iOS Hardening (1): ptrace Protection

Author: 夜凉听风雨 | Published 2022-05-26 18:37

    1. Introduction

    When cracking an app, the work that precedes the actual crack is always debugging. LLDB can attach to a process because of debugserver, and debugserver attaches by calling the ptrace function to trace the process.
    ptrace is a system function: it lets one process observe and control another process, and inspect the memory and registers of the controlled process. ptrace can be used to implement breakpoint debugging and system-call tracing.
    ptrace also provides a very useful request, PT_DENY_ATTACH, which tells the system to block a debugger from attaching. The most common anti-debugging scheme is therefore to call ptrace with this request.

    2. Obtaining the ptrace.h header

    ptrace.h is a system C header, but it cannot be imported directly into an app project. Instead, create a command-line project, write #import <sys/ptrace.h>, and Command-click that line to jump into ptrace.h. Copy the entire contents into a new header file PtraceHeader.h in your own project; your project can then import PtraceHeader.h and call ptrace directly.

    2.1 First, create a command-line program in Xcode

    [Screenshot: creating a new command-line project]

    2.2 Import the ptrace header in the command-line program's main.m

    Add #import <sys/ptrace.h> to pull in the ptrace header.

    [Screenshot: importing ptrace.h]

    2.3 View the definition of ptrace.h and copy its code

    [Screenshot: viewing ptrace.h]

    The contents of ptrace.h are as follows:

    /*
     * Copyright (c) 2000-2005 Apple Computer, Inc. All rights reserved.
     *
     * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
     *
     * This file contains Original Code and/or Modifications of Original Code
     * as defined in and that are subject to the Apple Public Source License
     * Version 2.0 (the 'License'). You may not use this file except in
     * compliance with the License. The rights granted to you under the License
     * may not be used to create, or enable the creation or redistribution of,
     * unlawful or unlicensed copies of an Apple operating system, or to
     * circumvent, violate, or enable the circumvention or violation of, any
     * terms of an Apple operating system software license agreement.
     *
     * Please obtain a copy of the License at
     * http://www.opensource.apple.com/apsl/ and read it before using this file.
     *
     * The Original Code and all software distributed under the License are
     * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
     * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
     * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
     * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
     * Please see the License for the specific language governing rights and
     * limitations under the License.
     *
     * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
     */
    /* Copyright (c) 1995 NeXT Computer, Inc. All Rights Reserved */
    /*-
     * Copyright (c) 1984, 1993
     *    The Regents of the University of California.  All rights reserved.
     *
     * Redistribution and use in source and binary forms, with or without
     * modification, are permitted provided that the following conditions
     * are met:
     * 1. Redistributions of source code must retain the above copyright
     *    notice, this list of conditions and the following disclaimer.
     * 2. Redistributions in binary form must reproduce the above copyright
     *    notice, this list of conditions and the following disclaimer in the
     *    documentation and/or other materials provided with the distribution.
     * 3. All advertising materials mentioning features or use of this software
     *    must display the following acknowledgement:
     *    This product includes software developed by the University of
     *    California, Berkeley and its contributors.
     * 4. Neither the name of the University nor the names of its contributors
     *    may be used to endorse or promote products derived from this software
     *    without specific prior written permission.
     *
     * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
     * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
     * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
     * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
     * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
     * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
     * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
     * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
     * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
     * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
     * SUCH DAMAGE.
     *
     *    @(#)ptrace.h    8.2 (Berkeley) 1/4/94
     */
    
    #ifndef _SYS_PTRACE_H_
    #define _SYS_PTRACE_H_
    
    #include <sys/appleapiopts.h>
    #include <sys/cdefs.h>
    
    enum {
        ePtAttachDeprecated __deprecated_enum_msg("PT_ATTACH is deprecated. See PT_ATTACHEXC") = 10
    };
    
    
    #define PT_TRACE_ME     0       /* child declares it's being traced */
    #define PT_READ_I       1       /* read word in child's I space */
    #define PT_READ_D       2       /* read word in child's D space */
    #define PT_READ_U       3       /* read word in child's user structure */
    #define PT_WRITE_I      4       /* write word in child's I space */
    #define PT_WRITE_D      5       /* write word in child's D space */
    #define PT_WRITE_U      6       /* write word in child's user structure */
    #define PT_CONTINUE     7       /* continue the child */
    #define PT_KILL         8       /* kill the child process */
    #define PT_STEP         9       /* single step the child */
    #define PT_ATTACH       ePtAttachDeprecated     /* trace some running process */
    #define PT_DETACH       11      /* stop tracing a process */
    #define PT_SIGEXC       12      /* signals as exceptions for current_proc */
    #define PT_THUPDATE     13      /* signal for thread# */
    #define PT_ATTACHEXC    14      /* attach to running process with signal exception */
    
    #define PT_FORCEQUOTA   30      /* Enforce quota for root */
    #define PT_DENY_ATTACH  31
    
    #define PT_FIRSTMACH    32      /* for machine-specific requests */
    
    __BEGIN_DECLS
    
    
    int     ptrace(int _request, pid_t _pid, caddr_t _addr, int _data);
    
    
    __END_DECLS
    
    #endif  /* !_SYS_PTRACE_H_ */
    
    
    

    2.4 Create your own ptrace header

    Create a header file PtraceHeader.h and paste in the ptrace.h code obtained above.

    3. Protecting with ptrace

    First create an iOS project in Xcode named ptraceDemo. In ViewController.m, import the header PtraceHeader.h and call the ptrace function for anti-debugging protection.

    The prototype of ptrace is:

    int ptrace(int _request, pid_t _pid, caddr_t _addr, int _data);
    /*
    Argument 1: the request, i.e. what ptrace should do (PT_DENY_ATTACH means refuse attachment)
    Argument 2: the id of the process to operate on (0 means the current process)
    Argument 3: address
    Argument 4: data
    Arguments 3 and 4 depend on the first argument
    */
    

    Calling ptrace(PT_DENY_ATTACH, 0, 0, 0); is enough to prevent debugging.

    [Screenshot: anti-debugging code]

    Run ptraceDemo on an iPhone from Xcode and you will see the program crash immediately after launch. Tapping the app icon on the home screen, however, runs it normally.

    This is because when Xcode installs the app on the phone, lldb attaches to the app by default; ptrace refuses the attachment, so the app exits.
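    As an added example (not code from the original post), here is one way to place the call in the ptraceDemo project so that it runs before main() and before any view controller loads. It assumes PtraceHeader.h is the copy of ptrace.h made in section 2; the function name anti_debug_init and the DEBUG gate are my own choices, not part of the post.

```objective-c
// Added example, not from the original post. Assumes PtraceHeader.h is the
// copy of <sys/ptrace.h> created in section 2 and is part of the same target.
#import <Foundation/Foundation.h>
#import <sys/types.h>      // pid_t and caddr_t used by the ptrace prototype
#import "PtraceHeader.h"   // PT_DENY_ATTACH and the ptrace() declaration

// A constructor runs when the binary is loaded, before main(), so the
// PT_DENY_ATTACH request is in place before any UIKit code executes.
// If a debugger is already attached (Xcode's lldb via debugserver), the
// process is terminated here, which is the "crashes when launched from
// Xcode, runs normally from the home screen" behaviour described above.
__attribute__((constructor))
static void anti_debug_init(void) {
#ifndef DEBUG
    // Xcode's default Debug configuration defines DEBUG=1, so this gate keeps
    // the team's own debugging working and arms the check in Release builds.
    // Remove the gate to reproduce the crash-under-Xcode test from the post.
    ptrace(PT_DENY_ATTACH, 0, 0, 0);
#endif
}
```

    Putting the call in a constructor rather than in a view controller means there is no window before the first screen appears in which an attached debugger could pause the process; the gate on DEBUG is optional and exists only so that a Debug build can still be run from Xcode.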

    4. Summary

    4.1 Characteristics

    Characteristics of ptrace protection:

    1. After re-signing the app, running it from Xcode crashes
    2. Opening the app manually runs normally

    If a program shows the above behaviour, it is very likely protected with ptrace.

    4.2 Verifying the use of ptrace

    Next, add a symbolic breakpoint to the re-signed app to verify that the app really uses ptrace.

    [Screenshot: adding a symbolic breakpoint on ptrace]

    If the situation shown in the picture below appears after running the app, the app does indeed use ptrace protection.

    [Screenshot: the symbolic breakpoint on ptrace being hit]

    Original URL: https://www.haomeiwen.com/subject/nccpprtx.html