Gdbypass Guide

Title: GDBypass: A Novel Technique for Transparent Debugger Evasion in Native Executables

Keywords: anti‑debugging, GDB, binary instrumentation, runtime code morphing, stealth debugging, malware analysis.

1.1 Motivation

Debuggers are the cornerstone of dynamic analysis, yet sophisticated software—particularly malware and DRM‑protected applications—employs anti‑debugging (ADB) techniques to detect, disrupt, or abort the analysis process. The GNU Debugger (GDB) remains the most widely used debugging interface on Linux, and consequently a substantial body of research has focused on detecting GDB's presence (e.g., ptrace(PTRACE_TRACEME), checking /proc/<pid>/status, examining hardware break‑point registers).

Key surveys: Kern & Lee 2019, Almeida et al. 2021, Zhou & Liu 2022.

| Category | Representative Techniques |
|----------|---------------------------|
| | ptrace checks, prctl(PR_SET_DUMPABLE), /proc inspection |
| System‑Call Based | syscall return‑value tampering, seccomp filters, ptrace‑based syscall interposition |
| Hardware‑Based | Manipulation of debug registers (DR0‑DR7), MSR checks (IA32_DEBUGCTL), CPU performance counters |
| Hybrid / Timing | rdtsc / clock_gettime comparisons before/after suspicious calls, instruction‑level timing differences |

| Approach | Strengths | Limitations |
|----------|-----------|-------------|
| Patch‑based Bypass (e.g., gdb-patch, peda) | Simple binary patching of known ADB checks | Requires source‑level knowledge; fragile to code changes |
| Dynamic Binary Instrumentation (DBI) (e.g., DynamoRIO, PIN) | Transparent instrumentation, can rewrite ADB checks at runtime | High overhead; often detectable via DBI‑specific side‑effects |
| Kernel‑Level Interposition (e.g., kdump, LKM hooks) | Can hide ptrace and procfs entries globally | Requires root privileges; kernel signatures can be detected |
| Hardware Break‑point Cloaking (e.g., HyperDbg) | Hides hardware debug registers from the target | Limited number of breakpoints; platform‑specific |
| Virtual Machine Introspection (e.g., VMware, QEMU debug APIs) | Complete isolation from target OS | Detectable via hypervisor artifacts; heavy resource usage |

While these methods provide partial coverage, none offers one that simultaneously tackles process, syscall, and hardware‑based ADB checks.

2.3 Gap Analysis

| Gap | Why it matters |
|-----|----------------|
| Cross‑Architecture Support | Modern malware targets ARM64 devices (IoT, smartphones). |
| Low Performance Overhead | High‑overhead DBI defeats real‑time debugging scenarios. |
| Stealth against Hybrid Checks | Timing‑based heuristics can detect DBI or kernel hooks. |
| Ease of Deployment | Analysts often lack root privileges; requiring an LKM is impractical. |

```bash
# Build shared library
make -C src gdbypass.so

# Install privileged helper (set‑uid root)
sudo cp src/gdbypass-ctl /usr/local/sbin/
sudo chmod u+s /usr/local/sbin/gdbypass-ctl

# Run a target with bypass
LD_PRELOAD=$(pwd)/src/gdbypass.so gdb -q ./protected_binary
```

The repository (https://github.com/yourorg/gdbypass) contains Dockerfiles for reproducible builds on both x86_64 and ARM64.

6.1 Test Bed

| Platform | Kernel | CPU | GCC | Glibc |
|----------|--------|-----|-----|-------|
| Ubuntu 22.04 (x86_64) | 5.15.0‑76‑generic | Intel i7‑10700K (8 C/16 T) | 12.2 | 2.35 |
| Ubuntu 22.04 (ARM64) | 5.15.0‑76‑generic | Cortex‑A76 (2 C) | 12.2 | 2.35 |