一、防护

ptrace

• 使用ptrace防护的特点是调试状态开启的时候会闪退，但是直接开启的时候却不会闪退。
• ptrace是系统函数，此函数提供一个进程去监听和控制另一个进程，并且可以检测被控制进程的内存和寄存器里面的数据。ptrace可以用来实现断点调试和系统调用跟踪。

/*
 * Copyright (c) 2000-2005 Apple Computer, Inc. All rights reserved.
 *
 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
 *
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. The rights granted to you under the License
 * may not be used to create, or enable the creation or redistribution of,
 * unlawful or unlicensed copies of an Apple operating system, or to
 * circumvent, violate, or enable the circumvention or violation of, any
 * terms of an Apple operating system software license agreement.
 *
 * Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this file.
 *
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 *
 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
 */
/* Copyright (c) 1995 NeXT Computer, Inc. All Rights Reserved */
/*-
 * Copyright (c) 1984, 1993
 *    The Regents of the University of California.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 *    must display the following acknowledgement:
 *    This product includes software developed by the University of
 *    California, Berkeley and its contributors.
 * 4. Neither the name of the University nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 *    @(#)ptrace.h    8.2 (Berkeley) 1/4/94
 */

#ifndef    _SYS_PTRACE_H_
#define    _SYS_PTRACE_H_

#include <sys/appleapiopts.h>
#include <sys/cdefs.h>

enum {
    ePtAttachDeprecated __deprecated_enum_msg("PT_ATTACH is deprecated. See PT_ATTACHEXC") = 10
};


#define    PT_TRACE_ME    0    /* child declares it's being traced */
#define    PT_READ_I    1    /* read word in child's I space */
#define    PT_READ_D    2    /* read word in child's D space */
#define    PT_READ_U    3    /* read word in child's user structure */
#define    PT_WRITE_I    4    /* write word in child's I space */
#define    PT_WRITE_D    5    /* write word in child's D space */
#define    PT_WRITE_U    6    /* write word in child's user structure */
#define    PT_CONTINUE    7    /* continue the child */
#define    PT_KILL        8    /* kill the child process */
#define    PT_STEP        9    /* single step the child */
#define    PT_ATTACH    ePtAttachDeprecated    /* trace some running process */
#define    PT_DETACH    11    /* stop tracing a process */
#define    PT_SIGEXC    12    /* signals as exceptions for current_proc */
#define PT_THUPDATE    13    /* signal for thread# */
#define PT_ATTACHEXC    14    /* attach to running process with signal exception */

#define    PT_FORCEQUOTA    30    /* Enforce quota for root */
#define    PT_DENY_ATTACH    31

#define    PT_FIRSTMACH    32    /* for machine-specific requests */

__BEGIN_DECLS


int    ptrace(int _request, pid_t _pid, caddr_t _addr, int _data);


__END_DECLS

#endif    /* !_SYS_PTRACE_H_ */

• 使用起来很简单 -- ptrace(PT_DENY_ATTACH, 0, 0, 0);
  创建一个新的头文件，粘贴上面的代码。

#import "ViewController.h"
#import "MyPtraceHeader.h"

@interface ViewController ()

@end

@implementation ViewController

- (void)viewDidLoad {
    [super viewDidLoad];
    // Do any additional setup after loading the view, typically from a nib.
    ptrace(PT_DENY_ATTACH, 0, 0, 0);
}

@end

sysctl

• sysctl主要用来判断当前是否是debug状态，并不会像ptrace那样，检测到debug状态就闪退，sysctl可以自己控制接下来要干什么事情。

BOOL isDebugger(){
    int name[4];
    name[0] = CTL_KERN;
    name[1] = KERN_PROC;
    name[2] = KERN_PROC_PID;
    name[3] = getpid();
    
    struct kinfo_proc info;
    size_t info_size = sizeof(info);
    sysctl(name, 4, &info, &info_size, NULL, 0);
    int flag = info.kp_proc.p_flag & P_TRACED;
    NSLog(@"%d",flag);
    return ((info.kp_proc.p_flag & P_TRACED) != 0);
}

• 使用

#import "ViewController.h"
#import <sys/sysctl.h>

@interface ViewController ()

@end

@implementation ViewController

static dispatch_source_t timer ;
void debuggerCheck(){
 timer = dispatch_source_create(DISPATCH_SOURCE_TYPE_TIMER, 0, 0, dispatch_get_global_queue(0, 0));
    dispatch_source_set_timer(timer, DISPATCH_TIME_NOW, 1.0 * NSEC_PER_SEC, 0.0 * NSEC_PER_SEC);
    dispatch_source_set_event_handler(timer, ^{
        if (isDebugger()) {
            NSLog(@"debug状态！");
        }else
        {
            NSLog(@"没有debug！");
        }
    });
    dispatch_resume(timer);
}

BOOL isDebugger(){
    int name[4];//里面放字节码。查询的信息
    name[0] = CTL_KERN;//内核查询
    name[1] = KERN_PROC;//查询进程
    name[2] = KERN_PROC_PID;//传递的参数是进程的ID
    name[3] = getpid();//PID的值
    
  //看info.kp_proc.p_flag 的第12位。如果为1，表示调试状态。
  //接受查询结果的结构体
    struct kinfo_proc info;
    size_t info_size = sizeof(info);
    sysctl(name, 4, &info, &info_size, NULL, 0);
    int flag = info.kp_proc.p_flag & P_TRACED;
    NSLog(@"%d",flag);
    return ((info.kp_proc.p_flag & P_TRACED) != 0);
}
- (void)viewDidLoad {
    [super viewDidLoad];
    debuggerCheck();
    
}
@end

输出结果

二、破解

• ptrace和sysctl都是系统函数。所以我们就利用fishhook来hook这两个参数。
• ptrace破解

#import "HookLib.h"
#import "MyPtraceHeader.h"
#import "fishhook.h"
@implementation HookLib

+ (void)load
{
    struct rebinding rebind;
    //函数的名称
    rebind.name = "ptrace";
    //新的函数地址
    rebind.replacement = myPtrace;
    //保存原始函数地址的变量的指针
    rebind.replaced = (void *)&ptrace_p;
    //定义数组
    struct rebinding rebinds[] = {rebind};
    /*
     参数一 : 存放rebinding结构体的数组
     参数二 : 数组的长度
     */
    rebind_symbols(rebinds, 1);
}
/**
 用来保存旧函数的指针
 */
int  (*ptrace_p)(int _request, pid_t _pid, caddr_t _addr, int _data);

/**
 新的函数

 @param _request 请求做的事情
 @param _pid 请求的进程id
 @param _addr 地址
 @param _data 数据 -- 取决于第一个参数
 @return int
 */
int  myPtrace(int _request, pid_t _pid, caddr_t _addr, int _data){
    printf("hook住了");
    if (_request != PT_DENY_ATTACH) {
        return ptrace_p(_request,_pid,_addr,_data);
    }
    return 0;
}
@end

• sysctl破解

#import "HookSysctl.h"
#import <sys/sysctl.h>
#import "fishhook.h"
@implementation HookSysctl
//原始函数指针
int  (*sysctl_p)(int *, u_int, void *, size_t *, void *, size_t);

//新函数地址
int my_sysctl(int *name, u_int namelen, void *info, size_t *infosize, void *newInfo, size_t newInfoSize){
    if (namelen == 4
        && name[0] == CTL_KERN
        && name[1] == KERN_PROC
        && name[2] == KERN_PROC_PID
        && info
        && (int)*infosize == sizeof(struct kinfo_proc)) {
        
        int err = sysctl_p(name,namelen,info,infosize,newInfo,newInfoSize);
        struct kinfo_proc * myinfo = (struct kinfo_proc *)info;
        if ((myinfo->kp_proc.p_flag & P_TRACED) != 0) {
            //使用异或可以取反
            myinfo->kp_proc.p_flag ^= P_TRACED;
        }
        
        return err;
    }
    
    
    return sysctl_p(name,namelen,info,infosize,newInfo,newInfoSize);
}

+(void)load
{
    
    //交换
    rebind_symbols((struct rebinding[1]){{"sysctl",my_sysctl,(void *)&sysctl_p}}, 1);
}
@end

三、再防护（防止hook）

• 利用库的加载顺序，在别人hook前，让防护代码先执行。

• 具体步骤。
  

  1、创建一个库。
  image.png
  
  2、写防护代码（把之前的防护代码写到这里）

#import "antiDebugCode.h"
#import <sys/sysctl.h>
#import "MyPtraceHeader.h"

@implementation antiDebugCode
//检测调试
BOOL isDebugger(){
    int name[4];//里面放字节码。查询的信息
    name[0] = CTL_KERN;//内核查询
    name[1] = KERN_PROC;//查询进程
    name[2] = KERN_PROC_PID;//传递的参数是进程的ID
    name[3] = getpid();//PID的值
    
    struct kinfo_proc info;//接受查询结果的结构体
    size_t info_size = sizeof(info);
    if(sysctl(name, 4, &info, &info_size, 0, 0)){
        NSLog(@"查询失败");
        return NO;
    }
    //看info.kp_proc.p_flag 的第12位。如果为1，表示调试状态。
    //(info.kp_proc.p_flag & P_TRACED)
    
    return ((info.kp_proc.p_flag & P_TRACED) != 0);
}

static dispatch_source_t timer;
void debugCheck(){
    timer = dispatch_source_create(DISPATCH_SOURCE_TYPE_TIMER, 0, 0, dispatch_get_global_queue(0, 0));
    dispatch_source_set_timer(timer, DISPATCH_TIME_NOW, 1.0 * NSEC_PER_SEC, 0.0 * NSEC_PER_SEC);
    dispatch_source_set_event_handler(timer, ^{
        if (isDebugger()) {
            NSLog(@"调试状态！！");
        }else{
            NSLog(@"正常！");
        }
    });
    dispatch_resume(timer);
}



+(void)load
{
    debugCheck();
    ptrace(PT_DENY_ATTACH, 0, 0, 0);
    
}
@end

四、再破解

• 利用二进制工具修改二进制文件。

• 具体步骤。
  

  1、下一个ptrace符号断点
  image.png
  
  2、断住之后，使用bt查看调用栈，找到调用ptrace的库及方法。
  image.png
  
  
  3、利用Hopper查看二进制文件
  image.png
  
  4、修改二进制选中此行，点击键盘alt+a
  
  
  
  5、导出新的二进制文件
  File --> Produce New Executable
  

  6、覆盖之前.app文件里面的MachO,重新运行就可以了。

五、使用其它方式调用系统函数（以下都用ptrace为例）

利用dlopen+dlsym调用

• 直接调用ptrace(PT_DENY_ATTACH, 0, 0, 0);然后下一个断点，查看使用的是哪个库
  image.png
• 编写调用代码

    //使用一个char数组拼接一个ptrace字符串 （此拼接方式可以让逆向的人在使用工具查看汇编时无法直接看到此字符串）
    unsigned char funcName[] = {
        ('q' ^ 'p'),
        ('q' ^ 't'),
        ('q' ^ 'r'),
        ('q' ^ 'a'),
        ('q' ^ 'c'),
        ('q' ^ 'e'),
        ('q' ^ '\0'),
    };
    unsigned char * p = funcName;
    //再次异或之后恢复原本的值
    while (((*p) ^= 'q') != '\0') p++;

    //通过dlopen拿到句柄
    void * handle = dlopen("/usr/lib/system/libsystem_kernel.dylib", RTLD_LAZY);
    //定义函数指针
    int (*ptrace_p)(int _request, pid_t _pid, caddr_t _addr, int _data);
    //如果拿到句柄
    if (handle) {
        //通过dlsym拿到函数指针
        ptrace_p = dlsym(handle, (const char *)funcName);
        //如果拿到函数指针
        if (ptrace_p) {
            //调用所需函数
            ptrace_p(PT_DENY_ATTACH, 0, 0, 0 );
        }
    }

• 使用dlopen+dlsym方式调用，lldb对ptrace下断点还是可以断住的。

利用syscall调用系统函数

• 编写调用代码（<sys/syscall.h>中可以查找系统函数编号）

/**
参数一：参数是函数编号
其它参数：给参数一的函数提供参数
*/
syscall(SYS_ptrace,PT_DENY_ATTACH,0,0);

• syscall方式调用，lldb对ptrace下断点是无法断住的。

利用汇编调用系统函数

• <sys/syscall.h>中可以查找系统函数编号

  
  
  image.png
• 汇编代码（CPU架构是arm64）

//安全防护-反调试
//volatile代表不优化此汇编代码
    asm volatile(
                 "mov x0,#31\n"//参数1
                 "mov x1,#0\n"//参数2
                 "mov x2,#0\n"//参数3
                 "mov x3,#0\n"//参数4
                 "mov x16,#26\n"//中断根据x16 里面的值，跳转ptrace
                 "svc #0x80\n"//这条指令就是触发中断去找x16执行（系统级别的跳转！）
                 );

六、总结

攻防博弈，找到你就赢。