In our previous Hacker’s Corner article, we covered some simple anti-debugging. Here, we will see some better techniques.
Last time we tried to attach to own process, and used that as detection/prevention mechanism for debugging by someone else. Here, we will improve it by making it much harder to run code under debugger. This technique relies on using incorrect code, and patching it dynamically to make it correct. The patching part is done by same ptrace mechanism.
Here, we have to ensure that our incorrect code should not kill the code. Instead we should be able to intercept the error, and then patch the code on the fly before re-attempting the execution. There are many ways to achieve this:
1. Raising a signal like SIGCONT
2. Forcibly triggering CPU fault (like illegal instruction fault)
3. Segmentation Fault
4. and many more…
For sake of example, we will use an illegal syscall (that does not even exist) for our incorrect code. To ensure that we get a signal right before said code is called, we will raise SIGCONT, and capture that. The scheme goes something like this:
2. Run protected function in child process
3. Wait for child process to change its status
4. Continue the process until it hits a syscall.
5. Check if syscall number matches to illegal syscall number used.
6. Change the syscall to correct one.
7. Let the process run. Go back to step 3.
1. Attach to self
2. Raise SIGCONT
3. Run the code