[therein]

> a) the program has to actively run its check while being ptraced to notice. If you attach to the program (which pauses it), inject your code, run your code, and then detach, the program's own code will not notice it's being ptraced, no?

Depends on if all threads were put into a paused state. Also, the program that's being debugged might have spawned some additional processes that will be checking if the parent is being ptraced.

Replace "self" with the PID you want to check if it is being traced:

  $ cat /proc/self/status  | grep Tracer                                                                                                                                                                                                                                                                                                                                                                       
  TracerPid: 0

[geofft]

Ahhh, yes, it's probably hard to track down a random subprocess somewhere that's checking and then passing that info back to the original process. (I think the subprocess could even just try to PTRACE_ATTACH the original process and see if it works.)