I am using some cryptography inside my software. I understand that the keys need to be zeroed out from memory in order to prevent hackers from catching the key,
but I feel this isn't enough. Using OllyDbg can also break the rule, before the memory gets cleared, by stepping into the code before ZeroMemory is called.
Is there any suggested way to harden some code function from being stepped through by debuggers?
I have tried to check if the application is running in a debug environment using IsDebuggerPresent, but this can easily be bypassed by OllyDbg plugins.
Is there something extra that can be done?
(09-25-2018, 07:38 AM)Madammar Wrote: is there any suggested way to harden some code function from being stepped by debuggers
Not really. If a debugger is able to gain access to your process, it is pretty much game over. There is nothing you can do, except obscure your code logic to make it harder for casual debuggers to follow. But as far as memory is concerned, if a devoted debugger really wants to figure out exactly where in your code you are using a key, then they can just wait for your obscure logic to populate the key in memory, and then put a breakpoint at the spot in the code where you use the key, and grab it.
Then there are issues related to memory paging to swap files, memory dumps (such as during error reports), etc. They can also reveal keys in memory if you are not careful. Best you can do is reduce the window of opportunity when a key is available in memory, but you can't eliminate it completely.
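The "reduce the window of opportunity" and swap-file points above, as an added example that is not part of the original post: the key lives in one pinned buffer only for the duration of the call that needs it, and is wiped before the pages are unlocked. `with_key`, `key_is_wiped`, `demo_load`, `demo_use` and the 32-byte key size are hypothetical; this narrows exposure to paging and leftover copies and, as the reply says, does nothing against a debugger attached while the key is in use.

```c
#include <stddef.h>
#ifdef _WIN32
#include <windows.h>
#define PIN(p, n)   (VirtualLock((p), (n)) != 0)
#define UNPIN(p, n) VirtualUnlock((p), (n))
#else
#include <sys/mman.h>
#define PIN(p, n)   (mlock((p), (n)) == 0)
#define UNPIN(p, n) munlock((p), (n))
#endif

#define KEY_LEN 32                      /* assumed key size for the example */
static unsigned char g_key[KEY_LEN];    /* the only copy of the key */

typedef void (*key_loader)(unsigned char *key, size_t n);
typedef int (*key_user)(const unsigned char *key, size_t n);

/* Volatile stores cannot be optimized away (cf. SecureZeroMemory on Windows). */
static void wipe(void *p, size_t n) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

/* Pin, load, use, wipe, unpin. *locked (optional) reports whether pinning worked. */
int with_key(key_loader load, key_user use, int *locked) {
    int pinned = PIN(g_key, sizeof g_key);  /* keep the pages out of the swap file */
    if (locked) *locked = pinned;
    load(g_key, sizeof g_key);
    int rc = use(g_key, sizeof g_key);
    wipe(g_key, sizeof g_key);              /* wipe while the pages are still pinned */
    if (pinned) UNPIN(g_key, sizeof g_key);
    return rc;
}

/* Returns 1 when no key byte is left in the buffer. */
int key_is_wiped(void) {
    unsigned char acc = 0;
    for (size_t i = 0; i < sizeof g_key; i++) acc |= g_key[i];
    return acc == 0;
}

/* Constructed stand-ins for a real key source and a real cipher call. */
void demo_load(unsigned char *key, size_t n) {
    for (size_t i = 0; i < n; i++) key[i] = (unsigned char)(i + 1);
}
int demo_use(const unsigned char *key, size_t n) {
    int sum = 0;
    while (n--) sum += *key++;
    return sum;
}
```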
There are packages that can encrypt and hide your EXE etc. They, however, often create a lot of issues with antivirus packages and are not foolproof either.
As Remy said, all you can do is make it difficult. If someone really wants in, they can always run it in Bochs, which is like VMware but is an emulator instead of a virtualizer, and end users can completely see everything at the machine code level.
It's been probably 15 years since I used this, but ASProtect has been around for a long time and provides decent protection.
http://www.aspack.com/
(09-25-2018, 06:02 PM)kudzu Wrote: There are packages that can encrypt and hide your EXE etc.
All they can really do is protect the EXE on disk, but they still have to unpack/unprotect the EXE in memory so the OS can actually run it normally. And that wouldn't prevent a debugger from accessing the process's memory once it is running.
Yes, exactly as I qualified it. It only makes it more difficult, not impossible.
Some have some debugger detection as well, not sure if ASProtect does or not. But one can always get at it using Bochs or other.
That seems to be the famous application-killing nightmare.
@kudzu note that ASPack and all other packers are breakable.
Everything is breakable. Just like locking your house. You can only make it difficult, not impossible.
Agreed, the more hype your app gets, the more people look at it with hacking thoughts.