Bypass ptrace anti-debugging trick


I'm having some trouble bypassing calls to ptrace when debugging a 32-bit Linux executable.
I have this binary: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.26, BuildID[sha1]=b1579d4c55e90110491da76331c9a158b77a5729, stripped

and I have been trying to debug it. Since it is a stripped binary, I located the entry point using gdb.

gef➤  info file
Entry point: 0x804849c
.
.
.
other stuff

Once I got to the entry point, I printed out the next instructions:

   gef➤  x/15i 0x804849c
   0x804849c:   xor    ebp,ebp
   0x804849e:   pop    esi
   0x804849f:   mov    ecx,esp
   0x80484a1:   and    esp,0xfffffff0
   0x80484a4:   push   eax
   0x80484a5:   push   esp
   0x80484a6:   push   edx
   0x80484a7:   push   0x8048580
   0x80484ac:   push   0x8048590
   0x80484b1:   push   ecx
   0x80484b2:   push   esi
   0x80484b3:   push   0x8048480
   0x80484b8:   call   0x8048350 <__libc_start_main@plt>
   0x80484bd:   hlt    
   0x80484be:   nop

I know 0x8048480 is the address of the main function. Now I placed a breakpoint at main (0x8048480) and then ran the program, but I can't step into the breakpoint and the program exits with code 01. Therefore I decided to run the strace ./binary command, and ptrace calls inhibit me from debugging any further:

ptrace(PTRACE_TRACEME) = -1 EPERM (Operation not permitted)

To bypass this, I tried to use the LD_PRELOAD environment variable.
Hence I created a simple .c file:

/* LD_PRELOAD shim: overrides libc's ptrace() wrapper so PTRACE_TRACEME
   reports success (does not catch a ptrace syscall made directly). */
long ptrace(int request, int pid, void *addr, void *data) {
    return 0;   /* pretend the request succeeded */
}

And compiled it as a shared library with the following command:

gcc -fPIC -shared -m32 ptrace.c -o ptrace.so

Here is the output of the command file ptrace.so:

ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, BuildID[sha1]=a9de523da44299f76ad94373a07c9c5f6f3c76db, not stripped

Next I set the environment variable LD_PRELOAD in the shell using the export LD_PRELOAD=./ptrace.so command first, and then within gdb with set environment LD_PRELOAD=./ptrace.so,

but this is the output:

 ERROR: ld.so: object './ptrace.so' from LD_PRELOAD cannot be preloaded (wrong ELF class: ELFCLASS32): ignored.

How can I bypass the ptrace call?

Thank you.

To bypass this, i tried to use the LD_PRELOAD environment variable.

If the application is employing anti-debugging tricks, it is exceedingly likely that it executes the ptrace system call directly, rather than via the libc wrapper. LD_PRELOAD will not work in that case.

This command:

gcc -shared ptrace.c -o ptrace.so

builds a 64-bit binary on a 64-bit system. You want:

gcc -fPIC -shared -m32 ptrace.c -o ptrace.so
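As an added check (not part of the question or the answer above): ld.so refuses a preload object whose ELF class does not match the process it is loaded into, so comparing the headers of the target and the shim ahead of time reproduces the "wrong ELF class" error without running anything. The same check applies to every process that inherits LD_PRELOAD, including gdb itself when the variable is exported in the shell. The sample headers below are constructed inline.

```python
import struct

ELFCLASS = {1: "ELFCLASS32", 2: "ELFCLASS64"}
ELFDATA = {1: "little-endian", 2: "big-endian"}
ET_EXEC, ET_DYN = 2, 3
EM_386, EM_X86_64 = 3, 62


def elf_header(data: bytes) -> dict:
    """Decode the ELF header fields ld.so compares when preloading an object."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in ELFCLASS or ei_data not in ELFDATA:
        raise ValueError("unknown ELF class or data encoding")
    endian = "<" if ei_data == 1 else ">"
    e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    return {"class": ei_class, "data": ei_data, "type": e_type, "machine": e_machine}


def preload_check(target: bytes, shim: bytes) -> str:
    """Return 'ok' or the reason ld.so would refuse to preload shim into target."""
    t, s = elf_header(target), elf_header(shim)
    if s["type"] != ET_DYN:
        return "shim is not a shared object (build with -shared -fPIC)"
    if s["class"] != t["class"]:
        return f"wrong ELF class: shim is {ELFCLASS[s['class']]}, target is {ELFCLASS[t['class']]}"
    if s["machine"] != t["machine"] or s["data"] != t["data"]:
        return "machine or byte order mismatch"
    return "ok"


def make_header(ei_class: int, e_type: int, e_machine: int) -> bytes:
    """Constructed minimal 64-byte ELF header (only the first 20 bytes matter here)."""
    ident = b"\x7fELF" + bytes([ei_class, 1, 1, 0]) + bytes(8)
    return ident + struct.pack("<HH", e_type, e_machine) + bytes(44)


# Constructed samples: the 32-bit i386 target from the question, a shim built
# without -m32 (64-bit, rejected) and one built with -m32 (accepted).
TARGET_32 = make_header(1, ET_EXEC, EM_386)
SHIM_64 = make_header(2, ET_DYN, EM_X86_64)
SHIM_32 = make_header(1, ET_DYN, EM_386)

if __name__ == "__main__":
    print(preload_check(TARGET_32, SHIM_64))
    print(preload_check(TARGET_32, SHIM_32))
```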