ysfr | 2 years ago

Yes. Or if it's using dynamic libraries and not compiled statically, you can use LD_PRELOAD and overwrite ptrace() to do nothing. You don't have to patch anything then, which might be easier.

    /* Stub that shadows libc's ptrace() when the library is preloaded.
       Return type is long, like the real symbol, so every request looks
       like it succeeded (0) to the caller. */
    long ptrace(int request, int pid, void *addr, void *data) {
        return 0;
    }
And compile it:

    gcc -shared -fPIC myptrace.c -o myptrace.so
Afterwards you can either

    LD_PRELOAD=./myptrace.so ./thebinary     # shell
    ltrace -S -l ./myptrace.so ./thebinary   # strace in shell
or for gdb

    set environment LD_PRELOAD=./myptrace.so

maffydub | 2 years ago

Thanks, both! This was used in a static build that decrypted and checksummed its binary before execution, which ruled out naive implementations of the attacks above. I agree there are ways round these too, but I believe it was just intended to discourage amateurs rather than protect against serious hacking.
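Both comments hinge on whether the target is dynamically linked at all: LD_PRELOAD only has effect when the program is started through ld.so, which an ELF advertises with a PT_INTERP segment. The following added example (not from either commenter) reads that segment from an ELF64 image; the `build_sample` helper and the interpreter path it uses are constructed test data, not real binaries.

```python
import struct
import sys

ELF_MAGIC = b"\x7fELF"
PT_INTERP = 3
EHDR64 = "<16sHHIQQQIHHHHHH"   # ELF64 file header, little-endian
PHDR64 = "<IIQQQQQQ"           # ELF64 program header, little-endian


def interpreter(elf: bytes):
    """Return the PT_INTERP path of an ELF64 LE image, or None if absent.

    No PT_INTERP means the kernel jumps straight to the program's entry
    point and ld.so never runs, so LD_PRELOAD is ignored (the static case).
    """
    if len(elf) < struct.calcsize(EHDR64) or elf[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    if elf[4] != 2 or elf[5] != 1:
        raise ValueError("only ELF64 little-endian is handled here")
    hdr = struct.unpack_from(EHDR64, elf)
    e_phoff, e_phentsize, e_phnum = hdr[5], hdr[9], hdr[10]
    for i in range(e_phnum):
        ph = struct.unpack_from(PHDR64, elf, e_phoff + i * e_phentsize)
        p_type, _flags, p_offset, _va, _pa, p_filesz = ph[:6]
        if p_type == PT_INTERP:
            return elf[p_offset:p_offset + p_filesz].rstrip(b"\0").decode()
    return None


def build_sample(interp):
    """Construct a minimal, non-runnable ELF64 image for testing (constructed
    data), with a PT_INTERP segment when `interp` is given."""
    ehsize, phentsize = struct.calcsize(EHDR64), struct.calcsize(PHDR64)
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + bytes(8)  # 64-bit, LE, v1
    phdrs, body = b"", b""
    if interp:
        body = interp.encode() + b"\0"
        phdrs = struct.pack(PHDR64, PT_INTERP, 4, ehsize + phentsize,
                            0, 0, len(body), len(body), 1)
    ehdr = struct.pack(EHDR64, ident, 2, 62, 1, 0, ehsize, 0, 0, ehsize,
                       phentsize, 1 if interp else 0, 0, 0, 0)
    return ehdr + phdrs + body


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as f:
        path = interpreter(f.read())
    print(f"{sys.argv[1]}: " + (f"dynamic, interpreter {path}" if path
                                else "no PT_INTERP, LD_PRELOAD will not apply"))
```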