in reply to Re: Embed perl problem
in thread Embed perl problem

you rock man, END block now working!

Just one thing about anti-debugging: I added this snippet in my code:

https://reverseengineering.stackexchange.com/a/1931

but when I run it I get:

[1]+  Stopped                 ./test

and when I run it with strace it's working:

write(1, "don't trace me !!\n", 18don't trace me !!

And can you explain how to use perlvar for anti-debugging?

Re^3: Embed perl problem
by bliako (Abbot) on Jan 29, 2019 at 11:37 UTC

    A program can only be traced by one process, so if it is being traced (before anyone else) by itself, it will not allow any other tracer to trace it (lots of workarounds here...). Additionally, when a trace is initiated a SIGSTOP is sent. Try installing a handler for SIGSTOP. It worked for me but I don't know why.

    /* bliako modified https://reverseengineering.stackexchange.com/a/1931
       for https://perlmonks.org/?node_id=3333;parent=1229102
       KILL it with SIGKILL (kill -9)  29/01/2019 */
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <sys/ptrace.h>
    #include <unistd.h>
    #include <signal.h>

    void intHandler(int sig) {
        printf("got signal %d\n", sig);
    }

    int main(void) {
        printf("my pid: %d\n", getpid());
        char *e;
        if ((e = getenv("TRACEME")) != NULL && (strcmp(e, "0") == 0)) {
            printf("Will not be traced...\n");
            /* SIGSTOP cannot be caught: signal() returns SIG_ERR here and the call has no effect */
            signal(SIGSTOP, intHandler);
            /* PTRACE_TRACEME marks this process as traced by its parent; a second tracer cannot attach */
            if (ptrace(PTRACE_TRACEME, 0, 1, 0) == -1) {
                printf("don't trace me !!\n");
                return 1;
            }
        }
        // normal execution
        for (int i = 0; ; i++) {
            printf("i=%d\n", i);
            sleep(1);
        }
        return 0;
    }
    gcc tracee.c -o tracee && TRACEME=0 ./tracee
    strace -p <PID-from-tracee>
    strace: attach: ptrace(PTRACE_SEIZE, 11091): Operation not permitted

    while tracee continues counting on

    or

    TRACEME=1 ./tracee
    strace -p <PID-from-tracee>

    bw, bliako

    ps. Please share your findings. Most answers are in the manual and let's keep to Perl less the reaper traces us. brrrrr

      I think I found the problem. When I run this code it's OK:

      //test.c
      eval_pv("code normal");

      but when I use this, the program stops:

      //test.c
      void decode(char *block, char *key, int len) {
          //decode action goes here
      }
      char block[] = "encoded perl code like {0xaa,0xb9,0xb5}";
      decode(block, "key", len);
      eval_pv(block);

      Also, when I print the decoded string for debugging purposes it's the same as the original code.

        It smells like a missing string terminator, the NULL at the end of your block. printf() might be a lot less sensitive than eval_pv() when feeding it with a football-field worth of core. The initialiser char block[]="abc"; puts a NULL at the end whereas char block[] = {0xaa,0xbb,0xcc} doesn't... and do not attempt to add one as it's a const. Long story short, add a 0x0 after 0xcc and make sure your decode() keeps it there.
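An added C example, not code from anyone in this thread, that makes the terminator point concrete: the byte array carries an explicit trailing 0x00 and the decoder is told the payload length only, so the terminator survives; decoding sizeof() bytes instead XORs the 0x00 with a key byte and destroys it. The encoded bytes are a constructed sample ("print 1;\n" XOR'd with the key "key"); the thread shows no real payload.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* XOR-decode exactly `len` bytes of `buf` in place with a repeating key. */
static void xor_decode(unsigned char *buf, size_t len, const char *key)
{
    size_t klen = strlen(key);
    for (size_t i = 0; i < len; i++)
        buf[i] ^= (unsigned char)key[i % klen];
}

/* Constructed sample: "print 1;\n" XOR'd with "key", followed by an explicit
   0x00 that is stored in the array but is NOT part of the payload. */
static const unsigned char encoded[] = {
    0x1b, 0x17, 0x10, 0x05, 0x11, 0x59, 0x5a, 0x5e, 0x73, 0x00
};

/* Right way: decode only the payload bytes, so the trailing 0x00 survives and
   the buffer is a valid C string for an API such as eval_pv().
   Returns NULL if the array carries no terminator to protect. */
const char *decode_keeping_terminator(void)
{
    static char out[sizeof(encoded)];
    if (encoded[sizeof(encoded) - 1] != 0x00)
        return NULL;
    memcpy(out, encoded, sizeof(encoded));
    xor_decode((unsigned char *)out, sizeof(encoded) - 1, "key");
    return out;
}

/* Wrong way: decoding sizeof(encoded) bytes XORs the terminator with a key
   byte. Returns 1 if the terminator survived, 0 if it was clobbered. */
int decode_clobbers_terminator(void)
{
    unsigned char out[sizeof(encoded)];
    memcpy(out, encoded, sizeof(encoded));
    xor_decode(out, sizeof(encoded), "key");
    return out[sizeof(encoded) - 1] == 0x00;
}

int main(void)
{
    printf("decoded: %s", decode_keeping_terminator());
    printf("terminator survives full-length decode: %d\n",
           decode_clobbers_terminator());
    return 0;
}
```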