Disable PT_DENY_ATTACH and sysctl debugger checking

Author: wutian

IPAPatch.xcodeproj/project.pbxproj

@@ -7,6 +7,10 @@
 	objects = {
 
 /* Begin PBXBuildFile section */
+		C63AC1A51E838BB70094B1C5 /* fishhook.c in Sources */ = {isa = PBXBuildFile; fileRef = C63AC1A21E838BB70094B1C5 /* fishhook.c */; };
+		C63AC1A61E838BB70094B1C5 /* fishhook.h in Headers */ = {isa = PBXBuildFile; fileRef = C63AC1A31E838BB70094B1C5 /* fishhook.h */; };
+		C63AC1AA1E8392210094B1C5 /* IPAPatchBypassAntiDebugging.h in Headers */ = {isa = PBXBuildFile; fileRef = C63AC1A81E8392210094B1C5 /* IPAPatchBypassAntiDebugging.h */; };
+		C63AC1AB1E8392210094B1C5 /* IPAPatchBypassAntiDebugging.m in Sources */ = {isa = PBXBuildFile; fileRef = C63AC1A91E8392210094B1C5 /* IPAPatchBypassAntiDebugging.m */; };
 		C64288391E7BF9E900C0BBB0 /* ProjectConfigurationWarning.cpp in Sources */ = {isa = PBXBuildFile; fileRef = C64288371E7BF9E900C0BBB0 /* ProjectConfigurationWarning.cpp */; };
 		C6B263271E7BC9DF009B4DEA /* IPAPatchEntry.h in Headers */ = {isa = PBXBuildFile; fileRef = C6B263251E7BC9DF009B4DEA /* IPAPatchEntry.h */; };
 		C6B263281E7BC9DF009B4DEA /* IPAPatchEntry.m in Sources */ = {isa = PBXBuildFile; fileRef = C6B263261E7BC9DF009B4DEA /* IPAPatchEntry.m */; };
@@ -25,6 +29,11 @@
 /* End PBXContainerItemProxy section */
 
 /* Begin PBXFileReference section */
+		C63AC1A21E838BB70094B1C5 /* fishhook.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = fishhook.c; sourceTree = "<group>"; };
+		C63AC1A31E838BB70094B1C5 /* fishhook.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = fishhook.h; sourceTree = "<group>"; };
+		C63AC1A41E838BB70094B1C5 /* LICENSE */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; path = LICENSE; sourceTree = "<group>"; };
+		C63AC1A81E8392210094B1C5 /* IPAPatchBypassAntiDebugging.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = IPAPatchBypassAntiDebugging.h; sourceTree = "<group>"; };
+		C63AC1A91E8392210094B1C5 /* IPAPatchBypassAntiDebugging.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = IPAPatchBypassAntiDebugging.m; sourceTree = "<group>"; };
 		C64288371E7BF9E900C0BBB0 /* ProjectConfigurationWarning.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = ProjectConfigurationWarning.cpp; sourceTree = "<group>"; };
 		C64288381E7BF9E900C0BBB0 /* ProjectConfigurationWarning.hpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.h; path = ProjectConfigurationWarning.hpp; sourceTree = "<group>"; };
 		C6B263071E7BC97B009B4DEA /* IPAPatch.framework */ = {isa = PBXFileReference; explicitFileType = wrapper.framework; includeInIndex = 0; path = IPAPatch.framework; sourceTree = BUILT_PRODUCTS_DIR; };
@@ -57,6 +66,24 @@
 /* End PBXFrameworksBuildPhase section */
 
 /* Begin PBXGroup section */
+		C63AC1A01E838B8E0094B1C5 /* Vendors */ = {
+			isa = PBXGroup;
+			children = (
+				C63AC1A11E838BB70094B1C5 /* fishhook */,
+			);
+			path = Vendors;
+			sourceTree = "<group>";
+		};
+		C63AC1A11E838BB70094B1C5 /* fishhook */ = {
+			isa = PBXGroup;
+			children = (
+				C63AC1A31E838BB70094B1C5 /* fishhook.h */,
+				C63AC1A21E838BB70094B1C5 /* fishhook.c */,
+				C63AC1A41E838BB70094B1C5 /* LICENSE */,
+			);
+			path = fishhook;
+			sourceTree = "<group>";
+		};
 		C6B262FD1E7BC97B009B4DEA = {
 			isa = PBXGroup;
 			children = (
@@ -79,9 +106,12 @@
 		C6B263091E7BC97B009B4DEA /* IPAPatch */ = {
 			isa = PBXGroup;
 			children = (
+				C63AC1A01E838B8E0094B1C5 /* Vendors */,
 				C6B2630B1E7BC97B009B4DEA /* Info.plist */,
 				C6B263251E7BC9DF009B4DEA /* IPAPatchEntry.h */,
 				C6B263261E7BC9DF009B4DEA /* IPAPatchEntry.m */,
+				C63AC1A81E8392210094B1C5 /* IPAPatchBypassAntiDebugging.h */,
+				C63AC1A91E8392210094B1C5 /* IPAPatchBypassAntiDebugging.m */,
 			);
 			path = IPAPatch;
 			sourceTree = "<group>";
@@ -123,6 +153,8 @@
 			buildActionMask = 2147483647;
 			files = (
 				C6B263271E7BC9DF009B4DEA /* IPAPatchEntry.h in Headers */,
+				C63AC1A61E838BB70094B1C5 /* fishhook.h in Headers */,
+				C63AC1AA1E8392210094B1C5 /* IPAPatchBypassAntiDebugging.h in Headers */,
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 		};
@@ -244,7 +276,9 @@
 			isa = PBXSourcesBuildPhase;
 			buildActionMask = 2147483647;
 			files = (
+				C63AC1AB1E8392210094B1C5 /* IPAPatchBypassAntiDebugging.m in Sources */,
 				C6B263281E7BC9DF009B4DEA /* IPAPatchEntry.m in Sources */,
+				C63AC1A51E838BB70094B1C5 /* fishhook.c in Sources */,
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 		};

IPAPatch/IPAPatchBypassAntiDebugging.h

@@ -0,0 +1,13 @@
+//
+//  IPAPatchBypassAntiDebugging.h
+//  IPAPatch
+//
+//  Created by wutian on 2017/3/23.
+//  Copyright © 2017年 Weibo. All rights reserved.
+//
+
+#import <Foundation/Foundation.h>
+
+@interface IPAPatchBypassAntiDebugging : NSObject
+
+@end

IPAPatch/IPAPatchBypassAntiDebugging.m

@@ -0,0 +1,127 @@
+//
+//  IPAPatchBypassAntiDebugging.m
+//  IPAPatch
+//
+//  Created by wutian on 2017/3/23.
+//  Copyright © 2017年 Weibo. All rights reserved.
+//
+
+#import "IPAPatchBypassAntiDebugging.h"
+#import "fishhook.h"
+#import <dlfcn.h>
+#import <sys/sysctl.h>
+
+#define TESTS_BYPASS 0
+
+// Sources:
+// https://www.coredump.gr/articles/ios-anti-debugging-protections-part-1/
+// https://www.coredump.gr/articles/ios-anti-debugging-protections-part-2/
+// https://www.theiphonewiki.com/wiki/Bugging_Debuggers
+
+// Bypassing PT_DENY_ATTACH technique
+
+static void * (*original_dlsym)(void *, const char *);
+
+int fake_ptrace(int _request, pid_t _pid, caddr_t _addr, int _data)
+{
+    return 0;
+}
+
+void * hooked_dlsym(void * __handle, const char * __symbol)
+{
+    if (strcmp(__symbol, "ptrace") == 0) {
+        return &fake_ptrace;
+    }
+    
+    return original_dlsym(__handle, __symbol);
+}
+
+static void disable_pt_deny_attach()
+{
+    original_dlsym = dlsym(RTLD_DEFAULT, "dlsym");
+    rebind_symbols((struct rebinding[1]){{"dlsym", hooked_dlsym}}, 1);
+}
+
+// Bypassing sysctl debugger checking technique
+
+static int (*original_sysctl)(int *, u_int, void *, size_t *, void *, size_t);
+
+typedef struct kinfo_proc ipa_kinfo_proc;
+
+int	hooked_sysctl(int * arg0, u_int arg1, void * arg2, size_t * arg3, void * arg4, size_t arg5)
+{
+    bool modify_needed = arg1 == 4 && arg0[0] == CTL_KERN && arg0[1] == KERN_PROC && arg0[2] == KERN_PROC_PID && arg2 && arg3 && (*arg3 >= sizeof(struct kinfo_proc));
+    
+    int ret = original_sysctl(arg0, arg1, arg2, arg3, arg4, arg5);
+    
+    if (modify_needed) {
+        ipa_kinfo_proc * pointer = arg2;
+        ipa_kinfo_proc info = *pointer;
+        info.kp_proc.p_flag = 0;
+        *pointer = info;
+    }
+    
+    return ret;
+}
+
+static void disable_sysctl_debugger_checking()
+{
+    original_sysctl = dlsym(RTLD_DEFAULT, "sysctl");
+    rebind_symbols((struct rebinding[1]){{"sysctl", hooked_sysctl}}, 1);
+}
+
+#if TESTS_BYPASS
+// Tests
+static void test_aniti_debugger();
+#endif
+
+@implementation IPAPatchBypassAntiDebugging
+
++ (void)load
+{
+    disable_pt_deny_attach();
+    disable_sysctl_debugger_checking();
+    
+#if TESTS_BYPASS
+    test_aniti_debugger();
+#endif
+}
+
+@end
+
+#if TESTS_BYPASS
+
+typedef int (*ptrace_ptr_t)(int _request, pid_t _pid, caddr_t _addr, int _data);
+
+#if !defined(PT_DENY_ATTACH)
+#define PT_DENY_ATTACH 31
+#endif
+
+static void test_aniti_debugger()
+{
+    void* handle = dlopen(0, RTLD_GLOBAL | RTLD_NOW);
+    ptrace_ptr_t ptrace_ptr = dlsym(handle, "ptrace");
+    ptrace_ptr(PT_DENY_ATTACH, 0, 0, 0);
+    dlclose(handle);
+    
+    int name[4];
+    struct kinfo_proc info;
+    size_t info_size = sizeof(info);
+    
+    info.kp_proc.p_flag = 0;
+    
+    name[0] = CTL_KERN;
+    name[1] = KERN_PROC;
+    name[2] = KERN_PROC_PID;
+    name[3] = getpid();
+    
+    if (sysctl(name, 4, &info, &info_size, NULL, 0) == -1) {
+        perror("sysctl");
+        exit(-1);
+    }
+    bool debugging = ((info.kp_proc.p_flag & P_TRACED) != 0);
+    
+    NSCAssert(!debugging, @"Debug checking should be disabled");
+}
+
+#endif // TESTS_BYPASS

IPAPatch/Vendors/fishhook/LICENSE

@@ -0,0 +1,22 @@
+// Copyright (c) 2013, Facebook, Inc.
+// All rights reserved.
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are met:
+//   * Redistributions of source code must retain the above copyright notice,
+//     this list of conditions and the following disclaimer.
+//   * Redistributions in binary form must reproduce the above copyright notice,
+//     this list of conditions and the following disclaimer in the documentation
+//     and/or other materials provided with the distribution.
+//   * Neither the name Facebook nor the names of its contributors may be used to
+//     endorse or promote products derived from this software without specific
+//     prior written permission.
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.