adtac
1024 days ago
The malware will then rely on actual ptrace behaviour as a check. You could instead use seccomp_unotif and let the target ptrace itself as much as it wants:
https://man.archlinux.org/man/seccomp_unotify.2.en
harryfyx
1024 days ago
I don't know reverse engineering. But I guess the ultimate solution would be running a custom OS to fake ptrace results at the kernel level?
scandinavian
1023 days ago
You can just use LD_PRELOAD to load your own version of ptrace. Not as stealthy though.
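As an added example (not scandinavian's code or anything posted in the thread), this is the kind of LD_PRELOAD shim the comment refers to: it interposes the libc ptrace wrapper so that a PTRACE_TRACEME self-check in a binary under analysis is answered with success even while a debugger is attached, and forwards every other request to the kernel unchanged. The file names noptrace.c / noptrace.so are assumptions; the build assumes glibc on Linux.

```c
/* Added example (not from the thread): an LD_PRELOAD shim that interposes
 * the libc ptrace(3) wrapper. A PTRACE_TRACEME self-check in the analysed
 * binary is answered with 0 ("success") even when a real debugger is already
 * attached; every other request is passed straight to the kernel.
 * Build (names assumed): gcc -shared -fPIC -O2 -o noptrace.so noptrace.c
 */
#define _GNU_SOURCE
#include <stdarg.h>
#include <stddef.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

/* Pure policy decision, kept separate so it can be tested without a kernel. */
int is_spoofed_request(long request)
{
    return request == PTRACE_TRACEME;
}

/* Same signature as glibc's wrapper, so the dynamic linker resolves the
 * target's ptrace() calls to this definition instead of libc's. */
long ptrace(enum __ptrace_request request, ...)
{
    va_list ap;
    va_start(ap, request);
    pid_t pid  = va_arg(ap, pid_t);
    void *addr = va_arg(ap, void *);
    void *data = va_arg(ap, void *);
    va_end(ap);

    if (is_spoofed_request(request)) {
        /* Under a debugger the real call would fail with EPERM; report
         * success instead so the anti-debug check passes. */
        return 0;
    }

    /* Forward via the raw syscall so no dlsym()/-ldl is needed. For PEEK
     * requests the kernel writes the word through the data pointer and the
     * libc wrapper returns that word, so replicate that behaviour. */
    if (request == PTRACE_PEEKTEXT || request == PTRACE_PEEKDATA ||
        request == PTRACE_PEEKUSER) {
        long word = 0;
        long rc = syscall(SYS_ptrace, request, pid, addr, &word);
        return rc < 0 ? rc : word;
    }
    return syscall(SYS_ptrace, request, pid, addr, data);
}
```

Set LD_PRELOAD in the debuggee's environment only (for gdb, `set environment LD_PRELOAD ./noptrace.so`), never in the debugger's own, since the debugger needs the real ptrace. The shim only affects calls that go through libc; a sample that issues the raw syscall itself bypasses it, which is the "not as stealthy" caveat and the reason adtac's seccomp user-notification approach, answering at the kernel boundary, is the more robust analysis setup.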
pizzapim
1023 days ago
Another way is to load an eBPF program or kernel module for this purpose.