Is it possible to conceal an OS X app from DTrace?

∥☆過路亽.° submitted on 2019-12-25 00:58:59

Question


I am developing an OS X application that I would like to conceal from inspection by DTrace. I'm aware of the P_LNOATTACH flag, but everything I've read tells me that there are ways around it. Is it possible?


Answer 1:


Yes, it's possible. Try running DTrace against iTunes; it doesn't work.

You have to call the ptrace function with PT_DENY_ATTACH.

http://developer.apple.com/library/mac/#documentation/Darwin/Reference/ManPages/man2/ptrace.2.html

However, there are ways around it with various kexts. Google around and you'll find some of them.

For 10.6 & 10.7: https://github.com/dwalters/pt_deny_attach

Hmm, looks like it's broken with 10.8 due to ASLR: Detecting, and Shirking Off, the Debugger




Answer 2:


As noted, you can use ptrace(2) with PT_DENY_ATTACH, but DTrace or a debugger can intercept those calls and disable them. Further, you want your users using DTrace on your program. If there's a problem, let them help you diagnose it. The only truly proprietary software executes on controlled environments like appliances and the cloud -- once you hand a user your bits, the only thing in the way of understanding what you're doing is time.




Answer 3:


According to various sources around the web, including Wikipedia's DTrace article and Ars Technica, if the P_LNOATTACH flag is set for a process, Apple's DTrace implementation won't execute any probes on it.



Source: https://stackoverflow.com/questions/10406419/is-it-possible-to-conceal-a-os-x-app-from-dtrace
