I've recently run into this code:
    if ((pid = fork()) == 0) {
        ptrace(PT_TRACE_ME, 0, 0, 0); // trace
        execl([originPath UTF8String], "", (char *) 0); // import binary memory into executable space
        exit(2); // exit with err code 2 in case we could not import (this should not happen)
    }
You probably know this, as it is some pretty basic code. The problem I have with the OS is that the child process is now "hostage", not being able to react in any way to it being "traced", as the execl() sends a SIGTRAP signal blocking the child. Can I prevent in any way an attacker from reading my process memory and dumping it to disk in this situation?