Bypassing ptrace anti-debugging in debugserver, step by step


#1

Edit: newcomers, please refer to the replies below for the full picture -- @Aimer

This has actually been discussed over and over on the forum, and anyone who uses the search properly can find the answer, but for some reason a lot of people still get stuck here. Since there is a problem, let's try to settle it in one post.

The following was done on an iPhone SE running iOS 9.3.3; the target is “无秘” (Wumi), a despicable, karma-burning app.

Step 1. Get Wumi's full path with ps

First launch Wumi, then ssh into the device and use ps to look up its full path:

FunMaker-SE:~ root# ps -e
  PID TTY           TIME CMD
    1 ??         8:57.70 /sbin/launchd
  225 ??         7:15.96 /usr/sbin/syslogd
...
13410 ??         0:15.52 /var/containers/Bundle/Application/24550860-1E7B-4A59-9753-9E7040DF0DAA/WMMimi.app/WMMimi
...

Step 2. Double-click the Home button and kill Wumi

Step 3. Launch Wumi with debugserver

FunMaker-SE:~ root# debugserver *:1234 -x auto /var/containers/Bundle/Application/24550860-1E7B-4A59-9753-9E7040DF0DAA/WMMimi.app/WMMimi
debugserver-@(#)PROGRAM:debugserver  PROJECT:debugserver-340.3.124
 for arm64.
Listening to port 1234 for a connection from *...

Step 4. Connect LLDB to debugserver

FunMaker-MBP:~ snakeninny$ lldb
(lldb) process connect connect://YourIP:1234
Process 13747 stopped
* thread #1: tid = 0x2629c0, 0x00000001200b9000 dyld`_dyld_start, stop reason = signal SIGSTOP
    frame #0: 0x00000001200b9000 dyld`_dyld_start
dyld`_dyld_start:
->  0x1200b9000 <+0>:  mov    x28, sp
    0x1200b9004 <+4>:  and    sp, x28, #0xfffffffffffffff0
    0x1200b9008 <+8>:  movz   x0, #0
    0x1200b900c <+12>: movz   x1, #0
(lldb)  

Step 5. Set a breakpoint on ptrace

(lldb) b ptrace
Breakpoint 1: no locations (pending).
WARNING:  Unable to resolve breakpoint to any actual locations.
(lldb) c
Process 13747 resuming
1 location added to breakpoint 1
Process 13747 stopped
* thread #1: tid = 0x2629c0, 0x000000018127c180 libsystem_kernel.dylib`__ptrace, queue = 'com.apple.main-thread', stop reason = breakpoint 1.1
    frame #0: 0x000000018127c180 libsystem_kernel.dylib`__ptrace
libsystem_kernel.dylib`__ptrace:
->  0x18127c180 <+0>:  adrp   x9, 126570
    0x18127c184 <+4>:  add    x9, x9, #208              ; =208 
    0x18127c188 <+8>:  str    wzr, [x9]
    0x18127c18c <+12>: movz   x16, #0x1a
(lldb)  

Step 6. Modify the ptrace argument

(lldb) b ptrace
Breakpoint 1: no locations (pending).
WARNING:  Unable to resolve breakpoint to any actual locations.
(lldb) c
Process 13747 resuming
1 location added to breakpoint 1
Process 13747 stopped
* thread #1: tid = 0x2629c0, 0x000000018127c180 libsystem_kernel.dylib`__ptrace, queue = 'com.apple.main-thread', stop reason = breakpoint 1.1
    frame #0: 0x000000018127c180 libsystem_kernel.dylib`__ptrace
libsystem_kernel.dylib`__ptrace:
->  0x18127c180 <+0>:  adrp   x9, 126570
    0x18127c184 <+4>:  add    x9, x9, #208              ; =208 
    0x18127c188 <+8>:  str    wzr, [x9]
    0x18127c18c <+12>: movz   x16, #0x1a
(lldb) p $x0
(unsigned long) $0 = 31
(lldb) register write $x0 10
(lldb) c
Process 13747 resuming

Step 7. Done

Process 13747 stopped
* thread #1: tid = 0x2629c0, 0x0000000181260fd8 libsystem_kernel.dylib`mach_msg_trap + 8, stop reason = signal SIGSTOP
    frame #0: 0x0000000181260fd8 libsystem_kernel.dylib`mach_msg_trap + 8
libsystem_kernel.dylib`mach_msg_trap:
->  0x181260fd8 <+8>: ret    

libsystem_kernel.dylib`mach_msg_overwrite_trap:
    0x181260fdc <+0>: movn   x16, #0x1f
    0x181260fe0 <+4>: svc    #0x80
    0x181260fe4 <+8>: ret    
(lldb) po [[NSBundle mainBundle] bundleIdentifier]
com.wumii.apps.miliao

The "why" behind every step above is already answered on the forum; go search.


#3

nope.
The original question was how to deal with anti-debugging that issues the syscall directly.
So you should break on, or hook, syscall(); if I remember right it lives in libsystem and is just a cross-platform wrapper around the underlying assembly instruction. Then check the syscall number against the syscall table dumped from the kernel (obtainable with joker).
Here ptrace() is likewise nothing but a wrapper for the corresponding syscall. Take the sample someone showed in the group chat (admittedly you rarely see apps do this): it calls syscall() directly, which makes your method useless.

So what would the perfect solution be? Patching the other end, of course, i.e. the corresponding handler inside the kernel; but as of now there is no publicly known way to do that on iOS.

Hence the only solution I currently consider reliable and complete is an inline hook of the syscall() function (if possible) combined with a static disassembly search for svc/swi instructions (against inline asm).

NOTE: I don't think the above deserves its own thread, so at least personally I'm not going to write it up separately and dump it in the mud pit.
Disclaimer: I'm a kernel newbie.

EDIT2: reformatted, reworded, added some details


#4

Forum members surely know this already; this part is purely a primer for newbies.
Below is the iOS 10 syscall table; note entry 26 :)
So all you need is syscall(26,31,0,0,0) (if I remember the ptrace anti-debug constant correctly) to bypass 狗神's anti-anti-debugging.

If you need to patch, the sysent address below is your entry point. I've only done the actual technique on OS X, so I won't embarrass myself here :)

This is a 64-bit kernel from iOS 10.x, or later (3705.0.0.2.3)
ARM64 Exception Vector is at file offset @0x7b000 (Addr: 0xfffffff00747f000)
Syscalls at address 0xfffffff0074664c8
Sysent offset in file (for patching purposes):  624c8
Suppressing enosys (fffffff00779fd74) and old (fffffff00779fd54)
1.. exit                 0xfffffff007774e8c
2.. fork                 0xfffffff007779424
3.. read                 0xfffffff00779fda4
4.. write                0xfffffff0077a0468
5.. open                 0xfffffff0075aa324
6.. close                0xfffffff00775da74
7.. wait4                0xfffffff00777622c
9.. link                 0xfffffff0075ab5e4
10.. unlink               0xfffffff0075ac594
12.. chdir                0xfffffff0075a948c
13.. fchdir               0xfffffff0075a91c8
14.. mknod                0xfffffff0075aae04
15.. chmod                0xfffffff0075ae738
16.. chown                0xfffffff0075aea88
18.. getfsstat            0xfffffff0075a8a5c
20.. getpid               0xfffffff0077809d4
23.. setuid               0xfffffff007781004
24.. getuid               0xfffffff007780ad4
25.. geteuid              0xfffffff007780b2c
26.. ptrace               0xfffffff00779b690
27.. recvmsg              0xfffffff0077daa20
28.. sendmsg              0xfffffff0077d9a90
29.. recvfrom             0xfffffff0077da478
30.. accept               0xfffffff0077d820c
31.. getpeername          0xfffffff0077dbb74
32.. getsockname          0xfffffff0077dba40
33.. access               0xfffffff0075ad1f4
34.. chflags              0xfffffff0075ae0bc
35.. fchflags             0xfffffff0075ae304
36.. sync                 0xfffffff0075a7cf4
37.. kill                 0xfffffff0077878ec
39.. getppid              0xfffffff0077809e4
41.. dup                  0xfffffff0077590ec
42.. pipe                 0xfffffff0077a6d58
43.. getegid              0xfffffff007780cc8
46.. sigaction            0xfffffff007785730
47.. getgid               0xfffffff007780c70
48.. sigprocmask          0xfffffff007785e68
49.. getlogin             0xfffffff00778249c
50.. setlogin             0xfffffff007782560
51.. acct                 0xfffffff007751fac
52.. sigpending           0xfffffff007786184
53.. sigaltstack          0xfffffff007787788
54.. ioctl                0xfffffff0077a0d58
55.. reboot               0xfffffff00779ab84
56.. revoke               0xfffffff0075b2260
57.. symlink              0xfffffff0075abbfc
58.. readlink             0xfffffff0075add94
59.. execve               0xfffffff007772390
60.. umask                0xfffffff0075b2208
61.. chroot               0xfffffff0075a9790
65.. msync                0xfffffff00777aba8
66.. vfork                0xfffffff007778060
73.. munmap               0xfffffff00777ac94
74.. mprotect             0xfffffff00777ad3c
75.. madvise              0xfffffff00777ae64
78.. mincore              0xfffffff00777af50
79.. getgroups            0xfffffff007780d20
80.. setgroups            0xfffffff007782434
81.. getpgrp              0xfffffff0077809f4
82.. setpgid              0xfffffff007780e44
83.. setitimer            0xfffffff00779a084
85.. swapon               0xfffffff0077f14b0
86.. getitimer            0xfffffff007799db8
89.. getdtablesize        0xfffffff007758abc
90.. dup2                 0xfffffff007759904
92.. fcntl                0xfffffff00775a6b8
93.. select               0xfffffff0077a1558
95.. fsync                0xfffffff0075af954
96.. setpriority          0xfffffff007782aec
97.. socket               0xfffffff0077d6e68
98.. connect              0xfffffff0077d8240
100.. getpriority          0xfffffff0077826a8
104.. bind                 0xfffffff0077d7314
105.. setsockopt           0xfffffff0077db514
106.. listen               0xfffffff0077d7670
111.. sigsuspend           0xfffffff0077861c4
116.. gettimeofday         0xfffffff007799760
117.. getrusage            0xfffffff007783dc8
118.. getsockopt           0xfffffff0077db790
120.. readv                0xfffffff0077a023c
121.. writev               0xfffffff0077a09e8
122.. settimeofday         0xfffffff0077998f8
123.. fchown               0xfffffff0075aed54
124.. fchmod               0xfffffff0075aea20
126.. setreuid             0xfffffff0077816ec
127.. setregid             0xfffffff007781ccc
128.. rename               0xfffffff0075b071c
131.. flock                0xfffffff007760070
132.. mkfifo               0xfffffff0075ab3dc
133.. sendto               0xfffffff0077d93b4
134.. shutdown             0xfffffff0077db4b4
135.. socketpair           0xfffffff0077d90a8
136.. mkdir                0xfffffff0075b18fc
137.. rmdir                0xfffffff0075b1a0c
138.. utimes               0xfffffff0075aef0c
139.. futimes              0xfffffff0075af2c8
140.. adjtime              0xfffffff007799a90
142.. gethostuuid          0xfffffff0077a4190
147.. setsid               0xfffffff007780dcc
151.. getpgid              0xfffffff007780a04
152.. setprivexec          0xfffffff0077809b4
153.. pread                0xfffffff0077a0144
154.. pwrite               0xfffffff0077a0804
157.. statfs               0xfffffff0075a8164
158.. fstatfs              0xfffffff0075a85b4
159.. unmount              0xfffffff0075a7128
165.. quotactl             0xfffffff0075a7e30
167.. mount                0xfffffff0075a6e30
169.. csops                0xfffffff00777f048
170.. csops_audittoken     0xfffffff00777fcdc
173.. waitid               0xfffffff0077767bc
177.. kdebug_typefilter    0xfffffff00774e784
178.. kdebug_trace_string  0xfffffff00774ed5c
179.. kdebug_trace64       0xfffffff00774e994
180.. kdebug_trace         0xfffffff00774e928
181.. setgid               0xfffffff0077819a4
182.. setegid              0xfffffff007781b4c
183.. seteuid              0xfffffff007781568
184.. sigreturn            0xfffffff007811434
187.. fdatasync            0xfffffff0075afa7c
188.. stat                 0xfffffff0075ada38
189.. fstat                0xfffffff00775e5d8
190.. lstat                0xfffffff0075adb10
191.. pathconf             0xfffffff0075adc5c
192.. fpathconf            0xfffffff00775e628
194.. getrlimit            0xfffffff007783b50
195.. setrlimit            0xfffffff007783390
196.. getdirentries        0xfffffff0075b1ce8
197.. mmap                 0xfffffff007779eb8
199.. lseek                0xfffffff0075acadc
200.. truncate             0xfffffff0075af3b8
201.. ftruncate            0xfffffff0075af59c
202.. __sysctl             0xfffffff00778f198
203.. mlock                0xfffffff00777b128
204.. munlock              0xfffffff00777b1dc
205.. undelete             0xfffffff0075ac038
216.. mkcomplex            0xfffffff0075aa194
220.. getattrlist          0xfffffff007585e28
221.. setattrlist          0xfffffff007586de0
222.. getdirentriesattr    0xfffffff0075b24a4
223.. exchangedata         0xfffffff0075b28b0
225.. searchfs             0xfffffff0075b2dd8
226.. delete               0xfffffff0075ac560
227.. copyfile             0xfffffff0075afab4
228.. fgetattrlist         0xfffffff007583bdc
229.. fsetattrlist         0xfffffff007587a8c
230.. poll                 0xfffffff0077a2804
231.. watchevent           0xfffffff0077a3544
232.. waitevent            0xfffffff0077a3890
233.. modwatch             0xfffffff0077a3bbc
234.. getxattr             0xfffffff0075b4974
235.. fgetxattr            0xfffffff0075b4c00
236.. setxattr             0xfffffff0075b4dfc
237.. fsetxattr            0xfffffff0075b4ffc
238.. removexattr          0xfffffff0075b51fc
239.. fremovexattr         0xfffffff0075b5388
240.. listxattr            0xfffffff0075b54fc
241.. flistxattr           0xfffffff0075b56b0
242.. fsctl                0xfffffff0075b32cc
243.. initgroups           0xfffffff0077821e0
244.. posix_spawn          0xfffffff00776f254
245.. ffsctl               0xfffffff0075b486c
250.. minherit             0xfffffff00777ae24
266.. shm_open             0xfffffff0077e3050
267.. shm_unlink           0xfffffff0077e39c8
268.. sem_open             0xfffffff0077e1b20
269.. sem_close            0xfffffff0077e2754
270.. sem_unlink           0xfffffff0077e24d8
271.. sem_wait             0xfffffff0077e28b8
272.. sem_trywait          0xfffffff0077e2ad0
273.. sem_post             0xfffffff0077e2bfc
274.. sem_getvalue         0xfffffff00778f4a4
277.. open_extended        0xfffffff0075aa000
278.. umask_extended       0xfffffff0075b2168
279.. stat_extended        0xfffffff0075ad414
280.. lstat_extended       0xfffffff0075adadc
281.. fstat_extended       0xfffffff00775dca0
282.. chmod_extended       0xfffffff0075ae39c
283.. fchmod_extended      0xfffffff0075ae844
284.. access_extended      0xfffffff0075accfc
285.. settid               0xfffffff007781f3c
286.. gettid               0xfffffff007780b84
287.. setsgroups           0xfffffff007782448
288.. getsgroups           0xfffffff007780dbc
289.. setwgroups           0xfffffff007782450
290.. getwgroups           0xfffffff007780dc4
291.. mkfifo_extended      0xfffffff0075ab2d4
292.. mkdir_extended       0xfffffff0075b14f4
294.. shared_region_check_np 0xfffffff0077f2824
296.. vm_pressure_monitor  0xfffffff0077f388c
297.. psynch_rw_longrdlock 0xfffffff0077e96d8
298.. psynch_rw_yieldwrlock 0xfffffff0077e97a0
299.. psynch_rw_downgrade  0xfffffff0077e97d8
300.. psynch_rw_upgrade    0xfffffff0077e97d0
301.. psynch_mutexwait     0xfffffff0077e9548
302.. psynch_mutexdrop     0xfffffff0077e9578
303.. psynch_cvbroad       0xfffffff0077e95a8
304.. psynch_cvsignal      0xfffffff0077e95ec
305.. psynch_cvwait        0xfffffff0077e963c
306.. psynch_rw_rdlock     0xfffffff0077e9708
307.. psynch_rw_wrlock     0xfffffff0077e9770
308.. psynch_rw_unlock     0xfffffff0077e9738
309.. psynch_rw_unlock2    0xfffffff0077e9768
310.. getsid               0xfffffff007780a60
311.. settid_with_pid      0xfffffff00778205c
312.. psynch_cvclrprepost  0xfffffff0077e968c
313.. aio_fsync            0xfffffff007753324
314.. aio_return           0xfffffff00775391c
315.. aio_suspend          0xfffffff007753d20
316.. aio_cancel           0xfffffff00775298c
317.. aio_error            0xfffffff00775321c
318.. aio_read             0xfffffff0077538e4
319.. aio_write            0xfffffff007754074
320.. lio_listio           0xfffffff0077540ac
322.. iopolicysys          0xfffffff00778425c
323.. process_policy       0xfffffff0077eea10
324.. mlockall             0xfffffff00777b25c
325.. munlockall           0xfffffff00777b264
327.. issetugid            0xfffffff007780ff0
328.. __pthread_kill       0xfffffff0077867b0
329.. __pthread_sigmask    0xfffffff00778742c
330.. __sigwait            0xfffffff00778750c
331.. __disable_threadsignal 0xfffffff007786304
332.. __pthread_markcancel 0xfffffff007786324
333.. __pthread_canceled   0xfffffff007786398
334.. __semwait_signal     0xfffffff00778661c
336.. proc_info            0xfffffff0077e982c
338.. stat64               0xfffffff0075ada70
339.. fstat64              0xfffffff00775e60c
340.. lstat64              0xfffffff0075adb48
341.. stat64_extended      0xfffffff0075adaa8
342.. lstat64_extended     0xfffffff0075adb80
343.. fstat64_extended     0xfffffff00775e5f4
344.. getdirentries64      0xfffffff0075b210c
345.. statfs64             0xfffffff0075a86d0
346.. fstatfs64            0xfffffff0075a8964
347.. getfsstat64          0xfffffff0075a8dec
348.. __pthread_chdir      0xfffffff0075a9788
349.. __pthread_fchdir     0xfffffff0075a9484
350.. audit                0xfffffff00774201c
351.. auditon              0xfffffff007742024
353.. getauid              0xfffffff00774202c
354.. setauid              0xfffffff007742034
357.. getaudit_addr        0xfffffff00774203c
358.. setaudit_addr        0xfffffff007742044
359.. auditctl             0xfffffff00774204c
360.. bsdthread_create     0xfffffff0077e9424
361.. bsdthread_terminate  0xfffffff0077e94a8
362.. kqueue               0xfffffff007764c5c
363.. kevent               0xfffffff007764c74
364.. lchown               0xfffffff0075aecd0
365.. stack_snapshot       0xfffffff0077513a8
366.. bsdthread_register   0xfffffff0077e944c
367.. workq_open           0xfffffff0077e9534
368.. workq_kernreturn     0xfffffff0077e9508
369.. kevent64             0xfffffff007766f78
370.. __old_semwait_signal 0xfffffff007786444
371.. __old_semwait_signal_nocancel 0xfffffff007786490
372.. thread_selfid        0xfffffff0077e94f4
373.. ledger               0xfffffff0077a432c
374.. kevent_qos           0xfffffff007766fe0
380.. __mac_execve         0xfffffff0077723c4
381.. __mac_syscall        0xfffffff0078c906c
382.. __mac_get_file       0xfffffff0078c87d0
383.. __mac_set_file       0xfffffff0078c8e08
384.. __mac_get_link       0xfffffff0078c8a58
385.. __mac_set_link       0xfffffff0078c9060
386.. __mac_get_proc       0xfffffff0078c7f7c
387.. __mac_set_proc       0xfffffff0078c80e8
388.. __mac_get_fd         0xfffffff0078c83bc
389.. __mac_set_fd         0xfffffff0078c8a64
390.. __mac_get_pid        0xfffffff0078c7dfc
394.. setlcid              0xfffffff0077a2628
395.. getlcid              0xfffffff0077a265c
396.. read_nocancel        0xfffffff00779fdd8
397.. write_nocancel       0xfffffff0077a049c
398.. open_nocancel        0xfffffff0075aa4a0
399.. close_nocancel       0xfffffff00775daa8
400.. wait4_nocancel       0xfffffff007775d0c
401.. recvmsg_nocancel     0xfffffff0077daa54
402.. sendmsg_nocancel     0xfffffff0077d9ac4
403.. recvfrom_nocancel    0xfffffff0077da4ac
404.. accept_nocancel      0xfffffff0077d789c
405.. msync_nocancel       0xfffffff00777abdc
406.. fcntl_nocancel       0xfffffff00775a6ec
407.. select_nocancel      0xfffffff0077a158c
408.. fsync_nocancel       0xfffffff0075afa74
409.. connect_nocancel     0xfffffff0077d8274
410.. sigsuspend_nocancel  0xfffffff0077862a0
411.. readv_nocancel       0xfffffff0077a0270
412.. writev_nocancel      0xfffffff0077a0a1c
413.. sendto_nocancel      0xfffffff0077d93e8
414.. pread_nocancel       0xfffffff0077a0178
415.. pwrite_nocancel      0xfffffff0077a0838
416.. waitid_nocancel      0xfffffff007776288
417.. poll_nocancel        0xfffffff0077a2838
420.. sem_wait_nocancel    0xfffffff0077e28ec
421.. aio_suspend_nocancel 0xfffffff007753d54
422.. __sigwait_nocancel   0xfffffff007787540
423.. __semwait_signal_nocancel 0xfffffff007786660
424.. __mac_mount          0xfffffff0075a6e70
425.. __mac_get_mount      0xfffffff0078c93d8
426.. __mac_getfsstat      0xfffffff0075a8a9c
427.. fsgetpath            0xfffffff0075b5850
428.. audit_session_self   0xfffffff007742004
429.. audit_session_join   0xfffffff00774200c
430.. fileport_makeport    0xfffffff007760208
431.. fileport_makefd      0xfffffff0077604d0
432.. audit_session_port   0xfffffff007742014
433.. pid_suspend          0xfffffff0077f2020
434.. pid_resume           0xfffffff0077f2150
435.. pid_hibernate        0xfffffff0077f23a8
436.. pid_shutdown_sockets 0xfffffff0077f2698
438.. shared_region_map_and_slide_np 0xfffffff0077f28f8
439.. kas_info             0xfffffff0077f3918
440.. memorystatus_control 0xfffffff007795640
441.. guarded_open_np      0xfffffff007760bc8
442.. guarded_close_np     0xfffffff007761024
443.. guarded_kqueue_np    0xfffffff007760f9c
444.. change_fdguard_np    0xfffffff0077611a4
445.. proc_rlimit_control  0xfffffff00779b65c
446.. proc_rlimit_control  0xfffffff007784abc
447.. proc_connectx        0xfffffff0077d8518
448.. proc_disconnectx     0xfffffff0077d8f64
449.. proc_peeloff         0xfffffff0077d8cfc
450.. proc_socket_delegate 0xfffffff0077d72f0
451.. proc_telemetry       0xfffffff0077a4964
452.. proc_uuid_policy     0xfffffff0077f6a9c
453.. memorystatus_get_level 0xfffffff007790a90
454.. system_override      0xfffffff0077ef5f0
455.. vfs_purge            0xfffffff0075b5954
456.. sfi_ctl              0xfffffff0077994f4
457.. sfi_pidctl           0xfffffff0077995a4
458.. coalition            0xfffffff0077a8304
459.. coalition_info       0xfffffff0077a866c
460.. necp_match_policy    0xfffffff00762317c
461.. getattrlistbulk      0xfffffff007586090
462.. clonefileat          0xfffffff0075afe1c
463.. openat               0xfffffff0075aa8f8
464.. openat_nocancel      0xfffffff0075aa5f4
465.. renameat             0xfffffff0075b14c0
466.. faccessat            0xfffffff0075ad3c8
467.. fchmodat             0xfffffff0075ae7b4
468.. fchownat             0xfffffff0075aed04
469.. fstatat              0xfffffff0075adbb4
470.. fstatat64            0xfffffff0075adc08
471.. linkat               0xfffffff0075abbac
472.. unlinkat             0xfffffff0075ac5c8
473.. readlinkat           0xfffffff0075ae060
474.. symlinkat            0xfffffff0075ac00c
475.. mkdirat              0xfffffff0075b1984
476.. getattrlistat        0xfffffff007586018
477.. proc_trace_log       0xfffffff007780690
478.. bsdthread_ctl        0xfffffff0077e94d0
479.. openbyid_np          0xfffffff0075aa958
480.. recvmsg_x            0xfffffff0077dacbc
481.. sendmsg_x            0xfffffff0077d9cd8
482.. thread_selfusage     0xfffffff007784cf8
484.. guarded_open_dprotected_np 0xfffffff007760dc4
485.. guarded_write_np     0xfffffff00776174c
486.. guarded_pwrite_np    0xfffffff00776184c
487.. guarded_writev_np    0xfffffff00776199c
488.. rename_ext           0xfffffff0075b148c
489.. mremap_encrypted     0xfffffff00777b26c
490.. netagent_trigger     0xfffffff007626fe4
491.. stack_snapshot_with_config 0xfffffff007751790
492.. microstackshot       0xfffffff007751990
493.. grab_pgo_data        0xfffffff0077f6b2c
494.. persona              0xfffffff0077a8b48
499.. work_interval_ctl    0xfffffff0077a9f50
500.. getentropy           0xfffffff00757f208
501.. necp_open            0xfffffff00761eb08
502.. necp_client_action   0xfffffff00761edd0
503.. __nexus_open         0xfffffff00780a714
504.. __nexus_register     0xfffffff00780aa30
505.. __nexus_deregister   0xfffffff00780acd4
506.. __nexus_create       0xfffffff00780ae30
507.. __nexus_destroy      0xfffffff00780b02c
508.. __nexus_get_opt      0xfffffff00780b194
509.. __nexus_set_opt      0xfffffff00780b294
510.. __channel_open       0xfffffff0077feab0
511.. __channel_get_info   0xfffffff0077fefc8
512.. __channel_sync       0xfffffff0077ff140
513.. __channel_get_opt    0xfffffff0077ffa20
514.. __channel_set_opt    0xfffffff0077ffb20
515.. ulock_wait           0xfffffff0077a94b8
516.. ulock_wake           0xfffffff0077a9d80
517.. fclonefileat         0xfffffff0075b063c
518.. fs_snapshot          0xfffffff0075b5a3c
520.. terminate_with_payload 0xfffffff007787f54

#5

The following need to be bypassed:

bypass ptrace directly, including the dlsym case
bypass syscall
bypass the sysctl query
bypass inline asm


#8

tl;dr:
By no means a perfect solution. Perfect anti-anti-debugging needs case-by-case analysis (or embed a disassembler engine in a tweak/lldb plugin to patch svc?)

I'm not against this thread, but we need to make the limitations clear to newcomers.
EDIT: please, please, please, please, please don't repost any of my ramblings on this forum (including this one) to Weibo; delete my replies if necessary.


#11

This is so complicated; how are newbies like me supposed to get started, where is the hope?


#12

At minimum I think this thread should use syscall instead of ptrace for the guide [if ptrace is a syscall wrapper underneath], or break on both [if ptrace uses swi directly].


#13

Looking forward to a "Bypassing ptrace anti-debugging in debugserver, two steps at a time"


#14

The general idea is the same as the original post: replace ptrace with syscall and check the first argument against the syscall table.

Inline ones need case-by-case analysis.
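
Steps 5 and 6 of post #1 can be scripted so the rewrite happens automatically on every hit, and post #14's suggestion of watching syscall() as well fits in the same script. The following is an added example written for this edit, not code from post #1, post #14 or anyone else in the thread; it assumes the file is saved as antiptrace.py (the callback names reference that module name), an arm64 iOS target, and an LLDB session already connected as in step 4:

```python
"""antiptrace.py: automates steps 5 and 6 of post #1 inside LLDB and, as post #14
suggests, applies the same check to the syscall() wrapper.

Added example for this thread, not code posted by anyone in it. Assumptions:
the file is saved as antiptrace.py (the callback names below use that module
name), the target is arm64 iOS, and lldb is already connected as in step 4.
Usage:
    (lldb) command script import /path/to/antiptrace.py
    (lldb) c
"""
import struct

try:
    import lldb                 # only importable inside lldb's embedded Python
except ImportError:
    lldb = None                 # outside lldb only the decision logic below is usable

SYS_ptrace     = 26   # entry 26 of the sysent dump in post #4
PT_DENY_ATTACH = 31   # the request every ptrace-based anti-debug stub passes
PT_ATTACH      = 10   # the harmless replacement value post #1 writes into x0


def deny_attach_at(symbol, first_arg, second_arg):
    """True if the call stopped at `symbol` is ptrace(PT_DENY_ATTACH, ...).

    ptrace(request, pid, addr, data):          the request is the first argument
    syscall(number, request, pid, addr, data): number first, request second
    """
    if symbol == "ptrace":
        return first_arg == PT_DENY_ATTACH
    if symbol == "syscall":
        return first_arg == SYS_ptrace and second_arg == PT_DENY_ATTACH
    return False


def _reg(frame, name):
    return frame.FindRegister(name).GetValueAsUnsigned()


def on_ptrace(frame, bp_loc, internal_dict):
    """Breakpoint callback for ptrace(): the request is in x0 (post #1 saw 31)."""
    request = _reg(frame, "x0")
    if not deny_attach_at("ptrace", request, 0):
        return True             # some other request: stop so the user can look
    # Same effect as post #1's `register write $x0 10`.
    frame.FindRegister("x0").SetValueFromCString(str(PT_ATTACH))
    print("[antiptrace] ptrace(%d, ...) -> x0 = %d" % (request, PT_ATTACH))
    return False                # recent lldb: returning False auto-continues


def on_syscall(frame, bp_loc, internal_dict):
    """Breakpoint callback for syscall(number, ...).

    Caveat that a register-only check misses: in Apple's arm64 ABI the variadic
    arguments of syscall() are passed on the stack, so at the function's entry
    the ptrace request is the 8-byte slot at [sp], not x1.
    """
    process = frame.GetThread().GetProcess()
    err = lldb.SBError()
    number = _reg(frame, "x0")
    request = process.ReadUnsignedFromMemory(frame.GetSP(), 8, err)
    if not err.Success() or not deny_attach_at("syscall", number, request):
        return True
    process.WriteMemory(frame.GetSP(), struct.pack("<Q", PT_ATTACH), err)
    print("[antiptrace] syscall(%d, %d, ...) -> [sp] = %d" % (number, request, PT_ATTACH))
    return False


def __lldb_init_module(debugger, internal_dict):
    """Runs on `command script import`: installs pending breakpoints, like
    `b ptrace` in post #1; they resolve once libsystem_kernel.dylib is loaded."""
    target = debugger.GetSelectedTarget()
    for symbol in ("ptrace", "syscall"):
        bp = target.BreakpointCreateByName(symbol, "libsystem_kernel.dylib")
        bp.SetScriptCallbackFunction("antiptrace.on_" + symbol)
        print("[antiptrace] breakpoint %d set on %s" % (bp.GetID(), symbol))
```

Both callbacks only rewrite the argument, exactly as post #1 does; if an app also tests ptrace()'s return value, a `finish` followed by `register write x0 0` at that point covers it. The sysctl check listed in post #5 and inline `svc` stubs are not caught by symbol breakpoints at all.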


#15

Haven't seen anyone post about hooking in the middle of a function yet; it's nothing new, but it feels like far too many people on iOS never get past MSHookFunction.


#16

Is there a way to implement syscall yourself?
In theory anything is possible, haha


#17

Sure, in theory you could even implement a Star Destroyer operating system :joy:


#18

And find aliens too


#19

The svc instruction, duh


#20

Asking how to bypass inline asm, e.g. anti-debug like this scattered everywhere:

mov x0, #26
mov x1, #31
mov x2, #0
mov x3, #0
mov x16, #0
svc #128

Is there any easy way to kill it :cry:


#21

For this svc kind, is there any easy way to kill it?

Don't tell me the only option is to mess with the kernel… :cry:


#22

Why not just NOP it out.

Hello from the kernel side~ I must have svc a thousand times~ To tell you kernel panic for everything you’ve done


#23

I've reversed some system features that depend on other daemon processes, and some of those daemons check whether the process sending the mach port message is being debugged… took me ages to find the cause, another pitfall…


#24

You mean change the instruction directly to nop? But they put this call all over the place, finding them all is a real pain…


#25

:frowning: I'd love to know a method other than messing with the kernel, but there doesn't seem to be one right now.
Inline a disassembler engine and search-and-patch at runtime?
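
The inline stub quoted in post #20, the "just NOP it" suggestion in post #22 and the "search for svc and patch it" idea in posts #3, #14 and #25 combine into a small static scanner. What follows is an added example written for this edit, not code from anyone in the thread: instead of a full disassembler it decodes only the two encodings the pattern needs (MOVZ and `svc #0x80`), and the byte buffer it runs on is constructed inline from those encodings rather than taken from any real app.

```python
"""Static scan of raw ARM64 code for inline `svc #0x80` anti-debug stubs.

Added example for this thread, not code from any post in it. Input is assumed
to be the little-endian bytes of an arm64 __text section (instructions are
4-byte aligned); offsets returned are byte offsets into that buffer.
"""
import struct

SVC_0x80       = 0xD4001001   # svc #0x80            (0xD4000001 | 0x80 << 5)
NOP            = 0xD503201F   # nop
MOVZ_X0_0      = 0xD2800000   # movz x0, #0          (a "ptrace returned 0" patch)
SYS_syscall    = 0            # x16 = 0: indirect syscall(number, ...), post #20's form
SYS_ptrace     = 26           # entry 26 of the sysent dump in post #4
PT_DENY_ATTACH = 31


def encode_movz(rd, imm16):
    """movz Xd, #imm16 (LSL #0): sf=1 opc=10 100101 hw=00 imm16 Rd."""
    return 0xD2800000 | (imm16 << 5) | rd


def decode_movz(word):
    """Return (rd, imm16) if `word` is a 64-bit MOVZ with hw=0, else None."""
    if (word & 0xFFE00000) != 0xD2800000:
        return None
    return word & 0x1F, (word >> 5) & 0xFFFF


def classify(regs):
    """Work out which BSD syscall a stub issues from the registers it set up."""
    number = regs.get(16)
    if number == SYS_syscall:        # syscall(26, 31, ...): real number in x0, request in x1
        number, request, via = regs.get(0), regs.get(1), "indirect"
    elif number == SYS_ptrace:       # ptrace(31, ...): request in x0
        request, via = regs.get(0), "direct"
    else:
        request, via = None, "direct"
    return {"number": number, "request": request, "via": via,
            "deny_attach": number == SYS_ptrace and request == PT_DENY_ATTACH}


def find_svc_stubs(code, window=8):
    """Yield one dict per `svc #0x80`, with the MOVZ-set registers that precede it.

    Walks backwards from the svc over contiguous MOVZs only; anything else
    (including MOVN, which the mach traps use for negative numbers) ends the
    walk, so a stub that builds its constants differently is reported with an
    empty `regs` and is left for manual review.
    """
    n = len(code) // 4
    words = struct.unpack("<%dI" % n, code[: n * 4])
    for i, w in enumerate(words):
        if w != SVC_0x80:
            continue
        regs = {}
        for j in range(i - 1, max(i - 1 - window, -1), -1):
            d = decode_movz(words[j])
            if d is None:
                break
            rd, imm = d
            regs.setdefault(rd, imm)       # the write nearest the svc wins
        stub = {"offset": i * 4, "regs": regs}
        stub.update(classify(regs))
        yield stub


def patch_deny_attach(code):
    """Return (patched_code, offsets): every PT_DENY_ATTACH svc becomes `movz x0, #0`.

    A plain NOP (post #22) also removes the trap, but leaves x0 = 26 or 31 in
    it, which a stub that tests ptrace()'s return value reads as failure;
    `movz x0, #0` makes the call look like it succeeded. A stub that instead
    tests the carry flag after the svc still needs its following branch patched.
    """
    out = bytearray(code)
    offsets = []
    for stub in find_svc_stubs(code):
        if stub["deny_attach"]:
            struct.pack_into("<I", out, stub["offset"], MOVZ_X0_0)
            offsets.append(stub["offset"])
    return bytes(out), offsets


def _words(*ws):
    return struct.pack("<%dI" % len(ws), *ws)


# Constructed sample "__text": three svc stubs, of which only the first two are
# ptrace(PT_DENY_ATTACH). Not taken from any real binary.
SAMPLE = _words(
    # 1. the indirect form quoted in post #20: syscall(26, 31, 0, 0) with x16 = 0
    encode_movz(0, 26), encode_movz(1, 31), encode_movz(2, 0), encode_movz(3, 0),
    encode_movz(16, 0), SVC_0x80,
    NOP,
    # 2. the direct form: ptrace(31, 0, 0, 0) with x16 = 26
    encode_movz(0, 31), encode_movz(1, 0), encode_movz(2, 0), encode_movz(3, 0),
    encode_movz(16, 26), SVC_0x80,
    NOP,
    # 3. an unrelated direct syscall (getpid, number 20) that must be left alone
    encode_movz(16, 20), SVC_0x80,
)

if __name__ == "__main__":
    for s in find_svc_stubs(SAMPLE):
        print("svc at +0x%x: %s number=%s request=%s deny_attach=%s"
              % (s["offset"], s["via"], s["number"], s["request"], s["deny_attach"]))
    _, patched_at = patch_deny_attach(SAMPLE)
    print("patched offsets:", ["0x%x" % o for o in patched_at])
```

Run it over the __text section of a decrypted binary (the scanner does no Mach-O parsing itself). A real app may interleave other instructions between the MOVs and the svc, or build the constants with ORR/ADD instead of MOVZ, so treat a stub reported with empty `regs` as "look by hand", not as clean; and the same `svc #0x80` pattern with a different number is a normal syscall and must not be touched, which is why the sample includes one.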