Re: Concealing an app from DTrace
- Subject: Re: Concealing an app from DTrace
- From: Eric Gorr <email@hidden>
- Date: Wed, 02 May 2012 07:07:38 -0400
Thanks Don. This is what I was looking for in response to my inquiry.
Sent from my iPad
On May 2, 2012, at 1:04 AM, Don Quixote de la Mancha <email@hidden> wrote:
> On Tue, May 1, 2012 at 6:28 PM, Kyle Sluder <email@hidden> wrote:
>
>> On May 1, 2012, at 6:04 PM, Eric Gorr <email@hidden> wrote:
>>
>>> I was just wondering if this is still true or true in general...that it is not possible to conceal an application from DTrace.
>>
>> It is true and will be true as long as you are able to compile your own kernel. Think about it.
>
> Even if you couldn't compile your own kernel there are all kinds of
> ways to defeat this:
>
> - Hot-Patch the running kernel by editing its memory space with a
> kernel debugger or even just a hex editor.
>
> - Load a device driver (Kernel Extension in the case of iOS and OS X)
> that does the hot-patching.
>
> - Patch the executable binary of the program that you want to crack,
> by writing some No-Op instructions over the code that sets that flag.
>
> - Build from source any of the libraries that are in the call chain
> from the attempt to set the flag to the context switch into the
> kernel.
>
> - Replace any of those libraries at runtime, when the dynamic
> libraries are linked, in just the same way as Guard Malloc replaces
> the regular memory allocation library.
>
> - Rather than replace a library, insert a "shim", that is, what
> appears to the app to be a library, but is just a thin veneer that
> calls through to the regular library, but in certain routines it
> either alters the input parameters or the output results, or it just
> returns immediately when called rather than calling down to lower
> levels.
>
> When I was at Working Software in the early nineties, most of our
> products were what the company founder describes as "Virus-Like
> Hacks", with the difference that our products' users wanted them on
> their Macs, paid good money for them, and they were packaged in
> full-color boxes with attractive, well-written manuals.
>
> --
> Don Quixote de la Mancha
> Dulcinea Technologies Corporation
> Software of Elegance and Beauty
> http://www.dulcineatech.com
> email@hidden
_______________________________________________
Cocoa-dev mailing list (email@hidden)
Please do not post admin requests or moderator comments to the list.
Contact the moderators at cocoa-dev-admins(at)lists.apple.com
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden