Anti debug (detect strace PTRACE_TRACEME) for a simple c++ program

Hi!

I am having some troubles with PTRACE_TRACEME.

#include <cstdio>          // printf()
#include <sys/ptrace.h>
#include <sys/types.h>

// Anti-debug check: PTRACE_TRACEME fails with EPERM when a tracer
// (e.g. strace) is already attached to this process.
if (ptrace(PTRACE_TRACEME, 0, 0, 0) < 0) {
    printf("being ptraced\n");
    return 1;
}


With that in place. I cannot strace. I get this error:
ptrace(PTRACE_TRACEME, 0, 0, 0)         = -1 EPERM (Operation not permitted)
fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 5), ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f9b5ec18000
write(1, "being ptraced\n", 14being ptraced
)         = 14
exit_group(1)  


And that is correct :) But my program just stops halfway through. On my Ubuntu I just get this STOPPED error:
[1]+ Stopped

If I comment out the ptrace bit, my program runs just fine.
Is this something ptrace would do?

It is not very complicated. Just some simple checks: if a file exists, if some string in the file == WORD, then run a shell command, and another.

With the ptrace code in place just the first shell command is executed, and the Stopped error comes after it completes.

I can comment out the second shell command, and I still get the Stopped error.
I have tried several ways to run shell commands, but they all give me the same result.

Any ideas? Push me in the right direction.
(I have tried to build and run on both ubuntu and Red Hat, v5 and 6, same results).

--Torgeir
I can "strip" down the code to something like this, and comment the ptrace() check in/out.
With ptrace, I get a Stopped error. Without it, it's all good.

The executable "sshpass" is from here: http://sourceforge.net/projects/sshpass/

I have my reasons for using sshpass and a password in cleartext in the code. This code is just for testing.
My "other" project uses char arrays for all strings, and a simple "hide/unhide" at runtime, so you cannot "strings" the file for text. The password is fetched from a file, which is encrypted, and decrypted at runtime, which is visible with the strace command. I just want to stop that.

This is not for a big important project, just some simple stuff that we want to secure a bit more, that's all.

#include <algorithm>
#include <cstdlib>         // system()
#include <string>
#include <sys/ptrace.h>
#include <sys/types.h>

using namespace std;

// Return the argument that follows `option` on the command line, or 0 if absent.
char* getCmdOption(char ** begin, char ** end, const std::string & option)
{
    char ** itr = std::find(begin, end, option);
    if (itr != end && ++itr != end)
    {
        return *itr;
    }
    return 0;
}

int main(int argc, char* argv[])
{
    string what_str;

    // Anti-debug check: PTRACE_TRACEME fails with EPERM when a tracer
    // (e.g. strace) is already attached to this process.
    if (ptrace(PTRACE_TRACEME, 0, 0, 0) < 0) {
        //std::cout << "being ptraced" << std::endl;
        return 1;
    }

    char *what = getCmdOption(argv, argv + argc, "-what"); // get the value after -what

    if (what) {what_str = what;}

    // if we have flag send, create the remote folder and scp a local file into it
    if (what_str == "send" ) {
        const char *ssh_mkdir_command = "sshpass -p somepass ssh -o StrictHostKeyChecking=no someuser@127.0.0.1 'mkdir -p /home/someuser/folder/'";
        system(ssh_mkdir_command);

        const char *scp_copy_command = "sshpass -p somepass scp -o StrictHostKeyChecking=no /tmp/dummy_file someuser@127.0.0.1:/home/someuser/folder/";
        system(scp_copy_command);
    }

    // if we have flag get, try to scp remote file to local /tmp path
    if (what_str == "get" ) {
        const char *get_command = "sshpass -p somepass scp -o StrictHostKeyChecking=no someuser@127.0.0.1:/home/someuser/folder/dummy_file /tmp/";
        system(get_command);
    }

    return 0;
}
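Added example, not code from the thread or from the sshpass project: the "Stopped" job is what you get once a successful PTRACE_TRACEME has made the launching shell the tracer. From then on every signal the program receives, including the SIGCHLD delivered when system()'s child exits, puts it into a ptrace signal-delivery stop, and bash, which is not a ptrace-aware tracer, reports that as a stopped job. The C program below checks for an attached tracer by reading the TracerPid field of /proc/self/status instead, which leaves no tracer relationship behind, so system() runs to completion. The status text embedded in the block is a constructed sample; the parser is run on it and on the live file. This is only a speed bump: a tracer can detach before the check, the file read can be intercepted, and with sshpass -p the password is visible to anyone who can list processes while ssh runs.

```c
/* Added example (not the poster's code): detect a ptrace-based tracer such as
 * strace by reading /proc/self/status, without calling PTRACE_TRACEME, so the
 * parent shell never becomes our tracer and SIGCHLD from system() does not
 * stop the process. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse the "TracerPid:" line of a /proc/<pid>/status text.
 * Returns the tracer's PID (0 when nobody is tracing), or -1 if the line is
 * missing. The field is only matched at the start of a line. */
long tracer_pid_from_status(const char *status_text)
{
    const char *key = "TracerPid:";
    size_t keylen = strlen(key);
    const char *p = status_text;
    while (p && *p) {
        if (strncmp(p, key, keylen) == 0) {
            return strtol(p + keylen, NULL, 10); /* strtol skips the tab */
        }
        p = strchr(p, '\n');
        if (p) p++;
    }
    return -1;
}

/* Read our own status file. Returns the tracer PID, 0 if not traced, or -1 if
 * the file cannot be read or the field is absent. */
long current_tracer_pid(void)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    char buf[4096];
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return tracer_pid_from_status(buf);
}

/* Constructed sample of the relevant part of /proc/self/status for a process
 * that strace (pid 4200) is attached to. PIDs are made up. */
static const char kSampleTraced[] =
    "Name:\tanti_debug\n"
    "Tgid:\t4242\n"
    "Pid:\t4242\n"
    "PPid:\t4200\n"
    "TracerPid:\t4200\n"
    "Uid:\t1000\t1000\t1000\t1000\n";

int main(void)
{
    long tracer = current_tracer_pid();
    if (tracer > 0) {
        fprintf(stderr, "being ptraced by pid %ld\n", tracer);
        return 1;
    }
    if (tracer < 0) {
        fprintf(stderr, "cannot read /proc/self/status; refusing to continue\n");
        return 1;
    }
    /* No tracer relationship was created above, so the SIGCHLD delivered when
     * this child exits is handled normally and the job is not stopped. */
    int rc = system("echo 'child command ran'");
    return rc == 0 ? 0 : 1;
}
```

Run it plainly and it prints the child's line and exits 0; run it under strace and it exits 1 before any command is spawned. The same check can be repeated right before the sensitive decrypt rather than only at startup, since the cost is one small file read.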