robert

Reputation: 3726

Hiding system calls from debugger

In Eldad Eilam's book titled Reversing, in Chapter 11: Breaking Protections, there is a crackme called Defender. It is written for Windows, and at the beginning of execution user-mode OS components are copied to a random memory address by searching through ntdll.dll. After that, the OS is accessed through this copied code, using a kernel-mode switch. This way, when debugging, breakpoints placed on any user-mode API would never be hit.

I am wondering whether this can be done on Linux. I have a simple Hello World assembly code:

section .data
    msg db      "hello, world!"      ; 13 bytes, no trailing newline

section .text
    global _start
_start:
    ; write(1, msg, 13): x86-64 Linux syscall ABI, number in rax,
    ; arguments in rdi, rsi, rdx
    mov     rax, 1                   ; SYS_write
    mov     rdi, 1                   ; fd = stdout
    mov     rsi, msg                 ; buffer (absolute address; non-PIE link)
    mov     rdx, 13                  ; length
    syscall
    ; exit(0)
    mov     rax, 60                  ; SYS_exit
    mov     rdi, 0                   ; status
    syscall

If I load the corresponding executable in gdb, issue catch syscall write and run the program, the write syscall will be detected. Is it possible to hide the write operation from gdb in a way similar to what is used on Windows?

Upvotes: 0

Views: 129

Answers (1)

Tom Tromey

Reputation: 22549

No, it's not possible. The code to implement ptrace catching of system calls is in the kernel, not in user space, so there's no way to avoid it.

Upvotes: 2
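The following is an added example, not code from the question or the answer above, that makes the answer's point concrete. It forks a child that issues write(2) with a bare SYSCALL instruction, exactly as the question's assembly does, with no libc wrapper and no PLT entry that could be "hidden" by copying code elsewhere. The parent then traces it with PTRACE_SYSCALL and PTRACE_O_TRACESYSGOOD, the same ptrace facility gdb's catch syscall is built on under Linux, and counts the write entries it observes. It assumes Linux on x86-64 (the inline asm and the orig_rax field of user_regs_struct are x86-64 specific) and that ptrace is permitted in the environment; the function names raw_write and count_traced_writes are this example's own.

```c
/* Added example: show that a raw SYSCALL instruction is still seen by a
 * ptrace syscall tracer, because the syscall-stop is raised by the kernel.
 * Linux x86-64 only. raw_write/count_traced_writes are hypothetical names. */
#define _GNU_SOURCE
#include <signal.h>
#include <stdio.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef __x86_64__
#error "this example relies on the x86-64 SYSCALL ABI and user_regs_struct"
#endif

/* write(2) via a bare SYSCALL instruction, as in the question's assembly:
 * rax = syscall number, rdi/rsi/rdx = arguments; the kernel clobbers rcx, r11. */
static long raw_write(int fd, const void *buf, unsigned long len)
{
    long ret;
    __asm__ volatile ("syscall"
                      : "=a"(ret)
                      : "a"((long)SYS_write), "D"((long)fd), "S"(buf), "d"(len)
                      : "rcx", "r11", "memory");
    return ret;
}

/* Fork a tracee, resume it syscall by syscall with PTRACE_SYSCALL and count
 * syscall entries whose number (orig_rax) is SYS_write.
 * Returns the count, or -1 if tracing could not be set up. */
int count_traced_writes(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {                        /* tracee */
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1)
            _exit(127);                    /* no ptrace here; do not stop forever */
        raise(SIGSTOP);                    /* hand control to the tracer first */
        raw_write(STDOUT_FILENO, "hello, world!\n", 14);
        _exit(0);
    }

    int status;
    if (waitpid(pid, &status, 0) == -1 || !WIFSTOPPED(status))
        return -1;                         /* child exited instead of stopping */
    /* Flag syscall-stops as SIGTRAP|0x80 so they differ from real SIGTRAPs. */
    ptrace(PTRACE_SETOPTIONS, pid, NULL, (void *)(long)PTRACE_O_TRACESYSGOOD);

    int writes = 0, entering = 1;
    for (;;) {
        /* Resume until the next syscall entry/exit stop, signal, or exit. */
        if (ptrace(PTRACE_SYSCALL, pid, NULL, NULL) == -1)
            return -1;
        if (waitpid(pid, &status, 0) == -1)
            return -1;
        if (WIFEXITED(status) || WIFSIGNALED(status))
            break;
        if (!WIFSTOPPED(status) || WSTOPSIG(status) != (SIGTRAP | 0x80))
            continue;                      /* some other stop; ignore it */
        if (entering) {
            struct user_regs_struct regs;
            if (ptrace(PTRACE_GETREGS, pid, NULL, &regs) == 0 &&
                regs.orig_rax == SYS_write)
                writes++;                  /* the raw SYSCALL was observed */
        }
        entering = !entering;              /* stops alternate entry/exit */
    }
    return writes;
}

int main(void)
{
    int n = count_traced_writes();
    printf("tracer observed %d write(2) entry/entries\n", n);
    return n == 1 ? 0 : 1;
}
```

Build with `gcc -O2 -o trace_write trace_write.c` and run it on a Linux x86-64 host. The tracee never calls libc's write(), yet the tracer reports exactly one write entry: the stop is generated inside the kernel on the syscall path, so there is no user-space code whose relocation or bypass could suppress it.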
