#include <sys/ptrace.h>
#include <stdio.h>
int main()
{
if (ptrace(PTRACE_TRACEME, 0, 0, 0) < 0 ) {
printf("Gdb is debugging me, exit.\n");
return 1;
}
printf("No debugger, continuing\n");
return 0;
}
有些程序不想被gdb調試,它們就會在程序中調用“ptrace
”函數,一旦返回失敗,就證明程序正在被gdb等類似的程序追蹤,所以就直接退出。以上面程序為例:
(gdb) start
Temporary breakpoint 1 at 0x400508: file a.c, line 6.
Starting program: /data2/home/nanxiao/a
Temporary breakpoint 1, main () at a.c:6
6 if (ptrace(PTRACE_TRACEME, 0, 0, 0) < 0 ) {
(gdb) n
7 printf("Gdb is debugging me, exit.\n");
(gdb)
Gdb is debugging me, exit.
8 return 1;
破解這類程序的辦法就是為ptrace
調用設置catchpoint
,通過修改ptrace
的返回值,達到目的。仍以上面程序為例:
(gdb) catch syscall ptrace
Catchpoint 2 (syscall 'ptrace' [101])
(gdb) r
Starting program: /data2/home/nanxiao/a
Catchpoint 2 (call to syscall ptrace), 0x00007ffff7b2be9c in ptrace () from /lib64/libc.so.6
(gdb) c
Continuing.
Catchpoint 2 (returned from syscall ptrace), 0x00007ffff7b2be9c in ptrace () from /lib64/libc.so.6
(gdb) set $rax = 0
(gdb) c
Continuing.
No debugger, continuing
[Inferior 1 (process 11491) exited normally]
可以看到,通過修改rax
寄存器的值,達到修改返回值的目的,從而讓gdb可以繼續調試程序(打印“No debugger, continuing
”)。
詳細過程,可以參見這篇文章避開 PTRACE_TRACME 反追蹤技巧.
nanxiao