//
// Demo: Anti Anti-Debug in iOS Kernel
// Created by Proteas on 2017/11/29.
//
#include <IOKit/IOLib.h>
#include <IOKit/IOService.h>
extern "C" {
// External kernel functions used below. They are declared by hand instead of
// being taken from kernel headers, so the signatures are the ones this file
// relies on rather than guaranteed exact kernel prototypes (TODO confirm
// against the SDK in use).
extern int proc_pid(struct proc *);
extern void proc_name(int, char *, int);
extern int proc_is64bit(struct proc *);
extern vm_offset_t ml_io_map( vm_offset_t phys_addr, vm_size_t size);
// External types: local copies of the syscall argument layouts, including the
// PADL_/PADR_ padding scheme, so each field sits where the kernel's own
// definition places it.
#if CONFIG_REQUIRES_U32_MUNGING
#define PAD_(t) (sizeof(uint64_t) <= sizeof(t) ? 0 : sizeof(uint64_t) - sizeof(t))
#else
#define PAD_(t) (sizeof(uint32_t) <= sizeof(t) ? 0 : sizeof(uint32_t) - sizeof(t))
#endif /* CONFIG_REQUIRES_U32_MUNGING */
#if BYTE_ORDER == LITTLE_ENDIAN
#define PADL_(t) 0
#define PADR_(t) PAD_(t)
#else
#define PADL_(t) PAD_(t)
#define PADR_(t) 0
#endif
// ptrace(2) arguments as the syscall handler sees them; ptrs_ptrace inspects
// only req.
struct ptrace_args {
    char req_l_[PADL_(int)]; int req; char req_r_[PADR_(int)];
    char pid_l_[PADL_(pid_t)]; pid_t pid; char pid_r_[PADR_(pid_t)];
    char addr_l_[PADL_(user_addr_t)]; user_addr_t addr; char addr_r_[PADR_(user_addr_t)];
    char data_l_[PADL_(int)]; int data; char data_r_[PADR_(int)];
};
// sysctl(2) arguments. name, old and oldlenp are user-space addresses (they
// are only accessed through copyin/copyout); namelen is the count of int
// entries at name. The "new" argument is spelled new_a because new is a C++
// keyword.
struct sysctl_args {
    char name_l_[PADL_(user_addr_t)]; user_addr_t name; char name_r_[PADR_(user_addr_t)];
    char namelen_l_[PADL_(u_int)]; u_int namelen; char namelen_r_[PADR_(u_int)];
    char old_l_[PADL_(user_addr_t)]; user_addr_t old; char old_r_[PADR_(user_addr_t)];
    char oldlenp_l_[PADL_(user_addr_t)]; user_addr_t oldlenp; char oldlenp_r_[PADR_(user_addr_t)];
    char new_l_[PADL_(user_addr_t)]; user_addr_t new_a; char new_r_[PADR_(user_addr_t)];
    char newlen_l_[PADL_(user_size_t)]; user_size_t newlen; char newlen_r_[PADR_(user_size_t)];
};
// 64-bit user time_t, forced to 8-byte alignment so the struct below keeps the
// user-space layout.
typedef int64_t user64_time_t __attribute__((aligned(8)));
// user64_timeval: 64-bit user-space timeval.
struct user64_timeval {
    user64_time_t tv_sec;
    int tv_usec;
};
// Leading fields of the 64-bit kinfo_proc's kp_proc (extern_proc). Only enough
// of the layout is reproduced to reach p_flag, the field ptrs_sysctl tests and
// rewrites; ptrs_sysctl copies a larger (648-byte) buffer and uses this type
// purely to locate that field.
struct user64_extern_proc {
    union {
        struct {
            uint64_t __p_forw;
            uint64_t __p_back;
        } p_st1;
        struct user64_timeval __p_starttime;
    } p_un;
    uint64_t p_vmspace;
    uint64_t p_sigacts;
    int p_flag;
};
// Leading part of the 64-bit kinfo_proc (see user64_extern_proc); ptrs_sysctl
// overlays it on a caller's sysctl output buffer.
struct user64_kinfo_proc {
    struct user64_extern_proc kp_proc;
};
} /* extern "C" */
/*******************************************************************************/
extern "C" {
// Device- and OS-version-specific constants: the physical address of the
// kernel to map, how much of it to map, and the offsets (from that mapped
// base) of the slots that hold the ptrace and sysctl handler pointers. They
// were captured for one particular device/build; on a different kernel they
// would not line up and PRTS_KAADBG::start would patch unrelated memory.
static uint64_t gOffsetPtrace = 0x00000000004fa350;
static uint64_t gOffsetSysctl = 0x00000000004fb3d0;
static vm_offset_t gKernPhyAddr = 0x800C04000;
static vm_size_t gKernMapSize = 0x600000; // far enough for hook: must cover both offsets above
/*******************************************************************************/
// Shape of the handlers stored in those slots: calling proc, argument struct,
// return-value slot.
typedef int (*ptrace_t)(struct proc *, struct ptrace_args *, int *);
typedef int (*sysctl_t)(struct proc *, struct sysctl_args *, int *);
// Original handler addresses, saved by PRTS_KAADBG::start before it overwrites
// the slots; ptrs_ptrace and ptrs_sysctl forward to them.
static ptrace_t g_orig_ptrace = NULL;
static sysctl_t g_orig_sysctl = NULL;
/*******************************************************************************/
// ptrs_ptrace
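#ifndef PT_DENY_ATTACH
#define PT_DENY_ATTACH 31 // ptrace(2) request a process uses to refuse debugger attachment
#endif
/*
 * ptrs_ptrace: replacement handler installed in the ptrace syscall slot by
 * PRTS_KAADBG::start (g_orig_ptrace holds the handler that was there before).
 *
 * A PT_DENY_ATTACH request is logged and reported as successful (return 0)
 * without reaching the original handler, so it has no effect on the calling
 * process. Every other request is forwarded unchanged.
 *
 * p    - calling process; used only to obtain its pid and name for the log
 * uap  - syscall arguments; only req is inspected
 * retv - syscall return-value slot. It is left untouched on the intercepted
 *        path, which assumes the dispatcher pre-zeroes it (TODO confirm).
 * returns 0 on the intercepted path, otherwise the original handler's result
 */
static int ptrs_ptrace(struct proc *p, struct ptrace_args *uap, int *retv)
{
    if (uap->req != PT_DENY_ATTACH) {
        return g_orig_ptrace(p, uap, retv);
    }
    // pid_t matches the type ptrs_sysctl uses for the same value.
    pid_t pid = proc_pid(p);
    char procName[32] = {0};
    proc_name(pid, procName, sizeof(procName));
    IOLog("[PRTS][KAADBG] anti ptrace: %d, %s\n", pid, procName);
    return 0;
}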
/*******************************************************************************/
// ptrs_sysctl
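#ifndef CTL_KERN
#define CTL_KERN 1
#endif
#ifndef KERN_PROC
#define KERN_PROC 14
#endif
#ifndef KERN_PROC_PID
#define KERN_PROC_PID 1
#endif
#ifndef P_TRACED
#define P_TRACED 0x00000800
#endif
/*
 * ptrs_sysctl: replacement handler installed in the sysctl syscall slot by
 * PRTS_KAADBG::start (g_orig_sysctl holds the previous handler).
 *
 * The original handler always runs first and its result is what the caller
 * gets back. Afterwards, for a successful CTL_KERN/KERN_PROC/KERN_PROC_PID
 * query issued by a 64-bit process other than "debugserver" with a non-null
 * output buffer, the P_TRACED bit of kp_proc.p_flag in the returned
 * kinfo_proc is cleared in place in the caller's buffer.
 *
 * Bounds discipline, since every address in uap is user-controlled:
 *  - nothing is touched unless the original call succeeded, so a buffer the
 *    kernel never filled is neither read nor written;
 *  - the MIB is read only after namelen says it holds at least three entries,
 *    and only those three are copied in;
 *  - only the bytes needed to reach p_flag are copied in, only the p_flag
 *    field is copied out, and both are bounded by the length the kernel
 *    reported through *oldlenp, so the caller's buffer is never overrun.
 *
 * p    - calling process
 * uap  - sysctl(2) arguments (name/old/oldlenp are user-space addresses)
 * retv - syscall return-value slot, passed through to the original handler
 * returns the original handler's result in all cases
 */
static int ptrs_sysctl(struct proc *p, struct sysctl_args *uap, int *retv)
{
    int ret = g_orig_sysctl(p, uap, retv);
    if (ret != 0) {
        return ret; // original call failed: the output buffer is not populated
    }

    pid_t pid = proc_pid(p);
    char procName[32] = {0};
    proc_name(pid, procName, sizeof(procName));
    if (strcmp(procName, "debugserver") == 0) {
        return ret; // the debugger's own queries are left alone
    }

    // Early exits that need no user-memory access.
    if (uap->old == 0 || uap->oldlenp == 0 || proc_is64bit(p) != 1) {
        return ret;
    }
    if (uap->namelen < 3) {
        return ret; // a KERN_PROC_PID query needs at least {CTL_KERN, KERN_PROC, KERN_PROC_PID}
    }

    int mib[3] = {0};
    int err = copyin(uap->name, mib, sizeof(mib));
    if (err != 0) {
        IOLog("[PRTS][KAADBG] sysctl: copyin fail: %d\n", err);
        return ret;
    }
    if (!(mib[0] == CTL_KERN && mib[1] == KERN_PROC && mib[2] == KERN_PROC_PID)) {
        return ret;
    }
    IOLog("[PRTS][KAADBG] anti sysctl - QUERY: %d, %s\n", pid, procName);

    // Locate kp_proc.p_flag inside the caller's kinfo_proc without relying on
    // offsetof being available here.
    struct user64_kinfo_proc kpr = {};
    const size_t flagOffset = (size_t)((const char *)&kpr.kp_proc.p_flag - (const char *)&kpr);
    const size_t needed = flagOffset + sizeof(kpr.kp_proc.p_flag);

    // sysctl reports the number of bytes it wrote through *oldlenp; refuse to
    // touch a buffer shorter than the field being patched.
    user_size_t oldlen = 0;
    err = copyin(uap->oldlenp, &oldlen, sizeof(oldlen));
    if (err != 0) {
        IOLog("[PRTS][KAADBG] sysctl: copyin fail: %d\n", err);
        return ret;
    }
    if (oldlen < needed) {
        return ret;
    }

    err = copyin(uap->old, &kpr, needed);
    if (err != 0) {
        IOLog("[PRTS][KAADBG] sysctl: copyin fail: %d\n", err);
        return ret;
    }
    if ((kpr.kp_proc.p_flag & P_TRACED) == 0) {
        return ret; // bit not set: nothing to change
    }

    kpr.kp_proc.p_flag &= ~P_TRACED;
    // Write back just the modified field rather than the whole buffer.
    err = copyout(&kpr.kp_proc.p_flag, uap->old + flagOffset, sizeof(kpr.kp_proc.p_flag));
    if (err != 0) {
        IOLog("[PRTS][KAADBG] sysctl: copyout fail: %d\n", err);
        return ret;
    }
    IOLog("[PRTS][KAADBG] anti sysctl - ^P_TRACED: %d, %s\n", pid, procName);
    return ret;
}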
/*******************************************************************************/
} /* extern "C" */
/*******************************************************************************/
// class: PRTS_KAADBG
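/*
 * PRTS_KAADBG: IOService whose start() redirects the kernel's ptrace and
 * sysctl handler slots to ptrs_ptrace / ptrs_sysctl, and whose stop() puts
 * the original handlers back.
 *
 * The slots are found by mapping the kernel's physical base (gKernPhyAddr)
 * with ml_io_map and adding the device/OS-specific offsets gOffsetPtrace and
 * gOffsetSysctl. Nothing here validates that those offsets match the running
 * kernel; a mismatch patches unrelated memory.
 *
 * NOTE(review): from a monitoring standpoint this kind of patch shows up as
 * syscall handler pointers that no longer point into the kernel's own text.
 */
class PRTS_KAADBG : public IOService
{
    OSDeclareDefaultStructors(PRTS_KAADBG)

    // Kernel addresses of the two patched slots; valid between a successful
    // start() and the matching stop(), NULL otherwise.
    uint64_t *fPtraceSlot;
    uint64_t *fSysctlSlot;

public:
    /*
     * Install the hooks. Fails, undoing IOService::start, when the kernel
     * mapping cannot be established or either slot reads as empty, rather
     * than patching through a bad pointer. The service is published only
     * after the hooks are in place.
     */
    virtual bool start (IOService *provider) APPLE_KEXT_OVERRIDE
    {
        fPtraceSlot = NULL;
        fSysctlSlot = NULL;
        if (IOService::start(provider) == false) {
            return false;
        }

        // map kernel; a zero return is treated as failure (TODO confirm
        // ml_io_map's failure convention on the target build)
        vm_offset_t kernelBase = ml_io_map(gKernPhyAddr, gKernMapSize);
        if (kernelBase == 0) {
            IOLog("[PRTS][KAADBG] ml_io_map failed\n");
            IOService::stop(provider);
            return false;
        }

        // offset to position
        uint64_t *ptraceSlot = (uint64_t *)(kernelBase + gOffsetPtrace);
        uint64_t *sysctlSlot = (uint64_t *)(kernelBase + gOffsetSysctl);
        if (*ptraceSlot == 0 || *sysctlSlot == 0) {
            IOLog("[PRTS][KAADBG] empty handler slot, not hooking\n");
            IOService::stop(provider);
            return false;
        }

        // save original function address: the hooks forward to these and
        // stop() restores them
        g_orig_ptrace = (ptrace_t)(*ptraceSlot);
        g_orig_sysctl = (sysctl_t)(*sysctlSlot);
        // hook
        *ptraceSlot = (uint64_t)ptrs_ptrace;
        *sysctlSlot = (uint64_t)ptrs_sysctl;
        fPtraceSlot = ptraceSlot;
        fSysctlSlot = sysctlSlot;
        IOLog("[PRTS][KAADBG] success to hook ptrace and sysctl\n");

        this->registerService();
        return true;
    }

    /*
     * Restore the original handlers before this kext's code goes away;
     * otherwise unloading leaves the slots pointing at freed memory and the
     * next ptrace/sysctl call jumps into it.
     */
    virtual void stop (IOService *provider) APPLE_KEXT_OVERRIDE
    {
        if (fPtraceSlot != NULL) {
            *fPtraceSlot = (uint64_t)g_orig_ptrace;
            fPtraceSlot = NULL;
        }
        if (fSysctlSlot != NULL) {
            *fSysctlSlot = (uint64_t)g_orig_sysctl;
            fSysctlSlot = NULL;
        }
        IOService::stop(provider);
    }

    virtual void free (void) APPLE_KEXT_OVERRIDE
    {
        IOService::free();
    }
};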
/*******************************************************************************/
// Emits the metaclass and constructor/destructor definitions that
// OSDeclareDefaultStructors(PRTS_KAADBG) declared inside the class.
OSDefineMetaClassAndStructors(PRTS_KAADBG, IOService)
/*******************************************************************************/