sysctl是系统函数,所以仍然使用fishhook。
跟破解ptrace防护一样,创建动态库,在动态库中进行hook,关键代码如下:
#import "SysctlInject.h"
#import <sys/sysctl.h>
#import "fishhook.h"
@implementation SysctlInject
//声明一个原系统函数的指针,保存原函数地址
int (*sys_sysctl)(int *, u_int, void *, size_t *, void *, size_t);
//自定义函数
int my_sysctl(int *name, u_int namelen, void *info, size_t *infoSize, void *newInfo, size_t newInfoSize) {
if (namelen == 4 &&
name[0] == CTL_KERN &&
name[1] == KERN_PROC &&
name[2] == KERN_PROC_PID&&
info &&
*infoSize == sizeof(struct kinfo_proc)) {
int err = sys_sysctl(name, namelen, info, infoSize, newInfo, newInfoSize);
struct kinfo_proc *myInfo = (struct kinfo_proc *)info;
if ((myInfo->kp_proc.p_flag & P_TRACED) != 0) { //被调试
myInfo->kp_proc.p_flag ^= P_TRACED; //使用异或进行取反
}
return err;
}
return sys_sysctl(name, namelen, info, infoSize, newInfo, newInfoSize);
}
+ (void)load {
struct rebinding rebind;
rebind.name = "sysctl";
rebind.replacement = my_sysctl;
rebind.replaced = (void *)&sys_sysctl;
struct rebinding bind[] = {rebind};
rebind_symbols(bind, 1);
}
@end
网友评论