Message-ID: <DUB111-W837E626278383276EEE01FDD750@phx.gbl>
Date:	Thu, 27 Jun 2013 10:16:59 +0000
From:	Jesper Derehag <jderehag@...mail.com>
To:	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Question: Userspace detection of ptraced process?

Hi all,

Is there a way of getting info about any task that is being ptraced (from userspace)?

I know that in more recent kernels you can get an event through a NETLINK_CONNECTOR socket.
But I was hoping that you could get the same information say through the siginfo argument to waitid or something similar?

I have tried different variations on the code below but it seems like there is no dependable way to get the siginfo while child_pid is being trapped.
I get rc=-1 when child is traced (and trapped), and therefore siginfo is undefined.

I suspect it might be due to that when you ptrace child, the tracer becomes the parent and that is why I cannot get any accurate siginfo data within the original parent?
The reason for why I do WNOHANG here is that in my application it's very important that I do not block. So I was hoping on just doing a "poll" of the pid status here.

rc = waitid(P_PID, child_pid, &info, WNOHANG);
if((rc == 0 || rc == child_pid) && info.si_pid != 0)
    if(info.si_code == CLD_TRAPPED)
        printf("child_pid=%d is being ptraced!", child_pid);

Anyway, any ideas of why waitid(..) doesn't work? And if the waitid(..) approach is not possible, are there any additional clever ways to figure out if a child is ptraced other than the NETLINK_CONNECTOR way?
EVENT_PTRACE is unfortunately not available in the kernel I am using at the moment (kernel 3.0).
And no, it's not really possible to update or patch the kernel at this point.

Thanks.

Regards,
Jesper Derehag
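
Added example, not part of the original message: one way to poll for a tracer from userspace without blocking and without NETLINK_CONNECTOR is the TracerPid field of /proc/<pid>/status, which holds the PID of the attached tracer, or 0 when the task is not traced. The function names and the sample status text are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Return TracerPid from /proc/<pid>/status text: tracer PID, 0 if untraced,
 * -1 if absent or malformed. Matched at line start only, as Name: is process-set. */
long parse_tracer_pid(const char *status)
{
    static const char key[] = "TracerPid:";

    for (const char *line = status; line && *line; ) {
        if (strncmp(line, key, sizeof(key) - 1) == 0) {
            const char *val = line + sizeof(key) - 1;
            while (*val == ' ' || *val == '\t')
                val++;
            if (*val < '0' || *val > '9')
                return -1;
            return strtol(val, NULL, 10);
        }
        line = strchr(line, '\n');
        if (line)
            line++;
    }
    return -1;
}

/* Non-blocking poll of one task: read its status file and parse TracerPid.
 * Returns -1 if the file cannot be opened (for example, the task has exited). */
long tracer_pid_of(pid_t pid)
{
    char path[64], buf[4096];
    snprintf(path, sizeof(path), "/proc/%ld/status", (long)pid);
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, sizeof(buf) - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_tracer_pid(buf);
}

int main(void)
{
    /* Constructed status text for a task traced by PID 4242. */
    const char *sample = "Name:\tworker\nState:\tt (tracing stop)\nTracerPid:\t4242\n";
    printf("sample=%ld self=%ld\n", parse_tracer_pid(sample), tracer_pid_of(getpid()));
    return 0;
}
```

The value is a snapshot: a tracer can attach or detach between two polls, so a monitor that must not miss short-lived attaches has to poll at an interval chosen with that in mind.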
