[英]Detecting debugger on Mac OS X
I am trying to detect whether my process is being run in a debugger or not and, while in Windows there are many solutions and in Linux I use:我试图检测我的进程是否正在调试器中运行,而在 Windows 中有很多解决方案,而在 Linux 中我使用:
ptrace(PTRACE_ME,0,0,0)
and check its return value, I did not manage to perform the same basic check on Mac OS X. I tried to use the并检查其返回值,我没有设法在 Mac OS X 上执行相同的基本检查。我尝试使用
ptrace(PT_TRACE_ME,0,0,0)
call but it always returns 0 even when run under gdb.调用但即使在 gdb 下运行它也总是返回 0。
If I change the request to PT_DENY_ATTACH
it correctly stops the debugging but that is not what I want to achieve.如果我将请求更改为PT_DENY_ATTACH
它会正确停止调试,但这不是我想要实现的。 Any ideas?有任何想法吗?
You can just call the function AmIBeingDebugged()
from Apple Technical Q&A QA1361 , which is reproduced here because Apple sometimes breaks documentation links and makes old documentation hard to find:您可以直接调用Apple Technical Q&A QA1361 中的AmIBeingDebugged()
函数,此处复制该函数,因为 Apple 有时会破坏文档链接并使旧文档难以找到:
#include <assert.h>
#include <stdbool.h>
#include <sys/types.h>
#include <unistd.h>
#include <sys/sysctl.h>
static bool AmIBeingDebugged(void)
// Returns true if the current process is being debugged (either
// running under the debugger or has a debugger attached post facto).
{
int junk;
int mib[4];
struct kinfo_proc info;
size_t size;
// Initialize the flags so that, if sysctl fails for some bizarre
// reason, we get a predictable result.
info.kp_proc.p_flag = 0;
// Initialize mib, which tells sysctl the info we want, in this case
// we're looking for information about a specific process ID.
mib[0] = CTL_KERN;
mib[1] = KERN_PROC;
mib[2] = KERN_PROC_PID;
mib[3] = getpid();
// Call sysctl.
size = sizeof(info);
junk = sysctl(mib, sizeof(mib) / sizeof(*mib), &info, &size, NULL, 0);
assert(junk == 0);
// We're being debugged if the P_TRACED flag is set.
return ( (info.kp_proc.p_flag & P_TRACED) != 0 );
}
#include <mach/task.h>
#include <mach/mach_init.h>
#include <stdbool.h>
static bool amIAnInferior(void)
{
mach_msg_type_number_t count = 0;
exception_mask_t masks[EXC_TYPES_COUNT];
mach_port_t ports[EXC_TYPES_COUNT];
exception_behavior_t behaviors[EXC_TYPES_COUNT];
thread_state_flavor_t flavors[EXC_TYPES_COUNT];
exception_mask_t mask = EXC_MASK_ALL & ~(EXC_MASK_RESOURCE | EXC_MASK_GUARD);
kern_return_t result = task_get_exception_ports(mach_task_self(), mask, masks, &count, ports, behaviors, flavors);
if (result == KERN_SUCCESS)
{
for (mach_msg_type_number_t portIndex = 0; portIndex < count; portIndex++)
{
if (MACH_PORT_VALID(ports[portIndex]))
{
return true;
}
}
}
return false;
}
This looks and sees if there is an active exception handler in our process (for EXC_BREAKPOINT, EXC_BAD_ACCESS, etc).这会查看我们的进程中是否有活动的异常处理程序(对于 EXC_BREAKPOINT、EXC_BAD_ACCESS 等)。 Ptrace is not required to achieve this in a debugger, thus relying only on a ptrace flag to be set is not quite ideal.在调试器中不需要 ptrace 来实现这一点,因此仅依靠要设置的 ptrace 标志不是很理想。
This approach is mentioned in http://reverse.put.as/wp-content/uploads/2012/07/Secuinside-2012-Presentation.pdf这种方法在http://reverse.put.as/wp-content/uploads/2012/07/Secuinside-2012-Presentation.pdf 中提到
My blog post describes this in more detail.我的博客文章更详细地描述了这一点。
Here's a Swift version of the function from Apple Technical Q&A QA1361 :这是Apple Technical Q&A QA1361中该函数的 Swift 版本:
import Foundation
extension ProcessInfo {
/// - returns: true if the process is being debugged, else false.
public func isBeingDebugged() -> Bool {
// https://developer.apple.com/library/archive/qa/qa1361/_index.html
// Technical Q&A QA1361: Detecting the Debugger
var mib: [Int32] = [
CTL_KERN,
KERN_PROC,
KERN_PROC_PID,
processIdentifier
]
var info = kinfo_proc()
var size: size_t = MemoryLayout.size(ofValue: info)
let rc = sysctl(&mib, UInt32(mib.count), &info, &size, nil, 0)
assert(rc == 0)
return (info.kp_proc.p_flag & P_TRACED) != 0
}
}
Usage:用法:
if ProcessInfo.processInfo.isBeingDebugged() {
print("running under the debugger")
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.