
Anti Debugging Techniques
Look up Linux and cross-OS anti-debug checks, how they are detected, and rated bypass options when analyzing or hardening native binaries.
Overview
Anti-debugging-techniques is an agent skill for the Ship phase that supplies a comprehensive OS × detection × bypass matrix for anti-debug methods.
Install
npx skills add https://github.com/yaklang/hack-skills --skill anti-debugging-techniques
What is this skill?
- Full cross-reference matrix: technique × OS × detection × bypass × reliability
- Linux coverage including ptrace, /proc TracerPid, maps scans, and timing checks
- Per-row bypass tools (GDB, Frida, LD_PRELOAD) and false-positive notes
- Companion to main SKILL.md for conceptual anti-debug understanding
- Reliability ratings to prioritize which checks to validate first
- Linux anti-debug matrix with per-technique reliability and false-positive columns
Adoption & trust: 1.1k installs on skills.sh; 980 GitHub stars; 1/3 security scanners passed (skills.sh audits).
What problem does it solve?
You hit opaque native binaries that detect debuggers and you lack a single table tying each trick to detection signals and practical bypass paths.
Who is it for?
Solo builders doing authorized reverse engineering, CTF work, or security assessments on Linux-heavy native targets.
Skip if: you only ship web apps with no native code, or you have not yet secured legal clearance and a written scope for the target; this skill does not grant permission to attack third-party systems.
When should I use this skill?
Load when you need the full cross-reference of anti-debugging techniques, OS applicability, detection methods, bypass tools, and reliability ratings after the main SKILL.md concepts are loaded.
What do I get? / Deliverables
You pick a ranked technique row, choose a bypass tool chain, and document false-positive caveats before spending hours on blind trial and error.
- Technique selection with bypass tool and reliability notes
- Documented false-positive risks for chosen checks
Journey fit
Anti-debug matrices sit in Ship because they support security review and exploit-analysis workflows before or after release, not greenfield product ideation. Security is the canonical shelf for debugger-evasion technique catalogs used during assessment and reverse-engineering sessions.
How it compares
Use as a structured reference matrix instead of ad-hoc web searches for ptrace and TracerPid bypass snippets.
Common Questions / FAQ
Who is anti-debugging-techniques for?
Indie security researchers, CTF players, and agent-assisted reversers who need fast, reliable mappings from anti-debug checks to bypass options on Linux and related platforms.
When should I use anti-debugging-techniques?
During Ship security work when a binary fails under GDB or Frida, when documenting malware behavior, or when designing detection tests for your own native agent or CLI.
Is anti-debugging-techniques safe to install?
Review the Security Audits panel on this Prism page and treat the skill as offensive-security knowledge—only use on systems you own or are explicitly authorized to test.
SKILL.md
# Anti-Debug Technique × OS × Detection × Bypass — Comprehensive Matrix

> **AI LOAD INSTRUCTION**: Load this when you need the full cross-reference of anti-debugging techniques, their OS applicability, detection methods, bypass tools, reliability ratings, and false-positive notes. Assumes the main [SKILL.md](./SKILL.md) is already loaded for conceptual understanding.

---

## 1. LINUX ANTI-DEBUG MATRIX

| # | Technique | Detection Method | Reliability | Bypass Method | Bypass Tool | False Positives |
|---|---|---|---|---|---|---|
| L1 | `ptrace(PTRACE_TRACEME)` | Self-attach; fails with `EPERM` if already traced | High | `LD_PRELOAD` shim, NOP patch, GDB `catch syscall ptrace` and fix the return value | GDB, gcc | None — definitive (but seccomp or a container profile that denies `ptrace` also makes it fail) |
| L2 | `/proc/self/status` TracerPid | Read TracerPid field; non-zero = traced | High | Hook `fopen`/`fread`, FUSE mount, patch string | Frida, LD_PRELOAD | Container environments may show artifacts |
| L3 | `/proc/self/maps` scanning | Search for debugger/instrumentation libraries | Medium | Filter maps output via hook, rename agent libs | Frida (rename gadget.so) | Security tools may trigger |
| L4 | `rdtsc` timing | Measure cycle count delta between two points | Medium | Fix registers at BP, hook timing source | GDB scripts, Frida | High CPU load can cause false positives |
| L5 | `clock_gettime` timing | Similar to rdtsc but via the libc/vDSO call | Medium | Hook `clock_gettime`, return controlled values | Frida, LD_PRELOAD | System load variation |
| L6 | `SIGTRAP` handler | Install handler, raise SIGTRAP; debugger swallows it | High | GDB: `handle SIGTRAP nostop pass` | GDB | None |
| L7 | `SIGSTOP`/`SIGCONT` self-send | Send SIGSTOP to self, measure if debugger intervenes | Low | Forward signals properly | GDB signal handling | Rare |
| L8 | Fork + ptrace watchdog | Child attaches to parent; fails if debugger present | High | Kill child, patch fork, dual-attach | GDB (`set follow-fork-mode`) | Yama `ptrace_scope` ≥ 1 (default on Ubuntu) also makes the child-to-parent attach fail unless the parent first calls `prctl(PR_SET_PTRACER, ...)` |
| L9 | `LD_PRELOAD` env check | `getenv("LD_PRELOAD")` | Low | Unset env var, hook `getenv` | Shell, Frida | Legitimate LD_PRELOAD usage |
| L10 | Parent PID check | `getppid()` — expect init/shell, not debugger | Low | Run from shell normally, hook `getppid` | Frida | Terminal multiplexers |
| L11 | `/proc/self/exe` readlink | Check if binary path matches expected | Low | Symlink or hook `readlink` | Shell | Custom install paths |
| L12 | Breakpoint scanning (0xCC) | Scan `.text` for `INT3` bytes | Medium | Use hardware breakpoints only | x86 HW BP (DR0-DR3) | Legitimate 0xCC in data |
| L13 | `prctl(PR_SET_DUMPABLE, 0)` | Prevent ptrace attach after start (non-dumpable processes can only be attached with `CAP_SYS_PTRACE`) | Medium | Hook `prctl`, keep dumpable | LD_PRELOAD, Frida | None |
| L14 | `personality(ADDR_NO_RANDOMIZE)` | Detect if ASLR disabled (common debugger setting) | Low | Keep ASLR enabled while debugging | GDB (`set disable-randomization off`) | Manual ASLR disable |

---

## 2. WINDOWS ANTI-DEBUG MATRIX

| # | Technique | Detection Method | Reliability | Bypass Method | Bypass Tool | False Positives |
|---|---|---|---|---|---|---|
| W1 | `IsDebuggerPresent` | Reads `PEB.BeingDebugged` | High | Patch PEB byte, hook API | ScyllaHide, x64dbg | None |
| W2 | `CheckRemoteDebuggerPresent` | Calls `NtQueryInformationProcess(ProcessDebugPort)` | High | Hook underlying NtQIP | ScyllaHide | None |
| W3 | PEB.BeingDebugged | Direct PEB read (no API call) | High | Zero the byte at PEB+0x02 | ScyllaHide, manual patch | None |
| W4 | PEB.NtGlobalFlag (value 0x70) | Check for `FLG_HEAP_ENABLE_TAIL_CHECK` \| `FLG_HEAP_ENABLE_FREE_CHECK` \| `FLG_HEAP_VALIDATE_PARAMETERS` (0x10 \| 0x20 \| 0x40) | High | Zero `NtGlobalFlag` (PEB+0x68 on x86, PEB+0xBC on x64) | ScyllaHide | None |
| W5 | Heap flags | `ProcessHeap.Flags` / `ForceFlags` | High | Patch heap header | ScyllaHide | None |
| W6 | `NtQueryInformationProcess` DebugPort | InfoClass 0x07 → non-zero if debugged | High | Hook NtQIP, return 0 | ScyllaHide, Frida | None |
| W7 | `NtQueryInformationProcess` DebugObjectHandle | InfoClass 0x1E → valid handle if debugged | High | Hook NtQIP, return error | ScyllaHide | None |
| W8 | `NtQueryInformationProcess` DebugFlags | InfoClass 0x1F → 0 if debugged (inverted!) | High | Hook
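The three cheapest Linux rows (L1, L2 and L9) as working checks, written for this page as an added example rather than taken from the skill or the hack-skills repository. The `/proc/self/status` parse is kept separate from the file read so it can be exercised on constructed text; the file name `antidbg.c` in the build comment is only a suggestion.

```c
/* Added example for this page: Linux anti-debug checks from matrix rows
 * L1 (PTRACE_TRACEME), L2 (/proc/self/status TracerPid) and L9 (LD_PRELOAD).
 * Not the skill's own code. Build: gcc -O0 -Wall -o antidbg antidbg.c
 * Run it plainly, then under `gdb -ex run ./antidbg`, to see verdicts change. */
#define _GNU_SOURCE          /* setenv/unsetenv/ptrace prototypes under strict -std */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ptrace.h>

/* Row L2, pure part: find the "TracerPid:" line in status text and return
 * its value; -1 if the field is absent or carries no number. Only matches
 * at line starts, as the kernel emits it. */
int parse_tracer_pid(const char *status_text)
{
    const char *p = status_text;
    while (p && *p) {
        if (strncmp(p, "TracerPid:", 10) == 0) {
            const char *v = p + 10;
            while (*v == ' ' || *v == '\t')
                v++;
            char *end;
            long pid = strtol(v, &end, 10);
            if (end == v || pid < 0)
                return -1;                 /* malformed: treat as unknown */
            return (int)pid;
        }
        p = strchr(p, '\n');
        if (p)
            p++;
    }
    return -1;
}

/* Row L2, I/O part: 0 = not traced, >0 = tracer PID, -1 = could not read
 * (e.g. /proc not mounted). A hardened binary must decide what -1 means for
 * it; silently treating it as "clean" is the bypass an attacker hopes for. */
int read_tracer_pid(void)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return -1;
    char buf[4096];
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_tracer_pid(buf);
}

/* Row L1: PTRACE_TRACEME fails with EPERM when a tracer is already attached.
 * Side effect: on success the caller is now traced by its parent, which a
 * real anti-debug binary accepts; call it once, early. -1 means the request
 * was refused for another reason (seccomp, container policy), not a debugger. */
int traceme_detects_debugger(void)
{
    errno = 0;
    if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1)
        return errno == EPERM ? 1 : -1;
    return 0;
}

/* Row L9: trivially spoofed and legitimately used, hence "Low" in the matrix. */
int ld_preload_set(void)
{
    const char *v = getenv("LD_PRELOAD");
    return v != NULL && v[0] != '\0';
}

int main(void)
{
    int tp = read_tracer_pid();
    printf("TracerPid      : %s (%d)\n",
           tp > 0 ? "TRACED" : tp == 0 ? "clean" : "unknown", tp);
    printf("LD_PRELOAD     : %s\n", ld_preload_set() ? "set" : "clean");
    int tm = traceme_detects_debugger();
    printf("PTRACE_TRACEME : %s\n",
           tm == 1 ? "TRACED" : tm == 0 ? "clean" : "unavailable");
    return 0;
}
```

Under GDB the first and third lines flip to TRACED; with the row L2 bypass (an `fopen` hook returning a file whose TracerPid line reads 0) only the ptrace line still flips, which is why the matrix rates L1 as definitive.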
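The `LD_PRELOAD` shim named in row L1's bypass column, as an added example for this page (not code from the skill or from hack-skills). It answers `PTRACE_TRACEME` with success without tracing anything and forwards every other request to the kernel; the library name `noptrace.so` and the counter `noptrace_faked_traceme` are this example's own choices. It assumes glibc's prototype for `ptrace`.

```c
/* Added example for this page: LD_PRELOAD shim for matrix row L1.
 * Build: gcc -shared -fPIC -o noptrace.so noptrace.c
 * Use:   LD_PRELOAD=./noptrace.so ./target
 *        (inside gdb: set environment LD_PRELOAD ./noptrace.so)
 * Limits: static binaries and binaries that issue the raw ptrace syscall
 * (inline `syscall` instruction, or libc's syscall()) bypass this shim;
 * for those use the NOP patch or `catch syscall ptrace` from the same row. */
#define _GNU_SOURCE
#include <stdarg.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

/* How many TRACEME calls were faked; readable from a debugger (watchpoint or
 * `print noptrace_faked_traceme`) without the shim printing anything. */
long noptrace_faked_traceme = 0;

/* Same prototype as glibc's wrapper, so the dynamic linker resolves the
 * target's ptrace() to this definition before libc's. */
long ptrace(enum __ptrace_request request, ...)
{
    if (request == PTRACE_TRACEME) {
        noptrace_faked_traceme++;
        return 0;                       /* "not traced": the check passes */
    }

    va_list ap;
    va_start(ap, request);
    pid_t pid  = va_arg(ap, pid_t);
    void *addr = va_arg(ap, void *);
    void *data = va_arg(ap, void *);
    va_end(ap);

    /* Forward through the raw syscall to keep the shim dependency-free.
     * Caveat: at the syscall level PTRACE_PEEKTEXT/PEEKDATA/PEEKUSER store
     * their result through `data` instead of returning it, so a target that
     * uses those requests needs a dlsym(RTLD_NEXT, "ptrace") forward instead. */
    return syscall(SYS_ptrace, request, pid, addr, data);
}
```

Because the shim only lies about `PTRACE_TRACEME`, a binary that combines row L1 with row L2 (TracerPid) or row L8 (fork watchdog) still detects the debugger; the matrix's per-row bypass tools have to be stacked to cover every check the target actually performs.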