
The Ptrace Anti-RE Trick

97 points, posted by hkopp over 1 year ago

10 comments

aetherspawn, over 1 year ago

We used to place an INT3 vectored exception handler on function entry points and do everything interesting inside the exception handler. This made the execution stack basically invisible to every debugger since it doesn't debug exception handlers. You can enable/disable interrupts and tracing and whatever you need to do inside the exception handler to guarantee that nobody can see what you are doing and/or verify that no other program has registered another exception handler before doing anything interesting.

If you need to hook functions in third-party software, this trick can be used to hook the function without modifying any of the function's code. All you need to do is modify some pointer used by the function to zero, and it will raise an exception as soon as something like p-> is executed on that pointer; then your exception handler can execute whatever code you need (i.e. write over stack, write to memory, exfiltrate handles) and on exit all you need to do is restore the correct register containing the pointer and wind back the execution counter by the size of the de-reference instruction.

Please don't use this knowledge to hurt people ...
userbinator, over 1 year ago

This "self-debugging" technique is common in the Windows world too:

http://profile.maff1t.com/AntiDebugging/

Interestingly enough, VirtualBox does this too, and they call it "hardening", but IMHO it's quite an unexpected and hostile behaviour which is more characteristic of malware.
josephcsible, over 1 year ago

Thankfully this is easy to circumvent: have your debugger catch the ptrace syscall and lie about the result. Also, if antivirus programs haven't already added a signature for any programs that do that, they should.
badrabbit, over 1 year ago

Windows also has many similar evasion techniques, like checking if there is a top-level exception handler. I use ScyllaHide, but even on gdb you can break at ptrace and patch it, or for automated analysis, just flag anything that used ptrace but isn't a debugger and run it in a sandbox without ptracing it. The audit subsystem might be enough.

https://github.com/x64dbg/ScyllaHide
hyperman1, over 1 year ago

If I remember it right, only one ptrace can be attached. So this seems easy to fix: just ptrace yourself, and nobody else will.

As a bonus, write important state to memory supposed to be read-only. If someone hooked your ptrace, the hook has to reimplement ptrace in a lot more detail. Or use breakpoints as a mechanism to call subroutines.
jepler, over 1 year ago

In an old $DAY_JOB I used a variant of this as a way to make certain internal errors execute a breakpoint when debugged, and generate an error log if not debugged. IIRC this did not happen until after an error had already occurred, so it was not very useful as anti-RE.
maffydub, over 1 year ago

I've seen this used preemptively: have the process ptrace itself on startup (and then do nothing with it) to make it impossible (or at least far from trivial) for other interested parties to ptrace it.
Cloudef, over 1 year ago

Some Android malware also checks TracerPid in /proc/*/status: https://github.com/Cloudef/android2gnulinux/blob/master/src/libc-antiantidebug.c
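Added example (my own code, not from any commenter or from the linked project): the TracerPid field Cloudef mentions, read from the analyst's side. Checking `/proc/<pid>/status` before attaching is how you notice that a process has already taken the single tracer slot via the self-ptrace trick hyperman1 and maffydub describe. The function names are mine and the sample status text is constructed.

```c
/* Added example: parse the TracerPid field of /proc/<pid>/status so an
 * analyst can see, before attaching, whether a process is already traced
 * (non-zero value; possibly by itself). Function names are my own. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Return the TracerPid value found in status text (0 = not traced),
 * or -1 if the field is missing or malformed. */
long tracer_pid_from_status(const char *status_text)
{
    const char *line = status_text;
    while (line && *line) {
        if (strncmp(line, "TracerPid:", 10) == 0) {
            char *end;
            long pid = strtol(line + 10, &end, 10); /* strtol skips the tab */
            return (end == line + 10) ? -1 : pid;  /* no digits -> malformed */
        }
        line = strchr(line, '\n');                 /* advance to the next field */
        if (line) line++;
    }
    return -1;
}

/* Read /proc/<pid>/status and return its TracerPid, -1 on any error. */
long tracer_pid_of(long pid)
{
    char path[64], buf[4096];
    snprintf(path, sizeof path, "/proc/%ld/status", pid);
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return tracer_pid_from_status(buf);
}

/* Constructed sample status excerpts: one process attached by pid 4242, one untraced. */
static const char SAMPLE_TRACED[] =
    "Name:\tsample\nState:\tt (tracing stop)\nPid:\t1234\nTracerPid:\t4242\nUid:\t1000\n";
static const char SAMPLE_FREE[] =
    "Name:\tsample\nState:\tS (sleeping)\nPid:\t1234\nTracerPid:\t0\nUid:\t1000\n";

int main(void)
{
    printf("constructed sample traced by: %ld\n", tracer_pid_from_status(SAMPLE_TRACED)); /* 4242 */
    printf("constructed sample untraced:  %ld\n", tracer_pid_from_status(SAMPLE_FREE));   /* 0 */
    printf("this process traced by:       %ld\n", tracer_pid_of((long)getpid()));
    return 0;
}
```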
o11c, over 1 year ago

There are also differences in the handling of `SIGTRAP`. For a serious use, this can implement a `breakpoint()` function.
jasondoty, over 1 year ago

Tricks for Windows:

https://anti-debug.checkpoint.com