How to detect an external program that controls your process?

Is it possible in .NET to determine whether another program is controlling your process?

I mean, I have an exe running, and if someone runs procmon.exe or some other application that tries to read information about my exe, I want my exe to log this.

+6
2 answers

This is a vast and complex topic, and I am only aware of its existence; I am not an expert. So all I can offer is a search query:

  • anti debugging

It covers the detection of monitoring tools, countermeasures to prevent verification, and obfuscation to make monitoring information completely useless.

Keep in mind that there is an arms race between reversers, who want to debug any code running on their system, and DRM[1] designers, who want to protect their secrets from prying minds. If you are not ready to devote your life to becoming an expert, you are probably stuck with buying a solution from someone who is. Or simply deciding that it is not worth it.

[1] Even if you believe that content owners have a moral right[2] to prohibit reverse engineering, note that no one uses protective obscurity as well as malware authors do.

[2] In addition, it is completely different to maintain a neutral expression. But I tried.

+3

The monitoring process can receive information about your process directly from the operating system (for example, Task Manager, perfmon, etc.). In this case, your process knows nothing about it.

In the other case, the monitoring process could attach to and debug your process. When the debugger attaches to your process, the latter stops and the debugger can get information about its execution. Thus, your process cannot "detach the debugger by itself" without additional security measures.

+1
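
The two cases from the answer above, as an added C# example that is not part of either answer: an attached debugger can be detected and logged from inside the process, while a passive monitor shows up only as a process name on the machine. The class name `DebuggerWatch`, the `Log` helper and the watch-list of tool names are assumptions made for this illustration.

```csharp
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;

static class DebuggerWatch
{
    // Win32: reports whether a native debugger is attached to the given process.
    [DllImport("kernel32.dll", SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    static extern bool CheckRemoteDebuggerPresent(IntPtr hProcess,
        [MarshalAs(UnmanagedType.Bool)] ref bool isDebuggerPresent);

    // Assumed watch-list (process names without .exe); a renamed tool is missed.
    static readonly string[] WatchedTools = { "procmon", "procmon64" };

    static void Log(string message) =>
        Console.Error.WriteLine($"{DateTime.UtcNow:o} {message}");

    // Returns true if any check fired; every finding is logged.
    public static bool Check()
    {
        bool found = false;

        // Case 2a: a managed debugger is attached to the CLR.
        if (Debugger.IsAttached) { Log("managed debugger attached"); found = true; }

        // Case 2b: a native debugger is attached to this process (Windows only).
        if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
        {
            bool native = false;
            using var self = Process.GetCurrentProcess();
            if (CheckRemoteDebuggerPresent(self.Handle, ref native) && native)
            { Log("native debugger attached"); found = true; }
        }

        // Case 1: a passive monitor never touches this process. The only thing
        // visible from here is that a tool with a known name is running.
        foreach (var name in WatchedTools)
            foreach (var p in Process.GetProcessesByName(name))
                using (p) { Log($"monitoring tool running: {name} (pid {p.Id})"); found = true; }

        return found;
    }

    static void Main() => Console.WriteLine(Check() ? "observed" : "nothing detected");
}
```

A `false` result only means none of these three checks fired; a tool that reads from the operating system under a different name leaves nothing for them to see.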

Source: https://habr.com/ru/post/976571/

