Rule: PTRACE anti-debug attempt #2227
Conversation
/milestone 0.34.0
Signed-off-by: Alessandro Brucato <[email protected]>
46e477e to 296350b
My opinion on this is that this anti-debugging technique is the simplest one and most people know about it, and I think it is rarely used because it can be easily bypassed by simply patching calls to this syscall. I believe malware writers have many other options for anti-debugging, which are more meaningful to me, like timing analysis (if the process is being debugged, execution times will differ from the normal execution flow) or just checking if the parent process is a known debugger binary, which is also as easy to implement as this one. Furthermore, as you pointed out, legitimate processes may use this. So what I think is that this rule triggering wouldn't be so relevant for spotting malware, although it can be useful in some cases; I don't know if we want it to be in the default Falco ruleset.
/milestone 0.35.0
This needs to be ported to https://github.com/falcosecurity/rules |
Please, this PR needs to be ported to https://github.com/falcosecurity/rules
[APPROVALNOTIFIER] This PR is NOT APPROVED. This pull-request has been approved by: Brucedh
Due to what happened here https://github.com/falcosecurity/rules/pull/37/files I would re-evaluate this rule once the PR is merged and tested. @Brucedh feel free to start closing this here and open a new one in the new repo falcosecurity/rules.
Alright, I close this PR after having ported it to falcosecurity/rules#40
Signed-off-by: Alessandro Brucato <[email protected]>
What type of PR is this?
/kind rule-create
Any specific area of the project related to this PR?
/area rules
What this PR does / why we need it:
The ptrace system call is used by debuggers, such as GDB, to examine a target process. Malicious programs will often try to prevent this by using the ptrace system call first, preventing other programs from using it on them. This rule detects that behavior. Legitimate processes may also do this for DRM or diagnostic purposes.
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
Does this PR introduce a user-facing change?:
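To make the detection described in the PR body concrete, here is an illustrative Falco rule written in the style of the default ruleset. It is an added example, not the rule submitted in this PR or the one later ported to falcosecurity/rules#40. It assumes that Falco's `ptrace` enter event exposes the request type as the string `PTRACE_TRACEME` in `evt.arg.request`, and the `allowed_traceme_binaries` list holds a constructed placeholder entry that an operator would replace with the DRM or diagnostic tools known to call `PTRACE_TRACEME` legitimately in their environment (the reviewer's false-positive concern above).

```yaml
# Added example, not the rule from this PR.
# Assumption: the ptrace enter event carries the request type in
# evt.arg.request, rendered as the string "PTRACE_TRACEME".

# Allowlist for tools that legitimately call ptrace(PTRACE_TRACEME),
# e.g. DRM or diagnostic binaries. "placeholder_drm_tool" is a constructed
# stand-in; replace it with real process names from your environment.
- list: allowed_traceme_binaries
  items: [placeholder_drm_tool]

# A process asking the kernel to be traced by its parent. Once this succeeds,
# a later ptrace(PTRACE_ATTACH) from a debugger fails with EPERM, which is why
# the call is used as an anti-debug measure.
- macro: ptrace_traceme_attempt
  condition: >
    evt.type=ptrace and evt.dir=>
    and evt.arg.request contains "PTRACE_TRACEME"

- rule: PTRACE anti-debug attempt (example)
  desc: >
    Detect a process calling ptrace(PTRACE_TRACEME) on itself, which prevents
    debuggers such as GDB from attaching afterwards. Legitimate DRM or
    diagnostic software may do the same, so maintain the allowlist above.
  condition: >
    ptrace_traceme_attempt
    and not proc.name in (allowed_traceme_binaries)
  output: >
    Process attempted anti-debug via PTRACE_TRACEME
    (proc=%proc.name pid=%proc.pid cmdline=%proc.cmdline
    parent=%proc.pname user=%user.name container=%container.id image=%container.image.repository)
  priority: NOTICE
  tags: [host, container, process, mitre_defense_evasion]
```

The allowlist is deliberately a Falco `list` rather than a hard-coded `proc.name` comparison so that operators can extend it from an override file without editing the rule; triaging an alert starts from `parent=%proc.pname`, since a `PTRACE_TRACEME` issued by a child that was just spawned by a debugger is expected behaviour, while one issued by an unrelated process with no debugger parent is the pattern the PR body describes.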