Re: Concealing an app from DTrace
Re: Concealing an app from DTrace
- Subject: Re: Concealing an app from DTrace
- From: Ken Thomases <email@hidden>
- Date: Wed, 02 May 2012 06:52:12 -0500
On May 2, 2012, at 12:04 AM, Don Quixote de la Mancha wrote:
> On Tue, May 1, 2012 at 6:28 PM, Kyle Sluder <email@hidden> wrote:
>
>>> I was just wondering if this is still true or true in general...that it is not possible to conceal an application from DTrace.
>
>> On May 1, 2012, at 6:04 PM, Eric Gorr <email@hidden> wrote:
>> It is true and will be true as long as your are able to compile your own kernel. Think about it.
>
> Even if you couldn't compiler your own kernel there are all kinds of
> ways to defeat this:
> [... snip ...]
My recollection is that it was even easier to defeat. You just start the target program with the debugger, as opposed to attaching to it already running, break on ptrace() where it attempts to deny attaching, and simply short-circuit the call.
Regards,
Ken
_______________________________________________
Cocoa-dev mailing list (email@hidden)
Please do not post admin requests or moderator comments to the list.
Contact the moderators at cocoa-dev-admins(at)lists.apple.com
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden