Results 1 to 14 of 14

Thread: linux anti anti debugging tut

  1. #1

    Lightbulb linux anti anti debugging tut

    hi all,

    i have written a basic but detailed linux anti anti debugging tutorial,

    you can grab it here

    hope it is useful,

    cheers, 0xf001
    Attached Files Attached Files

  2. #2
    lifewire
    Guest
    Nice and clear paper, however, 90% of it could applied to win32 too (besides of the usage of the linux tools like the debugger and such).
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  3. #3
    hi lifewire!

    i am aware of that - as said it is basic, the tools and how to use them with examples is what I tried to give hints for newbies who do not know where to start because gdb does not break etc

    cheers, 0xf001

  4. #4
    Super Moderator
    Join Date
    Dec 2004
    Posts
    1,525
    Blog Entries
    15
    i dunno why it looks garish in notepad all the 0x0d 0x0a got hardcoded
    and every line is merged inside one another

    probably some unix -->windows crlf problem i would assume

    btw you started using objdump

  5. #5
    blabberer

    exactly, you could use an editor which "understands" unix textfiles, or use wordpad MFC,ultraedit, .... OR view it under linux

    and no, I did not start using objdump. I just started to use the -M option, hehe
    this is the beginners version, objdump is available everywhere, so it is easy to explain

    Of course - if any corrupted section header, nothing will work anymore. Therefore another tut is in the works

  6. #6
    Wizard Extraordinaire
    Join Date
    Sep 2002
    Posts
    127
    3) Detecting debugging (ptrace)

    Euhm wouldn't it be a hell of a lot easier to use LD_PRELOAD here, with your own ptrace() function

  7. #7
    Hi SiNTAX,

    this would of course be an option. but then you can not debug your binary anymore with gdb, since it wants to also use ptrace()

    you have to code gdb detection into the ptrace function and there I think it gets more complicated, but it is another option.

    I have a little example attached, just for fun

    Code:
    // ptrace.c -- Our little ptrace dummy  --
    int ptrace(int i, int j, int k, int l)
    {
    	printf("  PTRACE CALLED!\n");
    }
    
    // antiptrace.c -- Our little ptrace test executable  --
    int main()
    {
      if (ptrace(0,0,1,0) < 0)
      {
        printf("DEBUGGER PRESENT!\n");
        exit(1);
      }
      printf("Hello World!\n");
    }
    now if you run this it says Hello World!

    Running in gdb it says DEBUGGER PRESENT! and Hello World

    If we compile the above code with
    Code:
    gcc antiptrace.c -o antiptrace
    gcc -shared ptrace.c -o ptrace.so
    and set LD_PRELOAD=ptrace.so and run it in the debugger it says
    Code:
    # gdb antiptrace
    GNU gdb 6.0-2
    Copyright 2003 Free Software Foundation, Inc.
    GDB is free software, covered by the GNU General Public License, and you are
    welcome to change it and/or distribute copies of it under certain conditions.
    Type "show copying" to see the conditions.
    There is absolutely no warranty for GDB.  Type "show warranty" for details.
    This GDB was configured as "i586-linux-gnu"...Using host libthread_db library "/lib/tls/libthread_db.so.1".
    
    gdb> bp _start
    Breakpoint 1 at 0x8048300: file ../sysdeps/i386/elf/start.S, line 48.
    gdb> 
    gdb> run
      PTRACE CALLED!
      PTRACE CALLED!
    Hello World!
    
    Program exited with code 010.
    You can't do that without a process to debug.
    _______________________________________________________________________________
    Error while running hook_stop:
    No registers.
    gdb> 
    gdb> q
    but of course the breakpoint did not work, therefore the program did not detect us

    has anyone a good gdb detection method in his ptrace.c ?

    cheers, 0xf001

  8. #8
    Or, incidentially, there is an easier method to bypass the LD_PRELOAD trick, as shown below.

    Code:
    gdb> help set environment
    Set environment variable value to give the program.
    Arguments are VAR VALUE where VAR is variable name and VALUE is value.
    VALUES of environment variables are uninterpreted strings.
    This does not affect the program until the next "run" command.
    http://www.felinemenace.org || http://www.pulltheplug.org

  9. #9
    the elegant solution

    thanks, 0xf001

  10. #10
    Wizard Extraordinaire
    Join Date
    Sep 2002
    Posts
    127
    0xf001,

    just test for the TRACEME flag, otherwise pass the call onto the real ptrace().

  11. #11
    hi sintax,

    yes i know. the above code snippet is just to illustrate the concept

    the question afterwards was how to explicitly detect gdb, since any ptrace calls can be made by the executable. as i do not often use gdb , i did not realize yet you can set the environment from gdb as well

  12. #12
    Hmm, I'll have to post my anti-debug binary if/when I finish it. There will be countless fun I'd imagine

    Just need motivation and stuff.
    http://www.felinemenace.org || http://www.pulltheplug.org

  13. #13
    hi andrewg!

    please do so I highly appreciate it

    we can then test your antidebuggings and see if we find a way around it

    thanks, 0xf001

  14. #14
    hi,

    I have updated the anti anti debugging tutorial. it is extended and a little bit cleaned up ...

    enjoy, 0xf001
    Attached Files Attached Files
    Last edited by 0xf001; January 22nd, 2005 at 06:39.

Similar Threads

  1. Protected Mode Segmentation as a powerful anti-debugging measure
    By j00ru vx tech blog in forum Blogs Forum
    Replies: 1
    Last Post: June 19th, 2011, 06:56
  2. Is this new anti-debugging method or Ollydbg error?
    By Raygun in forum OllyDbg Support Forums
    Replies: 1
    Last Post: January 16th, 2005, 12:51
  3. Replies: 10
    Last Post: May 24th, 2003, 14:12
  4. Anything new on heh, on the subject of anti debugging....
    By MCooly in forum Advanced Reversing and Programming
    Replies: 2
    Last Post: December 8th, 2000, 06:12
  5. heh, on the subject of anti debugging....
    By Lord Soth in forum Advanced Reversing and Programming
    Replies: 6
    Last Post: November 30th, 2000, 18:59

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •