kernel flag inspection via sysctl

Created the Saturday 11 January 2025. Updated 4 days, 10 hours ago.

The sysctl anti-debugging technique can be abused by malware to detect and evade debugging tools on macOS or BSD-like systems. By querying the kernel for process information, malware checks flags (e.g., 0x800) to see if a debugger is attached. If detected, the malware can terminate, alter behavior, or enter a dormant state to avoid analysis.

This technique blends with legitimate system calls, it makes detection harder, and allow to bypass sandboxes analysis. BANSHEE Stealer (11aa6eeca2547fcf807129787bec0d576de1a29b56945c5a8fb16ed8bf68f782) uses this method to evade reverse-engineering and maintain stealth.

Technique Identifier

U0135

Code Snippets

import ctypes
import os
import sys
import platform

def is_debugger_attached():
    try:
        libc = ctypes.CDLL('/usr/lib/libc.dylib')
        
        # Define function prototype for sysctl
        libc.sysctl.argtypes = [
            ctypes.POINTER(ctypes.c_int),
            ctypes.c_uint,
            ctypes.c_void_p,
            ctypes.POINTER(ctypes.c_size_t),
            ctypes.c_void_p,
            ctypes.c_size_t
        ]
        
        # flags
        kinfo_proc = (ctypes.c_byte * 648)()  # Size for arm64
        size = ctypes.c_size_t(ctypes.sizeof(kinfo_proc))
        
        # MIB for sysctl
        CTL_KERN = 1
        KERN_PROC = 14
        KERN_PROC_PID = 1
        
        mib = (ctypes.c_int * 4)(CTL_KERN, KERN_PROC, KERN_PROC_PID, os.getpid())
        

        ret = libc.sysctl(mib, 4, kinfo_proc, ctypes.byref(size), None, 0)
        print(f"sysctl return: {ret}")
        
        if ret == 0:
            # The p_flag field is at offset 0x18 (24) in arm64
            p_flag = int.from_bytes(kinfo_proc[24:28], byteorder='little')
            print(f"Process flags: {p_flag:08x}")
            
            P_TRACED = 0x00000800    # Being traced (debugged)
            P_TRACED_SYS = 0x00000200  # System trace flag
            
            is_traced = bool(p_flag & (P_TRACED | P_TRACED_SYS))
            print(f"Trace flags check: {p_flag & (P_TRACED | P_TRACED_SYS):08x}")
            return is_traced
            
    except Exception as e:
        print(f"Error: {str(e)}")
        return False

# Alternative method using vmmap
def check_debugger_vmmap():
    try:
        import subprocess
        cmd = f"vmmap {os.getpid()}"
        result = subprocess.run(cmd.split(), capture_output=True, text=True)
        return "LLDB" in result.stdout or "debugserver" in result.stdout
    except:
        return False

print("Starting debugger check...")
print(f"Current PID: {os.getpid()}")
print(f"Platform: {platform.machine()}")

print("\nMethod 1: sysctl")
if is_debugger_attached():
    print("⚠️ Debugger detected!")
else:
    print("✅ No debugger attached")

print("\nMethod 2: vmmap")
if check_debugger_vmmap():
    print("⚠️ Debugger detected!")
else:
    print("✅ No debugger attached")

About Author Open Snippet

Author: Thomas Roccia (fr0gger) / Target Platform: Macos

Additional Resources

External Links

The resources provided below are associated links that will give you even more detailed information and research on current evasion technique. It is important to note that, while these resources may be helpful, it is important to exercise caution when following external links. As always, be careful when clicking on links from unknown sources, as they may lead to malicious content.

https://www.elastic.co/security-labs/beyond-the-wail