Re: Concealing an app from DTrace
- Subject: Re: Concealing an app from DTrace
- From: Don Quixote de la Mancha <email@hidden>
- Date: Tue, 01 May 2012 22:04:03 -0700
On Tue, May 1, 2012 at 6:28 PM, Kyle Sluder <email@hidden> wrote:
> On May 1, 2012, at 6:04 PM, Eric Gorr <email@hidden> wrote:
>> I was just wondering if this is still true or true in general...that it is not possible to conceal an application from DTrace.
> It is true and will be true as long as you are able to compile your own kernel. Think about it.
Even if you couldn't compile your own kernel there are all kinds of
ways to defeat this:
- Hot-Patch the running kernel by editing its memory space with a
kernel debugger or even just a hex editor.
- Load a device driver (Kernel Extension in the case of iOS and OS X)
that does the hot-patching.
- Patch the executable binary of the program that you want to crack,
by writing some No-Op instructions over the code that sets that flag.
- Build from source any of the libraries that are in the call chain
from the attempt to set the flag to the context switch into the
kernel.
- Replace any of those libraries at runtime, when the dynamic
libraries are linked, in just the same way as Guard Malloc replaces
the regular memory allocation library.
- Rather than replace a library, insert a "shim", that is, what
appears to the app to be a library, but is just a thin veneer that
calls through to the regular library, but in certain routines it
either alters the input parameters, the output results, or it just
returns immediately when called rather than calling down to lower
levels.
When I was at Working Software in the early nineties, most of our
products were what the company founder describes as "Virus-Like
Hacks", with the difference that our products' users wanted them on
their Macs, paid good money for them, and they were packaged in
full-color boxes with attractive, well-written manuals.
--
Don Quixote de la Mancha
Dulcinea Technologies Corporation
Software of Elegance and Beauty
http://www.dulcineatech.com
email@hidden