Giaour
May 21st, 2007, 06:15
Is there a method to detect if a program being debugged using ptrace if the app in question is complex enough?
Classics..
Is not working because complex-enough-app usually relies on proper signal handling which is ruined by ptrace.
"nanosleep" method which is described at http://www.secureprogramming.com/?action=view&feature=recipes&recipeid=8 is also not working in modern glibc (or that's just me?) and also causes significatant slowdown (one second until signal is delivered) of application startup.
LKM-based solutions should work (ofcourse), but I'd really like to avoid it.
Classics..
Code:
if (ptrace(PTRACE_TRACEME, 0, 0, 0) < 0) {
printf("ptraced\n";
exit(1);
}
Is not working because complex-enough-app usually relies on proper signal handling which is ruined by ptrace.
"nanosleep" method which is described at http://www.secureprogramming.com/?action=view&feature=recipes&recipeid=8 is also not working in modern glibc (or that's just me?) and also causes significatant slowdown (one second until signal is delivered) of application startup.
LKM-based solutions should work (ofcourse), but I'd really like to avoid it.