I need to implement debugging detection technology under Linux. The main idea is that my piece of code creates a second stream through the cache. After that, the created thread should check, in a loop, whether a debugger is present and then sleep for a few seconds. My question is how to implement debugger detection via ptrace in a multi-threaded environment inside an infinite loop. My problem is that after calling ptrace(PTRACE_TRACEME, 0, 1, 0) a second debugger is detected (this is reasonable and correct, of course). So should I disable the tracer somehow at the end of the loop, or use ptrace differently? Here is the code snippet:
```nasm
new_thread:
    ; PTRACE: ptrace(PTRACE_TRACEME, 0, 1, 0)
    xor rdi, rdi            ; request = PTRACE_TRACEME (0)
    xor rsi, rsi            ; pid = 0
    xor rdx, rdx
    inc rdx                 ; addr = 1
    xor r10, r10            ; data = 0
    mov rax, 101            ; ptrace syscall
    syscall
    cmp rax, 0
    jge __nondbg            ; 0 = success, negative = error (already traced)

    call _dbg               ; pushes the address of the string below
    db 'debugged!', 0xa, 0
_dbg:
    mov rdi, 1              ; fd = stdout
    pop rsi                 ; buf = return address = string
    mov rdx, 10             ; len
    mov rax, 1              ; syscall write
    syscall
    ; exit_group call
    mov rdi, 127            ; status
    mov rax, 231            ; exit_group
    syscall

__nondbg:
    call _nondbg            ; pushes the address of the string below
    db 'non-debugged!', 0xa, 0
_nondbg:
    mov rdi, 1              ; fd = stdout
    pop rsi                 ; buf = return address = string
    mov rdx, 14             ; len
    mov rax, 1              ; syscall write
    syscall

    ; ==========
    ; SLEEP.....
    ; ==========
    push 0                  ; tv_nsec, value should be a parameter
    push 5                  ; tv_sec, value should be a parameter
    mov rdi, rsp            ; req = &timespec{5, 0}
    xor rsi, rsi            ; rem = NULL
    mov rax, 35             ; syscall nanosleep
    syscall
    pop rax                 ; discard timespec
    pop rax
    jmp new_thread
```
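To illustrate the failure mode described above, here is an added C example (not the asker's code) that issues PTRACE_TRACEME twice, as the asm loop does, and shows a single-probe variant whose verdict is cached for later iterations. The function names `traceme_probe`, `second_probe_errno` and `debugger_present_cached` are mine, and the example assumes a Linux host where ptrace is permitted.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/ptrace.h>

/* One PTRACE_TRACEME probe. Returns 0 when the call succeeded (no tracer
   was attached; this process is now a tracee of its parent) and -1 when
   it failed; *err receives errno. addr/data mirror the question's
   ptrace(PTRACE_TRACEME, 0, 1, 0) but are ignored by the kernel. */
static int traceme_probe(int *err)
{
    errno = 0;
    long r = ptrace(PTRACE_TRACEME, 0, (void *)1, (void *)0);
    *err = errno;
    return r < 0 ? -1 : 0;
}

/* Probes twice in a row, as the question's loop does, and returns errno
   of the second call. Once the first PTRACE_TRACEME has succeeded the
   process is already traced, so the second call fails with EPERM even
   though no debugger was attached. A tracee has no request to detach
   itself; only the tracer can issue PTRACE_DETACH. */
static int second_probe_errno(void)
{
    int err1 = 0, err2 = 0;
    traceme_probe(&err1);
    traceme_probe(&err2);
    return err2;
}

/* Loop-safe variant: probe once, remember the verdict, and let later
   iterations reuse it instead of re-issuing PTRACE_TRACEME.
   Returns 1 if a tracer was present at the first probe, else 0. */
static int debugger_present_cached(void)
{
    static int verdict = -1;            /* -1: not probed yet */
    if (verdict < 0) {
        int err = 0;
        verdict = traceme_probe(&err) < 0 ? 1 : 0;
    }
    return verdict;
}

int main(void)
{
    printf("cached verdict: %d\n", debugger_present_cached());
    printf("second raw PTRACE_TRACEME errno: %d (EPERM=%d)\n",
           second_probe_errno(), EPERM);
    return 0;
}
```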