Suffering from post-conference boredom I decided to redo Onyx The Black Cat kernel extension to kickstart again my brain and get back to serious work. There were also some people asking for an updated version so here it is!
This reworked version uses kernel control interface to enable/disable its features. It is much better than sysctl used before. It is also compatible with Snow Leopard, Lion, and Mountain Lion, and, hopefully, it should run without any problems in future versions. It uses a disassembler to locate the places that need to be patched. That part of the code is not pretty but it works. The symbols are read from the /mach_kernel at disk to maintain compatibility with Snow Leopard and below.
It contains measures to bypass the PT_DENY_ATTACH, sysctl, and kauth anti-debug tricks. Also contains an option to reenable the possiblity of task_for_pid() the kernel task (useful for testing stuff and maybe forensics), and another to patch the CPU resume flag. For some (weird?) reason Apple clears up the resume flag from EFLAGS (if I am not mistaken, similar situation happens with Windows 98), making it impossible to use that single step feature when building your custom debuggers (very useful for quick single-stepping hacks).
Tested with Snow Leopard 10.6.8 (32 and 64 bit), Lion 10.7.5 (64 bit), and Mountain Lion 10.8.3 (64 bit).
Code is available at github.
Enjoy,
fG!