struct {int values[4];}i4; (*(i4 *)$rdi).values[3]=123456 (int) $1 = 123456 (lldb) continue Process 24598 resuming Passed! Process 24598 exited with status = 0 (0x00000000)
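  /*
   * Return true when the current task's exception ports look like a handler
   * (for example a debugger) has been installed on them.
   *
   * task_get_exception_ports() fills parallel arrays of masks, ports,
   * behaviors and flavors for mach_task_self(). The arrays live on the stack
   * so nothing is allocated or leaked, `count` is primed with the array
   * capacity before the call (NOTE(review): the MIG count argument is in/out
   * in my reading of <mach/task.h>; confirm against the SDK headers), the
   * kern_return_t is checked, and every returned entry is examined. Returning
   * from inside the loop body would inspect only index 0.
   *
   * The per-entry test (non-null port, or flavor == THREAD_STATE_NONE) is kept
   * as written; whether the flavor clause contributes signal is not something
   * this page establishes.
   *
   * Returns false when the query fails or no entry matches.
   */
  bool ios_execp_info_check(void) {
      exception_mask_t masks[EXC_TYPES_COUNT];
      mach_port_t ports[EXC_TYPES_COUNT];
      exception_behavior_t behaviors[EXC_TYPES_COUNT];
      thread_state_flavor_t flavors[EXC_TYPES_COUNT];
      mach_msg_type_number_t count = EXC_TYPES_COUNT;

      kern_return_t kr = task_get_exception_ports(mach_task_self(), EXC_MASK_ALL,
                                                  masks, &count, ports, behaviors, flavors);
      if (kr != KERN_SUCCESS) {
          return false; /* cannot inspect the ports: report "nothing seen" */
      }
      if (count > EXC_TYPES_COUNT) {
          count = EXC_TYPES_COUNT; /* defensive clamp; never index past the arrays */
      }

      for (mach_msg_type_number_t i = 0; i < count; i++) {
          if (ports[i] != MACH_PORT_NULL || flavors[i] == THREAD_STATE_NONE) {
              return true;
          }
      }
      return false;
  }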
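  #ifdef __arm64__
  /*
   * The same PT_DENY_ATTACH request as simple_guard(), issued as a raw
   * supervisor call so there is no ptrace symbol to breakpoint.
   *
   * Register usage on Darwin/arm64 (NOTE(review): verify against the SDK's
   * syscall table): x16 = 0 selects the indirect `syscall` entry, x0 = 26 is
   * then the ptrace number, x1 = 31 is PT_DENY_ATTACH, x2/x3 are the unused
   * addr/data arguments, and svc #128 traps into the kernel.
   *
   * The "\n" separators between instructions were lost in the slide export
   * ("...#26n"); they are restored here so the template assembles.
   *
   * As printed this is basic asm at file scope, which only emits the bytes
   * and never executes them; the slide presumably elides the enclosing
   * function. Inside a function the clobbered registers (x0-x3, x16) must be
   * declared via an extended-asm clobber list.
   */
  asm(
      "mov x0, #26\n"
      "mov x1, #31\n"
      "mov x2, #0\n"
      "mov x3, #0\n"
      "mov x16, #0\n"
      "svc #128\n"
  );
  #endif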
  • 23.
  • 25. Presentation finished with exit code 0 Thanks ;)