Bypass Linux Basic Anti Debugging

First of all, Hello everyone. Welcome to my new Writeup.

There are many methods to prevent Debugging in Linux. In this writeup we will see skipping the most used and simplest method.

Basic Logic of this process; If there is a Tracing operation with Ptrace, it is to detect it using ptrace.

Considering that there is a control like this:

#include <stdio.h>
#include <sys/ptrace.h>

int main()
{
	if (ptrace(PTRACE_TRACEME, 0, 1, 0) < 0) {
		printf("Debugging Dedected , Fuck You !\n");
		return 1;
	}
	printf("Normal Execution\n");
	return 0;
}

Here we see that the ptrace system call checks if the argument named PTRACE_TRACEME is a child process for Debugging.

If the Process is traced;

printf (“Debugging Dedected, Fuck You! \ n”);

message, If not We get the message:

printf (“Normal Execution \ n”);

** How Can We bypass The Control Made In This Situation?**

The solution I found for this is using LD_PRELOAD; Hijacking the ptrace () Function

First of all ptrace (); We’re creating a fake library to replace it as follows:

> long ptrace(int request, int pid, int addr, int data)
> {
>     return 0;
> } 

Compiling : gcc evillib.c -o evillib.so -fPIC -shared -ldl -D_GNU_SOURCE

After compilation, we assign the resulting library location to the LD_PRELOAD environment variable. and then when we run it with gdb

printf (“Normal Execution \ n”);

We get This message. So we successfully bypassed Control.

To automate this, I share with you the little tool I wrote:

https://github.com/noopslide/Ptrace-Anti-Debugging-Bypass/blob/master/ptracebypass.py

Video on How to Use the Tool:

Thank you for your time.
good hackings.

2 Likes

To expand on this, two blog posts that I’ve read recently talk about ptrace and general anti-debugging in a deeper level.

1 Like

This topic was automatically closed after 121 days. New replies are no longer allowed.