Full Disclosure mailing list archives
detecting if tracing is happening
From: Andrew Griffiths <andrewg () d2 net au>
Date: Sat, 07 Jun 2003 07:16:18 +1000
Hi all,

In the hope of generating more signal on this list, I thought I'd throw this up for discussion: http://felinemenace.org/~andrewg/stuff/at.c
Basically, programs on the x86 can detect the presence of tracing programs like gdb, strace, ltrace without using external syscalls or relying on oddities from the ptrace() interface by checking whether or not the TRACE flag is set.
This technique/idea I noticed a while ago (probably several years ago) when reading some old virus documents (probably something about real mode or so *shrug*).

As far as applicability goes, it seems to get false positives on my AMD 1.4G CPU and RH 2.4.18-27.7.x kernel, although on some Intel boxes, and according to reports from other people, there are no false positives... Then again, I generally get weirdness... *shrug* (gdb reporting that the currently debugged process is running without the trace flag being set, and stuff like that.)
As for other things, I don't claim this to be new/exciting, just something that might be useful/entertaining for people on this list. (A lot of people seem to trust strace for
Thanks,
Andrew Griffiths

--
<Kahless> geez, u climb the highest mountain, netstumble the highest mast, but you suck one cock........
<Clonefish> No thanks
<Kahless> hey, it wasn't an invitation........
<RokLobsta> or you help luigi build his house, guiseppe to get his business going and you save the town from a meteor, but you fuck one goat....
<Kahless> that's the one
<Clonefish> Mmmmkay.....
<swarm> um
<swarm> next topic plz

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
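The check the post describes, written out as an added example for readers who want to see what such a check looks like when they meet it during analysis (this is not the at.c from the post, nor any of Andrew's code; the bit position and the helper names are mine). TF is bit 8 of EFLAGS/RFLAGS, the CPU's single-step trap flag; pushf/popf are unprivileged, so reading it needs no syscall and touches nothing in the ptrace() interface. Two caveats worth knowing as an analyst: the value reflects only the instant the pushf executes, so a tracer that attaches and simply continues the process (no single-stepping) leaves TF clear, and, as the post itself reports, some CPU/kernel combinations return TF set when nothing is tracing at all, so a positive is a hint, not proof.

```c
#include <stdio.h>

/* Bit 8 of EFLAGS/RFLAGS is TF, the single-step trap flag.
 * The mask is a constant I define here; it is not from the original post. */
#define EFLAGS_TF 0x100UL

/* Pure decoding step, separated from the register read so it can be
 * exercised on a constructed flags word: returns 1 if TF is set. */
int trap_flag_from_eflags(unsigned long eflags)
{
    return (eflags & EFLAGS_TF) ? 1 : 0;
}

/* Read the flags register with pushf/pop. This is an unprivileged
 * instruction pair, so no syscall is made and no ptrace() quirk is
 * relied upon. On non-x86 builds there is no such register to read,
 * so the function returns 0 (assumption: "nothing detected"). */
unsigned long read_eflags(void)
{
#if defined(__x86_64__)
    unsigned long flags;
    __asm__ volatile("pushfq\n\tpopq %0" : "=r"(flags) : : "memory");
    return flags;
#elif defined(__i386__)
    unsigned long flags;
    __asm__ volatile("pushfl\n\tpopl %0" : "=r"(flags) : : "memory");
    return flags;
#else
    return 0;
#endif
}

/* 1 if TF was set at the moment of the read, i.e. the CPU was being
 * single-stepped through this code; 0 otherwise. A 0 does NOT mean the
 * process is untraced: a tracer using only breakpoints/continue never
 * sets TF, and the post reports spurious 1s on some hardware. */
int single_step_detected(void)
{
    return trap_flag_from_eflags(read_eflags());
}

int main(void)
{
    unsigned long f = read_eflags();
    printf("EFLAGS=0x%lx TF=%d\n", f, trap_flag_from_eflags(f));
    return 0;
}
```

Run it normally and TF should read 0; run it under a debugger and single-step across the pushf and the same program prints TF=1, which is the whole mechanism. Knowing this, an analyst who wants to observe such code without tripping it simply avoids stepping over the flag read and lets the process continue to a breakpoint placed after it.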