
Ptrace Linux anti debugging - seblau
https://seblau.github.io/posts/linux-anti-debugging
======
wazari972
I'm not convinced that the double ptrace is really stronger than the first
one, a simple GDB.py script lets you bypass it:

        import gdb

        # Answer the first ptrace() call with 0 (success: nobody is tracing
        # me) and every later call with -1, which is what a genuine second
        # PTRACE_TRACEME returns, so the double-ptrace check sees what it
        # expects.
        first = True

        # 'return' below would otherwise wait for a y/n confirmation
        gdb.execute("set confirm off")

        class ptraceBPT(gdb.Breakpoint):
            def stop(self):
                global first
                # pop ptrace's frame with the forged return value
                gdb.execute("return (long int) {}".format("0" if first else "-1"))
                first = False
                return False  # don't stop, let the inferior keep running

        ptraceBPT("ptrace")


What would be interesting is an actual use of ptrace, something like:

        /* in a tracer that has attached to `pid` (a fork()ed copy, so &i is
         * valid there); PTRACE_PEEKDATA reports errors only through errno */
        int i = 10;
        errno = 0;
        long word = ptrace(PTRACE_PEEKDATA, pid, &i, NULL);
        if (errno != 0 || (int)word != i) printf("ptrace error");


Although it would still be hard to write a GDB breakpoint that mimics it:
everything ptrace can do, GDB can do as well :)
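
An added example of the kind of check the comment above asks for; this is my own code, not code from wazari972's comment or from the seblau post. The layout is an assumption: the parent forks a helper child, the child attaches to the parent with PTRACE_ATTACH, reads the parent's copy of a secret word with PTRACE_PEEKDATA, detaches and reports the word back over a pipe. The prctl(PR_SET_PTRACER) opt-in, the pipe-based report, the function name `ptrace_read_check` and the `check_result` enum are all my choices for illustration. If a debugger already traces the parent, the attach fails; a debugger that only forges ptrace's return value (as the GDB script above does) would also have to forge the word that comes out of PEEKDATA to pass the comparison.

```c
/* Anti-debugging check that makes ptrace do real work instead of trusting
 * its return value. Hypothetical layout (not from the post): the parent forks
 * a helper child, the child PTRACE_ATTACHes to the parent, PEEKs a secret
 * word from the parent's memory, detaches and sends the word back. */
#include <errno.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

enum check_result {
    CHECK_OK = 0,            /* helper attached and read back the expected word */
    CHECK_PTRACE_FAILED = 1, /* attach or peek failed: already traced, or ptrace unavailable */
    CHECK_BAD_VALUE = 2      /* ptrace "succeeded" but returned a different word */
};

/* What the helper child sends back to the parent (hypothetical layout). */
struct report {
    int attached; /* PTRACE_ATTACH succeeded */
    int err;      /* errno of the failing ptrace call, 0 if none */
    long word;    /* value returned by PTRACE_PEEKDATA */
};

/* Runs the check; `expected` is a constructed value placed in this process's memory. */
int ptrace_read_check(long expected)
{
    volatile long secret = expected; /* volatile: keep it at a real address */
    int fds[2];
    if (pipe(fds) == -1)
        return CHECK_PTRACE_FAILED;
#ifdef PR_SET_PTRACER
    /* Under Yama ptrace_scope=1 a process may only be attached by a
     * descendant it has explicitly allowed; opt in before the child exists.
     * Kernels without Yama return EINVAL here, which is harmless. */
    prctl(PR_SET_PTRACER, PR_SET_PTRACER_ANY, 0, 0, 0);
#endif
    pid_t parent = getpid();
    pid_t child = fork();
    if (child == -1)
        return CHECK_PTRACE_FAILED;

    if (child == 0) {
        struct report r = {0, 0, 0};
        close(fds[0]);
        if (ptrace(PTRACE_ATTACH, parent, NULL, NULL) == -1) {
            r.err = errno; /* EPERM: someone else already traces the parent, or policy forbids */
        } else {
            int st;
            /* attach stops the tracee; wait for that stop before peeking */
            while (waitpid(parent, &st, 0) == -1 && errno == EINTR)
                ;
            /* fork() copied the address space, so &secret is the same address
             * in both processes. PEEKDATA signals errors only through errno,
             * because -1 is also a legitimate word value. */
            errno = 0;
            r.word = ptrace(PTRACE_PEEKDATA, parent, (void *)&secret, NULL);
            r.err = errno;
            r.attached = 1;
            ptrace(PTRACE_DETACH, parent, NULL, NULL); /* resumes the parent */
        }
        if (write(fds[1], &r, sizeof r) != (ssize_t)sizeof r)
            _exit(1);
        _exit(0);
    }

    close(fds[1]);
    int st;
    while (waitpid(child, &st, 0) == -1 && errno == EINTR)
        ;
    struct report r;
    ssize_t n = read(fds[0], &r, sizeof r);
    close(fds[0]);
    if (n != (ssize_t)sizeof r || !r.attached || r.err != 0)
        return CHECK_PTRACE_FAILED;
    return r.word == expected ? CHECK_OK : CHECK_BAD_VALUE;
}

int main(void)
{
    static const char *names[] = {"ok", "ptrace failed", "bad value"};
    int r = ptrace_read_check(0x5eb1a0L); /* constructed secret */
    printf("ptrace read check: %s\n", names[r]);
    return r;
}
```

Two caveats for anyone reusing this: CHECK_PTRACE_FAILED is returned both when a debugger is present and when ptrace is simply unavailable (Yama ptrace_scope 2 or 3, a seccomp profile that blocks ptrace, a kernel that refuses the prctl), so the caller has to decide which failure mode it cares about. GDB detaches from forked children by default (`detach-on-fork on`, `follow-fork-mode parent`), so the helper's own ptrace calls are not visible to a breakpoint set in the parent; a bypass has to follow the child and forge the peeked word, not just the return code.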

