by maffydub 1023 days ago
I've seen this used preemptively - have the process ptrace itself on startup (and then do nothing with it) to make it impossible (or at least far-from-trivial) for other interested parties to ptrace it.

You can just patch the call then, right? I.e., turn it into NOPs.
Yes. Or if it's using dynamic libraries and not compiled static, you can use LD_PRELOAD and overwrite ptrace() to do nothing. You don't have to patch anything then, which might be easier.

  /* myptrace.c: shadows libc's ptrace() so a PTRACE_TRACEME self-check always sees success */
  long ptrace(long request, long pid, void *addr, void *data) {
      (void)request; (void)pid; (void)addr; (void)data;   /* unused */
      return 0;
  }
And compile it:

  gcc -shared -fPIC myptrace.c -o myptrace.so
Afterwards you can either

  LD_PRELOAD=./myptrace.so ./thebinary                               # from the shell
  LD_PRELOAD=./myptrace.so ltrace -S -l ./myptrace.so ./thebinary    # under ltrace (-S also shows syscalls)
or for gdb

  set environment LD_PRELOAD=./myptrace.so
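
Added example, not code from the thread: a stand-alone C program that does the startup self-ptrace the first comment describes, so you can watch the LD_PRELOAD stub above defeat it. It assumes Linux with glibc; guard_via_libc(), guard_via_raw_syscall() and the result enum are names made up for this example. The raw-syscall variant goes one step past the thread: it shows why the LD_PRELOAD trick only covers the libc symbol, not the system call itself.

```c
/* Added example (not code from the HN thread): the startup self-ptrace guard
 * described above, in two flavours. Assumes Linux with glibc; the names
 * guard_via_libc/guard_via_raw_syscall and the enum are this example's own. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <unistd.h>

/* glibc's own prototype, repeated so this also builds under strict -std=c99,
 * where unistd.h does not expose syscall(). */
extern long syscall(long number, ...);

enum guard_result {
    GUARD_CLEAN  = 0, /* PTRACE_TRACEME succeeded: nobody was tracing us; our parent is now */
    GUARD_TRACED = 1, /* EPERM: a debugger, or an earlier TRACEME, already holds us */
    GUARD_ERROR  = 2  /* ptrace refused for another reason (sandbox, ENOSYS, ...) */
};

static enum guard_result classify(long rc, int err)
{
    if (rc == 0)
        return GUARD_CLEAN;
    return err == EPERM ? GUARD_TRACED : GUARD_ERROR;
}

/* Flavour 1: libc's ptrace(). This is the symbol the LD_PRELOAD stub in the
 * thread shadows, so with that stub loaded this reports GUARD_CLEAN no matter
 * who is attached. */
enum guard_result guard_via_libc(void)
{
    errno = 0;
    long rc = ptrace(PTRACE_TRACEME, 0, NULL, NULL);
    return classify(rc, errno);
}

/* Flavour 2: the raw system call. The dynamic linker interposes symbols, not
 * syscall instructions, so a preloaded ptrace() stub never sees this path.
 * (A stub for syscall() itself, or patching the binary, still would.) */
enum guard_result guard_via_raw_syscall(void)
{
    errno = 0;
    long rc = syscall(SYS_ptrace, PTRACE_TRACEME, 0, NULL, NULL);
    return classify(rc, errno);
}

static const char *describe(enum guard_result r)
{
    static const char *const names[] = { "clean", "traced", "error" };
    return names[r];
}

int main(void)
{
    /* First guard: on a plain run this succeeds and makes our parent our
     * tracer, which is exactly what stops a later debugger from attaching. */
    enum guard_result first = guard_via_libc();
    printf("libc ptrace(PTRACE_TRACEME):   %s\n", describe(first));

    /* Second guard: after a successful first call this says "traced", because
     * we already are (by our parent). Under the LD_PRELOAD stub the first call
     * never reached the kernel, so this one reports the real state: "clean"
     * when run plain, "traced" under gdb or ltrace. */
    enum guard_result second = guard_via_raw_syscall();
    printf("raw SYS_ptrace PTRACE_TRACEME: %s\n", describe(second));

    /* A real guard would refuse to continue (or quietly corrupt its own
     * state) on GUARD_TRACED rather than just report it. */
    return first == GUARD_CLEAN ? 0 : 1;
}
```

Build with `gcc -o guard guard.c`. Run plain and the first line says clean, the second traced. Run as `LD_PRELOAD=./myptrace.so ./guard` and the first line is always clean; run that same command under gdb or ltrace and the raw-syscall line flips to traced, which is the check a stub on ptrace() alone does not get past. One practical caveat of the technique itself: a successful PTRACE_TRACEME leaves the shell as the tracer, so a later crash in the guarded program stops it at the signal, waiting for a PTRACE_CONT that never comes, instead of killing it.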
Thanks, both! This was used in a static build that decrypted and checksummed its binary before execution, which ruled out naive implementations of the attacks above. I agree there are ways round these too, but I believe it was just intended to discourage amateurs rather than protect against serious hacking.