Bypassing ptrace calls with LD_PRELOAD on Linux

Hello, Here’s a quick article on how to bypass calls to ptrace when debugging a Linux executable. By calling ptrace with the PTRACE_TRACEME option, a process can detect if it’s being debugged and execute different instructions. This an effective anti-debugging technique. For example, take the following C program: 1 2 3 4 5 6 7 8 int main() { if (ptrace(PTRACE_TRACEME, 0, 0, 0) < 0) { printf("I'm being debugged!n"); } else { printf("Normal flown"); } return 0; } If we execute the program from above we get Normal flow on our screen but if we debug it with gdb we get Err: I'm being debugged! ...

January 2, 2020 · 2 min · Denis Nuțiu