I've seen this done on Windows using CreateProcess, although I believe it wasn't specifically for anti-debugging purposes but instead a process that wanted to reinitialise itself from the beginning.
A far more effective actual anti-debugging technique is to have the parent become the debugger of the child, preventing any other debugger from attaching to it.
But then you can attach to the parent and cause it to stop debugging the child so you can. I think you want a process to be its own debugger; idk if ptrace(2) allows that. Then there's things like DTrace and eBPF -- I don't think you can prevent them from the target.
> A far more effective actual anti-debugging technique is to have the parent become the debugger of the child,
Do you have example of that? I am really curious, thanks for sharing tho :)
Does follow-fork-mode in lldb not also defeat this?
I tried with LLDB using `settings set target.process.follow-fork-mode child` but for some reasons I feel like it still exit from the parent process.
I also tried with a long living process: https://github.com/tony-go/antidebug-examples/tree/main/swif...
And I got this:
``` (lldb) run Process 14345 launched: '/anti-debug/swift/build/anti_debug' (arm64) start pid = 14345 exit parent process for child pid = 14348 continue as child process pid = 14348 Process 14345 exited with status = 0 (0x00000000) ```
The UI did not even appeared as it should.
Maybe I miss something in my LLDB config...
Also it could come from a messy thing in the code.
Yes.
The more you hate, the more you love.