Solved

Anti-Debug.

Posted on 2001-08-04
25
377 Views
Last Modified: 2008-01-16
Hi all,
I wrote a program and I want to prevent it from being debugged.
How can I handle this in my program,
and what must I add to my code to prevent it from being debugged?

Thanx
Question by:AAB
25 Comments
 
LVL 22

Expert Comment

by:nietod
ID: 6351286
>> what must I add to my code to prevent to be debug.
There is nothing you can do to prevent it.  Any program that can be run, can be debugged.  There is nothing you can do about that.

But you can do things to make debugging less useful for the person trying to debug the program.

First of all, most compilers produce both debug and release versions of the software.  The debug version is easy to debug; the release version can still be debugged, but it is harder for the person debugging to make sense of.  The reason for this is that the debug version often includes symbolic information, that is, it contains information that records the variable names, data types, procedure names, and other elements of the code that you wrote.  This information can often be shown in the debugger and makes it easier for the programmer debugging your program to see what he/she is looking at.   But the release version doesn't usually contain this information.  The programmer can still debug the program, but without the names of variables, functions, data types, code statements etc., they have to look at the assembly version of your program, which is much, much harder to understand.

So the first thing you can do is to create a release version of your program and distribute that.  Don't distribute a debug version.

I can't say how you go about creating a release version of your program.  That depends on the compiler you are using and you have not stated this.

continues
0
 
LVL 22

Expert Comment

by:nietod
ID: 6351292
Removing the symbolic information makes it harder for the programmer to understand what he/she reads when debugging your code.  But the programmer can still "follow" the execution of the program and figure out what it is doing.  There is nothing that can be done to prevent this, but often you can make it harder.  Here are some things that you can do to make this harder.

On many platforms/operating systems (OSs) there is an interrupt that can be used to invoke the debugger.  This is often called the debugger interrupt.  When a program is executing under a debugger and this interrupt is encountered, it acts just as if a breakpoint had been set at that point.  In other words, the program is stopped at this point so the programmer can examine the program state at this point.  This is usually a tool used to help someone debug a program, but actually it can be used to make it harder to debug.  If your program places a bunch of these debugger interrupts at strategic locations in your program (like in central loops and other tight loops), then when someone tries to debug your application, they will find it breaking execution frequently at breakpoints that they didn't set.  For example, they might be trying to follow the logic of procedure A, but if procedure A calls procedure B from inside a loop and procedure B has a debugger interrupt in it, then the programmer will have a hard time following A because they keep getting "moved to" B and then have to get back to A.   Note that on most platforms, when there is no debugger running, the debugger interrupt is just ignored.  However, it does take a little time to execute, so place them at strategic locations, like in procedures that are called often, but not too often.   Again, how you go about setting a debugger interrupt depends on the compiler you are using, which you have not stated.  But in VC it would be

   __asm int 3;

continues
0
 
LVL 22

Expert Comment

by:nietod
ID: 6351306
Another thing you can do to make it harder to follow the execution of the code is to use lots of inline procedures.  Declare almost all procedures to be inline.  This might make your program larger, but also might make it execute faster. This makes it harder to understand the program in the debugger.  When a function is not inline, the programmer debugging the program only needs to figure out what that function does one time.  Then each time the function is called, he/she does not need to reanalyze the function.   But if the function is inlined, the programmer debugging the code will probably need to figure out the logic of the function every single time it is encountered. This is more work for them and it is harder work because they won't see the way you "organized" the code, i.e. they don't see that one section of the code is performing a step that is separate from the surrounding code.

continues
0
 
LVL 22

Accepted Solution

by: nietod (earned 300 total points)
ID: 6351311
Another thing you can do is to try to use techniques that will hinder the logic the debugger uses to figure stuff out.  For example, most procedures pass parameters on the stack.  But some compilers have options to pass parameters in registers.  This can make it much harder for the debugger to figure out what the parameters are.  So if you declare some of your procedures (not all; what makes this work is that it is unexpected) to use register calling conventions, it makes them harder to understand.  Again, how you do this will depend on the compiler you are using--and not all will support it.

Well, that should get you started.
0
 

Author Comment

by:AAB
ID: 6351370
I use the MS Visual C++ compiler..
so if you can give more help ...
and examples..
Thanx for all ..
0
 
LVL 14

Expert Comment

by:AlexVirochovsky
ID: 6351373
Is your OS Windows?
In this case you can use the DebugBreak API to test
if the app is being debugged. Example of use:

#include <windows.h>

void LockDebug()
{
    __try   //  set up an SEH frame - this frame will 'see' (handle)
            //  the EXCEPTION_BREAKPOINT if no debugger is present
    {
        //  issue an 'EXCEPTION_BREAKPOINT' - when no debugger is
        //  present, our SEH handler below will be executed...
        DebugBreak();

        //  if we reach this point, a debugger is attached to
        //  this application (and someone decided not to give up ;-)
        //  (the 'A' variant keeps the narrow literal valid in UNICODE builds)
        OutputDebugStringA("Don't debug me!!!\n");

#ifndef __HARD_AND_MEAN_EXIT
        ExitProcess(0);                                   //  orderly exit
#else
        TerminateProcess(GetCurrentProcess(), 0xffffffff); //  no cleanup at all
#endif
    }
    __except (EXCEPTION_BREAKPOINT == GetExceptionCode()
                  ? EXCEPTION_EXECUTE_HANDLER
                  : EXCEPTION_CONTINUE_SEARCH)   //  just to make sure we're not handling sth. else...
    {
        //  Fine! This was our 'DebugBreak()', all's well, do nothing
    }
}
0
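As an added illustration, not code from the thread and not jkr's or Alex's own, the following shows the same "swallowed breakpoint" check as a function that returns a verdict instead of killing the process, so it can be unit-tested. On MSVC it is the DebugBreak()/SEH pair from the comment above (without the __try frame, an uncaught EXCEPTION_BREAKPOINT terminates a process that is not being debugged, which is why the frame is needed). On POSIX systems (an assumption: Linux or BSD with gcc or clang) the equivalent is raising SIGTRAP with a handler installed; a ptrace-based debugger receives the signal before the process does, so the handler is never reached while one is attached. The function names breakpoint_swallowed() and debug_verdict() are invented here.

```c
#include <stdio.h>
#include <string.h>

#if defined(_MSC_VER)
#include <windows.h>

/* MSVC: same shape as the thread's LockDebug(), but returning a verdict.
 * 1 = a debugger took the breakpoint, 0 = our own SEH frame handled it. */
int breakpoint_swallowed(void)
{
    int swallowed = 0;
    __try {
        DebugBreak();            /* raises EXCEPTION_BREAKPOINT */
        swallowed = 1;           /* only reached if a debugger handled it */
    }
    __except (GetExceptionCode() == EXCEPTION_BREAKPOINT
                  ? EXCEPTION_EXECUTE_HANDLER
                  : EXCEPTION_CONTINUE_SEARCH) {
        swallowed = 0;           /* our own frame ran: no debugger */
    }
    return swallowed;
}

#else
#include <signal.h>

/* POSIX (assumed Linux/BSD): SIGTRAP plays the role of EXCEPTION_BREAKPOINT.
 * A ptrace-based debugger gets the signal first; our handler only runs when
 * the process is left to handle its own trap. */
static volatile sig_atomic_t trap_seen;

static void on_sigtrap(int signo)
{
    (void)signo;
    trap_seen = 1;               /* the process handled its own trap */
}

int breakpoint_swallowed(void)
{
    void (*old)(int);

    trap_seen = 0;
    old = signal(SIGTRAP, on_sigtrap);
    if (old == SIG_ERR)
        return -1;               /* could not install a handler: unknown */
    raise(SIGTRAP);              /* synchronous: handler runs before return */
    signal(SIGTRAP, old);        /* restore the previous disposition */
    return trap_seen ? 0 : 1;
}
#endif

/* Turns the raw verdict into a message a program could log before deciding
 * whether to continue, exit, or (as in the thread) terminate itself. */
const char *debug_verdict(int swallowed)
{
    if (swallowed < 0)
        return "could not test for a debugger";
    return swallowed ? "breakpoint was swallowed: a debugger is attached"
                     : "breakpoint reached our handler: no debugger seen";
}

int main(void)
{
    int swallowed = breakpoint_swallowed();
    printf("%s\n", debug_verdict(swallowed));
    return swallowed > 0 ? 1 : 0;
}
```

Run without a debugger the check reports "no debugger seen"; under a debugger that stops on the trap and does not pass it on to the program, it reports the breakpoint as swallowed. As nietod says later in the thread, this only raises the cost: a debugger configured to hand the trap back to the process makes the check report nothing at all, so it should be one layer among several rather than the sole protection.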
 

Author Comment

by:AAB
ID: 6351407
Thanx for all.
I think nietod has explained what I need, and really thanx for all.
And Alex gave me a good API; I wanted to give nietod 200 points and Alex 100 points, but this is not allowed,
so the points go to the first one who responded to me..

Thanx for all
0
 

Author Comment

by:AAB
ID: 6351410
But please, if anyone has a more detailed explanation, can you send me an e-mail at aab75@msn.com

Thanx.

0
 

Author Comment

by:AAB
ID: 6351411
Please, if you can give me more help, I thank you ...

0
 
LVL 22

Expert Comment

by:nietod
ID: 6351531
>> I wanna give nietod 200 point and
>> Alex 100 points, but this not
>> allowed.
For extreme cases you can have customer service split the points for a question.  You can post a comment in the customer service topic area asking them to do this.  But only do this for cases where you really think it is necessary, as it does require the efforts of the CS staff.

Since this is for VC, you definitely can use a release-mode application to help make this hard on the debugger.  You can use

__asm int 3;

to place debugger breaks throughout your code.  You can use inline functions to make this harder to understand. You can use the __fastcall keyword when you declare some of your functions to make them use the registers instead of the stack, like

int __fastcall Increment(int i)
{
   return i + 1;
}

You can use the technique that Alex suggested to try to detect the debugger.  However, that is only of limited help--well, that is true of everything I suggested too.  The programmer trying to debug the application will be able to get around it.  But everything you do to make it harder on them helps.  Hopefully they will just give up...
0
 
LVL 86

Expert Comment

by:jkr
ID: 6352321
>>You can use the technique that Alex suggested to try to
>>detect the debugger

I just want to add that this is _my_ code :o)
0
 
LVL 14

Expert Comment

by:AlexVirochovsky
ID: 6352675
Well, jkr, it is your code, but all is common...
And I hope that our discussion helps AAB.
0
 
LVL 86

Expert Comment

by:jkr
ID: 6353636
>>well, jkr, it is your code, but all is common...

Didn't mean to criticize you for using it, I'd just have appreciated being mentioned :o)
0
 
LVL 14

Expert Comment

by:AlexVirochovsky
ID: 6355579
ok, next time..
0
 
LVL 86

Expert Comment

by:jkr
ID: 6355614
BTW, to the asker of this Q - at least for Win32, there IS a way to definitely prevent an application from being debugged (or at least increase the complexity of this task to an intolerable level)
0
 
LVL 22

Expert Comment

by:nietod
ID: 6355656
What is it?
0
 
LVL 86

Expert Comment

by:jkr
ID: 6355701
>>What is it?

Debugging it yourself :o)
0
 
LVL 22

Expert Comment

by:nietod
ID: 6355734
What if the other debugger is already debugging your process?  It could prevent your program from ever trying to debug itself.
0
 
LVL 86

Expert Comment

by:jkr
ID: 6355753
>>What if the other debugger is already debugging your
>>process?  It could prevent your program from ever
>>trying to debug itself.

Well, that can be taken care of by making sure that your app will only run with that very debugger...
0
 
LVL 22

Expert Comment

by:nietod
ID: 6355820
I don't get it.
0
 
LVL 86

Expert Comment

by:jkr
ID: 6355862
>>I don't get it.

Consider e.g. a certain sequence of code that is inserted into the app's address space at runtime - this can be easily done by a debugger that *knows* what to insert (I have to stop now, giving away all my dirty tricks :o)
0
 
LVL 22

Expert Comment

by:nietod
ID: 6355895
Well, if it's a good enough answer and you are willing to part with it, it probably should have been the answer.   If you want to part with it, I'll "pay" you the 300*4 pts.  (I'm still skeptical at this point, although I also doubt that you'd be wrong.)
0
 
LVL 86

Expert Comment

by:jkr
ID: 6355912
I'll consider that...
0
 
LVL 22

Expert Comment

by:nietod
ID: 6355978
I'm not trying to pressure you if this is something from your private arsenal.  I just thought AAB deserves the best answer possible and the best answer should be awarded.
0
 

Author Comment

by:AAB
ID: 6356034
Thanx nietod,

I think we have to give clear answers; we all need help, and I think this discussion will be useful if we have clear explanations ..

Thanx.
0
