当前位置: 文江博客话题详情

检测 Mac OS X 上的调试器

发布于 2024-08-20 02:35:34 字数 321 浏览 3 评论 0原文

我试图检测我的进程是否正在调试器中运行,虽然在 Windows 中有很多解决方案,在 Linux 中我使用:

ptrace(PTRACE_ME,0,0,0)

并检查其返回值,但我没有设法在 Mac OS 上执行相同的基本检查X. 我尝试使用该

ptrace(PT_TRACE_ME,0,0,0)

调用,但即使在 gdb 下运行,它总是返回 0。

如果我将请求更改为 PT_DENY_ATTACH ,它会正确停止调试,但这不是我想要实现的目标。有什么想法吗?

原文

I am trying to detect whether my process is being run in a debugger or not and, while in Windows there are many solutions and in Linux I use:

ptrace(PTRACE_ME,0,0,0)

and check its return value, I did not manage to perform the same basic check on Mac OS X.
I tried to use the

ptrace(PT_TRACE_ME,0,0,0)

call but it always returns 0 even when run under gdb.

If I change the request to PT_DENY_ATTACH it correctly stops the debugging but that is not what I want to achieve. Any ideas?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(3

殊姿 2024-08-27 02:35:34

您只需从 调用函数 AmIBeingDebugged() Apple 技术问答 QA1361,此处转载是因为 Apple 有时会破坏文档链接并使旧文档难以找到:

#include <assert.h>
#include <stdbool.h>
#include <sys/types.h>
#include <unistd.h>
#include <sys/sysctl.h>

static bool AmIBeingDebugged(void)
    // Returns true if the current process is being debugged (either 
    // running under the debugger or has a debugger attached post facto).
{
    int                 junk;
    int                 mib[4];
    struct kinfo_proc   info;
    size_t              size;

    // Initialize the flags so that, if sysctl fails for some bizarre 
    // reason, we get a predictable result.

    info.kp_proc.p_flag = 0;

    // Initialize mib, which tells sysctl the info we want, in this case
    // we're looking for information about a specific process ID.

    mib[0] = CTL_KERN;
    mib[1] = KERN_PROC;
    mib[2] = KERN_PROC_PID;
    mib[3] = getpid();

    // Call sysctl.

    size = sizeof(info);
    junk = sysctl(mib, sizeof(mib) / sizeof(*mib), &info, &size, NULL, 0);
    assert(junk == 0);

    // We're being debugged if the P_TRACED flag is set.

    return ( (info.kp_proc.p_flag & P_TRACED) != 0 );
}

You can just call the function AmIBeingDebugged() from Apple Technical Q&A QA1361, which is reproduced here because Apple sometimes breaks documentation links and makes old documentation hard to find:

#include <assert.h>
#include <stdbool.h>
#include <sys/types.h>
#include <unistd.h>
#include <sys/sysctl.h>

static bool AmIBeingDebugged(void)
    // Returns true if the current process is being debugged (either 
    // running under the debugger or has a debugger attached post facto).
{
    int                 junk;
    int                 mib[4];
    struct kinfo_proc   info;
    size_t              size;

    // Initialize the flags so that, if sysctl fails for some bizarre 
    // reason, we get a predictable result.

    info.kp_proc.p_flag = 0;

    // Initialize mib, which tells sysctl the info we want, in this case
    // we're looking for information about a specific process ID.

    mib[0] = CTL_KERN;
    mib[1] = KERN_PROC;
    mib[2] = KERN_PROC_PID;
    mib[3] = getpid();

    // Call sysctl.

    size = sizeof(info);
    junk = sysctl(mib, sizeof(mib) / sizeof(*mib), &info, &size, NULL, 0);
    assert(junk == 0);

    // We're being debugged if the P_TRACED flag is set.

    return ( (info.kp_proc.p_flag & P_TRACED) != 0 );
}
回复 原文
暗喜 2024-08-27 02:35:34
#include <mach/task.h>
#include <mach/mach_init.h>
#include <stdbool.h>

static bool amIAnInferior(void)
{
    mach_msg_type_number_t count = 0;
    exception_mask_t masks[EXC_TYPES_COUNT];
    mach_port_t ports[EXC_TYPES_COUNT];
    exception_behavior_t behaviors[EXC_TYPES_COUNT];
    thread_state_flavor_t flavors[EXC_TYPES_COUNT];

    exception_mask_t mask = EXC_MASK_ALL & ~(EXC_MASK_RESOURCE | EXC_MASK_GUARD);
    kern_return_t result = task_get_exception_ports(mach_task_self(), mask, masks, &count, ports, behaviors, flavors);
    if (result == KERN_SUCCESS)
    {
        for (mach_msg_type_number_t portIndex = 0; portIndex < count; portIndex++)
        {
            if (MACH_PORT_VALID(ports[portIndex]))
            {
                return true;
            }
        }
    }
    return false;
}

这会查看我们的进程中是否有活动的异常处理程序(对于 EXC_BREAKPOINT、EXC_BAD_ACCESS 等)。在调试器中不需要 ptrace 来实现此目的,因此仅依赖于要设置的 ptrace 标志并不是很理想。

http://reverse 中提到了这种方法。 put.as/wp-content/uploads/2012/07/Secuinside-2012-Presentation.pdf

我的博客文章对此进行了更详细的描述。

#include <mach/task.h>
#include <mach/mach_init.h>
#include <stdbool.h>

static bool amIAnInferior(void)
{
    mach_msg_type_number_t count = 0;
    exception_mask_t masks[EXC_TYPES_COUNT];
    mach_port_t ports[EXC_TYPES_COUNT];
    exception_behavior_t behaviors[EXC_TYPES_COUNT];
    thread_state_flavor_t flavors[EXC_TYPES_COUNT];

    exception_mask_t mask = EXC_MASK_ALL & ~(EXC_MASK_RESOURCE | EXC_MASK_GUARD);
    kern_return_t result = task_get_exception_ports(mach_task_self(), mask, masks, &count, ports, behaviors, flavors);
    if (result == KERN_SUCCESS)
    {
        for (mach_msg_type_number_t portIndex = 0; portIndex < count; portIndex++)
        {
            if (MACH_PORT_VALID(ports[portIndex]))
            {
                return true;
            }
        }
    }
    return false;
}

This looks and sees if there is an active exception handler in our process (for EXC_BREAKPOINT, EXC_BAD_ACCESS, etc). Ptrace is not required to achieve this in a debugger, thus relying only on a ptrace flag to be set is not quite ideal.

This approach is mentioned in http://reverse.put.as/wp-content/uploads/2012/07/Secuinside-2012-Presentation.pdf

My blog post describes this in more detail.

回复 原文
铁轨上的流浪者 2024-08-27 02:35:34

以下是来自 Apple 技术问答 QA1361:

import Foundation

extension ProcessInfo {
    /// - returns: true if the process is being debugged, else false.
    public func isBeingDebugged() -> Bool {
        // https://developer.apple.com/library/archive/qa/qa1361/_index.html
        // Technical Q&A QA1361: Detecting the Debugger

        var mib: [Int32] = [
            CTL_KERN,
            KERN_PROC,
            KERN_PROC_PID,
            processIdentifier
        ]

        var info = kinfo_proc()
        var size: size_t = MemoryLayout.size(ofValue: info)

        let rc = sysctl(&mib, UInt32(mib.count), &info, &size, nil, 0)
        assert(rc == 0)

        return (info.kp_proc.p_flag & P_TRACED) != 0
    }
}

用法:

if ProcessInfo.processInfo.isBeingDebugged() {
     print("running under the debugger")
}

Here's a Swift version of the function from Apple Technical Q&A QA1361:

import Foundation

extension ProcessInfo {
    /// - returns: true if the process is being debugged, else false.
    public func isBeingDebugged() -> Bool {
        // https://developer.apple.com/library/archive/qa/qa1361/_index.html
        // Technical Q&A QA1361: Detecting the Debugger

        var mib: [Int32] = [
            CTL_KERN,
            KERN_PROC,
            KERN_PROC_PID,
            processIdentifier
        ]

        var info = kinfo_proc()
        var size: size_t = MemoryLayout.size(ofValue: info)

        let rc = sysctl(&mib, UInt32(mib.count), &info, &size, nil, 0)
        assert(rc == 0)

        return (info.kp_proc.p_flag & P_TRACED) != 0
    }
}

Usage:

if ProcessInfo.processInfo.isBeingDebugged() {
     print("running under the debugger")
}
回复 原文
~没有更多了~

关于作者

月朦胧

暂无简介

0 文章
0 评论
22 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

1CH1MKgiKxn9p

文章 0 评论 0

ゞ记忆︶ㄣ

文章 0 评论 0

JackDx

文章 0 评论 0

信远

文章 0 评论 0

yaoduoduo1995

文章 0 评论 0

霞映澄塘

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文