
GDBypass: A Novel Technique for Transparent Debugger Evasion in Native Executables

Keywords: anti-debugging, GDB, binary instrumentation, runtime code morphing, stealth debugging, malware analysis.

1.1 Motivation

Debuggers are the cornerstone of dynamic analysis, yet sophisticated software—particularly malware and DRM-protected applications—employs anti-debugging (ADB) techniques to detect, disrupt, or abort the analysis process. The GNU Debugger (GDB) remains the most widely used debugging interface on Linux, and consequently, a substantial body of research has focused on detecting GDB's presence (e.g., ptrace(PTRACE_TRACEME), checking /proc/<pid>/status, examining hardware breakpoint registers).

| Category | Representative Techniques |
|----------|---------------------------|
| | ptrace checks, prctl(PR_SET_DUMPABLE), /proc inspection |
| System-Call Based | syscall return-value tampering, seccomp filters, ptrace-based syscall interposition |
| Hardware-Based | Manipulation of debug registers (DR0-DR7), MSR checks (IA32_DEBUGCTL), CPU performance counters |
| Hybrid / Timing | rdtsc / clock_gettime comparisons before/after suspicious calls, instruction-level timing differences |

Build and installation:

```sh
# Build shared library
make -C src gdbypass.so

# Install privileged helper (set-uid root)
sudo cp src/gdbypass-ctl /usr/local/sbin/
sudo chmod u+s /usr/local/sbin/gdbypass-ctl

# Run a target with bypass
LD_PRELOAD=$(pwd)/src/gdbypass.so gdb -q ./protected_binary
```

The repository (https://github.com/yourorg/gdbypass) contains Dockerfiles for reproducible builds on both x86_64 and ARM64.

6.1 Test Bed

| Platform | Kernel | CPU | GCC | Glibc |
|----------|--------|-----|-----|-------|
| Ubuntu 22.04 (x86_64) | 5.15.0-76-generic | Intel i7-10700K (8 C/16 T) | 12.2 | 2.35 |
| Ubuntu 22.04 (ARM64) | 5.15.0-76-generic | Cortex-A76 (2 C) | 12.2 | 2.35 |
