i w4N7 t0 k0d3 l33T 4nt1-ph33nR1s pr0t3kti0n f0r |\/|Y xpl01tz!!! Seek no more! There are quite a few ways to fool Fenris. You can crash the program executed under Fenris that wouldn't otherwise crash (set a handler for some fictional signal to point somewhere in the middle of a function, call the function), you can make Fenris refuse to trace an application (bogus clone() call anywhere). You can stop Fenris from reporting what the code is doing (relocate to 0x40... segment, simulate multiple RETs). You can make Fenris exit for some other reason, for example, excessive number of calls without ret. You can kill Fenris by using the old ptrace-back trick I described long time ago in the paper about Samhain, as it is using common ptrace() interface. You can detect Fenris running by detecting system semantics changes caused by ptrace. With a bit of invention and some time, you can even hijack Fenris session and manipulate it, as with any other tracer and debugger. Or you can simply fool Fenris, spoofing C constructions and then invoking real code in some obscure manner (such as call-by-ret). At the same time, most of the techniques mentioned here can be easily defeated under Aegir. Fake signal handlers can be avoided by removing signal() call, same about clone() calls, and, generally, all sorts of single point anti-debugging routines. Obscure segments can be traced with -X option, RETs and excessive calls can be ignored with -x. If they become overly popular, I will probably add some automated support for defeating this protection. If you make your anti-debugging code non-localized, for example a bogus call every line, you're making someone else's life more miserable - but at worst, he'd simply resort to using a different, lower level tool (even fenris -G can be an option), maybe something less popular but more interesting :-) So... my general advice would be, unless you have a good reason, don't do that to be distributed to public. There's much more harm than good from distributing tools that are supposed to make reverse engineering more difficult (even burneye is a good example). Why? Simply put, many people don't have excellent reverse engineering skills, but they surely should have the privilege to guess what some code they found on their machine does. By giving the ability to defeat basic tools to script kiddies, you are not helping anyone. Keep it to yourself, protect your code only. Ah - most likely, there are some ways to trash Fenris because of my programming errors. If you are aware of such conditions, let me know. I don't think there are some terrible mistakes that would make a specific type of code completely not traceable, but who knows.