Clownpertino - A simple macOS debugger detection trick
This is a simple PoC showing how to detect the LLDB debugger based on its always-active image notifier breakpoint.
Follow the corresponding blogpost here.
Enjoy,
fG!
The put.as team, Scott, #dc351, 0xOpoSec, and all the good friends around the world.
A special fuck you to all the nazi and fascist scum around the world. Punch them hard!
Compile:
clang -o clownpertino clownpertino.c
Just run it under lldb and you should see the debugger detected message:
% lldb ./clownpertino
(lldb) target create "./clownpertino"
Current executable set to '/Users/timapple/clownpertino' (x86_64).
(lldb) r
Process 728 launched: '/Users/timapple/clownpertino' (x86_64)
dyld version: 17
dyld string: 1284.13
dyld base address: 0x7ff80225f000
dyld base magic: 0xfeedfacf
Notifier address: 0x7ff802298130
Notifier symbol: 0x39130
Notifier content: 0xe58948cc
DEBUGGER DETECTED! Hey Tim Apple, why don't you give me a $1m instead of selling out to Trump?
Process 728 exited with status = 1 (0x00000001)
(lldb)
Requirements:
A working compiler and lldb, aka full Xcode or Command Line Tools for Xcode :P
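The check behind the "Notifier content" line in the session above, as an added example that is not the project's clownpertino.c. The function names are hypothetical, the code assumes x86_64 as in the session, and it only sees a software breakpoint written at the notifier's first byte.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef __APPLE__
#include <mach/mach.h>
#include <mach-o/dyld_images.h>
#endif

#define X86_INT3 0xCC /* one-byte x86 software breakpoint opcode */

/* `content` is the little-endian 32-bit word read at the notifier address,
   i.e. the value printed as "Notifier content". Its lowest byte is the
   first instruction byte. Returns 1 if that byte is INT3. */
int notifier_has_breakpoint(uint32_t content) {
    return (content & 0xFF) == X86_INT3;
}

/* Reads the first 4 bytes of dyld's image notifier in the current process.
   Returns 0 on success, -1 on failure or when not built on macOS. */
int read_notifier_content(uint32_t *out) {
#ifdef __APPLE__
    task_dyld_info_data_t info;
    mach_msg_type_number_t count = TASK_DYLD_INFO_COUNT;
    if (task_info(mach_task_self(), TASK_DYLD_INFO,
                  (task_info_t)&info, &count) != KERN_SUCCESS)
        return -1;
    const struct dyld_all_image_infos *all =
        (const struct dyld_all_image_infos *)(uintptr_t)info.all_image_info_addr;
    if (all == NULL || all->notification == NULL)
        return -1;
    memcpy(out, (const void *)(uintptr_t)all->notification, sizeof(*out));
    return 0;
#else
    (void)out;
    return -1;
#endif
}

int main(void) {
    uint32_t content = 0;
    if (read_notifier_content(&content) != 0)
        content = 0xe58948ccu; /* fallback: value from the session above */
    printf("Notifier content: 0x%08x\n", (unsigned)content);
    printf("breakpoint at notifier: %s\n",
           notifier_has_breakpoint(content) ? "yes" : "no");
    return notifier_has_breakpoint(content);
}
```

In the session's value 0xe58948cc the bytes in memory are cc 48 89 e5: the 48 89 e5 is `mov rbp, rsp`, and the cc sits where a standard prologue would have `push rbp` (0x55).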