Linux antidebug 4

Content: Here is one more method to check whether your application is being debugged. Install a signal handler for SIGTRAP, the signal the kernel delivers when the process executes the INT 3 breakpoint instruction (the one debuggers plant for software breakpoints). A debugger attached via ptrace normally intercepts SIGTRAP itself and does not pass it on to the program, so if the handler never runs, the process is being traced. Note that this is a heuristic: a debugger configured to pass SIGTRAP through (e.g. gdb's `handle SIGTRAP nostop noprint pass`) defeats the check.

Compile:

gcc main.c -o main
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>

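#define FALSE 0
#define TRUE  1

void sig_handler( int );

/* Set to TRUE by sig_handler when SIGTRAP is actually delivered to this
 * process; stays FALSE when a debugger intercepts the trap.  Declared
 * volatile sig_atomic_t because it is written from a signal handler and read
 * in main: the compiler must re-read it after the trap instead of assuming
 * the FALSE stored just before still holds, and the store must be atomic with
 * respect to signal delivery. */
volatile sig_atomic_t debuging;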

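/* Entry point: install a SIGTRAP handler, execute INT 3 and inspect the flag.
 * If the handler ran, the kernel delivered the trap to us (no tracer); if the
 * flag is still FALSE, something between the CPU and this process swallowed
 * SIGTRAP -- typically a ptrace-attached debugger, which by default keeps
 * breakpoint traps for itself.  Always exits with status 1. */
int main(void)
{
    debuging = FALSE;

    /* Install the handler before raising the trap; an uncaught SIGTRAP would
     * kill the process with a core dump instead of running the check. */
    if (signal(SIGTRAP, sig_handler) == SIG_ERR)
    {
        perror("signal");
        return 1;
    }

    /* "volatile" keeps the asm from being dropped as dead code and the
     * "memory" clobber forces the flag below to be re-read from memory:
     * the compiler cannot see that this instruction runs sig_handler. */
    __asm__ volatile("int3" ::: "memory");

    if (debuging == FALSE)
    {
        /* handler never ran: SIGTRAP was intercepted, i.e. we are traced */
        printf("Nothing special\n");
    } else
    {
        /* handler ran: the trap reached the process normally */
        printf("Playing seek and hide\n");
    }
    exit(1);
}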

/* SIGTRAP handler: records that the signal reached the process.  Only a
 * plain store to the shared flag, so it is async-signal-safe.  The signal
 * number is not needed. */
void sig_handler( int sig)
{
    (void)sig;
    debuging = TRUE;
}

Run:

./main

Example with asm

Compile:

fasm ad4.asm ad4.o

gcc ad4.o -o ad4   (the object is 32-bit ELF with absolute relocations; on a 64-bit host with a PIE-default toolchain use: gcc -m32 -no-pie ad4.o -o ad4)
format ELF

include 'ccall.inc'

SYS_EXIT    equ     1                   ; i386 Linux syscall number for exit (used with int 80h)
SIGTRAP     equ     5                   ; signal delivered for an INT 3 trap on x86 Linux
TRUE        equ     1
FALSE       equ     0
section '.text' executable

public main

extrn printf
extrn exit
extrn signal

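;-----------------------------------------------------------------------
; int main(void)
; Target: 32-bit x86 Linux ELF, cdecl (ccall from ccall.inc is assumed to
; push its arguments right-to-left and clean up the stack after the call).
; Installs sig_handler for SIGTRAP, executes INT 3, then inspects [debug]:
; the handler sets it to TRUE only if the kernel delivered SIGTRAP to this
; process, i.e. no ptrace-attached debugger swallowed the trap.
;-----------------------------------------------------------------------
main:
    ccall   signal, SIGTRAP, sig_handler
    int     3h                          ; raises SIGTRAP; execution resumes here

    cmp     [debug], FALSE              ; byte compare: debug is declared with db
    jne     no_dbg                      ; handler ran -> flag is TRUE -> not traced
    ccall   printf, str1                ; handler never ran: a debugger ate SIGTRAP
    jmp     to_exit

no_dbg:
    ccall   printf, str2

to_exit:
    ; Leave through libc exit(0) on both paths.  The original "Under debug"
    ; path jumped to exit with nothing on the stack, so the exit status was
    ; whatever happened to be at [esp+4]; and a raw SYS_EXIT syscall skips
    ; libc's atexit handlers, losing the buffered printf output whenever
    ; stdout is a pipe or a file instead of a terminal.
    ccall   exit, 0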

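;-----------------------------------------------------------------------
; void sig_handler(int sig)
; SIGTRAP handler: records that the signal actually reached the process.
; The signal number (at [esp+4] on entry; no frame is set up) is not used.
; Only memory is written and no register is clobbered, so returning
; straight to the kernel/libc signal trampoline is safe.
; The former "param1 equ dword [ebp+8]" was removed: ebp is never
; established here, so that definition pointed at garbage.
;-----------------------------------------------------------------------
sig_handler:
    mov     [debug], TRUE               ; byte store (debug is declared with db)
    ret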

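section '.data' writable

; Written by sig_handler, read by main after INT 3.  Stays FALSE when a
; debugger intercepts SIGTRAP before the kernel can deliver it to us.
debug   db  FALSE

; Message strings are never modified, so keep them out of the writable
; segment: a read-only .rodata denies an attacker-controlled write any
; chance to alter what printf receives.
section '.rodata'

str1    db "Under debug",0xA,0          ; printed when [debug] is still FALSE
str2    db "No debug",0xA,0             ; printed when the handler ran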

Tested and works for gdb and ald with their default signal handling. Because the check relies on the debugger not forwarding SIGTRAP, it is trivially bypassed by a debugger told to pass the signal through (gdb: `handle SIGTRAP nostop noprint pass`) or by patching the INT 3 byte out of the binary.

Links

http://blog.binarycell.org/2011/04/simple-antidebugging-methods-part-2.html

Downloads

http://archive.main.lv/files/writeup/linux_antidebug_4/antidebug4.zip