From: andrewg at d2.net.au (Andrew Griffiths)
Subject: detecting if tracing is happening

Hi all,

In the hope of generating more signal on this list, I thought I'd throw
this up for discussion: http://felinemenace.org/~andrewg/stuff/at.c

Basically, programs on the x86 can detect the presence of tracing
programs like gdb, strace, ltrace without using external syscalls or
relying on oddities from the ptrace() interface by checking whether or
not the TRACE flag is set.

This technique/idea I noticed a while ago (probably several years ago),
when reading some old virus documents (probably something about real
mode, or so *shrug*)

As far as applicability, it seems to get false positives on my AMD 1.4G CPU
and RH 2.4.18-27.7.x kernel, although on some Intel boxes, and reports
from other people say they don't get any false positives... Then again,
generally, I get weirdness... *shrug* (gdb reporting that the currently
debugged process is running without the traceflag being set and stuff.)

As for other things, I don't claim this to be new/exciting, just
something that might be useful/entertaining for people on this list. (A
lot of people seem to trust strace for

Thanks,
Andrew Griffiths
--
<Kahless> geez, u climb the highest mountain, netstumble the highest
mast, but
you suck one cock........
<Clonefish> No thanks
<Kahless> hey, it wasn't an invitation........
<RokLobsta> or you help luigi build his house, guiseppe to get his business
going and you save the town from a meteor, but you fuck one goat....
<Kahless> that's the one
<Clonefish> Mmmmkay.....
<swarm> um
<swarm> next topic plz
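
For analysts triaging a binary, a check like the one described in this message shows up as code that reads the flags register and then tests bit 8 (TF, mask 0x100). The scanner below is an added example, not code from the post or from at.c; the three instruction encodings it matches, the 16-byte search window and the sample byte strings are assumptions chosen for illustration, and a raw byte match like this can also hit data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define EFLAGS_TF 0x100u   /* trap flag: bit 8 of EFLAGS/RFLAGS */
#define WINDOW    16       /* bytes searched after the pop (assumed) */

/* Does a test of TF in eax/ah start at p? Three encodings only. */
static int is_tf_test(const uint8_t *p, size_t left)
{
    /* test ah, 1 (F6 C4 01): AH bit 0 is EFLAGS bit 8 */
    if (left >= 3 && p[0] == 0xF6 && p[1] == 0xC4 && p[2] == 0x01)
        return 1;
    /* and eax, imm32 (25) or test eax, imm32 (A9) with imm32 == 0x100 */
    if (left >= 5 && (p[0] == 0x25 || p[0] == 0xA9)) {
        uint32_t imm = p[1] | p[2] << 8 |
                       (uint32_t)p[3] << 16 | (uint32_t)p[4] << 24;
        return imm == EFLAGS_TF;
    }
    return 0;
}

/* Offset of the first "pushf; pop eax" followed by a TF test, or -1. */
long find_tf_check(const uint8_t *code, size_t len)
{
    for (size_t i = 0; i + 1 < len; i++) {
        if (code[i] != 0x9C || code[i + 1] != 0x58)   /* pushf; pop eax */
            continue;
        size_t end = i + 2 + WINDOW < len ? i + 2 + WINDOW : len;
        for (size_t j = i + 2; j < end; j++)
            if (is_tf_test(code + j, len - j))
                return (long)i;
    }
    return -1;
}

/* Constructed samples, not taken from at.c. */
const uint8_t sample_and[]  = { 0x55, 0x9C, 0x58, 0x25, 0x00, 0x01, 0x00, 0x00, 0xC3 };
const uint8_t sample_ah[]   = { 0x9C, 0x58, 0xF6, 0xC4, 0x01, 0x75, 0x02, 0xC3 };
const uint8_t sample_zf[]   = { 0x9C, 0x58, 0x25, 0x40, 0x00, 0x00, 0x00, 0xC3 }; /* tests ZF, not TF */
const uint8_t sample_none[] = { 0x55, 0x89, 0xE5, 0x5D, 0xC3 };

int main(void)
{
    printf("and eax,0x100 sample: offset %ld\n", find_tf_check(sample_and, sizeof sample_and));
    printf("ZF-only sample:       offset %ld\n", find_tf_check(sample_zf, sizeof sample_zf));
    return 0;
}
```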