GDBypass
| Detection Technique | Typical Code Pattern | gdbypass Countermeasure |
|---------------------|----------------------|--------------------------|
| ptrace(PTRACE_TRACEME) self-trace | if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1) exit(1); | Wrapper returns -1 with errno = EPERM, making the check fail (as if a debugger is already attached). |
| prctl(PR_SET_DUMPABLE, 0) | prctl(PR_SET_DUMPABLE, 0); (disables core dumps) | Wrapper simply ignores the call, preserving the default dumpable state so GDB can still attach. |
| Reading /proc/self/status | fopen("/proc/self/status") → parse "TracerPid" | Wrapper intercepts open/fopen for that path and returns a virtual file descriptor that yields a string with TracerPid: 0. |
| /proc/<pid>/maps checks for "gdb" | Scans memory maps for a line containing "gdb" | Intercepts open for the maps file and filters out any lines mentioning gdb. |
| raise(SIGTRAP) (self-generated breakpoints) | raise(SIGTRAP); | Wrapper for raise silently discards SIGTRAP when the signal originates from the debugger itself. |
| syscall(SYS_getpid) vs. getppid mismatch | Compare parent PID to a known value | No direct bypass needed; the wrapper only masks the "tracer PID" field in /proc. |
| Timing-based checks (e.g., clock_gettime before/after ptrace) | Detect debugger latency | Not covered automatically; developers can add custom delay-mask callbacks. |
Keywords: anti‑debugging, GDB, binary instrumentation, runtime code morphing, stealth debugging, malware analysis.
Modern software (especially DRM, anti-cheat, and some malware) often contains checks such as ptrace(PTRACE_TRACEME), prctl(PR_SET_DUMPABLE), or direct reads of /proc/self/status. When one of these checks detects a debugger, the binary aborts, displays a fake error, or triggers evasive behavior. gdbypass neutralises many of those checks, allowing analysts to step through the code, inspect memory, and capture runtime data without triggering the anti-debug logic.
GDBypass consists of three primary components:
This work makes the following contributions:
Dynamic binary analysis tools such as the GNU Debugger (GDB) are indispensable for reverse engineering, vulnerability research, and malware analysis. However, modern adversaries increasingly employ anti-debugging mechanisms that detect and thwart the presence of a debugger. In this paper we introduce GDBypass, a lightweight, architecture-agnostic framework that lets GDB debug native binaries without being detected by them, while preserving functional correctness. GDBypass leverages a combination of runtime code morphing, system-call interposition, and hardware breakpoint cloaking to hide the debugger's presence from the target process. We present a systematic evaluation on Linux-x86_64 and Linux-ARM64 platforms, demonstrating that GDBypass defeats a suite of 27 state-of-the-art anti-debugging checks (including ptrace, procfs, prctl, and timing-based heuristics) while incurring an average overhead of 3.2 % in wall-clock time and 1.8 % in memory consumption. Our findings suggest that existing defensive tools must be redesigned to account for the stealth capabilities offered by GDBypass.
| Section | Content |
|---------|---------|
| 2 | Background & Related Work |
| 3 | Threat Model & Assumptions |
| 4 | Design of GDBypass |
| 5 | Implementation Details |
| 6 | Experimental Evaluation |
| 7 | Discussion & Countermeasure Recommendations |
| 8 | Conclusion & Future Work |
| A | Full Source-Code Repository & Reproducibility Package |