robert
Reputation: 3726
Using ptrace to detect debugger
I am trying to detect on Linux if a debugger is attached to my binary. I have found two solutions. One simpler:
#include <stdio.h>
#include <sys/ptrace.h>
int main()
{
if (ptrace(PTRACE_TRACEME, 0, 1, 0) == -1)
{
printf("don't trace me !!\n");
return 1;
}
// normal execution
return 0;
}
and another one:
#include <sys/types.h>
#include <errno.h>
#include <signal.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
int spc_detect_ptrace(void) {
int status, waitrc;
pid_t child, parent;
parent = getpid();
if (!(child = fork())) {
/* this is the child process */
if (ptrace(PT_ATTACH, parent, 0, 0)) exit(1);
do {
waitrc = waitpid(parent, &status, 0);
} while (waitrc == -1 && errno == EINTR);
ptrace(PT_DETACH, parent, (caddr_t)1, SIGCONT);
exit(0);
}
if (child == -1) return -1;
do {
waitrc = waitpid(child, &status, 0);
} while (waitrc == -1 && errno == EINTR);
return WEXITSTATUS(status);
}
Is the second method better than the first, simpler one? If yes, why?
Upvotes: 6
Views: 4247
Answers (1)
Peeter Joot
Reputation: 8260
As well as the ptrace() method, it's also possible to signal SIGTRAP ( How to detect if the current process is being run by GDB? )
I'd say that your first method is better (and better than SIGTRAP), since forking is terribly inefficient for such a check, and there will be many circumstances (like multithreaded code) that forking is undesirable.
Upvotes: 2
Related Questions
- Bypass ptrace anti-debugging trick
- How to solve "ptrace operation not permitted" when trying to attach GDB to a process?
- debugging with ptrace not always find the process successfully
- Why lldb doesn't use ptrace on linux?
- Writing the simplest assembly debugger
- C ptrace breakpoints
- Detect whether tracee is in a signal handler when using ptrace
- How can I debug a ptrace tracee?
- Can you detect a debugger attached to your process using Div by Zero
- how to detect if process is being debugged