发信人: jjk (UNIX+C+XML+?? 傻了?), 信区: Linux
标 题: Anti debugger(转寄)[转载]
发信站: 荔园晨风BBS站 (Wed Apr 24 18:09:49 2002), 转信
【 以下文字转载自 jjk 的信箱 】
【 原文由 jjk.bbs@apue.dhs.org 所发表 】
发信人: lgx (lgx), 信区: CompSci
标 题: Anti debugger
发信站: UNIX编程 (2002年04月11日21:27:07 星期四), 站内信件
trojan 中的反跟踪代码:
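// Anti-tracing heuristic taken from a trojan sample: a throwaway child tries to
// PTRACE_ATTACH to its parent. A process can have only one tracer, so a failed
// attach is read as "a debugger is already attached to us".
//
// Returns 1 if the caller appears to be traced, 0 otherwise. Every failure of
// pipe()/fork()/read() also yields 0, i.e. the check fails open.
//
// Side effects: SIGCHLD is set to SIG_IGN for the whole process so the helper
// child is reaped automatically; on the "not traced" path the parent is
// briefly stopped by the attach and resumed by PTRACE_DETACH / SIGCONT.
//
// Analyst note: the attach can fail for reasons unrelated to a debugger (a
// Yama ptrace_scope that forbids attaching to a non-descendant, a seccomp
// policy or container that denies ptrace), so a result of 1 is not proof of a
// tracer. The child->parent PTRACE_ATTACH immediately followed by SIGCONT is
// itself a distinctive syscall sequence for audit/EDR rules.
//
// Fixes relative to the posted listing: the stray closing brace after the
// read() check is gone, the parent closes the pipe's write end before reading
// (otherwise a child that dies before writing, or a failed fork(), leaves the
// parent blocked in read() forever), and both pipe descriptors are closed on
// every return path.
int is_debugging(void)
{
    int p[2];
    unsigned char is_traced = 0, no = 0xff, yes = 0xfe;
    pid_t child;

    signal(SIGCHLD, SIG_IGN);
    if (pipe(p) < 0) {
        return 0;
    }
    child = fork();
    if (child == 0) {
        // Child: only the write end is used here.
        close(p[0]);
        if (ptrace(PTRACE_ATTACH, getppid(), NULL, NULL) < 0) {
            // Attach refused: report "traced" (0xfe).
            (void)write(p[1], &yes, 1);
        } else {
            // Attach worked: report "not traced" (0xff), then release the
            // parent, which was stopped by the attach.
            (void)write(p[1], &no, 1);
            ptrace(PTRACE_DETACH, getppid(), NULL, NULL);
            kill(getppid(), SIGCONT);
        }
        _exit(0);
    }
    // Parent (child > 0) or fork() failure (child < 0): drop the write end so
    // read() sees EOF instead of blocking when no child ever writes.
    close(p[1]);
    if (child < 0 || read(p[0], &is_traced, 1) != 1) {
        close(p[0]);
        return 0;
    }
    close(p[0]);
    return (is_traced == yes);
}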
0x804a5cc: push %ebp ; is_debugging(): prologue
0x804a5cd: mov %esp,%ebp
0x804a5cf: sub $0xc,%esp ; locals: p[2] at -8, yes at -9, no at -10, is_traced at -11 (ebp-relative)
0x804a5d2: push %esi
0x804a5d3: push %ebx
0x804a5d4: movb $0xfe,0xfffffff7(%ebp) ; yes = 0xfe  (ebp-9)
0x804a5d8: movb $0xff,0xfffffff6(%ebp) ; no  = 0xff  (ebp-10)
0x804a5dc: push $0x1 ; SIG_IGN
0x804a5de: push $0x11 ; SIGCHLD (17)
0x804a5e0: push $0x30 ; 48 = i386 signal() syscall number; the helpers below appear to take the syscall number as their first argument
0x804a5e2: call 0x8049624 ; signal(SIGCHLD,SIG_IGN);
0x804a5e7: push $0x14 ; 20 = getpid
0x804a5e9: call 0x8049604 ; getpid() -- own pid, captured BEFORE fork; the child reuses it as its parent's pid (the C source calls getppid() in the child instead)
0x804a5ee: mov %eax,%esi ; esi = pid of this (future parent) process
0x804a5f0: lea 0xfffffff8(%ebp),%ebx ; ebx = &p[0]
0x804a5f3: push %ebx
0x804a5f4: push $0x2a ; 42 = pipe
0x804a5f6: call 0x8049610 ; pipe
0x804a5fb: add $0x18,%esp ; pop the 6 pushed arguments
0x804a5fe: test %eax,%eax
0x804a600: jl 0x804a69d ; pipe() < 0 -> return 0
0x804a606: push $0x2 ; 2 = fork
0x804a608: call 0x8049604 ; fork
0x804a60d: add $0x4,%esp
0x804a610: test %eax,%eax
0x804a612: jne 0x804a680 ; nonzero (parent, or a failed fork) -> parent path
0x804a614: pushl 0xfffffff8(%ebp) ; p[0]
0x804a617: push $0x6 ; 6 = close
0x804a619: call 0x8049610 ; close(pipe[0]);
0x804a61e: push $0x0
0x804a620: push $0x0
0x804a622: push %esi ; ppid (saved before the fork)
0x804a623: push $0x10 ; PTRACE_ATTACH (16)
0x804a625: call 0x804a5a8 ;
ptrace(PTRACE_ATTACH,ppid,0,0)
0x804a62a: add $0x18,%esp ; pop close()'s 2 + ptrace()'s 4 arguments
0x804a62d: test %eax,%eax
0x804a62f: jge 0x804a648 ; attach succeeded -> "not traced" branch
0x804a631: push $0x1 ; attach failed: report "traced"
0x804a633: lea 0xfffffff7(%ebp),%eax ; &yes (0xfe)
0x804a636: push %eax
0x804a637: pushl 0x4(%ebx) ; p[1]
0x804a63a: push $0x4 ; 4 = write
0x804a63c: call 0x804963c ; write(pipe[1],'\xfe',1);
0x804a641: add $0x10,%esp
0x804a644: jmp 0x804a674 ; -> child exit
0x804a646: mov %esi,%esi ; alignment padding (no-op)
0x804a648: push $0x1 ; attach succeeded: report "not traced"
0x804a64a: lea 0xfffffff6(%ebp),%eax ; &no (0xff)
0x804a64d: push %eax
0x804a64e: pushl 0x4(%ebx) ; p[1]
0x804a651: push $0x4 ; 4 = write
0x804a653: call 0x804963c ; write(pipe[1],'\xff',1)
0x804a658: push $0x0
0x804a65a: push $0x0
0x804a65c: push %esi ; ppid
0x804a65d: push $0x11 ; PTRACE_DETACH (17)
0x804a65f: call 0x804a5a8 ; ptrace(PTRACE_DETACH,ppid,0,0)
0x804a664: add $0x20,%esp ; pop write()'s 4 + ptrace()'s 4 arguments
0x804a667: push $0x12 ; SIGCONT (18)
0x804a669: push %esi ; ppid
0x804a66a: push $0x25 ; 37 = kill
0x804a66c: call 0x8049624 ; kill(ppid,SIGCONT); -- resume the parent stopped by the attach
0x804a671: add $0xc,%esp
0x804a674: push $0x0 ; exit status 0
0x804a676: push $0x1 ; 1 = exit
0x804a678: call 0x8049610 ; exit(0); child process terminates
0x804a67d: add $0x8,%esp
0x804a680: push $0x1 ; parent process: read one byte from the child
0x804a682: lea 0xfffffff5(%ebp),%eax ; &is_traced (ebp-11)
0x804a685: push %eax
0x804a686: pushl 0xfffffff8(%ebp) ; p[0]
0x804a689: push $0x3 ; 3 = read
0x804a68b: call 0x804963c ; read(pipe[0],&is_traced,1); -- p[1] is never closed here, so this blocks forever if the child dies before writing
0x804a690: cmp $0x1,%eax
0x804a693: jne 0x804a69d ; short read -> return 0
0x804a695: mov 0xfffffff6(%ebp),%al ; al = no (0xff)
0x804a698: cmp %al,0xfffffff5(%ebp) ; is_traced == no ?
0x804a69b: jne 0x804a6a4 ; any byte other than 0xff -> return 1 (the C source compares against yes instead)
0x804a69d: xor %eax,%eax ; return 0
0x804a69f: jmp 0x804a6a9
0x804a6a1: lea 0x0(%esi),%esi ; alignment padding (no-op)
0x804a6a4: mov $0x1,%eax ; return 1
0x804a6a9: lea 0xffffffec(%ebp),%esp ; epilogue; note neither pipe fd is closed on the parent path
0x804a6ac: pop %ebx
0x804a6ad: pop %esi
0x804a6ae: leave
0x804a6af: ret
--
※ 来源:·UNIX编程 apue.dhs.org·[FROM: 202.108.135.6] --
※ 转寄:·UNIX编程 apue.dhs.org·[FROM: 210.39.3.50]
--
※ 转载:·荔园晨风BBS站 bbs.szu.edu.cn·[FROM: 192.168.0.146]