I am developing an OS X application that I would like to conceal from inspection by DTrace. I'm aware of the P_LNOATTACH flag, but everything I've read tells me that there are ways around it. Is it possible?
2 Answers
As noted, you can use ptrace(2) with PT_DENY_ATTACH, but DTrace or a debugger can intercept those calls and disable them. Further, you want your users using DTrace on your program. If there's a problem, let them help you diagnose it. The only truly proprietary software executes on controlled environments like appliances and the cloud -- once you hand a user your bits, the only thing in the way of understanding what you're doing is time.

Yes, it's possible. Try running DTrace against iTunes; it doesn't work.
You have to call the ptrace function with PT_DENY_ATTACH.
http://developer.apple.com/library/mac/#documentation/Darwin/Reference/ManPages/man2/ptrace.2.html
However, there are ways around it with various kexts. Google around and you'll find some of them.
For 10.6 & 10.7: https://github.com/dwalters/pt_deny_attach
Hmm, looks like it's broken with 10.8 due to ASLR: Detecting, and Shirking Off, the Debugger

You could improve the answer by pointing to a kext that works with 10.7.x – ericg May 02 '12 at 03:46