Skip to main content

Hi folks!

Eventually, after some brainstorming conversations with Kostas we decided to create this blog in order to post our work.

As you may guess my name is Anastasios. My interests are comprised of computer security, linux, operating systems and many more low level programming concepts :P.

Finally and before my first post, I would like to thank Kostas for taking care of because i wasn't involved in the creation process. May the source be with you Kostas :) .

So regarding my first post, last days i encountered a very interesting way to execute ptrace. What is ptrace system call ?

ptrace is a system call found in several Unix and Unix-like operating systems. By using ptrace (the name is an abbreviation of "process trace") one process can control another, enabling the controller to inspect and manipulate the internal state of its target. ptrace is used by debuggers and other code-analysis tools, mostly as aids to software development. (

As you can see it is used mainly on debuggers during development process. But debuggers are also used during advanced dynamic malware analysis. It is true that malwares in order to avoid being traced by debuggers, use ptrace system call.

The ptrace's prototype is the following:

long ptrace(enum __ptrace_request request, pid_t pid,
                   void *addr, void *data);

By properly executing ptrace malwares can detect the "tracer" process (e.g. debuggers, ltrace, strace).

In terms of my static analysis using IDA PRO, i discovered this way to call ptrace:

The first three lines is the prologue of the certain assembly subroutine, nothing interesting. The ptrace system call takes place in the last four lines. At first, eax and ebx registers are wiped out and then the value 1A(hex)=26(dec) are passed to al (which is the lower 8 bits of eax register). After that an interrupt is made in order to transfer execution from user to kernel mode .

But what's the purpose of moving the value 1A(hex) to al?

Digging the linux system call table, i realized that in order to execute ptrace the value 26(dec) should be present on eax! Bing! This explains why "mov al, 1Ah" was executed.

Regarding calling conventions, i also noticed that this piece of assembly code is not the appropriate way that gcc compiler translates C code to assembly. The gcc usually uses stack in order to pass arguments and call functions. So this piece of code is a inline assembly addition often used in C.

Assembly code can be added in C code using a function. In this case named insert_assembly().

__attribute__((always_inline)) void inline insert_assembly()
   __asm__ __volatile__(".byte 0xb3, 0x00, 0xb1, 0x00, 0xb2, 0x00, 0xb0, 0x1a, 0xcd, 0x80" );

This hex code will execute the ptrace system call with the following arguments:

ptrace(PTRACE_TRACEME, 0, 0, 0)

If ptrace's return value is -1 then the process will be traced by a "tracer". In that way, the malware can detect its tracer and follow a different code path.

So tweaking with this concept i wrote the following assembly code (file ass_ptrace.s):


     .global _start


     movb $0, %ebx
     movb $0, %ecx
     movb $0, %edx
     movb $0x1A, %al
     int $0x80
     cmp $0xFFFFFFFF, %eax
     jz exit

     xor %eax, %eax
     movb $1, %al
     xor %ebx, %ebx
     int $0x80

     movl $len, %edx
     movl $msg, %ecx
     xor %ebx, %ebx
     movb $1, %bl
     xor %eax, %eax
     movb $4, %al
     int $0x80

     xor %eax, %eax
     movb $1, %al
     xor %ebx, %ebx
     int $0x80


     .ascii "Tracer detected!\n"
     len = . - msg

Briefly, this assembly code executes ptrace(PTRACE_TRACEME, 0, 0, 0) and according to the result it exits or it prints a message and then exits. It prints the message every time it detects a tracer.

Assembled and linked the assembly file,

as --32 ass_ptrace.s -o ass_ptrace.o
ld -m elf_i386 ass_ptrace.o -o ass_ptrace

and then executed it.

As you can see when ass_ptrace is executed without a tracer it does nothing and exits. But when i try to trace it using strace system command, it detects strace, prints "Debugger detected!\n" and exits with the same exit code (0).

The result of "objdump -d ass_ptrace" follows:

The interesting thing despite of the detection of ptrace system call using strace is that ptrace doesn't exist on symbols' table even if i never stripped ass_ptrace (strip removes unnecessary symbols from an ELF, in this case "strip ass_ptrace").

Combining this technique (calling ptrace in this way using assembly and importing it to C code) with some kind of obfuscation can make things nasty. Obfuscation techniques will be discussed in another post.

It is not my intent to train new bad guys, but to make people (particularly security guys) aware of techniques used by them.

Feel free to post your comment. Have a nice day!


Popular posts from this blog

Barbara vs Zombies

A few years back I made a game, Barbara vs Zombies, for my then-girlfriend Barbara. She used to like an old light-gun game, House of the Dead , so I depicted her dodging and shooting zombies in this one. Included a backstory with silly romanticism, cats, and inside jokes. It's been nearly a year since we broke up, and this game has been sitting forgotten in my hard disk. I eventually decided it shouldn't go to waste. It is, after all, a game meant to remind us of happy times. Download and play the game on Gamejolt  or . I had made an Android version too, maybe I'll get around to publishing it someday. Hang in there, 2020 was a tough year, but you've made it this far already, so congrats. 💖 -Kostas

Stick Veterans online: Good news & Bad news

After loads of work, online multiplayer for Stick Veterans seems to be progressing very well. In fact, it is nearly complete, as showing in recent tests. Today I ran the first playtest with 3 people; we connected over Hamachi , a free VPN solution, and it pretty much went smoothly (except for some non-critical bugs). Bad news is that LAN connections might be the only thing supported , with little hope for worldwide online games. I already mentioned that in the game's web pages ( post / Gamejolt post ) but I shall lay down the whole story here. In commercial games, online multiplayer is achieved by putting up dedicated 24/7 servers (preferably in various locations throughout the world) to which the players connect. In non-commercial games  (like Stick Veterans), we have to make do without servers, as they cost money (non-trivial amounts of it). As such, we simply allow any player to act as a server themselves, and other players connect to them. This is called

Stick Veterans 1.1 (Grenades, Body Armor)

Found the time and courage to push out another update for Stick Veterans . Version 1.1 brings hand grenades  and body armor  into the game, among other additions. Body armor is just a way to endure more damage (RPGs will no longer frag you in one shot). Grenades are quite a game changer, as it means you will have more strategic ways to fight your opponents, but you'll also have one more hazard to look out for. :) Finally, a feature called Game Rules  has been added. This allows customization of score limit, grenade acquisition rules, respawn delay, and a few more rules. More might be added in the future. To be honest, there were more features that I wanted to include in this update. Seeing how I lacked the time to finish them in a reasonable timeframe, and knowing that there were some pending bugfixes, I decided to push this update as it is. This doesn't make the update any less important, though. I can't promise when a new update will come again, and certainl