by userbinator 637 days ago
I've seen this done on Windows using CreateProcess, although I believe it wasn't specifically for anti-debugging purposes but instead a process that wanted to reinitialise itself from the beginning.

A far more effective actual anti-debugging technique is to have the parent become the debugger of the child, preventing any other debugger from attaching to it.


But then you can attach to the parent and cause it to stop debugging the child so you can. I think you want a process to be its own debugger; idk if ptrace(2) allows that. Then there are things like DTrace and eBPF -- I don't think you can prevent them from the target.
> A far more effective actual anti-debugging technique is to have the parent become the debugger of the child,

Do you have an example of that? I am really curious, thanks for sharing tho :)

this is how ptrace works in essence, so if you look in the man page for ptrace there's an example. you just ptrace_attach from the parent to the child pid. it couldn't be more straightforward usage of ptrace. https://man7.org/linux/man-pages/man2/ptrace.2.html

long ptrace(enum __ptrace_request op, pid_t pid, void *addr, void *data);

To debug oneself you can try https://gist.github.com/x64-elf-sh42/83393e319ad8280b8704fbe...

it prints -1 due to some failure, but you cannot attach GDB to it :P

edit 9001: it notes that the bash which spawned the exe is attached to it; not sure if that's correct or just buggy btw
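Added example (not from the thread or the linked gist) that checks both points raised above on Linux with glibc: a task cannot PTRACE_ATTACH to itself (the kernel answers EPERM, which is the -1 the gist prints), and once a parent holds its child as tracee, any further attach to that child is refused because a task has exactly one tracer. It assumes the local ptrace policy (Yama ptrace_scope, seccomp) lets a parent attach to its own child; if it does not, parent_guards_child() reports 0 rather than failing.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Self-debugging: the kernel refuses to let a task trace itself, so
 * PTRACE_ATTACH on our own pid always fails with EPERM (this is also
 * the errno a seccomp-blocked ptrace returns). Returns 1 if observed. */
int self_attach_fails(void) {
    errno = 0;
    long r = ptrace(PTRACE_ATTACH, getpid(), NULL, NULL);
    return r == -1 && errno == EPERM;
}

/* Parent-as-debugger: fork a child, attach to it, then show that a
 * second attach to the same child is refused (only one tracer allowed).
 * Returns 1 if the guard held, 0 if this environment forbids the parent
 * from tracing at all, -1 if a second attach unexpectedly succeeded. */
int parent_guards_child(void) {
    pid_t child = fork();
    if (child < 0) return 0;
    if (child == 0) {               /* child: idle until the parent kills us */
        for (;;) pause();
    }
    int status, result;
    if (ptrace(PTRACE_ATTACH, child, NULL, NULL) == -1) {
        result = 0;                 /* Yama/seccomp policy denied the attach */
    } else {
        waitpid(child, &status, 0); /* child is now stopped under our control */
        errno = 0;
        long again = ptrace(PTRACE_ATTACH, child, NULL, NULL);
        result = (again == -1 && errno == EPERM) ? 1 : -1;
        ptrace(PTRACE_DETACH, child, NULL, NULL);
    }
    kill(child, SIGKILL);
    waitpid(child, &status, 0);     /* reap the child */
    return result;
}

int main(void) {
    printf("self-attach refused: %d\n", self_attach_fails());
    printf("second attach to guarded child refused: %d\n", parent_guards_child());
    return 0;
}
```

From another shell, `gdb -p <child pid>` fails the same way while the parent holds the child, which is exactly what the thread describes; attaching to the parent and detaching it is what lifts the guard.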

Thanks a lot :)

I think that I should dig more on ptrace! Maybe a next post?