Fix: Ptrace call is detached after a ptrace call with traceme argumen…

…t from child process Signed-off-by: GLVS Kiriti <[email protected]>
falcosecurity · Apr 11, 2024 · 9f8440c · 9f8440c
1 parent 26f0715
commit 9f8440c
Showing 1 changed file with 12 additions and 4 deletions.
diff --git a/events/syscall/ptrace_anti_debug_attempt.go b/events/syscall/ptrace_anti_debug_attempt.go
@@ -15,6 +15,7 @@ limitations under the License.
 package syscall
 
 import (
+	"os/exec"
 	"syscall"
 
 	"github.com/falcosecurity/event-generator/events"
@@ -23,12 +24,19 @@ import (
 var _ = events.Register(PtraceAntiDebugAttempt)
 
 func PtraceAntiDebugAttempt(h events.Helper) error {
-	// Attempt to call ptrace with PTRACE_TRACEME argument
-	_, _, err := syscall.Syscall(syscall.SYS_PTRACE, syscall.PTRACE_TRACEME, 0, 0)
-	if err != 0 {
-		h.Log().WithError(err).Error("Failed to call ptrace with PTRACE_TRACEME argument")
+	// Start a dummy process which sleeps for 1hr
+	cmd := exec.Command("sleep", "3600")
+	cmd.SysProcAttr = &syscall.SysProcAttr{
+		Ptrace: true, // This is equivalent to calling PTRACE_TRACEME in the child
+	}
+	if err := cmd.Start(); err != nil {
+		h.Log().WithError(err).Error("Failed to start dummy process")
 		return err
 	}
+	pid := cmd.Process.Pid
+
+	defer syscall.PtraceDetach(pid) // Detach the dummy process at end
+	defer cmd.Process.Kill()        // Kill the dummy process at end
 
 	h.Log().Infof("Successfully called ptrace with PTRACE_TRACEME argument")
 	return nil