Rename the ptrace function to something else? How?

Time: 2021-07-04 18:56:32

In code, I'd use

#include <sys/types.h>
#include <sys/ptrace.h>

ptrace(PT_DENY_ATTACH, 0, 0, 0);

to deny attaching to the process. I was wondering if there was a way to rename "ptrace()" to something less obvious. I tried copying ptrace.h into my own header file and changing int ptrace to something else, but that just failed with an undefined symbol error. And I can't find any other references to the function :\

Thank you in advance for anything on this.

2 solutions

#1


3  

ptrace is a system call. Even if you renamed that function in your C code, the actual ptrace call would still have to be made, so it would be visible in, for example, strace output (with all the parameters).

Using a macro trick will only make it very slightly less obvious (you'd need two greps instead of one to find it in your codebase). So I don't really see the point. (A macro trick would not change anything in the compiled code.)

You could try running the actual syscall yourself with syscall, but that's a lot of work and still wouldn't hide anything from strace up to that point. It would make it just a tiny bit harder to break there in gdb.

So IMO: what you're trying to do is not worth the effort.

#2


-1  

Use #define in your header to create a new macro:

#define MyTrace(a,b,c,d) ptrace(a,b,c,d)
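
The "two greps" from answer #1, written out as an added example (not code from either answer): the script collects macros whose body names ptrace, repeats until no new alias appears, then lists every call site that reaches it. The helper names, the `Harden` macro and the sample tree are constructed for illustration.

```shell
# Added example, not from the thread: list every call that reaches ptrace()
# in a C tree, following macro aliases. Helper names here are hypothetical.
IDENT='[A-Za-z_][A-Za-z0-9_]*'
DEFINE='^[[:space:]]*#[[:space:]]*define[[:space:]]+'

# grep_c DIR GREP-ARGS...: run grep over every .c/.h file below DIR.
grep_c() {
    dir=$1; shift
    find "$dir" -type f \( -name '*.c' -o -name '*.h' \) -exec grep "$@" {} +
}

# Print "ptrace|alias|...": ptrace plus every macro whose body names one of
# them, repeated until no new alias appears (aliases of aliases are followed).
reaching_names() {
    names=ptrace
    while :; do
        found=$(grep_c "$1" -hE "$DEFINE$IDENT.*[^A-Za-z0-9_]($names)([^A-Za-z0-9_]|\$)" |
            sed -E "s/$DEFINE($IDENT).*/\\1/" | sort -u | tr '\n' '|')
        next="ptrace${found:+|${found%|}}"
        [ "$next" = "$names" ] && break
        names=$next
    done
    printf '%s\n' "$names"
}

# Print file:line:text for each non-#define line calling ptrace or an alias.
ptrace_call_sites() {
    names=$(reaching_names "$1")
    grep_c "$1" -HnE "(^|[^A-Za-z0-9_])($names)[[:space:]]*\\(" |
        grep -vE ':[0-9]+:[[:space:]]*#[[:space:]]*define' | sort
}

# Constructed sample tree: a direct call, a macro alias, an alias of the alias.
make_sample() {
    mkdir -p "$1"
    cat > "$1/guard.h" <<'EOF'
#define MyTrace(a,b,c,d) ptrace(a,b,c,d)
#define Harden() MyTrace(PT_DENY_ATTACH, 0, 0, 0)
EOF
    cat > "$1/main.c" <<'EOF'
#include <sys/ptrace.h>
#include "guard.h"
void direct(void)  { ptrace(PT_DENY_ATTACH, 0, 0, 0); }
void aliased(void) { MyTrace(PT_DENY_ATTACH, 0, 0, 0); }
void nested(void)  { Harden(); }
void other(void)   { my_ptrace_log(); }
EOF
}
demo=$(mktemp -d) && make_sample "$demo" && ptrace_call_sites "$demo"
rm -rf "$demo"
```

The match is textual, so an occurrence inside a comment or string literal is also reported.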