A stealth-aware native debugger for Linux x86-64, with experimental Windows & macOS support. Anti-detect at the userland and kernel level. Decompilation via RetDec. Scripting via Lua & Python.
From low-level ptrace control to high-level decompilation — all in one tool.
8 userland + 8 kernel-level techniques to hide from anti-debug checks.
Mask TracerPid, hide 0xCC bytes, spoof parent names,
intercept PTRACE_TRACEME, and more.
Decompile functions in live processes or static binaries via Avast RetDec (native dlopen) or angr. Decompile at current RIP with one command.
RetDec + angrAutomate debugging with full ndbg API in both Lua and Python.
JSON-RPC subprocess bridge — no library dependencies, full isolation.
Interpret raw memory as language-specific types: C strings,
std::string (SSO-aware), Rust String,
Go string, CPython str, and structs.
Full-featured CLI REPL (the only interface; GUI was removed in v1.1.4) 30+ commands, batch mode, interactive TUI memory editor.
CLI-onlyPatch ELF/PE/Mach-O binaries in-place: NOP, JMP always/never, CALL→NOP, force-return-true, ASCII replace. Undo any patch. Save without overwriting source.
7 patch kindsDebug Linux ELF (native ptrace), Windows PE (via Wine + gdbstub), and macOS Mach-O (via QEMU). Auto-detects target platform from magic bytes.
Linux + Win + MacConditional + temporary breakpoints, hardware watchpoints (DR0-DR3), step-over, step-out, syscall stepping, backtrace with symbol resolution.
Full feature setFull source code available. Free for personal, academic, and commercial use. Fork it, modify it, contribute back. No restrictions.
NEW v1.1.4Hide from every common anti-debug check — at both userland and kernel level.
| # | Technique | Defeats | Layer |
|---|---|---|---|
| 1 | Hardware Breakpoints (DR0-DR3) | INT3 byte scans of .text | Userland |
| 2 | process_vm_readv/writev | ptrace-event observation | Userland |
| 3 | Mask /proc/self/status | TracerPid: field read | Userland |
| 4 | Hide NinjaDBG mmaps | Address-space enumeration | Userland |
| 5 | Timing normalization | RDTSC / clock_gettime checks | Userland |
| 6 | Parent name masquerade | /proc/ppid/comm inspection | Userland |
| 7 | Hide from ps | readdir(/proc) enumeration | Userland |
| 8 | INT3 scan bypass | Self-.text scanning for 0xCC | Userland |
| 9 | Hide PID from /proc | Kernel proc_readdir() hook | Kernel (LKM) |
| 10 | Mask /proc/self/wchan | wchan returning ptrace_stop | Kernel (LKM) |
| 11 | Mask /proc/self/syscall | Syscall field showing stopped nr | Kernel (LKM) |
| 12 | Mask /proc/<pid>/comm | comm field reading ninjadb | Kernel (LKM) |
| 13 | Suppress tracer SIGCHLD | Timing via extra SIGCHLD | Kernel (LKM) |
| 14 | Force PR_SET_DUMPABLE=1 | prctl(PR_GET_DUMPABLE) returning 0 | Kernel (LKM) |
| 15 | Intercept PTRACE_TRACEME | Target's self-TRACEME succeeding | Kernel (LKM) |
| 16 | Hide our mmap regions | Target enumerating /proc/<pid>/maps | Kernel (LKM) |
Wrap RetDec natively or use angr — decompile live processes or static binaries.
Verified working — angr func.normalize() fix applied in v1.1.4
Interpret raw memory as language-native types — no more hex dumps.
What you get with NinjaDBG vs. traditional debuggers.
Download the prebuilt binary or build from source.
Star the repo, download v1.1.4, and start debugging like a ninja.