通過為ptrace調用設置catchpoint破解anti-debugging的程序

例子

#include <sys/ptrace.h>
#include <stdio.h>
 
int main()                                                                      
{
        if (ptrace(PTRACE_TRACEME, 0, 0, 0) < 0 ) {
                printf("Gdb is debugging me, exit.\n");
                return 1;
        }
        printf("No debugger, continuing\n");
        return 0;
}

技巧

有些程序不想被gdb調試,它們就會在程序中調用“ptrace”函數,一旦返回失敗,就證明程序正在被gdb等類似的程序追蹤,所以就直接退出。以上面程序為例:

(gdb) start
Temporary breakpoint 1 at 0x400508: file a.c, line 6.
Starting program: /data2/home/nanxiao/a

Temporary breakpoint 1, main () at a.c:6
6                       if (ptrace(PTRACE_TRACEME, 0, 0, 0) < 0 ) {
(gdb) n
7                               printf("Gdb is debugging me, exit.\n");
(gdb)
Gdb is debugging me, exit.
8                               return 1;

破解這類程序的辦法就是為ptrace調用設置catchpoint,通過修改ptrace的返回值,達到目的。仍以上面程序為例:

(gdb) catch syscall ptrace
Catchpoint 2 (syscall 'ptrace' [101])
(gdb) r
Starting program: /data2/home/nanxiao/a

Catchpoint 2 (call to syscall ptrace), 0x00007ffff7b2be9c in ptrace () from /lib64/libc.so.6
(gdb) c
Continuing.

Catchpoint 2 (returned from syscall ptrace), 0x00007ffff7b2be9c in ptrace () from /lib64/libc.so.6
(gdb) set $rax = 0
(gdb) c
Continuing.
No debugger, continuing
[Inferior 1 (process 11491) exited normally]

可以看到,通過修改rax寄存器的值,達到修改返回值的目的,從而讓gdb可以繼續調試程序(打印“No debugger, continuing”)。
詳細過程,可以參見這篇文章避開 PTRACE_TRACME 反追蹤技巧.

貢獻者

nanxiao


书籍推荐