Landon Fuller (http://landonf.bikemonkey.org/code/macosx) created a kernel module to bypass the PTRACE_DENY_ATTACH “anti-debug” feature of Mac OS X. For the Tiger version he used a deprecated API, removed on Leopard. For Leopard he re-routes the ptrace syscall to his own version by patching the syscall table. Since the Leopard version is much more interesting because we can use it to re-route other interesting syscalls (for cases where DYLD_INSERT_LIBRARIES trick isn’t interesting to use), I fixed his great code to be used for Tiger.
I added the open() syscall, and if you want to use it you should uncomment the code for it (check the source code, it’s there.
If you are using other version than 10.4.11, you should edit the Info.plist file and replace the com.apple.kernel string for the correct one (hint: use uname -a to get it).
Grab the code here:
As usual, have fun 🙂