目录
当前位置: 首页 > 文档资料 > 100个 gdb 小技巧 >

通过为ptrace调用设置catchpoint破解anti-debugging的程序

优质
小牛编辑
131浏览
2023-12-01
#include <sys/ptrace.h>
#include <stdio.h>

int main()                                                                      
{
        if (ptrace(PTRACE_TRACEME, 0, 0, 0) < 0 ) {
                printf("Gdb is debugging me, exit.\n");
                return 1;
        }
        printf("No debugger, continuing\n");
        return 0;
}

技巧

有些程序不想被gdb调试,它们就会在程序中调用“ptrace”函数,一旦返回失败,就证明程序正在被gdb等类似的程序追踪,所以就直接退出。以上面程序为例:

(gdb) start
Temporary breakpoint 1 at 0x400508: file a.c, line 6.
Starting program: /data2/home/nanxiao/a

Temporary breakpoint 1, main () at a.c:6
6                       if (ptrace(PTRACE_TRACEME, 0, 0, 0) < 0 ) {
(gdb) n
7                               printf("Gdb is debugging me, exit.\n");
(gdb)
Gdb is debugging me, exit.
8                               return 1;

破解这类程序的办法就是为ptrace调用设置catchpoint,通过修改ptrace的返回值,达到目的。仍以上面程序为例:

(gdb) catch syscall ptrace
Catchpoint 2 (syscall 'ptrace' [101])
(gdb) r
Starting program: /data2/home/nanxiao/a

Catchpoint 2 (call to syscall ptrace), 0x00007ffff7b2be9c in ptrace () from /lib64/libc.so.6
(gdb) c
Continuing.

Catchpoint 2 (returned from syscall ptrace), 0x00007ffff7b2be9c in ptrace () from /lib64/libc.so.6
(gdb) set $rax = 0
(gdb) c
Continuing.
No debugger, continuing
[Inferior 1 (process 11491) exited normally]

可以看到,通过修改rax寄存器的值,达到修改返回值的目的,从而让gdb可以继续调试程序(打印“No debugger, continuing”)。
详细过程,可以参见 这篇文章避開 PTRACE_TRACME 反追蹤技巧.