GDBypass
Authors: [Your Name], [Affiliation] (corresponding author); [Co-author 1], [Affiliation]; [Co-author 2], [Affiliation]

Abstract

Dynamic binary analysis tools such as the GNU Debugger (GDB) are indispensable for reverse engineering, vulnerability research, and malware analysis. However, modern adversaries increasingly employ anti-debugging mechanisms that detect the presence of a debugger and thwart analysis. In this paper we introduce GDBypass, a lightweight, architecture-agnostic framework that lets GDB analyse native binaries without being detected by them and without sacrificing the functional correctness of the target. GDBypass combines runtime code morphing, system-call interposition, and hardware break-point cloaking to hide the debugger's presence from the traced process. We present a systematic evaluation on Linux x86_64 and Linux ARM64, showing that GDBypass defeats a suite of 27 state-of-the-art anti-debugging checks (including ptrace-, procfs-, prctl- and timing-based heuristics) while incurring an average overhead of 3.2% in wall-clock time and 1.8% in memory consumption. Our findings suggest that existing defensive tools must be redesigned to account for the stealth capabilities that GDBypass provides.
Installation of the privileged helper:

```sh
# Install privileged helper (set-uid root)
sudo cp src/gdbypass-ctl /usr/local/sbin/
# Mark the helper set-uid so it runs as root when started by an unprivileged analyst
sudo chmod u+s /usr/local/sbin/gdbypass-ctl
gdbypass
```

Note that installing the helper itself requires root, and a set-uid root binary is a privilege-escalation target for anyone who can execute it. On a shared analysis host, restrict execution to the analysts' group (owner root, group-executable only, mode 4750) rather than leaving it world-executable, and keep the helper's argument parsing minimal.
Keywords: anti-debugging, GDB, binary instrumentation, runtime code morphing, stealth debugging, malware analysis.

1.1 Motivation

Debuggers are the cornerstone of dynamic analysis, yet sophisticated software, particularly malware and DRM-protected applications, employs anti-debugging (ADB) techniques to detect, disrupt, or abort the analysis process. The GNU Debugger (GDB) remains the most widely used debugging interface on Linux, and consequently a substantial body of work has focused on detecting GDB's presence, e.g. calling ptrace(PTRACE_TRACEME) (which fails with EPERM when a tracer is already attached), checking the TracerPid field of /proc/<pid>/status, examining the hardware break-point registers, and timing code sections that a single-stepping debugger slows down.
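The checks named above (and in the abstract) are the ones GDBypass is evaluated against, so it helps to see what a protected binary actually does. The following is an added example, written for this page and not part of the GDBypass paper or its code: a small Linux self-test implementing the ptrace, procfs and timing checks. Function names, the constructed sample /proc/<pid>/status texts, and the timing threshold are this example's own assumptions.

```c
/* Added example (not from the GDBypass paper or its code): the classic
 * anti-debugging self-checks named in the Motivation section.
 * Helper names, sample data and the timing threshold are assumptions. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#ifdef __linux__
#include <sys/ptrace.h>
#endif

/* Constructed sample status texts (abridged /proc/<pid>/status format)
 * so the parser can be exercised offline. */
static const char SAMPLE_STATUS_TRACED[] =
    "Name:\tprotected\nState:\tt (tracing stop)\nTgid:\t4242\nPid:\t4242\n"
    "PPid:\t12345\nTracerPid:\t12345\nUid:\t1000\t1000\t1000\t1000\n";
static const char SAMPLE_STATUS_CLEAN[] =
    "Name:\tprotected\nState:\tR (running)\nTgid:\t4242\nPid:\t4242\n"
    "PPid:\t1\nTracerPid:\t0\nUid:\t1000\t1000\t1000\t1000\n";

/* Parse the TracerPid field. Returns the tracer's pid (0 = nobody is
 * tracing) or -1 if the field is missing, so "clean" and "could not
 * check" are distinguishable. */
int parse_tracer_pid(const char *status_text) {
    const char *p = strstr(status_text, "TracerPid:");
    if (p == NULL) return -1;
    p += strlen("TracerPid:");
    while (*p == ' ' || *p == '\t') p++;
    return atoi(p);
}

/* Live procfs check: read our own status file and parse it. */
int tracer_pid_from_procfs(void) {
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (f == NULL) return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_tracer_pid(buf);
}

/* ptrace check: a process can have only one tracer, so PTRACE_TRACEME
 * fails with EPERM when a debugger is already attached. On success the
 * parent becomes our tracer, which is why protected binaries usually run
 * this in a forked child. Returns 1 (tracer found), 0 (none), -1 (n/a). */
int ptrace_traceme_detects_debugger(void) {
#ifdef __linux__
    errno = 0;
    if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1)
        return errno == EPERM ? 1 : -1;
    return 0;
#else
    return -1;
#endif
}

/* Timing heuristic: a tight loop that takes far longer than expected
 * suggests single-stepping or a breakpoint inside it. The threshold is
 * an assumption; real checks calibrate it against the host. Returns 1
 * if the loop exceeded threshold_ns, else 0. */
int timing_anomaly(long threshold_ns) {
    struct timespec a, b;
    volatile unsigned long sink = 0;
    clock_gettime(CLOCK_MONOTONIC, &a);
    for (unsigned long i = 0; i < 100000; i++) sink += i ^ (i >> 3);
    clock_gettime(CLOCK_MONOTONIC, &b);
    long elapsed = (b.tv_sec - a.tv_sec) * 1000000000L + (b.tv_nsec - a.tv_nsec);
    return elapsed > threshold_ns;
}

int main(void) {
    printf("sample (traced) TracerPid: %d\n", parse_tracer_pid(SAMPLE_STATUS_TRACED));
    printf("sample (clean)  TracerPid: %d\n", parse_tracer_pid(SAMPLE_STATUS_CLEAN));
    printf("live procfs TracerPid: %d\n", tracer_pid_from_procfs());
    printf("timing anomaly (>50 ms): %d\n", timing_anomaly(50L * 1000 * 1000));
    /* Run the ptrace check last: it changes who our tracer is. */
    printf("ptrace(PTRACE_TRACEME) reports debugger: %d\n",
           ptrace_traceme_detects_debugger());
    return 0;
}
```

Run it plainly and then under `gdb -batch -ex run ./a.out`: the procfs check reports GDB's pid and the ptrace check returns 1, which is exactly the signal a tool like GDBypass has to suppress. Note the ptrace check's side effect: after a successful PTRACE_TRACEME the parent process is the tracer, so a binary that wants to keep running normally performs it in a child and reads the result back.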
While these methods provide partial coverage, none offers a single approach that simultaneously tackles process-, syscall- and hardware-based ADB checks.

2.3 Gap Analysis

| Gap | Why it matters |
|-----|----------------|
| Cross-architecture support | Modern malware targets ARM64 devices (IoT, smartphones). |
| Low performance overhead | High-overhead dynamic binary instrumentation (DBI) defeats real-time debugging scenarios. |
| Stealth against hybrid checks | Timing-based heuristics can detect DBI or kernel hooks. |
| Ease of deployment | Analysts often lack root privileges; requiring a loadable kernel module (LKM) is impractical. |