Skip to content

Instantly share code, notes, and snippets.

@poxyran

poxyran/Easy bypass for ptrace(PTRACE_TRACEME, 0, 0) in GDB)

Last active October 29, 2024 22:40
Show Gist options
  • Save poxyran/71a993d292eee10e95b4ff87066ea8f2 to your computer and use it in GitHub Desktop.
Save poxyran/71a993d292eee10e95b4ff87066ea8f2 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
Easy bypass for ptrace(PTRACE_TRACEME, 0, 0) in GDB)
Start GDB and execute the following commands:
catch syscall ptrace
commands 1
set ($eax) = 0
continue
end
Then, run the app and voilá! you can debug your program :)
Example:
{{{
zulma@palermo:~$ gdb ./Downloads/zwiebel
GNU gdb (Ubuntu 7.7.1-0ubuntu5~14.04.2) 7.7.1
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
warning: ~/.gdbinit.local: No such file or directory
Reading symbols from ./Downloads/zwiebel...(no debugging symbols found)...done.
gdb$ b main
Breakpoint 1 at 0x400800
gdb$ r
Starting program: /home/zulma/Downloads/zwiebel
:(
[Inferior 1 (process 10646) exited with code 0377]
-----------------------------------------------------------------------------------------------------------------------[regs]
RAX:Error while running hook_stop:
No registers.
gdb$
}}}
The program executed normally and didn't stop in the breakpoint at main.
Now, the glory commands:
{{{
zulma@palermo:~$ gdb ./Downloads/zwiebel
GNU gdb (Ubuntu 7.7.1-0ubuntu5~14.04.2) 7.7.1
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
warning: ~/.gdbinit.local: No such file or directory
Reading symbols from ./Downloads/zwiebel...(no debugging symbols found)...done.
gdb$ catch syscall ptrace
Catchpoint 1 (syscall 'ptrace' [101])
gdb$ commands 1
Type commands for breakpoint(s) 1, one per line.
End with a line saying just "end".
>set ($rax) = 0
>continue
>end
gdb$ b main
Breakpoint 2 at 0x400800
gdb$ r
Starting program: /home/zulma/Downloads/zwiebel
-----------------------------------------------------------------------------------------------------------------------[regs]
RAX: 0xFFFFFFFFFFFFFFDA RBX: 0x0000000000000001 RBP: 0x0000000000000002 RSP: 0x00007FFFFFFFDD78 o d I t S z a p c
RDI: 0x0000000000000000 RSI: 0x0000000000000000 RDX: 0x0000000000000000 RCX: 0xFFFFFFFFFFFFFFFF RIP: 0x00007FFFF7B073EE
R8 : 0x00000000FFFFFFFF R9 : 0x00007FFFF7DEA530 R10: 0x0000000000000000 R11: 0x0000000000000282 R12: 0x0000000000601000
R13: 0x00007FFFFFFFDEB8 R14: 0x00007FFFFFFFDEA8 R15: 0x0000000000000001
CS: 0033 DS: 0000 ES: 0000 FS: 0000 GS: 0000 SS: 002B
-----------------------------------------------------------------------------------------------------------------------[code]
=> 0x7ffff7b073ee <ptrace+78>: cmp rax,0xfffffffffffff000
0x7ffff7b073f4 <ptrace+84>: ja 0x7ffff7b07416 <ptrace+118>
0x7ffff7b073f6 <ptrace+86>: test rax,rax
0x7ffff7b073f9 <ptrace+89>: js 0x7ffff7b07414 <ptrace+116>
0x7ffff7b073fb <ptrace+91>: cmp r8d,0x2
0x7ffff7b073ff <ptrace+95>: ja 0x7ffff7b07414 <ptrace+116>
0x7ffff7b07401 <ptrace+97>: mov rax,QWORD PTR [rip+0x2cba60] # 0x7ffff7dd2e68
0x7ffff7b07408 <ptrace+104>: mov DWORD PTR fs:[rax],0x0
-----------------------------------------------------------------------------------------------------------------------------
Catchpoint 1 (call to syscall ptrace), 0x00007ffff7b073ee in ptrace (request=PTRACE_TRACEME) at ../sysdeps/unix/sysv/linux/ptrace.c:45
45 ../sysdeps/unix/sysv/linux/ptrace.c: No such file or directory.
-----------------------------------------------------------------------------------------------------------------------[regs]
RAX: 0xFFFFFFFFFFFFFFFF RBX: 0x0000000000000001 RBP: 0x0000000000000002 RSP: 0x00007FFFFFFFDD78 o d I t S z a p c
RDI: 0x0000000000000000 RSI: 0x0000000000000000 RDX: 0x0000000000000000 RCX: 0xFFFFFFFFFFFFFFFF RIP: 0x00007FFFF7B073EE
R8 : 0x00000000FFFFFFFF R9 : 0x00007FFFF7DEA530 R10: 0x0000000000000000 R11: 0x0000000000000282 R12: 0x0000000000601000
R13: 0x00007FFFFFFFDEB8 R14: 0x00007FFFFFFFDEA8 R15: 0x0000000000000001
CS: 0033 DS: 0000 ES: 0000 FS: 0000 GS: 0000 SS: 002B
-----------------------------------------------------------------------------------------------------------------------[code]
=> 0x7ffff7b073ee <ptrace+78>: cmp rax,0xfffffffffffff000
0x7ffff7b073f4 <ptrace+84>: ja 0x7ffff7b07416 <ptrace+118>
0x7ffff7b073f6 <ptrace+86>: test rax,rax
0x7ffff7b073f9 <ptrace+89>: js 0x7ffff7b07414 <ptrace+116>
0x7ffff7b073fb <ptrace+91>: cmp r8d,0x2
0x7ffff7b073ff <ptrace+95>: ja 0x7ffff7b07414 <ptrace+116>
0x7ffff7b07401 <ptrace+97>: mov rax,QWORD PTR [rip+0x2cba60] # 0x7ffff7dd2e68
0x7ffff7b07408 <ptrace+104>: mov DWORD PTR fs:[rax],0x0
-----------------------------------------------------------------------------------------------------------------------------
Catchpoint 1 (returned from syscall ptrace), 0x00007ffff7b073ee in ptrace (request=PTRACE_TRACEME) at ../sysdeps/unix/sysv/linux/ptrace.c:45
45 in ../sysdeps/unix/sysv/linux/ptrace.c
-----------------------------------------------------------------------------------------------------------------------[regs]
RAX: 0x0000000000400800 RBX: 0x0000000000000000 RBP: 0x0000000000000000 RSP: 0x00007FFFFFFFDDC8 o d I t s Z a P c
RDI: 0x0000000000000001 RSI: 0x00007FFFFFFFDEA8 RDX: 0x00007FFFFFFFDEB8 RCX: 0xFFFFFFFFFFFFFFFF RIP: 0x0000000000400800
R8 : 0x00000000FFFFFFFF R9 : 0x00007FFFF7DEA530 R10: 0x0000000000000000 R11: 0x0000000000000282 R12: 0x00000000004006D0
R13: 0x00007FFFFFFFDEA0 R14: 0x0000000000000000 R15: 0x0000000000000000
CS: 0033 DS: 0000 ES: 0000 FS: 0000 GS: 0000 SS: 002B
-----------------------------------------------------------------------------------------------------------------------[code]
=> 0x400800 <main>: push r15
0x400802 <main+2>: push r14
0x400804 <main+4>: push rbx
0x400805 <main+5>: mov edi,0x400907
0x40080a <main+10>: xor eax,eax
0x40080c <main+12>: call 0x400660 <printf@plt>
0x400811 <main+17>: mov rdi,QWORD PTR [rip+0x225788] # 0x625fa0 <stdout@@GLIBC_2.2.5>
0x400818 <main+24>: call 0x4006a0 <fflush@plt>
-----------------------------------------------------------------------------------------------------------------------------
Breakpoint 2, 0x0000000000400800 in main ()
gdb$
}}}
Now, the program stopped at main :) and we can continue with our debugging session.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment