check tracer pid #335

Open
w296488320 opened this issue Sep 17, 2022 · 2 comments
@w296488320

Hi there, great developer.
I found that some programs do anti-debug detection at startup, like detecting other exceptions for the current thread, because proot needs to start a process (tracer) to track the main thread. The detection method is similar to the following.

    #include <dirent.h>
    #include <unistd.h>
    #include <cstdlib>
    #include <glog/logging.h>

    // Walk /proc and flag every pid that is not our own; any other pid visible
    // from inside the app's sandbox (for example proot's tracer) is treated as
    // evidence of a debugger.
    void check_for_tracer() {
        DIR *pdr = opendir("/proc");
        if (pdr == nullptr) {
            return;
        }
        dirent *read_ptr;
        bool found = false;

        while ((read_ptr = readdir(pdr)) != nullptr) {
            int procpid = atoi(read_ptr->d_name);  // non-numeric entries yield 0
            LOG(INFO) << "find /proc/ child dir  " << procpid;
            if (procpid && procpid != getpid()) {
                found = true;
                LOG(ERROR) << ">>>>>  FIND OTHER THREAD SANDBOX " << procpid;
            }
        }
        closedir(pdr);
        if (!found) {
            LOG(ERROR) << ">>>>> NOT FIND SANDBOX ";
        }
    }

This pid of the tracer can be detected, and the program is considered to be being debugged. Is there any good way to bypass this?
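The check the issue title refers to, as an added example that is not code from this issue or from proot: parse the TracerPid field of /proc/self/status, which the kernel sets to the pid of whatever process is ptrace-attached (proot's tracer included) and to 0 otherwise. The sample status text and its pids are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse the "TracerPid:" field out of the text of a /proc/<pid>/status file.
 * Returns the tracer's pid (0 means nobody is attached), or -1 if the field
 * is absent. The field name is matched only at the start of a line. */
int parse_tracer_pid(const char *status_text)
{
    const char *line = status_text;
    while (line != NULL && *line != '\0') {
        if (strncmp(line, "TracerPid:", 10) == 0)
            return (int)strtol(line + 10, NULL, 10); /* strtol skips the tab */
        line = strchr(line, '\n');
        if (line != NULL)
            line++;
    }
    return -1;
}

/* Read our own status file. Returns -1 when /proc is unavailable. */
int read_tracer_pid(void)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (f == NULL)
        return -1;
    char buf[4096];
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_tracer_pid(buf);
}

/* Constructed sample (pids invented for the example): the status of a
 * process that a ptrace-based tracer such as proot's has attached to. */
static const char SAMPLE_STATUS[] =
    "Name:\tapp\n"
    "State:\tt (tracing stop)\n"
    "Pid:\t1234\n"
    "PPid:\t4242\n"
    "TracerPid:\t4242\n";

int main(void)
{
    int t = read_tracer_pid();
    printf("sample TracerPid = %d\n", parse_tracer_pid(SAMPLE_STATUS)); /* 4242 */
    printf("our TracerPid = %d (%s)\n", t,
           t > 0 ? "ptrace-attached" : t == 0 ? "not traced" : "unknown");
    return 0;
}
```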

oxr463 (Collaborator) commented Sep 17, 2022

That's an excellent question. What is the behavior of the application when it discovers the tracer?

@w296488320 (Author)

When a program detects that it is being debugged, it may kill -9 itself; many programs will detect whether the current environment is being ptraced, and thus whether the current environment is a security hazard. If the current environment is considered safe, the normal logic will continue.

For this special case of detection, anti-debugging or ptrace, I did not find a good way to counter it.

I don't know how the seccomp-based sandbox implementation handles this kind of problem. Do you have any good suggestions, great developer?
