├── README.md
├── lldb
│   └── AntiAntiDebug.py
└── tweak
    └── antiantidebug
        ├── AntiAntiDebug.plist
        ├── Makefile
        ├── Tweak.xm
        └── control

/README.md:
--------------------------------------------------------------------------------
文章链接:

[关于反调试&反反调试那些事](http://www.alonemonkey.com/2017/05/25/antiantidebug/)
--------------------------------------------------------------------------------

/lldb/AntiAntiDebug.py:
--------------------------------------------------------------------------------
#!/usr/bin/python
# -*- coding: utf-8 -*-

"""
Anti-anti-debug lldb command (Chisel-style, via fblldbbase).

After the anti-debug check has been passed, remember to run:

    aadebug -d

otherwise the target will be very laggy (presumably because the conditional
breakpoints planted on ptrace/syscall/sysctl are evaluated on every call).
If the app re-checks on a timer, writing a tweak is recommended instead
(see tweak/antiantidebug in this repository).
"""

import lldb
import fblldbbase as fb
import fblldbobjcruntimehelpers as objc


def lldbcommands():
    """Return the command objects this module provides (presumably picked up by the fblldb loader)."""
    return [
        AMAntiAntiDebug()
    ]


class AMAntiAntiDebug(fb.FBCommand):
    """`aadebug` command: neutralise ptrace/syscall/sysctl based debugger checks.

    Each anti* method plants a conditional breakpoint on the libc entry point
    and attaches a script callback that rewrites one register (or the word at
    $sp) and continues. `-d` deletes those breakpoints again.
    """

    def name(self):
        return 'aadebug'

    def description(self):
        return "anti anti debug ptrace syscall sysctl"

    def options(self):
        # Single boolean flag; `arg='disable'` is what run() reads as options.disable.
        return [
            fb.FBCommandArgument(short='-d', long='--disable', arg='disable', boolean=True, default=False, help='disable anti anti debug.')
        ]

    def run(self, arguments, options):
        """Install the three breakpoints, or with -d delete the ones installed earlier.

        NOTE(review): the -d branch reads self.ptrace/self.syscall/self.sysctl, which
        are only assigned by the anti* methods below, so `aadebug -d` issued before a
        plain `aadebug` raises AttributeError. antiExit() is neither called here nor
        cleaned up by -d.
        """
        if options.disable:
            target = lldb.debugger.GetSelectedTarget()
            target.BreakpointDelete(self.ptrace.id)
            target.BreakpointDelete(self.syscall.id)
            target.BreakpointDelete(self.sysctl.id)
            print "anti anti debug is disabled!!!"
        else:
            self.antiPtrace()
            self.antiSyscall()
            self.antiSysctl()
            print "anti anti debug finished!!!"

    def antiPtrace(self):
        """Break on ptrace() only when the request argument is 31 (PT_DENY_ATTACH, per the tweak's log text).

        The register holding the first argument follows the convention the author
        assumes per arch: rdi (x86_64), x0 (arm64), r0 (armv7).
        """
        ptrace = lldb.debugger.GetSelectedTarget().BreakpointCreateByName("ptrace")
        if isMac():
            ptrace.SetCondition('$rdi==31')
        elif is64Bit():
            ptrace.SetCondition('$x0==31')
        else:
            ptrace.SetCondition('$r0==31')
        # The callback is referenced through sys.modules by this module's name so lldb
        # can resolve it when the breakpoint fires.
        ptrace.SetScriptCallbackFunction('sys.modules[\'' + __name__ + '\'].ptrace_callback')
        self.ptrace = ptrace

    def antiSyscall(self):
        """Break on syscall() when the syscall number is 26 (ptrace) and its first variadic argument is 31.

        On arm64 the variadic argument is read from the stack (`*(int *)$sp`)
        rather than from a register; on x86_64 and armv7 it is the second
        argument register.
        """
        syscall = lldb.debugger.GetSelectedTarget().BreakpointCreateByName("syscall")
        if isMac():
            syscall.SetCondition('$rdi==26 && $rsi==31')
        elif is64Bit():
            syscall.SetCondition('$x0==26 && *(int *)$sp==31')
        else:
            syscall.SetCondition('$r0==26 && $r1==31')
        syscall.SetScriptCallbackFunction('sys.modules[\'' + __name__ + '\'].syscall_callback')
        self.syscall = syscall

    def antiSysctl(self):
        """Break on sysctl() for namelen 4 with MIB name[0..2] == {1, 14, 1}.

        This is the same name the tweak's my_sysctl matches before inspecting
        kinfo_proc.kp_proc.p_flag & P_TRACED, i.e. the "am I being traced" query.
        Second-argument register: rsi / x1 / r1; first-argument (name pointer): rdi / x0 / r0.
        """
        sysctl = lldb.debugger.GetSelectedTarget().BreakpointCreateByName("sysctl")
        if isMac():
            sysctl.SetCondition('$rsi==4 && *(int *)$rdi==1 && *(int *)($rdi+4)==14 && *(int *)($rdi+8)==1')
        elif is64Bit():
            sysctl.SetCondition('$x1==4 && *(int *)$x0==1 && *(int *)($x0+4)==14 && *(int *)($x0+8)==1')
        else:
            sysctl.SetCondition('$r1==4 && *(int *)$r0==1 && *(int *)($r0+4)==14 && *(int *)($r0+8)==1')
        sysctl.SetScriptCallbackFunction('sys.modules[\'' + __name__ + '\'].sysctl_callback')
        self.sysctl = sysctl

    def antiExit(self):
        """Break on exit() (not wired into run()).

        NOTE(review): the second statement calls SetScriptCallbackFunction on the
        bare name `exit`, not on the breakpoint just stored in self.exit, so the
        callback is not attached to that breakpoint as the first line suggests.
        """
        self.exit = lldb.debugger.GetSelectedTarget().BreakpointCreateByName("exit")
        exit.SetScriptCallbackFunction('sys.modules[\'' + __name__ + '\'].exit_callback')


# For now only armv7 and arm64 are considered (x86_64 is handled separately as the "Mac" case).
def is64Bit():
    """True when the arch reported by the objc runtime helpers is arm64."""
    arch = objc.currentArch()
    if arch == "arm64":
        return True
    return False


def isMac():
    """True when the reported arch is x86_64 (the author treats this as the macOS case)."""
    arch = objc.currentArch()
    if arch == "x86_64":
        return True
    return False


def ptrace_callback(frame, bp_loc, internal_dict):
    """Breakpoint callback: write 0 into the ptrace request register, then continue."""
    print "find ptrace"
    register = "x0"
    if isMac():
        register = "rdi"
    elif not is64Bit():
        register = "r0"
    frame.FindRegister(register).value = "0"
    lldb.debugger.HandleCommand('continue')


def syscall_callback(frame, bp_loc, internal_dict):
    """Breakpoint callback: zero the ptrace request argument of syscall(26, ...), then continue."""
    print "find syscall"
    # Original author's note: "don't know how to modify what sp points to via the API",
    # presumably why the register/memory writes below go through HandleCommand rather
    # than the SB API. The thread is selected first so the `$sp`/`$rsi`/`$r1`
    # expressions refer to the frame that hit the breakpoint.
    lldb.debugger.GetSelectedTarget().GetProcess().SetSelectedThread(frame.GetThread())
    if isMac():
        lldb.debugger.HandleCommand('register write $rsi 0')
    elif is64Bit():
        # NOTE(review): `memory write` without --size uses lldb's default width; confirm
        # that this clears the whole int the condition read, not just its first byte.
        lldb.debugger.HandleCommand('memory write "$sp" 0')
    else:
        lldb.debugger.HandleCommand('register write $r1 0')
    lldb.debugger.HandleCommand('continue')


def sysctl_callback(frame, bp_loc, internal_dict):
    """Breakpoint callback: if sysctl was called from module 0 (presumably the main
    executable), write 0 into the third-argument register (x2 / rdx / r2), then continue.
    """
    module = frame.GetThread().GetFrameAtIndex(1).GetModule()
    currentModule = lldb.debugger.GetSelectedTarget().GetModuleAtIndex(0)
    # Caller check compares only the first 20 characters of each module's string form;
    # the author's "to fix that" marks this as a known rough heuristic.
    # NOTE(review): when the check fails no `continue` is issued, so lldb's handling of
    # the callback's None return decides whether the process stays stopped — confirm.
    if str(module)[:20] == str(currentModule)[:20]: # to fix that
        print "find sysctl"
        register = "x2"
        if isMac():
            register = "rdx"
        elif not is64Bit():
            register = "r2"
        frame.FindRegister(register).value = "0"
        lldb.debugger.HandleCommand('continue')


def exit_callback(frame, bp_loc, internal_dict):
    """Breakpoint callback for exit(): pop the current frame with `thread return`, then continue."""
    print "find exit"
    lldb.debugger.GetSelectedTarget().GetProcess().SetSelectedThread(frame.GetThread())
    lldb.debugger.HandleCommand('thread return')
    lldb.debugger.HandleCommand('continue')
--------------------------------------------------------------------------------

/tweak/antiantidebug/AntiAntiDebug.plist:
--------------------------------------------------------------------------------
{ Filter = { Bundles = ( "com.autonavi.amap" ); }; }
--------------------------------------------------------------------------------

/tweak/antiantidebug/Makefile:
--------------------------------------------------------------------------------
# Theos deploy target; 127.0.0.1:2222 suggests a locally forwarded connection to the device.
export THEOS_DEVICE_IP = 127.0.0.1
export THEOS_DEVICE_PORT = 2222

include $(THEOS)/makefiles/common.mk

TWEAK_NAME = AntiAntiDebug
AntiAntiDebug_FILES = Tweak.xm

include $(THEOS_MAKE_PATH)/tweak.mk

# Restart SpringBoard on the device after each install.
after-install::
	install.exec "killall -9 SpringBoard"
--------------------------------------------------------------------------------

/tweak/antiantidebug/Tweak.xm:
--------------------------------------------------------------------------------
// Substrate tweak that hides the debugger from the four checks hooked below.
// It is only loaded into the bundle listed in AntiAntiDebug.plist.
#import
#import
// NOTE(review): the two header names above were lost in rendering (angle brackets
// stripped); they are not recoverable from this listing.

// Hook ptrace(): swallow request 31 (PT_DENY_ATTACH) and report success; pass everything else through.
static int (*orig_ptrace) (int request, pid_t pid, caddr_t addr, int data);
static int my_ptrace (int request, pid_t pid, caddr_t addr, int data){
    if(request == 31){
        NSLog(@"[AntiAntiDebug] - ptrace request is PT_DENY_ATTACH");
        return 0;
    }
    return orig_ptrace(request,pid,addr,data);
}

// Hook dlsym(): a lookup of exactly "ptrace" gets my_ptrace instead of the real symbol.
static void* (*orig_dlsym)(void* handle, const char* symbol);
static void* my_dlsym(void* handle, const char* symbol){
    if(strcmp(symbol, "ptrace") == 0){
        NSLog(@"[AntiAntiDebug] - dlsym get ptrace symbol");
        return (void*)my_ptrace;
    }
    return orig_dlsym(handle, symbol);
}

// Hook sysctl(): run the real call first, then for the MIB {1, 14, 1} with namelen 4
// clear P_TRACED in the returned kinfo_proc. The XOR only executes when the bit is
// set (checked just above it), so it acts as a clear; the return value is untouched.
static int (*orig_sysctl)(int * name, u_int namelen, void * info, size_t * infosize, void * newinfo, size_t newinfosize);
static int my_sysctl(int * name, u_int namelen, void * info, size_t * infosize, void * newinfo, size_t newinfosize){
    int ret = orig_sysctl(name,namelen,info,infosize,newinfo,newinfosize);
    if(namelen == 4 && name[0] == 1 && name[1] == 14 && name[2] == 1){
        struct kinfo_proc *info_ptr = (struct kinfo_proc *)info;
        if(info_ptr && (info_ptr->kp_proc.p_flag & P_TRACED) != 0){
            NSLog(@"[AntiAntiDebug] - sysctl query trace status.");
            info_ptr->kp_proc.p_flag ^= P_TRACED;
            if((info_ptr->kp_proc.p_flag & P_TRACED) == 0){
                NSLog(@"[AntiAntiDebug] trace status reomve success!");
            }
        }
    }
    return ret;
}

// Hook syscall(): for syscall number 26 (ptrace) with request 31, return without calling through.
// NOTE(review): `request = (long)args` casts the va_list object itself rather than
// reading the first variadic argument out of it — confirm this comparison can match
// on the targeted ABIs. `newArgs` is va_copy'd but never va_end'd. The hook is also
// declared with a va_list parameter and void* return; confirm against the real
// variadic syscall prototype.
static void* (*orig_syscall)(int code, va_list args);
static void* my_syscall(int code, va_list args){
    int request;
    va_list newArgs;
    va_copy(newArgs, args);
    if(code == 26){
        request = (long)args;
        if(request == 31){
            NSLog(@"[AntiAntiDebug] - syscall call ptrace, and request is PT_DENY_ATTACH");
            return nil;
        }
    }
    return (void*)orig_syscall(code, newArgs);
}

// Constructor: install the four hooks through MobileSubstrate when the tweak is loaded.
// ptrace is located by symbol name ("_ptrace") rather than by its C-level address.
%ctor{
    MSHookFunction((void *)MSFindSymbol(NULL,"_ptrace"),(void*)my_ptrace,(void**)&orig_ptrace);
    MSHookFunction((void *)dlsym,(void*)my_dlsym,(void**)&orig_dlsym);
    MSHookFunction((void *)sysctl,(void*)my_sysctl,(void**)&orig_sysctl);
    MSHookFunction((void *)syscall,(void*)my_syscall,(void**)&orig_syscall);

    NSLog(@"[AntiAntiDebug] Module loaded!!!");
}
--------------------------------------------------------------------------------

/tweak/antiantidebug/control:
--------------------------------------------------------------------------------
Package: com.monkey.antiantidebug
Name: AntiAntiDebug
Depends: mobilesubstrate
Version: 0.0.1
Architecture: iphoneos-arm
Description: Anti Anti Debug Tweak!
Maintainer: AloneMonkey
Author: AloneMonkey
Section: Tweaks
--------------------------------------------------------------------------------