Kernel module for syscall interception and fixing ptrace

Landon Fuller (http://landonf.bikemonkey.org/code/macosx) created a kernel module to bypass the PTRACE_DENY_ATTACH "anti-debug" feature of Mac OS X. For the Tiger version he used a deprecated API, which was removed on Leopard. For Leopard he re-routes the ptrace syscall to his own version by patching the syscall table. The Leopard approach is the more interesting one, because the same technique can be used to re-route other interesting syscalls (for cases where the DYLD_INSERT_LIBRARIES trick isn't usable), so I fixed his great code to work on Tiger as well.
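To make the syscall-table re-route concrete, here is a small user-space model of what the kernel module does, written as an added example for this post (it is not Landon Fuller's code and does not touch a real kernel). It models the table as an array of function pointers, installs a replacement entry for ptrace that swallows PT_DENY_ATTACH requests and forwards everything else to the saved original, and, from the defender's side, shows how a baseline snapshot of the table detects that an entry has been re-routed. The slot index (26) and request value (31) match SYS_ptrace and PT_DENY_ATTACH on Mac OS X; everything else (table size, counters, the `model_ptrace` body) is a constructed stand-in.

```c
#include <stdio.h>
#include <string.h>

/* Model of one syscall table entry: ptrace takes (request, pid). */
typedef int (*syscall_fn)(int request, int pid);

#define SYS_PTRACE_IDX   26   /* SYS_ptrace on Mac OS X */
#define PT_DENY_ATTACH_Q 31   /* PT_DENY_ATTACH request value on Mac OS X */
#define TABLE_SIZE       32   /* constructed: a real sysent is much larger */

static syscall_fn sysent_model[TABLE_SIZE];     /* the "live" table */
static syscall_fn sysent_baseline[TABLE_SIZE];  /* defender's snapshot */
static syscall_fn orig_ptrace;                  /* saved original entry */

/* Observable side effect: how often the real handler saw PT_DENY_ATTACH. */
static int deny_attach_seen = 0;

/* Constructed stand-in for the kernel's ptrace: in the real kernel a
 * PT_DENY_ATTACH request marks the calling process as non-attachable. */
static int model_ptrace(int request, int pid) {
    (void)pid;
    if (request == PT_DENY_ATTACH_Q)
        deny_attach_seen++;
    return 0;
}

/* Stand-in for an unrelated syscall occupying another slot. */
static int model_other(int request, int pid) {
    (void)request; (void)pid;
    return 0;
}

/* The re-routed ptrace: drop PT_DENY_ATTACH, forward everything else. */
static int hooked_ptrace(int request, int pid) {
    if (request == PT_DENY_ATTACH_Q)
        return 0;                      /* request never reaches the kernel */
    return orig_ptrace(request, pid);  /* all other requests pass through */
}

/* Populate the table and take the defender's baseline snapshot. */
void init_table(void) {
    for (int i = 0; i < TABLE_SIZE; i++)
        sysent_model[i] = model_other;
    sysent_model[SYS_PTRACE_IDX] = model_ptrace;
    memcpy(sysent_baseline, sysent_model, sizeof(sysent_model));
    deny_attach_seen = 0;
}

/* What the kext's start routine does: save the entry, then overwrite it. */
void install_hook(void) {
    orig_ptrace = sysent_model[SYS_PTRACE_IDX];
    sysent_model[SYS_PTRACE_IDX] = hooked_ptrace;
}

/* What the kext's stop routine does: restore the saved entry. */
void remove_hook(void) {
    sysent_model[SYS_PTRACE_IDX] = orig_ptrace;
}

/* Dispatch a syscall through the live table, as the trap handler would. */
int dispatch(int num, int request, int pid) {
    if (num < 0 || num >= TABLE_SIZE)
        return -1;
    return sysent_model[num](request, pid);
}

int deny_attach_count(void) {
    return deny_attach_seen;
}

/* Integrity check: number of entries that differ from the baseline. */
int count_modified_entries(void) {
    int changed = 0;
    for (int i = 0; i < TABLE_SIZE; i++)
        if (sysent_model[i] != sysent_baseline[i])
            changed++;
    return changed;
}

int main(void) {
    init_table();
    dispatch(SYS_PTRACE_IDX, PT_DENY_ATTACH_Q, 0);
    printf("before hook: deny_attach seen=%d, modified entries=%d\n",
           deny_attach_count(), count_modified_entries());
    install_hook();
    dispatch(SYS_PTRACE_IDX, PT_DENY_ATTACH_Q, 0);
    printf("after hook:  deny_attach seen=%d, modified entries=%d\n",
           deny_attach_count(), count_modified_entries());
    remove_hook();
    printf("after unload: modified entries=%d\n", count_modified_entries());
    return 0;
}
```

The detection half is the part worth keeping in mind: a module that patches sysent leaves a function pointer pointing outside the kernel text, and a snapshot taken at boot (or a comparison against the symbol the entry should hold) catches it, which is exactly how kernel integrity checkers flag this kind of hook.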

I also added a hook for the open() syscall; it is commented out, so if you want to use it you need to uncomment that code (check the source, it's there).

If you are using a version other than 10.4.11, you should edit the Info.plist file and replace the com.apple.kernel version string with the correct one for your kernel (hint: use uname -a to get it).

Grab the code: pt_deny_attach-201-tiger.tar.gz

As usual, have fun :-)