Solved

Anti-Debug.

Posted on 2001-08-04
369 Views
Last Modified: 2008-01-16
Hi all,
I wrote a program and I want to prevent it from being debugged.
How can I handle this in my program,
and what must I add to my code to prevent it from being debugged?

Thanx
Question by:AAB
25 Comments
 
LVL 22

Expert Comment

by:nietod
ID: 6351286
>> what must I add to my code to prevent to be debug.
There is nothing you can do to prevent it.  Any program that can be run, can be debugged.  There is nothing you can do about that.

But you can do things to make debugging less useful for the person trying to debug the program.

First of all, most compilers produce both debug and release versions of the software.  The debug version is easy to debug, but the release version can still be debugged, but it is harder for the person debugging to make sense of.  The reason for this is that the debug version often includes symbolic information, that is, it contains information that records the variable names, data types, procedure names, and other elements of code that you wrote.  This information can often be shown in the debugger and make it easier for the programmer debugging your program to see what he/she is looking at.   But the release version doesn't usually contain this information.  The programmer can still debug the program, but without the names of variables, functions, data types, code statements etc, they have to look at the assembly version of your program which is much much harder to understand.  

So the first thing you can do is to create a release version of your program and distribute that.  Don't distribute a debug version.

I can't say how you go about creating a release version of your program.  That depends on the compiler you are using and you have not stated this.

continues
0
 
LVL 22

Expert Comment

by:nietod
ID: 6351292
Removing the symbolic information makes it harder for the programmer to understand what he/she reads when debugging your code.  But the programmer can still "follow" the execution of the program and figure out what it is doing.  There is nothing that can be done to prevent this, but often you can make it harder.  Here are some things that you can do to make this harder.

On many platforms/operating systems (OSs) there is an interrupt that can be used to invoke the debugger.  This is often called the debugger interrupt.  When a program is executing under a debugger and this interrupt is encountered it acts just like a breakpoint was set at that point.  In other words, the program is stopped at this point so the programmer can examine the program state at this point.  This is usually a tool used to help someone debug a program, but actually it can be used to make it harder to debug.  If your program places a bunch of these debugger interrupts at strategic locations in your program (like in central loops and other tight loops), then when someone tries to debug your application, they will find it breaking execution frequently at break points that they didn't set.  For example, they might be trying to follow the logic of procedure A, but if procedure A calls procedure B from inside a loop and procedure B has a debugger interrupt in it, then the programmer will have a hard time following A because they keep getting "moved to" B and then have to get back to A.   Note that on most platforms, when there is no debugger running, the debugger interrupt is just ignored.  However it does take a little time to execute, so place them at strategic locations, like in procedures that are called often, but not too often.   Again, how you go about setting a debugger interrupt depends on the compiler you are using, which you have not stated.  But in VC it would be

   __asm int 3;

continues
0
 
LVL 22

Expert Comment

by:nietod
ID: 6351306
Another thing you can do to make it harder to follow the execution of the code is to use lots of inline procedures.  Declare almost all procedures to be inline.  This might make your program larger, but also might make it execute faster. This makes it harder to understand the program in the debugger.  When a function is not inline, the programmer debugging the program only needs to figure out what that function does one time.  Then each time the function is called, he/she does not need to reanalyze the function.   But if the function is inlined, the programmer debugging the code will probably need to figure out the logic of the function every single time it is encountered. This is more work for them and it is harder work because they won't see the way you "organized" the code, i.e. they don't see that one section of the code is performing a step that is separate from the surrounding code.

continues
0
 
LVL 22

Accepted Solution

by:
nietod earned 300 total points
ID: 6351311
Another thing you can do is to try to use techniques that will hinder the logic the debugger uses to figure stuff out.  For example, most procedures pass parameters on the stack.  But some compilers have options to pass parameters in registers.  This can make it much harder for the debugger to figure out what the parameters are.  So if you declare some of your procedures (not all, what makes this work is that it is unexpected) to use register calling conventions it makes them harder to understand.  Again, how you do this will depend on the compiler you are using--and not all will support it.  

Well, that should get you started.
0
 

Author Comment

by:AAB
ID: 6351370
I use the MS Visual C++ compiler..
So if you can give more help ...
and examples..
Thanx for all ..
0
 
LVL 14

Expert Comment

by:AlexVirochovsky
ID: 6351373
Is your OS Windows?
In this case you can use the DebugBreak API to test
whether the app is being debugged. Example of use:

#include <windows.h>

void LockDebug()
{
    __try   // set up an SEH frame - this frame will 'see' (handle)
            // the EXCEPTION_BREAKPOINT if no debugger is present
    {
        // issue an EXCEPTION_BREAKPOINT - when no debugger is
        // present, our SEH handler below will be executed...
        DebugBreak();

        // if we reach this point, a debugger is attached to
        // this application (and someone decided not to give up ;-)
        OutputDebugString("Don't debug me!!!\n");

#ifndef __HARD_AND_MEAN_EXIT
        ExitProcess(0);
#else
        TerminateProcess(GetCurrentProcess(), 0xffffffff);
#endif
    }
    __except (EXCEPTION_BREAKPOINT == GetExceptionCode()
                  ? EXCEPTION_EXECUTE_HANDLER
                  : EXCEPTION_CONTINUE_SEARCH)   // just to make sure we're not handling sth. else...
    {
        // Fine! This was our 'DebugBreak()', all's well, do nothing
    }
}
0
 

Author Comment

by:AAB
ID: 6351407
Thanx for all.
I think nietod has explained what I need, and really thanx for all,
and Alex gave me a good API. I want to give nietod 200 points and Alex 100 points, but this is not allowed,
so the points go to the first one who responded to me..

Thanx for all
0
 

Author Comment

by:AAB
ID: 6351410
But please, if anyone has a more detailed explanation, can you send me an e-mail at aab75@msn.com

Thanx.

0
 

Author Comment

by:AAB
ID: 6351411
Please, if you can give me more help, I thank you ...

0
 
LVL 22

Expert Comment

by:nietod
ID: 6351531
>> I wanna give nietod 200 point and
>> Alex 100 points, but this not
>> allowed.
For extreme cases you can have customer service split the points to a question.  You can post a comment in the customer service topic area asking them to do this.  But only do this for cases where you really think it is necessary, as it does require the efforts of the CS staff.

Since this is for VC, you definitely can use a release mode application to help make this hard on the debugger.  You can use

__asm int 3;

to place debugger breaks throughout your code.  You can use inline functions to make this harder to understand. You can use the __fastcall keyword when you declare some of your functions to make them use the registers instead of the stack, like

int __fastcall Increment(int i)
{
   return i + 1;
}

You can use the technique that Alex suggested to try to detect the debugger.  However that is only of limited help--well that is true of everything I suggested too.  The programmer trying to debug the application will be able to get around it.  But everything you do to make it harder on them helps.  Hopefully they will just give up...
0
 
LVL 86

Expert Comment

by:jkr
ID: 6352321
>>You can use the technique that Alex suggested to try to
>>detect the debugger

I just want to add that this is _my_ code :o)
0
 
LVL 14

Expert Comment

by:AlexVirochovsky
ID: 6352675
well, jkr, it is your code, but all is common...
And I hope, that our discussion helps to AAB.  
0
 
LVL 86

Expert Comment

by:jkr
ID: 6353636
>>well, jkr, it is your code, but all is common...

Didn't mean to criticize you for using it, I'd just have appreciated being mentioned :o)
0
 
LVL 14

Expert Comment

by:AlexVirochovsky
ID: 6355579
ok, next time..
0
 
LVL 86

Expert Comment

by:jkr
ID: 6355614
BTW, to the asker of this Q - at least for Win32, there IS a way to definitely prevent an application from being debugged (or at least increase the complexity of this task to an intolerable level)
0
 
LVL 22

Expert Comment

by:nietod
ID: 6355656
What is it?
0
 
LVL 86

Expert Comment

by:jkr
ID: 6355701
>>What is it?

Debugging it yourself :o)
0
 
LVL 22

Expert Comment

by:nietod
ID: 6355734
What if the other debugger is already debugging your process?  It could prevent your program from ever trying to debug itself.
0
 
LVL 86

Expert Comment

by:jkr
ID: 6355753
>>What if the other debugger is already debugging your
>>process?  It could prevent your program from ever
>>trying to debug itself.

Well, that can be taken care of by making sure that your app will only run with that very debugger...
0
 
LVL 22

Expert Comment

by:nietod
ID: 6355820
I don't get it.
0
 
LVL 86

Expert Comment

by:jkr
ID: 6355862
>>I don't get it.

Consider e.g. a certain sequence of code that is inserted into the app's address space at runtime - can be easily done by a debugger that *knows* what to insert (I have to stop now, giving away all my dirty tricks :o)
0
 
LVL 22

Expert Comment

by:nietod
ID: 6355895
Well, if it's a good enough answer and you are willing to part with it, it probably should have been the answer.   If you want to part with it, I'll "pay" you the 300*4 pts.  (I'm still skeptical at this point, although I also doubt that you'd be wrong.)
0
 
LVL 86

Expert Comment

by:jkr
ID: 6355912
I'll consider that...
0
 
LVL 22

Expert Comment

by:nietod
ID: 6355978
I'm not trying to pressure you if this is something from your private arsenal.  I just thought AAB deserves the best answer possible and the best answer should be awarded.
0
 

Author Comment

by:AAB
ID: 6356034
Thanx nietod,

I think we have to give clear answers, we all need help, and I think this discussion will be useful if we have clear explanations ..

Thanx.
0