Static News

Implementing and Detecting Anti-Debugging with Fork() (tonygo.netlify.app)

tonygo | 10 comments

userbinator|next|[-][3 more]

I've seen this done on Windows using CreateProcess, although I believe it wasn't specifically for anti-debugging purposes but instead a process that wanted to reinitialise itself from the beginning.

A far more effective actual anti-debugging technique is to have the parent become the debugger of the child, preventing any other debugger from attaching to it.

cryptonector|parent|next|[-][2 more]

But then you can attach to the parent and cause it to stop debugging the child so you can. I think you want a process to be its own debugger; idk if ptrace(2) allows that. Then there's things like DTrace and eBPF -- I don't think you can prevent them from the target.

tonygo|root|parent|next|[-][1 more]

> A far more effective actual anti-debugging technique is to have the parent become the debugger of the child,

Do you have example of that? I am really curious, thanks for sharing tho :)

a_t48|prev|next|[-][4 more]

Does follow-fork-mode in lldb not also defeat this?

tonygo|parent|next|[-][2 more]

I tried with LLDB using `settings set target.process.follow-fork-mode child` but for some reasons I feel like it still exit from the parent process.

I also tried with a long living process: https://github.com/tony-go/antidebug-examples/tree/main/swif...

And I got this:

``` (lldb) run Process 14345 launched: '/anti-debug/swift/build/anti_debug' (arm64) start pid = 14345 exit parent process for child pid = 14348 continue as child process pid = 14348 Process 14345 exited with status = 0 (0x00000000) ```

The UI did not even appeared as it should.

Maybe I miss something in my LLDB config...

tonygo|root|parent|next|[-][1 more]

Also it could come from a messy thing in the code.

cryptonector|parent|prev|next|[-][1 more]

Yes.

pterorex|prev|next|[-][1 more]

The more you hate, the more you love.