I just stumbled upon a funny trick to detect gdb in this crackme
(btw, strace lincrack2 and it's done.): using file descriptors.
Normally, a programm has 3 file descriptors :
- 0: stdin
- 1: stdout
- 2: stderr
But, if you are running you binary under gdb, you'll notice that it opens 3 more file descriptors, and never closes them.
Example
#include <stdio.h>
#include <unistd.h>
int main(){
FILE* fd = fopen("/tmp", "r");
if(fileno(fd) > 3){
printf("Gdb detected :(\n");
_exit(1);
}
printf("No gdb detected :)\n");
return 0;
}
Result:
$ gcc detect_gdb.c && a.out
No gdb detected :)
$ gdb a.out
Reading symbols from /home/jvoisin/a.out...(no debugging symbols
found)...done.
(gdb) r
Starting program: /home/jvoisin/a.out
Gdb detected :(
[Inferior 1 (process 19872) exited with code 01]
(gdb)
Bypass
Fortunately, this can easily be bypassed :
- Break before the check, on __libc_start_main for example.
- Closes the file descriptors
- Resume
Result:
$ gdb a.out
Reading symbols from /home/jvoisin/a.out...(no debugging symbols
found)...done.
(gdb) b __libc_start_main
Breakpoint 1 at 0x400500
(gdb) r
Starting program: /home/jvoisin/a.out
Breakpoint 1, __libc_start_main (main=0x400668 , argc=1, ubp_av=0x7fffffffdfd8, init=0x400690 , fini=0x400720 ,
rtld_fini=0x7ffff7de9740 , stack_end=0x7fffffffdfc8)
(gdb) print close(3)
$1 = 0
(gdb) print close(4)
$2 = 0
(gdb) print close(5)
$3 = 0
(gdb) c
Continuing.
No gdb :)
[Inferior 1 (process 19804) exited normally]
(gdb)
You can also execute your check_gdb() function before the main, using attributes for even more fun ;)
edit This bug is now fixed in GDB 7.11