Linked by Eugenia Loli-Queru on Wed 23rd Jan 2008 22:04 UTC, submitted by Tyr.
PT_DENY_ATTACH is a non-standard ptrace() request type that prevents a debugger from attaching to the calling process. Adam Leventhal recently discovered that Leopard extends PT_DENY_ATTACH to prevent introspection into processes using dtrace. This article will cover disabling PT_DENY_ATTACH for all processes on Mac OS X 10.5. Over the previous few years, I've provided similar hacks for both Mac OS X 10.4, and 10.3.
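As an added illustration (not from Landon's article or from these comments), this D script checks whether DTrace introspection is being suppressed while a given process runs: it takes the process name as its first script argument (assumed usage: sudo dtrace -s check_deny.d iTunes), counts that process's system calls, and reports each 10-second tick. Regular ticks with a populated table mean probes fire; ticks that stop arriving mean they are being suppressed.

```d
#pragma D option quiet

/* Constructed check, not the article's code: watch one process (named by
 * the first script argument) and confirm that probes keep firing while it
 * is running. On an affected Leopard kernel the tick-10s clause simply
 * stops reporting once a PT_DENY_ATTACH process is up. */

BEGIN
{
    last = timestamp;
    ticks = 0;
    printf("watching execname == \"%s\"; expecting one tick every 10s\n", $$1);
}

/* Count system calls made by the watched process, keyed by syscall name. */
syscall:::entry
/execname == $$1/
{
    @calls[probefunc] = count();
}

/* Report each tick with the elapsed time since the previous one, then
 * print and clear the per-interval syscall counts. */
tick-10s
{
    ticks++;
    printf("tick %d after %d ms\n", ticks, (timestamp - last) / 1000000);
    last = timestamp;
    printa("  %-24s %@d\n", @calls);
    trunc(@calls);
}

/* Stop after a minute so the check ends on its own. */
tick-10s
/ticks == 6/
{
    exit(0);
}
```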
Not surprising
by tyrione (1) on Wed 23rd Jan 2008 23:23 UTC

Since Landon used to work in the Kernel/BSD Group at Apple it's not a stretch to think he knows something about the inner workings of OS X.

I'm off to crack now ...
by Cass (1.8) on Thu 24th Jan 2008 00:21 UTC

Think I'll go buy a Blu-ray drive, hire movies, dtrace them so I can crack them and sell the copies on eBay, then I'll go hack the iTunes DRM and give the spoils away for free on BitTorrent ... I'll have to look around to see what other stuff I can do after that :-)

Or I might just go apply the patch and be happy my dtrace will work as advertised ... undecided!

Oh, and good man Landon for taking the time to do this....

Edited 2008-01-24 00:22 UTC

RE: I'm off to crack now ...
by Cass (1.8) on Thu 24th Jan 2008 00:52 UTC in reply to "I'm off to crack now ..."

Damn, edit expired on me .. apologies for the double post .. This patch works, it seems: Adam's test D script shows the probe firing every 10 secs even with iTunes running, only 5 mins to compile and attach the extension too, and dmesg shows exactly what Landon says :-)

Macintosh-2:Deployment Cass$ ps -ef |grep iTunes|egrep -v "Helper|grep"
501 34206 141 0 0:01.14 ?? 0:04.11 /Applications/iTunes.app/Contents/MacOS/iTunes -psn_0_1511793
Macintosh-2:Deployment Cass$ sudo dtrace -s test.d |grep tick
dtrace: script 'test.d' matched 2 probes
0 22128 :tick-10s
0 22128 :tick-10s
0 22128 :tick-10s
0 22128 :tick-10s
0 22128 :tick-10s

Macintosh-2:Deployment Cass$ sudo dtrace -s test2.d
dtrace: script 'test2.d' matched 2 probes
CPU ID FUNCTION:NAME
0 22196 :tick-1s
2000

0 22196 :tick-1s
1998

0 22196 :tick-1s
1997

0 22196 :tick-1s
1996

0 22196 :tick-1s
1997
Nice work Landon

Edited 2008-01-24 00:56 UTC

Welcome to the world of OS X rootkits...
by PlatformAgnostic (3.04) on Thu 24th Jan 2008 15:25 UTC

I can see it already. Mac OS is gaining market share, so this nice how-to article will probably get some gears turning in certain corners of the net (well, they probably were already, to be honest).

by Tyr. in reply to "Welcome to the world of OS X rootkits..."

> I can see it already. Mac OS is gaining market share, so this nice how-to article will probably get some gears turning in certain corners of the net (well, they probably were already, to be honest).

To install a kext (kernel extension) file as the author does, you need to be able to create files owned by root:wheel. If someone already has that ability, all hope is pretty much gone.