proot-me / proot

chroot, mount --bind, and binfmt_misc without privilege/setup for Linux
https://proot-me.github.io
GNU General Public License v2.0

check tracer pid #335

Open w296488320 opened 1 year ago

w296488320 commented 1 year ago

Hi there, the great developer. I found that some programs do anti-debug detection at startup, like detecting other exceptions for the current thread. Because proot needs to start a process (tracer) to track the main thread, this is detectable. The detection method is similar to the following.

    // Anti-debug check as posted: enumerate /proc and treat any other pid
    // that is visible to this process as evidence of a tracer/sandbox.
    #include <dirent.h>
    #include <unistd.h>
    #include <cstdlib>
    #include <glog/logging.h>

    static void detect_tracer_in_proc() {
        DIR *pdr = opendir("/proc");
        if (pdr == nullptr) {
            return;
        }
        dirent *read_ptr;

        while ((read_ptr = readdir(pdr)) != nullptr) {
            // Non-numeric entries (self, cpuinfo, ...) give 0 and are skipped.
            int procpid = atoi(read_ptr->d_name);
            LOG(INFO) << "find /proc/ child dir  " << procpid;
            if (procpid && procpid != getpid()) {
                // Under proot the tracer's pid shows up here.
                LOG(ERROR) << ">>>>>  FIND OTHER THREAD SANDBOX " << procpid;
            }
        }
        closedir(pdr);
        LOG(ERROR) << ">>>>> NOT FIND SANDBOX ";
    }

This pid of the tracer can be detected, and the program is considered to be being debugged. Is there any good way to bypass this?
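The issue title refers to the tracer pid; the kernel also exposes it directly as the `TracerPid` field of `/proc/<pid>/status`, which is the quickest way for a proot developer to confirm from inside a guest session whether the ptrace relationship is visible to the guest. The following is an added diagnostic example, not proot's code and not the reporter's code; it parses a status file into the tracer's pid and reports it for the calling process. The sample status texts are constructed.

```c
/* Added example (not proot's code): report the TracerPid that the kernel
 * exposes in /proc/self/status. Under proot every guest process is ptrace'd
 * by the proot process, so this field is non-zero there; outside proot and
 * outside a debugger it reads 0. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse the TracerPid field out of the text of a /proc/<pid>/status file.
 * Returns the tracer's pid, 0 when nobody is tracing, or -1 if the field is
 * missing (truncated or foreign input). Takes a buffer rather than a path so
 * it can be exercised on constructed input. */
long parse_tracer_pid(const char *status_text) {
    const char *line = status_text;
    while (line && *line) {
        if (strncmp(line, "TracerPid:", 10) == 0) {
            /* strtol skips the tab that follows the colon */
            return strtol(line + 10, NULL, 10);
        }
        line = strchr(line, '\n');
        if (line) line++;
    }
    return -1;
}

/* Read the real status file of the calling process. */
long tracer_pid_of_self(void) {
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_tracer_pid(buf);
}

/* Constructed samples of the relevant lines of a status file: one for a
 * process stopped under a tracer with pid 4100, one for an untraced one. */
static const char SAMPLE_TRACED[] =
    "Name:\tsh\nState:\tt (tracing stop)\nPid:\t4242\nPPid:\t4100\n"
    "TracerPid:\t4100\nUid:\t1000\t1000\t1000\t1000\n";
static const char SAMPLE_FREE[] =
    "Name:\tsh\nPid:\t4242\nPPid:\t1\nTracerPid:\t0\n";

int main(void) {
    long t = tracer_pid_of_self();
    if (t > 0)
        printf("this process is traced by pid %ld (proot or a debugger)\n", t);
    else if (t == 0)
        printf("no tracer attached\n");
    else
        printf("could not read /proc/self/status\n");
    return 0;
}
```

Run it once outside and once inside `proot` to see the difference; the value it prints inside is the pid of the proot process itself, which is also what the `/proc` enumeration in the reporter's snippet picks up.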

oxr463 commented 1 year ago

That's an excellent question. What is the behavior of the application when it discovers the tracer?

w296488320 commented 1 year ago

When a program detects that it is being debugged, it may kill -9 itself. Many programs detect whether the current environment is being ptraced, and from that decide whether the current environment is a security hazard. If the current environment is considered safe, the normal logic continues.

For this special case of detection (anti-debugging or ptrace), I did not find a good way to counter it.

I don't know how sandboxes based on seccomp handle this kind of problem. Do you have any good suggestions, great developer?