Parsi Coders
anti-debug.c - نسخه قابل چاپ

+- Parsi Coders (http://parsicoders.com)
+-- انجمن: Cracking / Anti Crack (http://parsicoders.com/forumdisplay.php?fid=75)
+--- انجمن: Anti Debug (http://parsicoders.com/forumdisplay.php?fid=76)
+--- موضوع: anti-debug.c (/showthread.php?tid=939)

anti-debug.c - Amin_Mansouri - 09-28-2011

کد:
/*
* Thx Silvio Cesare Doc Anti-debug and special thx zert for other info :)
*/


#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
#include <termios.h>

#include <sys/types.h>
#include <sys/stat.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <sys/syscall.h>
#include <asm/unistd.h>

#include "printf.h"


int
check_gdb_getenv(void) {

    extern char *__progname;

    if (!getenv("_")) {
        eprintf("Not Support for _ in this Shell\n");
        return 0;
    }
    
    if (strstr(getenv("_"), __progname) == 0) {
        eprintf("Detected Posible Debug with %s\n", getenv("_"));
        return 1;
    }

return 0;
}

int
check_gdb_fd(void) {

    if (close(3) == 0) {
        eprintf("GDB Detected!\n");
        return 1;
    }

return 0;
}

int
check_ptrace(pid_t pid) {

#if defined(__Linux__)  
    if (pid) {
        if (ptrace(PTRACE_ATTACH, pid, 0, 0) < 0) {
            eprintf("ptrace(): Detected! -> %s\n",strerror(errno));
            return 1;
        }
    }
    else
        if (ptrace(PTRACE_TRACEME, pid, 0, 0) < 0) {
            eprintf("ptrace(): Detected! -> %s\n",strerror(errno));
            return 1;
        }
#endif
    
return 0;
}

int
check_breakpoint(void *addr, int offset) {

    if ((*(volatile unsigned *)((unsigned)addr + offset) & 0xff) == 0xcc) {
        eprintf("Warning: breakpoint(%p + %d): Breakpoint Detected!\n", addr, offset);
        exit(2);
    }

return 0;
}

unsigned int
func_size(void *addr) {

    unsigned int byte = 1;
    unsigned int _break = 1;

    //     0x55 == push %ebp
    //     0xc3 == ret
    
    do {    
        /*    
        if ((*(volatile unsigned *)((unsigned)addr+byte) & 0xff) == 0xc3) {
            _break=1;
        }
        */
        if ((*(volatile unsigned *)((unsigned)addr+byte) & 0xff) == 0x55) {
            if (_break) {
            break;
            }
        }
    } while (byte++);

return byte;
}

pid_t getsid(pid_t );
pid_t getpgid(pid_t );

int
check_sid(void) {
/*
    printf("getsid: %d\n", getsid(0));
    printf("getppid: %d\n", getppid());
    printf("getpgid: %d\n", getpgid(0));

    if (getsid(0) != getppid()) {
        return 1;
    }
*/
return 0;

}