hankbao/antidebugging.m

## antidebugging.m
//
//  main.m
//  antidebugging
//
//  Created by Vincent Tan on 7/8/15.
//  Copyright (c) 2015 Vincent Tan. All rights reserved.
//

#import <UIKit/UIKit.h>
#import "AppDelegate.h"

// For debugger_ptrace. Ref: https://www.theiphonewiki.com/wiki/Bugging_Debuggers
#import <dlfcn.h>
#import <sys/types.h>

// For debugger_sysctl
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
#include <sys/sysctl.h>
#include <stdlib.h>

// For ioctl
#include <termios.h>
#include <sys/ioctl.h>

// For task_get_exception_ports
#include <mach/task.h>
#include <mach/mach_init.h>


typedef int (*ptrace_ptr_t)(int _request, pid_t _pid, caddr_t _addr, int _data);

#if !defined(PT_DENY_ATTACH)
#define PT_DENY_ATTACH 31
#endif  // !defined(PT_DENY_ATTACH)

/*!
 @brief This is the basic ptrace functionality.
 @link http://www.coredump.gr/articles/ios-anti-debugging-protections-part-1/
 */
void debugger_ptrace()
{
    void* handle = dlopen(0, RTLD_GLOBAL | RTLD_NOW);
    ptrace_ptr_t ptrace_ptr = dlsym(handle, "ptrace");
    ptrace_ptr(PT_DENY_ATTACH, 0, 0, 0);
    dlclose(handle);
}


/*!
 @brief This function uses sysctl to check for attached debuggers.
 @link https://developer.apple.com/library/mac/qa/qa1361/_index.html
 @link http://www.coredump.gr/articles/ios-anti-debugging-protections-part-2/
 */
static bool debugger_sysctl(void)
// Returns true if the current process is being debugged (either
// running under the debugger or has a debugger attached post facto).
{
    int mib[4];
    struct kinfo_proc info;
    size_t info_size = sizeof(info);

    // Initialize the flags so that, if sysctl fails for some bizarre
    // reason, we get a predictable result.

    info.kp_proc.p_flag = 0;

    // Initialize mib, which tells sysctl the info we want, in this case
    // we're looking for information about a specific process ID.

    mib[0] = CTL_KERN;
    mib[1] = KERN_PROC;
    mib[2] = KERN_PROC_PID;
    mib[3] = getpid();

    // Call sysctl.

    if (sysctl(mib, 4, &info, &info_size, NULL, 0) == -1)
    {
        perror("perror sysctl");
        exit(-1);
    }

    // We're being debugged if the P_TRACED flag is set.

    return ((info.kp_proc.p_flag & P_TRACED) != 0);
}


int main(int argc, char * argv[]) {

    // If enabled the program should exit with code 055 in GDB
    // Program exited with code 055.
    debugger_ptrace();
    NSLog(@"Bypassed ptrace()");

    // If enabled the program should exit with code 0377 in GDB
    // Program exited with code 0377.
    if (debugger_sysctl())
    {
        return -1;
    } else {
        NSLog(@"Bypassed sysctl()");
    }

    // Another way of calling ptrace.
    // Ref: https://www.theiphonewiki.com/wiki/Kernel_Syscalls
    syscall(26, 31, 0, 0);
    NSLog(@"Bypassed syscall()");


    // Ref: https://reverse.put.as/wp-content/uploads/2012/07/Secuinside-2012-Presentation.pdf
    struct ios_execp_info
    {
        exception_mask_t masks[EXC_TYPES_COUNT];
        mach_port_t ports[EXC_TYPES_COUNT];
        exception_behavior_t behaviors[EXC_TYPES_COUNT];
        thread_state_flavor_t flavors[EXC_TYPES_COUNT];
        mach_msg_type_number_t count;
    };
    struct ios_execp_info *info = malloc(sizeof(struct ios_execp_info));
    kern_return_t kr = task_get_exception_ports(mach_task_self(), EXC_MASK_ALL, info->masks, &info->count, info->ports, info->behaviors, info->flavors);

    for (int i = 0; i < info->count; i++)
    {
        if (info->ports[i] !=0 || info->flavors[i] == THREAD_STATE_NONE)
        {
            NSLog(@"Being debugged... task_get_exception_ports");
        } else {
            NSLog(@"task_get_exception_ports bypassed");
        }
    }


    // Another way of figuring out if LLDB is attached.
    if (isatty(1)) {
        NSLog(@"Being Debugged isatty");
    } else {
        NSLog(@"isatty() bypassed");
    }

    // Yet another way of figuring out if LLDB is attached.
    if (!ioctl(1, TIOCGWINSZ)) {
        NSLog(@"Being Debugged ioctl");
    } else {
        NSLog(@"ioctl bypassed");
    }


    // Everything above relies on libraries. It is easy enough to hook these libraries and return the required
    // result to bypass those checks. So here it is implemented in ARM assembly. Not very fun to bypass these.
    #ifdef __arm__
    asm volatile (
                  "mov r0, #31\n"
                  "mov r1, #0\n"
                  "mov r2, #0\n"
                  "mov r12, #26\n"
                  "svc #80\n"
                  );
    NSLog(@"Bypassed syscall() ASM");
    #endif
    #ifdef __arm64__
    asm volatile (
                  "mov x0, #26\n"
                  "mov x1, #31\n"
                  "mov x2, #0\n"
                  "mov x3, #0\n"
                  "mov x16, #0\n"
                  "svc #128\n"
                  );
    NSLog(@"Bypassed syscall() ASM64");
    #endif


    @autoreleasepool {
        return UIApplicationMain(argc, argv, nil, NSStringFromClass([AppDelegate class]));
    }
}
	//
	// main.m
	// antidebugging
	//
	// Created by Vincent Tan on 7/8/15.
	// Copyright (c) 2015 Vincent Tan. All rights reserved.
	//

	#import <UIKit/UIKit.h>
	#import "AppDelegate.h"

	// For debugger_ptrace. Ref: https://www.theiphonewiki.com/wiki/Bugging_Debuggers
	#import <dlfcn.h>
	#import <sys/types.h>

	// For debugger_sysctl
	#include <stdio.h>
	#include <sys/types.h>
	#include <unistd.h>
	#include <sys/sysctl.h>
	#include <stdlib.h>

	// For ioctl
	#include <termios.h>
	#include <sys/ioctl.h>

	// For task_get_exception_ports
	#include <mach/task.h>
	#include <mach/mach_init.h>




	typedef int (*ptrace_ptr_t)(int _request, pid_t _pid, caddr_t _addr, int _data);

	#if !defined(PT_DENY_ATTACH)
	#define PT_DENY_ATTACH 31
	#endif // !defined(PT_DENY_ATTACH)

	/*!
	@brief This is the basic ptrace functionality.
	@link http://www.coredump.gr/articles/ios-anti-debugging-protections-part-1/
	*/
	void debugger_ptrace()
	{
	void* handle = dlopen(0, RTLD_GLOBAL \| RTLD_NOW);
	ptrace_ptr_t ptrace_ptr = dlsym(handle, "ptrace");
	ptrace_ptr(PT_DENY_ATTACH, 0, 0, 0);
	dlclose(handle);
	}




	/*!
	@brief This function uses sysctl to check for attached debuggers.
	@link https://developer.apple.com/library/mac/qa/qa1361/_index.html
	@link http://www.coredump.gr/articles/ios-anti-debugging-protections-part-2/
	*/
	static bool debugger_sysctl(void)
	// Returns true if the current process is being debugged (either
	// running under the debugger or has a debugger attached post facto).
	{
	int mib[4];
	struct kinfo_proc info;
	size_t info_size = sizeof(info);

	// Initialize the flags so that, if sysctl fails for some bizarre
	// reason, we get a predictable result.

	info.kp_proc.p_flag = 0;

	// Initialize mib, which tells sysctl the info we want, in this case
	// we're looking for information about a specific process ID.

	mib[0] = CTL_KERN;
	mib[1] = KERN_PROC;
	mib[2] = KERN_PROC_PID;
	mib[3] = getpid();

	// Call sysctl.

	if (sysctl(mib, 4, &info, &info_size, NULL, 0) == -1)
	{
	perror("perror sysctl");
	exit(-1);
	}

	// We're being debugged if the P_TRACED flag is set.

	return ((info.kp_proc.p_flag & P_TRACED) != 0);
	}






	int main(int argc, char * argv[]) {

	// If enabled the program should exit with code 055 in GDB
	// Program exited with code 055.
	debugger_ptrace();
	NSLog(@"Bypassed ptrace()");

	// If enabled the program should exit with code 0377 in GDB
	// Program exited with code 0377.
	if (debugger_sysctl())
	{
	return -1;
	} else {
	NSLog(@"Bypassed sysctl()");
	}

	// Another way of calling ptrace.
	// Ref: https://www.theiphonewiki.com/wiki/Kernel_Syscalls
	syscall(26, 31, 0, 0);
	NSLog(@"Bypassed syscall()");


	// Ref: https://reverse.put.as/wp-content/uploads/2012/07/Secuinside-2012-Presentation.pdf
	struct ios_execp_info
	{
	exception_mask_t masks[EXC_TYPES_COUNT];
	mach_port_t ports[EXC_TYPES_COUNT];
	exception_behavior_t behaviors[EXC_TYPES_COUNT];
	thread_state_flavor_t flavors[EXC_TYPES_COUNT];
	mach_msg_type_number_t count;
	};
	struct ios_execp_info *info = malloc(sizeof(struct ios_execp_info));
	kern_return_t kr = task_get_exception_ports(mach_task_self(), EXC_MASK_ALL, info->masks, &info->count, info->ports, info->behaviors, info->flavors);

	for (int i = 0; i < info->count; i++)
	{
	if (info->ports[i] !=0 \|\| info->flavors[i] == THREAD_STATE_NONE)
	{
	NSLog(@"Being debugged... task_get_exception_ports");
	} else {
	NSLog(@"task_get_exception_ports bypassed");
	}
	}


	// Another way of figuring out if LLDB is attached.
	if (isatty(1)) {
	NSLog(@"Being Debugged isatty");
	} else {
	NSLog(@"isatty() bypassed");
	}

	// Yet another way of figuring out if LLDB is attached.
	if (!ioctl(1, TIOCGWINSZ)) {
	NSLog(@"Being Debugged ioctl");
	} else {
	NSLog(@"ioctl bypassed");
	}



	// Everything above relies on libraries. It is easy enough to hook these libraries and return the required
	// result to bypass those checks. So here it is implemented in ARM assembly. Not very fun to bypass these.
	#ifdef __arm__
	asm volatile (
	"mov r0, #31\n"
	"mov r1, #0\n"
	"mov r2, #0\n"
	"mov r12, #26\n"
	"svc #80\n"
	);
	NSLog(@"Bypassed syscall() ASM");
	#endif
	#ifdef __arm64__
	asm volatile (
	"mov x0, #26\n"
	"mov x1, #31\n"
	"mov x2, #0\n"
	"mov x3, #0\n"
	"mov x16, #0\n"
	"svc #128\n"
	);
	NSLog(@"Bypassed syscall() ASM64");
	#endif




	@autoreleasepool {
	return UIApplicationMain(argc, argv, nil, NSStringFromClass([AppDelegate class]));
	}
	}