Preface: anti-debugging comes in two kinds. 1) Preventing a debugger from attaching. 2) Detecting whether a debugger is present.
Anti-debugging
1. ptrace (process trace)
To make software development and debugging easier, early versions of UNIX already provided a means of tracing and controlling a running process: the system call ptrace. With ptrace, one process can debug and trace another. ptrace also offers a very useful request, PT_DENY_ATTACH, which tells the system to refuse any debugger that tries to attach.
We create a macOS project, because on iPhone the ptrace header file is not provided by the SDK.
/*
 * Copyright (c) 2000-2005 Apple Computer, Inc. All rights reserved.
 *
 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
 *
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. The rights granted to you under the License
 * may not be used to create, or enable the creation or redistribution of,
 * unlawful or unlicensed copies of an Apple operating system, or to
 * circumvent, violate, or enable the circumvention or violation of, any
 * terms of an Apple operating system software license agreement.
 *
 * Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this file.
 *
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 *
 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
 */
/* Copyright (c) 1995 NeXT Computer, Inc. All Rights Reserved */
/*-
 * Copyright (c) 1984, 1993
 *	The Regents of the University of California.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 *    must display the following acknowledgement:
 *	This product includes software developed by the University of
 *	California, Berkeley and its contributors.
 * 4. Neither the name of the University nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 *	@(#)ptrace.h	8.2 (Berkeley) 1/4/94
 */

#ifndef _SYS_PTRACE_H_
#define _SYS_PTRACE_H_

#include <sys/appleapiopts.h>
#include <sys/cdefs.h>

enum {
	ePtAttachDeprecated __deprecated_enum_msg("PT_ATTACH is deprecated. See PT_ATTACHEXC") = 10
};

#define PT_TRACE_ME     0   /* child declares it's being traced */
#define PT_READ_I       1   /* read word in child's I space */
#define PT_READ_D       2   /* read word in child's D space */
#define PT_READ_U       3   /* read word in child's user structure */
#define PT_WRITE_I      4   /* write word in child's I space */
#define PT_WRITE_D      5   /* write word in child's D space */
#define PT_WRITE_U      6   /* write word in child's user structure */
#define PT_CONTINUE     7   /* continue the child */
#define PT_KILL         8   /* kill the child process */
#define PT_STEP         9   /* single step the child */
#define PT_ATTACH       ePtAttachDeprecated /* trace some running process */
#define PT_DETACH       11  /* stop tracing a process */
#define PT_SIGEXC       12  /* signals as exceptions for current_proc */
#define PT_THUPDATE     13  /* signal for thread# */
#define PT_ATTACHEXC    14  /* attach to running process with signal exception */

#define PT_FORCEQUOTA   30  /* Enforce quota for root */
#define PT_DENY_ATTACH  31

#define PT_FIRSTMACH    32  /* for machine-specific requests */

__BEGIN_DECLS
int ptrace(int _request, pid_t _pid, caddr_t _addr, int _data);
__END_DECLS

#endif /* !_SYS_PTRACE_H_ */
Note the request number 31 in this header: PT_DENY_ATTACH is the one that blocks debugging.
2. Writing the call
/**
 arg1: the request, i.e. what ptrace should do
 arg2: the ID of the process to operate on
 arg3 (address) / arg4 (data): their meaning depends on arg1
 */
ptrace(PT_DENY_ATTACH, 0, 0, 0);
Then, when we debug in Xcode, we find that the process is disconnected. This is how debugging is prevented.
Anti-anti-debugging
Thinking it through:
First consider that ptrace is a system function, and fishhook, which hooks system functions, is exactly what solves this problem. So next we hook the ptrace function.
1) We create a new dynamic library.
3. Anti-anti-anti-debugging
To stop someone else from injecting a dynamic library that hooks my function, I can inject my own dynamic library that calls ptrace first.
Note the following points:
1) The project loads its own dynamic libraries first.
2) Then the injected dynamic libraries are loaded and run, in the order in which they were added to the build.
3) Finally our target is loaded and run, in the order in which it was added to the build.
Following this principle we can prevent others from injecting a dynamic library.
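Below is an added example in C (my own code, not from the original post) that puts the two ideas of this post into one file: the ptrace(PT_DENY_ATTACH) call placed in a constructor of the app's own dynamic library, so it runs as soon as that image loads and before any library loaded after it, plus a debugger-presence check of the second kind named in the preface. Assumptions: on iOS there is no <sys/ptrace.h>, so PT_DENY_ATTACH and the ptrace prototype are declared by hand from the macOS header quoted above; the sysctl/P_TRACED check and the /proc/self/status fallback (so the file also builds and runs on Linux) are my additions, not something the post describes.

```c
/* Added example (not from the original post): PT_DENY_ATTACH from a constructor so it runs
 * as soon as this image loads, plus a debugger-presence check (preface, second kind).
 * Apple: sysctl/P_TRACED. Elsewhere: TracerPid in /proc/self/status, so it builds on Linux. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#ifdef __APPLE__
#include <sys/sysctl.h>
/* iOS SDKs ship no <sys/ptrace.h>: declare what we need, values from the macOS header above. */
#define PT_DENY_ATTACH 31
extern int ptrace(int request, pid_t pid, caddr_t addr, int data);
#endif
static int deny_attach_done = 0;

/* Runs when this image is loaded: before main() and before any dylib loaded after it. */
__attribute__((constructor))
static void deny_debugger_attach(void) {
#ifdef __APPLE__
    ptrace(PT_DENY_ATTACH, 0, 0, 0);   /* with a debugger already attached, the process exits */
#endif
    deny_attach_done = 1;
}
int anti_debug_initialized(void) { return deny_attach_done; }

/* Pid after "TracerPid:" in /proc/self/status text; 0 means nobody is tracing us. */
int tracer_pid_from_status(const char *status_text) {
    const char *p = strstr(status_text, "TracerPid:");
    return p ? atoi(p + strlen("TracerPid:")) : 0;
}

int is_debugger_attached(void) {
#ifdef __APPLE__
    struct kinfo_proc info = {0};
    size_t size = sizeof(info);
    int mib[4] = { CTL_KERN, KERN_PROC, KERN_PROC_PID, getpid() };
    if (sysctl(mib, 4, &info, &size, NULL, 0) != 0) return 0;
    return (info.kp_proc.p_flag & P_TRACED) != 0;
#else
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return 0;
    size_t n = fread(buf, 1, sizeof(buf) - 1, f);
    fclose(f);
    buf[n] = '\0';
    return tracer_pid_from_status(buf) != 0;
#endif
}
```

Because the constructor fires at image load, the check in is_debugger_attached() is only a second line of defence for a debugger that attaches later; the post's ordering rules above decide whether an injected library can get in front of the constructor.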