From eeea0b91c0997357fe02e08d3aac63185751dee2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alexander=20Mei=C3=9Fner?=
Date: Tue, 23 Sep 2014 16:15:54 +0200
Subject: [PATCH] Improved ptrace patch and added a appropriate test

Fixed missing include warnings in tests
---
 kext/antidebug.c       | 11 +++++++++--
 tests/testptrace.c     |  6 ++++--
 tests/testptraceTrap.c | 27 +++++++++++++++++++++++++++
 3 files changed, 40 insertions(+), 4 deletions(-)
 create mode 100755 tests/testptraceTrap.c

diff --git a/kext/antidebug.c b/kext/antidebug.c
index cf69c6f..4960324 100644
--- a/kext/antidebug.c
+++ b/kext/antidebug.c
@@ -48,6 +48,7 @@
 #include "cpu_protections.h"
 
 /* ptrace request */
+#define PT_ATTACH 10
 #define PT_DENY_ATTACH 31
 #define P_LNOATTACH 0x00001000
 #define P_LTRACED 0x00000400
@@ -225,16 +226,22 @@ ustack();
 
 int onyx_ptrace(struct proc *p, struct ptrace_args *uap, int *retval)
 {
+    /* retrieve pid using exported functions so we don't need definition of struct proc */
+    pid_t pid = proc_pid(p);
     char processname[MAXCOMLEN+1] = {0};
     // verify if it's a PT_DENY_ATTACH request and fix for all processes that call it
     if (uap->req == PT_DENY_ATTACH)
     {
-        /* retrieve pid using exported functions so we don't need definition of struct proc */
-        pid_t pid = proc_pid(p);
         proc_name(pid, processname, sizeof(processname));
         LOG_INFO("Blocked PT_DENY_ATTACH/P_LNOATTACH in PID %d (%s)", pid, processname);
         return 0;
     }
+    // for the extra tricky ones : simulate exact behavior
+    else if (uap->req == PT_ATTACH && uap->pid == pid)
+    {
+        proc_signal(pid, SIGSEGV);
+        return 22;
+    }
     // else it's business as usual, we are not interested in messing with other requests
     else
     {
diff --git a/tests/testptrace.c b/tests/testptrace.c
index 0c249fa..6cdd4f1 100644
--- a/tests/testptrace.c
+++ b/tests/testptrace.c
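Review bot: The new `else if (uap->req == PT_ATTACH && uap->pid == pid)` branch delivers SIGSEGV to every process that attaches to itself, whether or not that process ever issued PT_DENY_ATTACH; the PT_DENY_ATTACH branch above returns 0 without recording anything, so nothing links the two requests, and a self-attach from a process that never asked to be protected presumably now dies where the stock kernel would only fail the call. Remembering which PIDs requested PT_DENY_ATTACH (cleared when they exit) and signalling only those would keep the emulation confined to the case the comment "simulate exact behavior" describes. Independently, `return 22;` is a magic number: 22 is the value of `EINVAL`, so `return EINVAL;` with a one-line comment such as `/* same error the real ptrace() reports for a refused self-attach -- confirm against the kernel source */` documents the intent. The `#define PT_ATTACH 10` in the first hunk is hand-copied like the other ptrace constants; a comment naming the header these values mirror would help the next reader check them. The body of onyx_ptrace continues past the end of the hunk.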
@@ -1,12 +1,14 @@
 /*
  * test PT_DENY_ATTACH
  */
+#include
+#include
 #include
 #include
 
 int main()
 {
-    ptrace(PT_DENY_ATTACH, -1, 0, 0);
+    ptrace(PT_DENY_ATTACH, 0, 0, 0);
     sleep(2);
     printf("Buh!\n");
-}
+}
\ No newline at end of file
diff --git a/tests/testptraceTrap.c b/tests/testptraceTrap.c
new file mode 100755
index 0000000..9bd3738
--- /dev/null
+++ b/tests/testptraceTrap.c
@@ -0,0 +1,27 @@
+/*
+ * test PT_DENY_ATTACH and SIGSEGV
+ */
+#include
+#include
+#include
+#include
+#include
+
+unsigned int trap = 1;
+
+void signalHandler(int signal)
+{
+    trap = 0;
+}
+
+int main()
+{
+    ptrace(PT_DENY_ATTACH, 0, 0, 0);
+    signal(11, signalHandler);
+    ptrace(PT_ATTACH, getpid(), 0, 0);
+    signal(11, 0);
+    if(trap)
+        ((unsigned int*)0)[0] = 0;
+    sleep(2);
+    printf("Buh!\n");
+}
\ No newline at end of file
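Review bot: `trap` is written from a signal handler and read afterwards in main, so it should be declared `volatile sig_atomic_t trap = 1;` rather than `unsigned int`; without `volatile` the compiler is free to keep the value it loaded before the `ptrace(PT_ATTACH, ...)` call and the `if(trap)` test never sees the handler's store. The two `signal(11, ...)` calls spell out the raw number: `signal(SIGSEGV, signalHandler);` and `signal(SIGSEGV, SIG_DFL);` say what is meant and do not depend on 11 being SIGSEGV on the build host. The test also assumes the SIGSEGV the kext sends via `proc_signal` is delivered before `ptrace` returns to user space; if it arrived later the deliberate null store `((unsigned int*)0)[0] = 0;` would crash the test even though the signal was sent, so a comment such as `/* the kext must deliver SIGSEGV during the self-attach; if it did not, crash on purpose so the failure is visible */` should state that expectation. Finally `int main()` falls off its end; `return trap;` would report the outcome through the exit status so the test can be driven from a script.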