2010-02-23 Linux antidebug 1
When ptrace is used for debugging a program, only one tracer can be attached to that program,
so when we try to call ptrace with PTRACE_TRACEME ourselves we get -1. I tested this with gdb and ald. This method should also
work with IDA Pro.
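#include <stdlib.h>
#include <stdio.h>
#include <sys/ptrace.h>

/*
 * Returns 1 when PTRACE_TRACEME fails, i.e. the process is already being
 * traced (the text above reports this for gdb and ald), and 0 when the
 * request succeeds.
 *
 * NOTE(review): ptrace(PTRACE_TRACEME) also fails when ptrace itself is
 * unavailable to the process (seccomp filters, ptrace restrictions), so a
 * non-zero result is not proof that a debugger is attached.  A successful
 * call is not free either: per ptrace(2) it leaves the parent process as
 * this process's tracer for the rest of its lifetime.
 */
long int ptraced(void)
{
    return ptrace(PTRACE_TRACEME, 0, 0, 0) == -1;
}

/* Prints "Ptraced!" when the check above fires; always exits 0. */
int main(void)
{
    if (ptraced()) {
        printf("Ptraced!\n");
    }
    return 0;
}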
Source
2010-02-26 Linux antidebug 2
This is a dirty solution: it checks the program's argv[0] name against a name you define.
When running under a debugger such as gdb or ald the name is changed to the full path name,
whereas the name typed by the user in the terminal is './main'.
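#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Prints this process's pid in brackets, then its command line exactly as
 * stored in /proc/self/cmdline (argv strings separated by NUL bytes),
 * followed by a newline.
 *
 * The original wrote the pid to pid.txt, read it back with an unbounded
 * fscanf("%s") into a 10-byte buffer, and then ran "cat /proc/<pid>/cmdline"
 * through system().  Reading /proc/self/cmdline directly gives the same
 * output without the temporary file in the working directory, the shell,
 * or the unchecked fopen() results.
 *
 * argc/argv are accepted for compatibility but not used.
 * Returns 0 on success, 1 if /proc/self/cmdline cannot be opened.
 */
int main(int argc, char **argv)
{
    (void)argc;
    (void)argv;

    printf("[%d]\n", (int)getpid());

    FILE *f = fopen("/proc/self/cmdline", "r");
    if (f == NULL) {
        perror("fopen");
        return 1;
    }

    /* Copy the bytes through untouched, as cat would; the NUL separators
     * between arguments are part of the output. */
    char buf[256];
    size_t got;
    while ((got = fread(buf, 1, sizeof buf, f)) > 0) {
        fwrite(buf, 1, got, stdout);
    }
    fclose(f);

    printf("\n");
    return 0;
}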
A dirty function that puts the dirty solution in one place
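/*
 * Checks whether this process's command line (argv[0] as recorded in
 * /proc/self/cmdline) starts with real_name.
 *
 * Returns 0 when the command line begins with real_name, -1 when it does
 * not, when real_name is NULL, or when /proc/self/cmdline cannot be read.
 * The comparison is a prefix match over strlen(real_name) bytes, as in the
 * original, so an empty real_name always matches.  Only the first 127 bytes
 * of the command line are considered.
 *
 * The original built "cat /proc/<pid>/cmdline > name.txt" with strcpy/strcat,
 * ran it through system(), and read both pid.txt and name.txt back with an
 * unbounded fscanf("%s") and unchecked fopen() results.  Reading /proc
 * directly removes the shell invocation, the two temporary files, and the
 * buffer overruns.
 */
int badppid(const char *real_name)
{
    if (real_name == NULL) {
        return -1;
    }

    /* Zero-filled so the buffer is always NUL-terminated after fread. */
    char str[128] = {0};

    FILE *f = fopen("/proc/self/cmdline", "r");
    if (f == NULL) {
        return -1;
    }
    size_t got = fread(str, 1, sizeof str - 1, f);
    fclose(f);
    if (got == 0) {
        return -1;
    }

    /* argv[0] ends at the first NUL byte; strncmp stops there as well, so
     * later arguments never take part in the comparison. */
    if (strncmp(str, real_name, strlen(real_name)) != 0) {
        return -1;
    }
    return 0;
}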
Source
2010-03-05 Linux antidebug 3
Now we will try to make the disassembler output very unclear. We make the jump through the eax register.
Program 1
main:
    push lbl+1              ; push the address one byte past lbl
    pop eax                 ; eax = lbl+1
    jmp eax                 ; indirect jump; the real target is only known at run time
lbl:
    db 0xe8                 ; this byte is skipped by the jump and never executed;
                            ; output 1 below shows the disassembler still decoding it as data
    mov eax, 4
    mov ebx, 1
    mov ecx, msg1
    mov edx, msg1_size
    int 80h
    mov eax, 1
    mov ebx, 0
    int 80h
Output is same as source. Nothing changes
Disassembler output 1
│ ....... ! main: ;xref o80482d7 │
│ ....... ! push offset_804837d │
│ 8048379 ! pop eax │
│ 804837a ! jmp eax │
│ 804837c db 0e8h │
│ 804837d ! │
│ ....... ! offset_804837d: ;xref o8048374 │
│ ....... ! mov eax, 4 │
│ 8048382 ! mov ebx, 1 │
│ 8048387 ! mov ecx, strz_I_am_running__8049568 │
│ 804838c ! mov edx, 0eh │
│ 8048391 ! int 80h │
│ 8048393 ! mov eax, 1 │
│ 8048398 ! mov ebx, 0 │
│ 804839d ! int 80h │
Here we add only one instruction. We take the jump address and add 1 to it. The disassembler cannot calculate the address of the jmp.
Program 2
As in the first program, the disassembler thinks that we push the correct address and disassembles from it. So our byte 0xe9 is used
in the disassembler output. That's nice.
main:
    push lbl                ; push the address of lbl itself ...
    pop eax
    inc eax                 ; ... and add 1 in a register, so the pushed operand looks like a valid target
    jmp eax                 ; real target is lbl+1
lbl:
    db 0xe9                 ; skipped at run time; a disassembler that starts decoding at lbl
                            ; treats it as the opcode of a jmp (output 2 below shows "jmp 804883ah")
    mov eax, 4
    mov ebx, 1
    mov ecx, msg1
    mov edx, msg1_size
    int 80h
    mov eax, 1
    mov ebx, 0
    int 80h
Disassembler output 2
│ ....... ! main: ;xref o80482d7 │
│ ....... ! push offset_804837d │
│ 8048379 ! pop eax │
│ 804837a ! inc eax │
│ 804837b ! jmp eax │
│ 804837d ! │
│ ....... ! offset_804837d: ;xref o8048374 │
│ ....... ! jmp 804883ah │
│ 8048382 add [ebx+1], bh │
│ 8048388 mov ecx, 8049568h │
│ 804838d mov edx, 0eh │
│ 8048392 int 80h │
│ 8048394 mov eax, 1 │
│ 8048399 mov ebx, 0 │
│ 804839e int 80h │
Now we add a nop instruction after every line of our code. It doesn't have any impact on how the program works.
Program 3
main:
    push lbl
    pop eax
    inc eax                 ; target is lbl+1, computed in a register as in program 2
    jmp eax
lbl:
    db 0xe9                 ; skipped byte; decoded as a jmp opcode by the disassembler (output 3)
    mov eax, 4
    nop                     ; the nops change nothing at run time but shift the bytes the
                            ; disassembler sees after it has lost alignment at lbl
    mov ebx, 1
    nop
    mov ecx, msg1
    nop
    mov edx, msg1_size
    int 80h
    mov eax, 1
    mov ebx, 0
    jmp lbl2+1              ; same trick again: jump one byte past lbl2
lbl2:
    db 0xe9                 ; skipped byte
    int 80h
Disasm output now is very nice. Output isnt very good. For first time when you view this output it is very unclear
about what exactly is done by this code.
Disassembler output 3
│ ....... ! main: ;xref o80482d7 │
│ ....... ! push offset_804837d │
│ 8048379 ! pop eax │
│ 804837a ! inc eax │
│ 804837b ! jmp eax │
│ 804837d ! │
│ ....... ! offset_804837d: ;xref o8048374 │
│ ....... ! jmp 804883ah │
│ 8048382 add [eax+1bbh], dl │
│ 8048388 add [eax+49578b9h], dl │
│ 804838e or [eax+0ebah], dl │
│ 8048394 add ch, cl │
│ 8048396 cmp byte ptr [eax+1], 0bbh │
│ 804839d add [eax], al │
│ 804839f add [eax], al │
│ 80483a1 jmp 80483a4h │
│ 80483a3 jmp 98950475h │
Here is one more way to make an unclear jump to another place. We use a function,
and inside the function we change the return address by 1.
Program 4
That also works fine. The disassembler doesn't know the real return address and uses the 0xe8 byte as it thinks best.
main:
    call fun                ; pushes the address of the db below as the return address
    db 0xe8                 ; never executed: fun returns one byte past it; the disassembler
                            ; decodes it as the start of a call (output 4 shows "call 8048836h")
    mov eax, 4
    mov ebx, 1
    mov ecx, msg1
    mov edx, msg1_size
    int 80h
    mov eax, 1
    mov ebx, 0
    int 80h
fun:
    pop ebp                 ; take the return address off the stack (ebp is clobbered here)
    inc ebp                 ; advance it past the 0xe8 byte
    push ebp
    ret                     ; returns to "mov eax, 4"
Disassembler output 4
│ ....... ! main: ;xref o80482d7 │
│ ....... ! call sub_804839c │
│ 8048379 ! call 8048836h │
│ 804837e ! add [ebx+1], bh │
│ 8048384 ! mov ecx, strz_I_am_running__8049568 │
│ 8048389 ! mov edx, 0eh │
│ 804838e ! int 80h │
│ 8048390 ! mov eax, 1 │
│ 8048395 ! mov ebx, 0 │
│ 804839a ! int 80h │
│ 804839c ! │
│ ....... ! ;----------------------- │
│ ....... ! ; S U B R O U T I N E │
│ ....... ! ;----------------------- │
│ ....... ! sub_804839c: ;xref c8048374 │
│ ....... ! pop ebp │
│ 804839d ! inc ebp │
│ 804839e ! push ebp │
│ 804839f ! ret │
Source