I wanted to place breakpoints to a binary written in C, so I don't have to type in all the breakpoints to
gdb, and generally just to learn new tricks :-) Because it has no real life benefits...but it's fun!
For starters, I've found out that I can send a
SIGTRAP multiple ways. The easier is to just
raise it:
#include <signal.h>
raise(SIGTRAP); // or SIGINT if you also like to live dangerously
The funnier way is to emit it directly in asm:
__asm__("int $3");
// or
__asm__("int3");
To be honest, the latter is a software interrupt, not a signal, but has the same effect. The IA32
Book ("Intel® 64 and IA-32 Architectures Software Developer’s Manual, Chapter 6.4.4") says:
The INT 3 instruction explicitly calls the breakpoint exception (#BP) handler.
So I'm gonna stay with "does the same", as it is a
deliberately tricky one.
But if you're not running through a debugger, it will leak to the kernel and that eventually stops your program (like, saying
"Trace/BPT trap". BPT --> breakpoint, see?). We need to emit this signal conditionally, which leads us to the next problem: at any given time, are we debugged/traced or not?
Time to look up some anti-debug techniques.
The first idea that got me is to simply try to have the program to debug itself [terms and conditions apply], with
PTRACE_TRACEME. The trick is that this call will fail if we are already debugged/traced. Then we can just flip a flag and have our signals protected with a condition.
#include <stdio.h>
#include <stdlib.h>
#include <signal.h> // raise, SIG*
#include <errno.h> // errno
#include <string.h> // strerror
#include <sys/ptrace.h> // ptrace
#include <sys/types.h>
int has_dbg()
{
long rc = ptrace(PTRACE_TRACEME, 0, 0, 0);
if (rc < 0) {
printf("traceme resulted in %ld, errno: %d, %s\n", rc, errno, strerror(errno));
return 1;
} else {
return 0;
}
}
Oopsie, there is a problem: you can't release TRACEME from the tracee, and while TRACEME is active, you cannot attach from the outside. While this anti debug technique is awesome for blocking out debuggers, we don't want this side effect. We have to release it, but we can't do it from here. So we have to do it somewhere else :-)
I've poked around with fork-and-traceme, but it's cumbersome. But I found an elegant solution on
stackoverflow (where else): Just check
/proc/self/status if TracerPid is zero or not. Genius.
Caveats:
ps also reads /proc/* for status info so it must be pretty standard.
So our check looks like the following:
#include <stdio.h>
#include <stdlib.h> //atoi
#include <signal.h> // raise, SIG*
#include <string.h> // strstr, strerror
#include <fcntl.h> // open
#include <unistd.h> // read, close
int has_dbg()
{
char buf[2048], *tracer_pid;
int debugger_present = 0; // We say "no" if not found or error, as we are cowards.
static const char TracerPid[] = "TracerPid:";
ssize_t num_read;
int status_fd = open("/proc/self/status", O_RDONLY);
if (status_fd == -1)
return 0;
num_read = read(status_fd, buf, sizeof(buf));
close(status_fd);
if (num_read > 0)
{
buf[num_read] = 0;
tracer_pid = strstr(buf, TracerPid); // Look for "TracerPid"
if (tracer_pid)
debugger_present = !!atoi(tracer_pid + sizeof(TracerPid) - 1); // parse an int, and bool-ify it.
}
return debugger_present;
}
int main(int argc, char **argv)
{
if(has_dbg()) {
printf("can has\n");
} else {
printf("no no\n");
}
return 0;
}
And the best part is, we can call this function at
any time we want.
Now, we can do things like:
#define HALP do{if(has_dbg()){__asm__("int $3");}}while(0)
// ...
printf("foo\n");
if (3.14 >= 3.14)
{
printf("bar\n");
HALP;
printf("baz\n");
}
printf("quux\n");
Isn't it fancy?
Note:
If you love to cut on characters you have to type, I suggest the raise version in the long run:
- raise variant uses
20 + n*14 chars. (headers, you know)
- asm variant uses
n*17 chars.
Okay, just kidding.
