Onyx The Black Cat v0.3

March 25, 2009 in Tools | 12 comments

Version 0.3 is here. A couple small bugs are fixed, module features can be controled via sysctl variables (enable or disable features) and code is split into different source files (it was a mess in a single file!). Tiger support is removed so it’s ready to work with Leopard 10.5.6. Check the README file for more info.

As a bonus I discovered that DTrace equivalent to PT_DENY_ATTACH (P_LNOATTACH) is bypassed due to our ptrace hijack. Didn’t knew about this one :) Check the source for antidebug.c to understand why this happens.

Code: onyx-the-black-cat-v0-3.tgz (SHA1(onyx-the-black-cat-v0-3.tgz)= 194c2e7481113b562c6e23a2b5059769bc9e8ffb)

12 comments

  1. tracemac’s avatar

    tracemac on March 26, 2009 at 8:32 pm

    Hi fG,
    today I tried onyx the black cat and got an kernel panic – this happens while applemail was receiving emails.
    After a restart mail was messed up – no accounts and no emails – all lost. :(
    I’m working on a ppc mac with mac os x 10.5.6
    Hope you can fix that.

    tracemac

    1. fG!’s avatar

      fG! on March 27, 2009 at 1:09 am

      Hello,

      I’m only supporting Intel x86 because I don’t have access to a PPC Mac. I will try to give a look at the code and try to understand where it can fail. Can you post the crash report so I can give a look ?

      Thanks,
      fG!

  2. John Doe’s avatar

    John Doe on March 31, 2009 at 6:04 pm

    There is no .kext file provided in v0.3′s post. Or what am I missing?

    1. fG!’s avatar

      fG! on April 1, 2009 at 12:03 am

      Hello,

      Only source is posted. You will need to compile it with Xcode 3.x :)

      fG!

  3. t0mm1gun’s avatar

    t0mm1gun on April 15, 2009 at 4:05 pm

    There are still apps like “Vector Magic” (http://vectormagic.com/desktop) on which you cannot bypass the ptrace traps with this kext.
    It would be great to get them bypassed too in a further release of “Onyx The Black Cat”. ;-)

    1. fG!’s avatar

      fG! on April 15, 2009 at 11:32 pm

      Hummmm downloading that one and checking it :) It should be some other trick ! I will give some news as soon as I find them!

    2. fG!’s avatar

      fG! on April 15, 2009 at 11:39 pm

      I have tested Vector Magic and I can attach gdb without any problem (with Onyx active of course). It doesn’t seem to have the ptrace trick but instead seems to use the sysctl anti-debug trick.

  4. tracemac’s avatar

    tracemac on April 16, 2009 at 8:17 pm

    I second your last message fG, no prob here with Vector Magic, too (on ppc)

    btw: any news about the kernel panic prob?

    tm

    1. fG!’s avatar

      fG! on April 16, 2009 at 10:40 pm

      Hi,

      I still had no time to give a look at the code. I will try to give a look next week. Sorry :/

  5. Owner’s avatar

    Owner on July 1, 2009 at 11:58 am

    How do I make this compatible with 10.5.7 ? (or is it already?)

    1. fG!’s avatar

      fG! on July 1, 2009 at 12:08 pm

      It should be already compatible. If not you just need to modify the Info.plist and change the key com.apple.kernel to 9.7.0, which is 10.5.7 version (you can always grab that from uname -a).
      It’s working without any problem with 10.5.7 on Intel Macs. I use it on my live machine and on a 10.5.0 vmware machine.

  6. Owner’s avatar

    Owner on July 1, 2009 at 1:22 pm

    Thanks, changing it to 9.7.0 worked fine.

Comments are now closed.