Here is my crazy idea: an anti-anti-debug kernel module, so that reversing efforts against “hostile” code get a little easier and faster.
This module will protect you against the classic PT_DENY_ATTACH trick and the sysctl debugger-detection trick described in Apple's Technical Q&A QA1361: http://developer.apple.com/qa/qa2004/qa1361.html.
For now it’s only compatible with Mac OS X Tiger v10.4.11. Soon I will make it compatible with Leopard.
Grab the binaries here: onyx-the-black-cat.kext.v0.1.tgz.
Here is a small program to test the sysctl trick: antidebug.c.
Xcode project source code here: onyx-the-black-cat.src.tgz.
More updates very soon. Meanwhile enjoy this :-).
fG!
Some good reading:
Attacking FreeBSD with Kernel Modules by pragmatic / THC <http://packetstormsecurity.org/papers/unix/bsdkern.htm>
Fun and Games with FreeBSD Kernel Modules by Stephanie Wehner <http://www.r4k.net/mod/fbsdfun.html>
Designing BSD Rootkits: An Introduction to Kernel Hacking by Joseph Kong, No Starch Press