From: andrewg at d2.net.au (Andrew Griffiths)
Subject: detecting if tracing is happening

Hi all,

In the hope of generating more signal on this list, I thought I'd throw 
this up for discussion: http://felinemenace.org/~andrewg/stuff/at.c

Basically, programs on the x86 can detect the presence of tracing 
programs like gdb, strace, ltrace without using external syscalls or 
relying on oddities from the ptrace() interface by checking whether or 
not the TRACE flag is set.

This technique/idea I noticed a while ago (probably several years ago), 
when reading some old virus documents (probably something about real 
mode, or so *shrug*).

As far as applicability, it seems to get false positives on my AMD 1.4G CPU 
and RH 2.4.18-27.7.x kernel, although on some Intel boxes, and reports 
from other people say they don't get any false positives... Then again, 
generally, I get weirdness... *shrug* (gdb reporting that the currently 
debugged process is running without the traceflag being set and stuff.)

As for other things, I don't claim this to be new/exciting, just 
something that might be useful/entertaining for people on this list. (A 
lot of people seem to trust strace for

Thanks,
Andrew Griffiths

-- 
<Kahless> geez, u climb the highest mountain, netstumble the highest 
mast, but
you suck one cock........
<Clonefish> No thanks
<Kahless> hey, it wasn't an invitation........
<RokLobsta> or you help luigi build his house, guiseppe to get his business
going and you save the town from a meteor, but you fuck one goat....
<Kahless> that's the one
<Clonefish> Mmmmkay.....
<swarm> um
<swarm> next topic plz


