Bypass Linux Basic Anti Debugging

First of all, Hello everyone. Welcome to my new Writeup.

There are many methods to prevent debugging in Linux. In this writeup we will see how to skip the most used and simplest method.

The basic logic of this process: if there is a tracing operation via ptrace, it is detected using ptrace.

Consider a check like this:

#include <stdio.h>
#include <sys/ptrace.h>

int main()
{
	/* PTRACE_TRACEME fails with -1 if a tracer is already attached to this process */
	if (ptrace(PTRACE_TRACEME, 0, 1, 0) < 0) {
		printf("Debugging Detected, Fuck You!\n");
		return 1;
	}
	printf("Normal Execution\n");
	return 0;
}

Here we see the ptrace system call with the argument named PTRACE_TRACEME, which checks whether the process is a child process being debugged.

If the process is traced, we get the message:

printf("Debugging Detected, Fuck You!\n");

If not, we get the message:

printf("Normal Execution\n");

**How Can We Bypass the Check Made in This Situation?**

The solution I found for this is using LD_PRELOAD: hijacking the ptrace() function.

First of all, we create a fake library to replace ptrace() as follows:

#include <sys/types.h>

/* Fake ptrace(): when this library is in LD_PRELOAD, the target's call to the
 * ptrace symbol resolves here instead of libc, so the real syscall never runs. */
long ptrace(int request, pid_t pid, void *addr, void *data)
{
    return 0;
}

Compiling: gcc evillib.c -o evillib.so -fPIC -shared -ldl -D_GNU_SOURCE

After compilation, we assign the resulting library's location to the LD_PRELOAD environment variable, and then when we run it with gdb we get this message:

printf("Normal Execution\n");

So we successfully bypassed the check.

To automate this, I share with you the little tool I wrote:

Video on How to Use the Tool:

Thank you for your time.
Good hacking.
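Added example (not the OP's code and not part of the tool linked above): the LD_PRELOAD trick only works because the target calls the ptrace symbol exported by libc, which the preloaded library shadows. The program below shows the two checks a defender would pair with it: reading the TracerPid field from /proc/self/status, and issuing PTRACE_TRACEME through the raw syscall number so the libc ptrace() symbol is never imported. The function names and the sample status text are my own (the status samples are constructed, not captured from a real system).

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <sys/ptrace.h>

/* Constructed samples of the relevant part of /proc/<pid>/status (not captured
 * from a real system): one process with a tracer attached, one without. */
static const char SAMPLE_STATUS_TRACED[] =
    "Name:\ttarget\nState:\tt (tracing stop)\nPid:\t1000\nPPid:\t999\nTracerPid:\t4242\nUid:\t1000\n";
static const char SAMPLE_STATUS_CLEAN[] =
    "Name:\ttarget\nState:\tR (running)\nPid:\t1000\nPPid:\t999\nTracerPid:\t0\nUid:\t1000\n";

/* Parse the TracerPid field out of status text. Returns the tracer's pid,
 * 0 when nothing is attached, -1 when the field is absent. */
long tracer_pid_from_status(const char *status_text)
{
    const char *line = status_text;
    while (line && *line) {
        if (strncmp(line, "TracerPid:", 10) == 0)
            return strtol(line + 10, NULL, 10);   /* strtol skips the tab */
        line = strchr(line, '\n');
        if (line)
            line++;
    }
    return -1;
}

/* Same check against the live file for this process. */
long tracer_pid_self(void)
{
    char buf[8192];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return tracer_pid_from_status(buf);
}

/* PTRACE_TRACEME through the raw syscall number. The binary then has no
 * import of the ptrace symbol, so a preloaded ptrace() is never consulted.
 * This only raises the bar: syscall() is itself a libc symbol, and a debugger
 * that stops on the syscall (gdb's `catch syscall ptrace`) can still change
 * the return value, which is why the /proc check is kept alongside it. */
int traceme_direct_syscall(void)
{
    return syscall(SYS_ptrace, PTRACE_TRACEME, 0, 0, 0) < 0 ? 1 : 0;
}

int main(void)
{
    /* Read /proc first: PTRACE_TRACEME below changes this process's state. */
    long tracer = tracer_pid_self();
    int by_syscall = traceme_direct_syscall();

    printf("TracerPid from /proc/self/status: %ld\n", tracer);
    printf("PTRACE_TRACEME via raw syscall failed: %d\n", by_syscall);

    if (tracer > 0 || by_syscall) {
        printf("Debugging Detected\n");
        return 1;
    }
    printf("Normal Execution\n");
    return 0;
}
```

Build it with a plain `gcc check.c -o check` and run it once directly, once under gdb, and once under gdb with the fake library in LD_PRELOAD: the preloaded ptrace() no longer changes the result, because neither check goes through that symbol.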


From the manual page of ptrace
"PTRACE_TRACEME Indicate that this process is to be traced by its parent. A process probably shouldn't make this request if its parent isn't expecting to trace it. (pid, addr, and data are ignored.)" Why would you set the third argument to 1?

By the way, on 64-bit:
(gdb) catch syscall ptrace
(gdb) commands 1
set ($rbx) = 0
continue
end

To expand on this, two blog posts that I've read recently talk about ptrace and general anti-debugging at a deeper level.