Return Styles: Pseud0ch, Terminal, Valhalla, NES, Geocities, Blue Moon.

Pages: 1-

anti-gdb trick

Name: Anonymous 2015-12-08 1:24

#include <elf.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>

// killgdb.c - prevent an elf from being loaded by gdb.
// Jeffrey Crowell <crowell [at] bu [dot] edu>
//
// $ objcopy --only-keep-debug program program.debug
// $ strip program
// $ objcopy --add-gnu-debuglink=program.debug program
// $ ./killgdb program
// $ gdb -q ./program
// Reading symbols from ./program...[1]
// 44513 segmentation fault (core dumped) gdb -q ./program

int filesize(int fd) { return (lseek(fd, 0, SEEK_END)); }

void print_section(Elf64_Shdr *shdr, char *strTab, int shNum,
uint8_t *data) {
int i;
for (i = 0; i < shNum; i++) {
size_t k;
if (!strcmp(".gnu_debuglink", &strTab[shdr[i].sh_name])) {
printf("%02d: %s Offset %lx\n", i, &strTab[shdr[i].sh_name],
shdr[i].sh_offset);
printf("Setting size to zero.\n");
shdr[i].sh_size = 0;
}
}
}

int main(int ac, char **av) {
void *data;
Elf64_Ehdr *elf;
Elf64_Shdr *shdr;
int fd;
char *strtab;

fd = open(av[1], O_RDWR);
data = mmap(NULL, filesize(fd), PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
elf = (Elf64_Ehdr *)data;
shdr = (Elf64_Shdr *)(data + elf->e_shoff);
strtab = (char *)(data + shdr[elf->e_shstrndx].sh_offset);
print_section(shdr, strtab, elf->e_shnum, (uint8_t*)data);
close(fd);
return 0;
}

Name: Anonymous 2015-12-08 1:32

but why

Name: Anonymous 2015-12-08 9:54

As neeat as this is, I don't see the practical purpose of this. Is that the point, is this nothing more than a neat hack?

Name: Cudder !cXCudderUE 2015-12-08 10:05

>>2,3
To show how absolutely retarded gdb is?

A lot of packers do this trick with the section headers too, in PE files, but I've never seen this do anything than make dumping them take one little extra step.

Name: Fudder 2015-12-08 12:24

FUD = Fear, Uncertainty and Doubt

http://www.reddit.com/r/InternetAMA

Name: Anonymous 2015-12-08 13:30

>>5
Why are you posting that shit here?

Name: Anonymous 2015-12-08 16:59

Is this "Reddit" thing a joke or are there really people here that lurk it?

Name: Anonymous 2015-12-09 8:40

>>7
Lurk it? I have over 50000 karma, pass le dank memes man. Also upboat me on hackerkikes, star me on githeb, and match me on Tinder for hot backdoor action.
Don't change these.
Name: Email:
Entire Thread Thread List
All trademarks and copyrights on this site are owned by their respective parties. All comments and posts are the responsibility of their own posters.
- Tinychan + 2ch Mode + RSS -