AAB

asked on

Anti-Debug.

Hi all,
I wrote a program and I want to prevent it from being debugged.
How can I handle this in my program,
and what must I add to my code to prevent it from being debugged?

Thanx
nietod

>> what must I add to my code to prevent it from being debugged.
There is nothing you can do to prevent it.  Any program that can be run, can be debugged.  There is nothing you can do about that.

But you can do things to make debugging less useful for the person trying to debug the program.

First of all, most compilers produce both debug and release versions of the software.  The debug version is easy to debug, but the release version can still be debugged, but it is harder for the person debugging to make sense of.  The reason for this is that the debug version often includes symbolic information, that is, it contains information that records the variable names, data types, procedure names, and other elements of code that you wrote.  This information can often be shown in the debugger and make it easier for the programmer debugging your program to see what he/she is looking at.  But the release version doesn't usually contain this information.  The programmer can still debug the program, but without the names of variables, functions, data types, code statements etc., they have to look at the assembly version of your program, which is much, much harder to understand.

So the first thing you can do is to create a release version of your program and distribute that.  Don't distribute a debug version.

I can't say how you go about creating a release version of your program.  That depends on the compiler you are using and you have not stated this.

continues
Removing the symbolic information makes it harder for the programmer to understand what he/she reads when debugging your code.  But the programmer can still "follow" the execution of the program and figure out what it is doing.  There is nothing that can be done to prevent this, but often you can make it harder.  Here are some things that you can do to make this harder.

On many platforms/operating systems (OSs) there is an interrupt that can be used to invoke the debugger.  This is often called the debugger interrupt.  When a program is executing under a debugger and this interrupt is encountered, it acts just like a breakpoint was set at that point.  In other words, the program is stopped at this point so the programmer can examine the program state at this point.  This is usually a tool used to help someone debug a program, but actually it can be used to make it harder to debug.  If your program places a bunch of these debugger interrupts at strategic locations in your program (like in central loops and other tight loops), then when someone tries to debug your application, they will find it breaking execution frequently at breakpoints that they didn't set.  For example, they might be trying to follow the logic of procedure A, but if procedure A calls procedure B from inside a loop and procedure B has a debugger interrupt in it, then the programmer will have a hard time following A because they keep getting "moved to" B and then have to get back to A.  Note that on most platforms, when there is no debugger running, the debugger interrupt is just ignored.  However, it does take a little time to execute, so place them at strategic locations, like in procedures that are called often, but not too often.  Again, how you go about setting a debugger interrupt depends on the compiler you are using, which you have not stated.  But in VC it would be

   __asm int 3;

continues
Another thing you can do to make it harder to follow the execution of the code is to use lots of inline procedures.  Declare almost all procedures to be inline.  This might make your program larger, but also might make it execute faster.  This makes it harder to understand the program in the debugger.  When a function is not inline, the programmer debugging the program only needs to figure out what that function does one time.  Then each time the function is called, he/she does not need to reanalyze the function.  But if the function is inlined, the programmer debugging the code will probably need to figure out the logic of the function every single time it is encountered.  This is more work for them and it is harder work because they won't see the way you "organized" the code, i.e. they don't see that one section of the code is performing a step that is separate from the surrounding code.

continues
ASKER CERTIFIED SOLUTION
nietod


ASKER

I use the MS Visual C++ compiler..
so if you can give more help ...
and examples..
Thanx for all ..
Is your OS Windows?
In that case you can use the DebugBreak API to test
whether the app is being debugged. Example of use:

#include <windows.h>

void LockDebug()
{
    __try   //  set up an SEH frame - this frame will 'see' (handle)
            //  the EXCEPTION_BREAKPOINT if no debugger is present
    {
        //  issue an 'EXCEPTION_BREAKPOINT' - when no debugger is
        //  present, our SEH handler will be executed...

        DebugBreak();

        //  if we reach this point, a debugger is attached to
        //  this application (and someone decided not to give up ;-)

        OutputDebugStringA("Don't debug me!!!\n");

#ifndef __HARD_AND_MEAN_EXIT   //  default: orderly exit; define the macro for a hard kill
        ExitProcess(0);
#else
        TerminateProcess(GetCurrentProcess(), 0xffffffff);
#endif
    }
    __except (EXCEPTION_BREAKPOINT == GetExceptionCode()
                  ? EXCEPTION_EXECUTE_HANDLER
                  : EXCEPTION_CONTINUE_SEARCH)   //  just to make sure we're not handling sth. else...
    {
        //  Fine! This was our 'DebugBreak()', all's well, do nothing
    }
}
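The same detection idea on POSIX, as an added example that is not code from this thread or from jkr: a breakpoint (GCC's `__asm__("int3")`, the counterpart of nietod's `__asm int 3`, or `raise(SIGTRAP)`, the counterpart of `DebugBreak()`) arrives as SIGTRAP, and a signal handler plays the role of the `__except` block above. If the handler never runs, something between the kernel and the program consumed the trap, which is exactly what an attached debugger does by default. Function and variable names are my own.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <string.h>

/* Set by our SIGTRAP handler; stays 0 when a debugger intercepts the trap. */
static volatile sig_atomic_t trap_handled = 0;

static void on_sigtrap(int signo)
{
    (void)signo;
    trap_handled = 1;   /* same role as the __except block: "this was our breakpoint" */
}

/* Raise a breakpoint and report who handled it.
 * Returns 0 when our own handler ran (no debugger noticed), 1 when the trap
 * never reached us (a debugger such as gdb stopped on it and did not pass it
 * on, its default for SIGTRAP), -1 if the handler could not be installed.
 * use_int3 selects the x86 instruction form over raise(SIGTRAP). */
int breakpoint_reached_debugger(int use_int3)
{
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_sigtrap;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGTRAP, &sa, &old) != 0)
        return -1;

    trap_handled = 0;
#if defined(__i386__) || defined(__x86_64__)
    if (use_int3)
        __asm__ volatile("int3");   /* the breakpoint instruction itself */
    else
        raise(SIGTRAP);             /* software equivalent of DebugBreak() */
#else
    (void)use_int3;
    raise(SIGTRAP);                 /* no int3 on this architecture */
#endif
    sigaction(SIGTRAP, &old, NULL); /* restore the previous disposition */
    return trap_handled ? 0 : 1;
}

int main(void)
{
    int r = breakpoint_reached_debugger(0);
    if (r == 1)
        puts("Don't debug me!!!");   /* what to do next is the program's policy */
    else
        puts(r == 0 ? "our handler saw the breakpoint" : "could not install handler");
    return 0;
}
```

As nietod notes, this is only a speed bump: whoever is debugging can tell the debugger to pass SIGTRAP through, and the handler runs as if nothing were attached.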

ASKER

Thanx for all.
I think nietod has explained what I need, and really, thanx for all.
And Alex gave me a good API; I wanna give nietod 200 points and Alex 100 points, but this is not allowed.
So the points go to the first one who responded to me..

Thanx for all

ASKER

But please, if anyone has a more detailed explanation, can you send me an e-mail at aab75@msn.com

Thanx.


ASKER

Please, if you can give me more help, I thank you ...

>> I wanna give nietod 200 points and
>> Alex 100 points, but this is not
>> allowed.
For extreme cases you can have customer service split the points to a question.  You can post a comment in the customer service topic area asking them to do this.  But only do this for cases where you really think it is necessary, as it does require the efforts of the CS staff.

Since this is for VC, you definitely can use a release mode application to help make this hard on the debugger.  You can use

__asm int 3;

to place debugger breaks throughout your code.  You can use inline functions to make this harder to understand.  You can use the __fastcall keyword when you declare some of your functions to make them use the registers instead of the stack, like

int __fastcall Increment(int i)
{
   return i + 1;
}

You can use the technique that Alex suggested to try to detect the debugger.  However, that is only of limited help--well, that is true of everything I suggested too.  The programmer trying to debug the application will be able to get around it.  But everything you do to make it harder on them helps.  Hopefully they will just give up...
jkr
>>You can use the technique that Alex suggested to try to
>>detect the debugger

I just want to add that this is _my_ code :o)
Well, jkr, it is your code, but all is common...
And I hope that our discussion helps AAB.
>>well, jkr, it is your code, but all is common...

Didn't mean to criticize you for using it, I'd just have appreciated being mentioned :o)
ok, next time..
BTW, to the asker of this Q - at least for Win32, there IS a way to definitely prevent an application from being debugged (or at least increase the complexity of this task to an intolerable level)
What is it?
>>What is it?

Debugging it yourself :o)
What if the other debugger is already debugging your process?  It could prevent your program from ever trying to debug itself.
>>What if the other debugger is already debugging your
>>process?  It could prevent your program from ever
>>trying to debug itself.

Well, that can be taken care of by making sure that your app will only run with that very debugger...
I don't get it.
>>I don't get it.

Consider e.g. a certain sequence of code that is inserted into the app's address space at runtime - can be easily done by a debugger that *knows* what to insert (I have to stop now, giving away all my dirty tricks :o)
Well, if it's a good enough answer and you are willing to part with it, it probably should have been the answer.  If you want to part with it, I'll "pay" you the 300*4 pts.  (I'm still skeptical at this point, although I also doubt that you'd be wrong.)
I'll consider that...
I'm not trying to pressure you if this is something from your private arsenal.  I just thought AAB deserves the best  answer possible and the best answer should be awarded.

ASKER

Thanx nietod,

I think we have to give clear answers; we all need help, and I think this discussion will be useful if we have clear explanations ..

Thanx.