-1

In code, I'd use

```c
#include <sys/types.h>
#include <sys/ptrace.h>

ptrace(PT_DENY_ATTACH, 0, 0, 0);
```

to deny attaching to the process. I was wondering if there was a way to rename "ptrace()" to something less obvious. I tried copying ptrace.h into my own header file and changing int ptrace to something else, but that just failed with an undefined symbol error. And I can't find any other references to the function :\

Thank you in advance for anything on this.

JamesT
  • why do you want to rename it? – Mat Apr 14 '11 at 10:14
  • because if I use this as part of preventing binary cracks, it's easy to just patch it out, or set a breakpoint on ptrace in gdb. If it's not called ptrace or anything obvious, it's harder to find. – JamesT Apr 14 '11 at 10:17
  • correction, not preventing, just making it as difficult as possible. :) – JamesT Apr 14 '11 at 10:18
  • Note that any macro-magic you do in your C files doesn't change the fact that the method in memory during runtime is still referenced by the `ptrace` symbol, so that wouldn't in any way foil attacks that inject code at runtime. – Joachim Sauer Apr 14 '11 at 10:30
  • `ptrace(PT_DENY_ATTACH, ...)` won’t help you anyway, because there is a Kernel Extension that is widely used by software pirates to bypass it. – al45tair Apr 14 '11 at 16:01

2 Answers

3

ptrace is a system call. Even if you renamed that function in your C code, the actual ptrace call would still have to be made, so it would be visible in, for example, strace output (with all the parameters).

Using a macro trick will only make it very slightly less obvious (you'd need two greps instead of one to find it in your codebase). So I don't really see the point. (A macro trick would not change anything to the compiled code.)

You could try running the actual syscall yourself with syscall, but that's a lot of work and still wouldn't hide anything from strace up to that point. It would make it just a tiny bit harder to break there in gdb.

So IMO: what you're trying to do is not worth the effort.

Mat
  • There’s no such thing as `strace` on Mac OS X, though you could use `dtrace` to do something similar I expect. – al45tair Apr 14 '11 at 16:00
-1

Use #define in your header to create a new macro:

```c
#define MyTrace(a,b,c,d) ptrace(a,b,c,d)
```

Amey
  • Thank you for the answer. Will doing "break ptrace" in gdb still work after doing the above? – JamesT Apr 14 '11 at 10:24
  • Yes it will. #define is a preprocessor directive, so the preprocessor will replace all calls to MyTrace with calls to ptrace before compiling the binary. Like everyone said before me, the symbol will still be present as ptrace. – Amey Apr 14 '11 at 10:56
  • Is there a way to make setting a breakpoint at ptrace() hit a dummy function and not the actual one? For example, putting another ptrace call before the pt_deny_attach ptrace call? – JamesT Apr 14 '11 at 11:10