I have my emulator running reasonably successfully on upx now. It’s actually an auto unpacker, and identifies when the program is unpacked by monitoring execution on previously written memory. In the process of emulating file I/O I came across a particular bug in gdb.
The file descriptor returned from an open call inside the debuggee was 6. I was expecting 3.
gdb must be using file descriptors 3, 4, and 5, and forgot to close them before calling execve.
I’m not sure what the descriptors are used for. Anyone care to take a look?
In the best-case scenario, this bug can be used for another test to see if a debugger is present, and in the worst case, if these file descriptors were used for control, *gasp* control gdb? Probably they aren’t used for anything important, but I haven’t looked any further.
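Added example (my own code, not the author's emulator and not part of gdb) for reproducing the observation above and checking the fix on Linux: first_free_fd() shows what a process's first open() returns, list_open_fds() walks /proc/self/fd to show every inherited descriptor, where it points and whether it would cross the next execve, and cloexec_demo() shows that marking a descriptor FD_CLOEXEC is what stops it leaking into the debuggee. Function names are mine; it assumes /proc is mounted.

```c
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* What the first open() returns: 3 with only stdin/stdout/stderr open, more if fds leaked. */
int first_free_fd(void) {
    int fd = open("/dev/null", O_RDONLY);
    if (fd >= 0) close(fd);
    return fd;
}

/* 1 if fd would cross execve (no FD_CLOEXEC), 0 if it would be closed, -1 on error. */
int survives_exec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    return flags == -1 ? -1 : !(flags & FD_CLOEXEC);
}

/* The fix: a plain open() leaks through execve, FD_CLOEXEC stops it. Returns 1 if both hold. */
int cloexec_demo(void) {
    int fd = open("/dev/null", O_RDONLY);
    if (fd < 0) return 0;
    int before = survives_exec(fd);
    fcntl(fd, F_SETFD, FD_CLOEXEC);
    int after = survives_exec(fd);
    close(fd);
    return before == 1 && after == 0;
}

/* Print each open fd (Linux /proc/self/fd), its target and whether it would cross execve. */
int list_open_fds(void) {
    DIR *d = opendir("/proc/self/fd");
    struct dirent *e; int count = 0;
    if (!d) return -1;
    while ((e = readdir(d)) != NULL) {
        char path[64], target[256];
        int fd = atoi(e->d_name);
        if (e->d_name[0] == '.' || fd == dirfd(d)) continue;  /* skip ., .. and the DIR's own fd */
        snprintf(path, sizeof path, "/proc/self/fd/%d", fd);
        ssize_t n = readlink(path, target, sizeof target - 1);
        printf("fd %d -> %.*s [%s]\n", fd, (int)(n < 0 ? 0 : n), target,
               survives_exec(fd) ? "inherited by execve" : "close-on-exec");
        count++;
    }
    closedir(d);
    return count;                 /* number of descriptors found, -1 on error */
}

int main(void) { printf("first open() returned fd %d\n", first_free_fd()); return list_open_fds() < 0; }
```

Run it directly and then under the debugger and compare the two listings; the extra entries are the descriptors the post is asking about.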