PT_DENY_ATTACH is a non-standard ptrace() request type that prevents a debugger from attaching to the calling process. Adam Leventhal recently discovered that Leopard extends PT_DENY_ATTACH to prevent introspection into processes using dtrace. This article will cover disabling PT_DENY_ATTACH for all processes on Mac OS X 10.5. Over the previous few years, I’ve provided similar hacks for both Mac OS X 10.4 and 10.3.
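As an added illustration of the request the article is disabling (this is not code from Landon's article or from the kext it describes), here is how an application opts in to PT_DENY_ATTACH on Mac OS X. The function names are mine, and the preprocessor guard is an assumption that lets the file build on systems whose ptrace() has no such request:

```c
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/ptrace.h>

/* Report whether this platform defines the PT_DENY_ATTACH request at all
 * (Apple's BSD layer does; Linux and other ptrace() implementations do not). */
int deny_attach_available(void)
{
#ifdef PT_DENY_ATTACH
    return 1;
#else
    return 0;
#endif
}

/* Ask the kernel to refuse future debugger attachment to this process.
 * Returns 1 when the request was applied, 0 when the platform lacks
 * PT_DENY_ATTACH (the call is skipped), and -1 when ptrace() itself failed.
 * On Mac OS X the request also terminates the process if a tracer is already
 * attached, so the caller never sees a return value in that situation. */
int deny_debugger_attach(void)
{
#ifdef PT_DENY_ATTACH
    if (ptrace(PT_DENY_ATTACH, 0, 0, 0) == -1)
        return -1;
    return 1;
#else
    return 0;
#endif
}

int main(void)
{
    int rc = deny_debugger_attach();
    if (rc == 1)
        printf("PT_DENY_ATTACH applied (pid %d); attach a debugger from another shell to observe the refusal\n",
               (int)getpid());
    else if (rc == 0)
        printf("PT_DENY_ATTACH not available on this platform; nothing applied\n");
    else
        perror("ptrace(PT_DENY_ATTACH)");
    /* Stay alive long enough for the reader to test attachment from another shell. */
    sleep(60);
    return 0;
}
```

Run it on an unpatched 10.5 system and attachment attempts against the printed pid are refused; with the article's kext loaded the same binary runs, but the request no longer has any effect, which is exactly the behaviour change the patch is about.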
Since Landon used to work in the Kernel/BSD Group at Apple it’s not a stretch to think he knows something about the inner workings of OS X.
Think I'll go buy a Blu-ray drive, hire movies, dtrace them so I can crack them and sell the copies on eBay, then I'll go hack the iTunes DRM and give the spoils away for free on BitTorrent … I'll have to look around to see what other stuff I can do after that 🙂
Or I might just go apply the patch and be happy my dtrace will work as advertised … undecided!
Ooh, and good man Landon for taking the time to do this….
Edited 2008-01-24 00:22 UTC
Damn, edit expired on me .. apologies for the double post .. This patch works, it seems: Adam's test D script shows the probe firing every 10 secs even with iTunes running. Only 5 mins to compile and attach the extension too; dmesg shows exactly what Landon says 🙂
Macintosh-2:Deployment Cass$ ps -ef |grep iTunes|egrep -v "Helper|grep"
501 34206 141 0 0:01.14 ?? 0:04.11 /Applications/iTunes.app/Contents/MacOS/iTunes -psn_0_1511793
Macintosh-2:Deployment Cass$ sudo dtrace -s test.d |grep tick
dtrace: script 'test.d' matched 2 probes
0 22128 :tick-10s
0 22128 :tick-10s
0 22128 :tick-10s
0 22128 :tick-10s
0 22128 :tick-10s
Macintosh-2:Deployment Cass$ sudo dtrace -s test2.d
dtrace: script 'test2.d' matched 2 probes
CPU ID FUNCTION:NAME
0 22196 :tick-1s
2000
0 22196 :tick-1s
1998
0 22196 :tick-1s
1997
0 22196 :tick-1s
1996
0 22196 :tick-1s
1997
Nice work Landon
Edited 2008-01-24 00:56 UTC
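The "test.d" run above is not reproduced in the thread, so here is an added D script in the same spirit (my reconstruction, not Adam Leventhal's or the commenter's file) that a practitioner can use to check whether the patch took effect. It arms two probes, matching the "matched 2 probes" line above, and assumes only the standard profile provider:

```d
#!/usr/sbin/dtrace -s
/* Constructed check for the PT_DENY_ATTACH/dtrace interaction on Mac OS X 10.5.
 * On an unpatched system the tick probe goes quiet while a PT_DENY_ATTACH
 * process (for example iTunes) is running; with the kext loaded it keeps
 * firing every 10 seconds regardless of what else is on the box. */
BEGIN
{
    printf("probes armed; start a PT_DENY_ATTACH process and watch for gaps\n");
}

profile:::tick-10s
{
    printf("%Y tick\n", walltimestamp);
}
```

Run it as root with `sudo dtrace -s test.d`, start iTunes, and compare the spacing of the timestamps before and after loading the extension; a gap longer than 10 seconds while iTunes is up means the restriction is still active.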
I can see it already. Mac OS is gaining market share, so this nice how-to article will probably get some gears turning in certain corners of the net (well, they probably were already, to be honest).
To install a kext (kernel extension) file as the author does, you need to be able to create files with root:wheel. If someone already has that ability, all hope is pretty much gone.