Telamon

Peeking into a Program's Memory Space


If I am writing a program and I don't want people snooping into my process's memory at runtime, is there any way to stop this from happening? I haven't played around with it too much, but it seems like you can attach a debugger to just about anything and look inside its memory space. Are there protection flags I can set? Does attaching a debugger use system hooks? Can I detect when these are set? What kind of access privileges does my program need to do this? This would be on WinXP, btw. I don't really know much about this stuff, but I'm trying to come up with good resource encryption and copy protection routines for my game and would like to make it hard on teh hackers if I can.

Quote:
Original post by Telamon
If I am writing a program and I don't want people snooping into my process's memory at runtime, is there any way to stop this from happening?


There are measures that can be taken but they won't block every potential snooper.

Quote:
Original post by Telamon
I haven't played around with it too much, but it seems like you can attach a debugger to just about anything and look inside its memory space.


More or less.

Quote:
Original post by Telamon
Are there protection flags I can set?


Protection flags? There are a lot of them and they can be set but I don't think there is a single flag that will do what you want.

Quote:
Original post by Telamon
Does attaching a debugger use system hooks? Can I detect when these are set? What kind of access privileges does my program need to do this?


I suppose a debugger could use system hooks. The Debugging API probably uses them underneath. With some work these could be detected. The program would probably need admin privileges.

Hmmm. Well I'm willing to go through the effort of learning more about this. If I were going to do a google search, what keywords would I be looking for?

It seems like in a well-designed application only the OS could read the client program's memory. Shouldn't a program's memory be a black box that one can't see inside of? If there were a capability to trap Debugger-type system calls to the process, that should be that.

You'd have to have the OS source to pry into the sucka. Or an emulator, I suppose.

Quote:
Original post by Telamon
Hmmm. Well I'm willing to go through the effort of learning more about this. If I were going to do a google search, what keywords would I be looking for?

It seems like in a well-designed application only the OS could read the client program's memory. Shouldn't a program's memory be a black box that one can't see inside of? If there were a capability to trap Debugger-type system calls to the process, that should be that.

You'd have to have the OS source to pry into the sucka. Or an emulator, I suppose.


Unless the physical memory is encrypted and decrypted by each process as it's accessed, there will always be a way to see what's there.

All you have to do is get the victim process to call a function of yours from inside its own process and it's all over. See SetWindowsHookEx. CreateProcess and various other Win32 functions take a SECURITY_ATTRIBUTES parameter, IIRC, but I'm not sure to what extent that is useful.

Even if only the OS can deal with an app, it's still largely trivial in any modern OS to act as the OS. Or to run your app in something like VMware as you say.

This is the reason shrinkwrap licenses and content copyrights exist. It's technologically impossible to prevent, so the legal 'stick' is beefed up to ensure that such intrusion has [at least the threat of] consequences.

Quote:
Original post by Telamon
Hmmm. Well I'm willing to go through the effort of learning more about this. If I were going to do a google search, what keywords would I be looking for?


Keywords? Off the top of my head: process memory hacking windows virtual memory interprocess communication interrupt handling paging faults ...

You might want to check out Mark Russinovich's book, Inside Windows 2000. And maybe also Undocumented Windows 2000 Secrets. And Jeff Richter's Windows Programming book is recommended as well. Windows XP is built on 2000.

Quote:
Original post by Telamon
It seems like in a well-designed application only the OS could read the client program's memory. Shouldn't a program's memory be a black box that one can't see inside of? If there were a capability to trap Debugger-type system calls to the process, that should be that.


It's not the application but the OS. Windows is designed to allow for interprocess communication - which requires reading memory from another process - but the capacity follows from the design for multitasking and virtual memory.

I should have written that the Debugging APIs might use system hooks, not that they probably do.


Quote:
Original post by Telamon
You'd have to have the OS source to pry into the sucka. Or an emulator, I suppose.


Both of those would help.

Quote:
Original post by JoshM
All you have to do is get the victim process to call a function of yours from inside its own process and it's all over. See SetWindowsHookEx. CreateProcess and various other Win32 functions take a SECURITY_ATTRIBUTES parameter, IIRC, but I'm not sure to what extent that is useful.


It could be easier than that: ReadProcessMemory.

There is a very simple trick for doing this. I don't know if it will work in Windows, but in Linux you just ptrace into your binary. See, debuggers are just a big wrapper around ptrace. Only 1 program can ptrace a binary at a time. So if you call ptrace on your application right when it starts, this prevents other applications from ptracing into your binary. The same principle could work in Windows.

In Windows ptrace is equivalent to NtOpenProcess.

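The single-tracer rule that the ptrace post above relies on, shown as an added Linux example that is not part of the thread or any poster's code. `claim_tracer_slot` and `demo_single_tracer` are names made up here, and the check runs in a forked child so the calling process is not left in a traced state.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Result names are this example's own, not from any library. */
enum { SLOT_CLAIMED = 0, SLOT_TAKEN = 1, SLOT_ERROR = 2 };

/* Ask the kernel to make our parent our tracer. A process has at most one
 * tracer, so EPERM normally means the slot is already occupied (a debugger,
 * strace, or an earlier PTRACE_TRACEME of our own). */
static int claim_tracer_slot(void)
{
    errno = 0;
    if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == 0)
        return SLOT_CLAIMED;
    return errno == EPERM ? SLOT_TAKEN : SLOT_ERROR;
}

/* Try the claim twice inside a throwaway child. Returns first*10 + second,
 * or -1 if the child could not be run. When nothing else is tracing the
 * child the result is 1: claimed on the first call, taken on the second. */
int demo_single_tracer(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        int first = claim_tracer_slot();
        int second = claim_tracer_slot();
        _exit(first * 10 + second);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    int r = demo_single_tracer();
    if (r < 0) return 1;
    printf("first claim: %d, second claim: %d\n", r / 10, r % 10);
    return 0;
}
```

In a program using the trick, the first call would run at startup and a `SLOT_TAKEN` result would be read as "a tracer is already attached"; in line with the earlier replies, this does not block every snooper.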
Quote:
Original post by JoshM
...CreateProcess and various other Win32 functions take a SECURITY_ATTRIBUTES parameter, IIRC, but I'm not sure to what extent that is useful.


The SECURITY_ATTRIBUTES parameter has no effect under Windows 95/98/ME.
