Log in

View Full Version : linux anti anti debugging tut


0xf001
January 15th, 2005, 23:55
hi all,

i have written a basic but detailed linux anti anti debugging tutorial,

you can grab it here

hope it is useful,

cheers, 0xf001

lifewire
January 16th, 2005, 07:15
Nice and clear paper, however, 90% of it could applied to win32 too (besides of the usage of the linux tools like the debugger and such).

0xf001
January 16th, 2005, 07:44
hi lifewire!

i am aware of that - as said it is basic, the tools and how to use them with examples is what I tried to give hints for newbies who do not know where to start because gdb does not break etc

cheers, 0xf001

blabberer
January 16th, 2005, 08:07
i dunno why it looks garish in notepad all the 0x0d 0x0a got hardcoded
and every line is merged inside one another

probably some unix -->windows crlf problem i would assume

btw you started using objdump

0xf001
January 16th, 2005, 08:30
blabberer

exactly, you could use an editor which "understands" unix textfiles, or use wordpad MFC,ultraedit, .... OR view it under linux

and no, I did not start using objdump. I just started to use the -M option, hehe
this is the beginners version, objdump is available everywhere, so it is easy to explain

Of course - if any corrupted section header, nothing will work anymore. Therefore another tut is in the works

SiNTAX
January 18th, 2005, 05:48
3) Detecting debugging (ptrace)

Euhm wouldn't it be a hell of a lot easier to use LD_PRELOAD here, with your own ptrace() function

0xf001
January 18th, 2005, 17:02
Hi SiNTAX,

this would of course be an option. but then you can not debug your binary anymore with gdb, since it wants to also use ptrace()

you have to code gdb detection into the ptrace function and there I think it gets more complicated, but it is another option.

I have a little example attached, just for fun

Code:


// ptrace.c -- Our little ptrace dummy --
int ptrace(int i, int j, int k, int l)
{
printf(" PTRACE CALLED!\n";
}

// antiptrace.c -- Our little ptrace test executable --
int main()
{
if (ptrace(0,0,1,0) < 0)
{
printf("DEBUGGER PRESENT!\n";
exit(1);
}
printf("Hello World!\n";
}


now if you run this it says Hello World!

Running in gdb it says DEBUGGER PRESENT! and Hello World

If we compile the above code with
Code:

gcc antiptrace.c -o antiptrace
gcc -shared ptrace.c -o ptrace.so

and set LD_PRELOAD=ptrace.so and run it in the debugger it says
Code:

# gdb antiptrace
GNU gdb 6.0-2
Copyright 2003 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i586-linux-gnu"...Using host libthread_db library "/lib/tls/libthread_db.so.1".

gdb> bp _start
Breakpoint 1 at 0x8048300: file ../sysdeps/i386/elf/start.S, line 48.
gdb>
gdb> run
PTRACE CALLED!
PTRACE CALLED!
Hello World!

Program exited with code 010.
You can't do that without a process to debug.
_______________________________________________________________________________
Error while running hook_stop:
No registers.
gdb>
gdb> q


but of course the breakpoint did not work, therefore the program did not detect us

has anyone a good gdb detection method in his ptrace.c ?

cheers, 0xf001

andrewg
January 18th, 2005, 17:44
Or, incidentially, there is an easier method to bypass the LD_PRELOAD trick, as shown below.

Code:
gdb> help set environment
Set environment variable value to give the program.
Arguments are VAR VALUE where VAR is variable name and VALUE is value.
VALUES of environment variables are uninterpreted strings.
This does not affect the program until the next "run" command.



0xf001
January 18th, 2005, 17:54
the elegant solution

thanks, 0xf001

SiNTAX
January 18th, 2005, 18:14
0xf001,

just test for the TRACEME flag, otherwise pass the call onto the real ptrace().

0xf001
January 18th, 2005, 18:39
hi sintax,

yes i know. the above code snippet is just to illustrate the concept

the question afterwards was how to explicitly detect gdb, since any ptrace calls can be made by the executable. as i do not often use gdb , i did not realize yet you can set the environment from gdb as well

andrewg
January 18th, 2005, 20:03
Hmm, I'll have to post my anti-debug binary if/when I finish it. There will be countless fun I'd imagine

Just need motivation and stuff.

0xf001
January 19th, 2005, 08:24
hi andrewg!

please do so I highly appreciate it

we can then test your antidebuggings and see if we find a way around it

thanks, 0xf001

0xf001
January 21st, 2005, 19:48
hi,

I have updated the anti anti debugging tutorial. it is extended and a little bit cleaned up ...

enjoy, 0xf001