WinAPI - examples - post 3

Peter H:

--- Quote from: 440bx on January 22, 2021, 06:23:15 am ---The goal isn't to outsmart a good reverse engineer, the goal is to try his/her patience.  The tricks don't have to be elaborate, what's needed is to force the individual to manually inspect every place where there is int 3 and other simple tricks to determine what should be done in each specific case.

--- End quote ---

I am not a hacker, but have debugged software and patched for very legal and honest purposes.
I think a good protection would be if a program uses the IsDebuggerPresent API and introduces bugs when running in the debugger, for example releasing some memory and intentionally creating dangling pointers or out-of-bounds errors.
The program will then crash in the debugger some time later and not at the location where the "bug" was made, and this is very hard to debug.

Martin_fr:
Interesting to see how this topic took off.... (feigning an innocent look myself...)


--- Quote from: Peter H on January 22, 2021, 04:39:36 pm ---I think a good protection would be if a program uses the IsDebuggerPresent API and introduces bugs when running in the debugger,

--- End quote ---
Of course a debugger could be tweaked to intercept those calls and fake the return values.


--- Quote from: Peter H on January 22, 2021, 04:39:36 pm ---for example releasing some memory and intentionally creating dangling pointers or out-of-bounds errors.
The program will then crash in the debugger some time later and not at the location where the "bug" was made, and this is very hard to debug.

--- End quote ---
If you get mem access errors in your own app, I highly recommend using "valgrind --tool=memcheck" on it. In fact, I recommend that even if you do not get any errors.

For all else, the hacker always wins.
But, I guess a nice game to play would be to include your own "debugger" in your app. This could tweak values at strategic points and look for other debuggers. I do not know if Windows will allow it, but if you could have two processes that debug each other (circular), then they could each check for side-effects of other debuggers.
Of course the hacker could just debug with a system debugger.
