Linux antidebug 4

Content: Here is one more method to check whether your application is being debugged. Install a signal handler for SIGTRAP, the signal the kernel delivers when the program executes `int3` — interrupt 3, the software-breakpoint instruction that debuggers rely on. A debugger attached to the process sees that trap first and, by default, does not pass it on, so the handler never runs; without a debugger the handler runs and sets the flag.

Compile:

gcc main.c -o main
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
 
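#define FALSE 0
#define TRUE  1

void sig_handler( int );

/* Set to TRUE by sig_handler when SIGTRAP is actually delivered to this
 * process, i.e. when no debugger intercepted the int3 trap.
 * volatile sig_atomic_t is the only type C guarantees can be written from a
 * signal handler and read by the interrupted code without the compiler
 * caching a stale value or the access being torn. */
volatile sig_atomic_t debuging;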
 
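/*
 * Entry point: detects a debugger by raising a software breakpoint (int3).
 *
 * A ptrace-based debugger is notified of the resulting SIGTRAP before the
 * process is (gdb does not pass SIGTRAP on to the inferior by default), so
 * sig_handler never runs and `debuging` stays FALSE.  Without a debugger the
 * kernel delivers SIGTRAP to sig_handler, which sets `debuging` to TRUE.
 *
 * Prints "Nothing special" when the trap was swallowed (debugger present)
 * and "Playing seek and hide" when the handler ran.  Always exits with
 * status 1, as the original did.
 */
int main(void)
{
    debuging = FALSE;

    /* The handler must be in place before the trap is raised: with no
     * handler, SIGTRAP terminates the process.  SIG_ERR means the check
     * cannot be performed at all, so report it instead of dying silently. */
    if (signal(SIGTRAP, sig_handler) == SIG_ERR) {
        perror("signal");
        exit(1);
    }

    /* "memory" clobber: sig_handler writes `debuging` behind the compiler's
     * back, so the read below must neither be hoisted above the trap nor
     * served from a value cached before it. */
    __asm__ volatile ("int3" ::: "memory");

    if (debuging == FALSE) {
        printf("Nothing special\n");
    } else {
        printf("Playing seek and hide\n");
    }
    exit(1);
}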
 
/* SIGTRAP handler: records that the trap reached the process rather than
 * being intercepted by a debugger.  A single store, which keeps the handler
 * async-signal-safe. */
void sig_handler(int sig)
{
    (void) sig;      /* signature fixed by signal(); only SIGTRAP is installed */
    debuging = TRUE;
}

Run:

./main

Example with asm

Compile:

fasm ad4.asm ad4.o

gcc -m32 ad4.o -o ad4   (the object is 32-bit ELF and uses int 80h / ebx, so -m32 is required when linking on an x86-64 host)
format ELF
 
include 'ccall.inc'
 
SYS_EXIT    equ     1       ; i386 exit(2) syscall number (32-bit ABI, invoked via int 80h)
SIGTRAP     equ     5       ; Linux x86 SIGTRAP: the signal raised by int3 below; must match <signal.h>
TRUE        equ     1
FALSE       equ     0
section '.text' executable
 
public main
 
extrn printf
extrn exit
extrn signal
 
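; int main(void) -- debugger check via a software breakpoint.
; Installs sig_handler for SIGTRAP, then executes int3.  Under a ptrace-based
; debugger the trap is reported to the debugger first (gdb does not pass
; SIGTRAP on to the inferior by default), so the handler never runs and
; [debug] stays FALSE.  With no debugger the kernel delivers SIGTRAP to
; sig_handler, which sets [debug] to TRUE.
; Prints str1 ("Under debug") or str2 ("No debug"); never returns.
main:
    ccall   signal, SIGTRAP, sig_handler
    cmp     eax, -1                     ; SIG_ERR: with no handler installed, int3 would kill the process
    je      sig_fail
    int     3h                          ; raise SIGTRAP
    cmp     [debug], FALSE
    jne     no_dbg                      ; handler ran -> nobody intercepted the trap
    ccall   printf, str1
    jmp     to_exit                     ; was `jmp exit`: tail-jumping into exit() passed whatever sat at [esp+4] as the status
no_dbg:
    ccall   printf, str2
to_exit:
    ; Leave through libc exit() instead of a raw SYS_EXIT: exit() flushes
    ; stdio, so the message is not lost when stdout is a pipe or file (fully
    ; buffered).  Both paths now exit the same way, with status 0.
    ccall   exit, 0
sig_fail:
    ccall   exit, 1                     ; could not install the handler; the check did not run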
 
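; void sig_handler(int sig) -- SIGTRAP handler.
; Records that the trap was delivered to the process (no debugger swallowed
; it).  The signal number at [esp+4] is not needed: only SIGTRAP is installed.
; mov does not touch flags and no register is written, so nothing needs to be
; preserved for the interrupted code.
; The former `param1 equ dword [ebp+8]` was dropped: it was never used, and
; ebp is not set up as a frame pointer here, so the alias pointed at nothing
; meaningful.
sig_handler:
    mov     [debug], TRUE
    ret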
 
section '.data' writable
 
debug   db  FALSE                       ; set to TRUE by sig_handler; stays FALSE if a debugger intercepted the trap
str1    db "Under debug",0xA,0          ; printed when [debug] is still FALSE after int3
str2    db "No debug",0xA,0             ; printed when the handler ran

Tested and works for gdb and ald. Note that the check only works because those debuggers intercept SIGTRAP instead of forwarding it to the process; a debugger configured to pass the signal through, or an analyst who patches the `int3` out or flips the flag, defeats it.

Links

http://blog.binarycell.org/2011/04/simple-antidebugging-methods-part-2.html

Downloads

http://archive.main.lv/files/writeup/linux_antidebug_4/antidebug4.zip