Hi All,
Is there any way to find if system is running in debug mode? I want to know
how products stop people from reverse engineering their product.
Thanks in advance,
Regards,
Kedar.
Kedar wrote:
> Is there any way to find if system is running in debug mode? I want to know
> how products stop people from reverse engineering their product.
Checking for an attached debugger is most certainly NOT the way to stop
reverse engineering.
I was one of those bitten by the smug engineers at Nero, who embedded a
debugger check and process suicide into one of their audio encoder
filters. When a DirectShow graph gets built, the graph builder tries
every possible filter when trying to mate two pins. When you are trying
to debug your kernel capture driver, it is seriously annoying to have
Nero’s encoder terminate the graphedt process, especially when it isn’t
even going to participate in the final graph.
You can’t stop reverse engineering. The disassembly tools are just too
good, and there are countries where it is not illegal. You can add a
little object code obfuscation to make it inconvenient, but all you are
doing is keeping the honest man honest, and a prohibition against
reverse engineering in your license agreement is just as effective.
If your concept is that great, patent it. Then, even if you are copied,
your lawyers can have a good time handling it.
–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
Hi Tim Roberts,
I was looking how to programmatically find out if debugger is connected or
not.
Thanks
Kedar.
“Tim Roberts” wrote in message news:…
> Kedar wrote:
>
> >Is there any way to find if system is running in debug mode? I want to
> >know
> >how products stop people from reverse engineering their product.
> >
> >
>
> Checking for an attached debugger is most certainly NOT the way to stop
> reverse engineering.
>
> I was one of those bitten by the smug engineers at Nero, who embedded a
> debugger check and process suicide into one of their audio encoder
> filters. When a DirectShow graph gets built, the graph builder tries
> every possible filter when trying to mate two pins. When you are trying
> to debug your kernel capture driver, it is seriously annoying to have
> Nero’s encoder terminate the graphedt process, especially when it isn’t
> even going to participate in the final graph.
>
> You can’t stop reverse engineering. The disassembly tools are just too
> good, and there are countries where it is not illegal. You can add a
> little object code obfuscation to make it inconvenient, but all you are
> doing is keeping the honest man honest, and a prohibition against
> reverse engineering in your license agreement is just as effective.
>
> If your concept is that great, patent it. Then, even if you are copied,
> your lawyers can have a good time handling it.
>
> –
> Tim Roberts, xxxxx@probo.com
> Providenza & Boekelheide, Inc.
>
>
>
And as Tim pointed out, if you do this and try to use this to stop your
software, you will be cursed by the developer community as a whole. One of
the things I am proudest of is convincing a large firm I know to dump a
stupid Anti-Virus product that did what you are attempting; it was only
100,000 licenses, but it was a start.
–
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply
“lists.osr.com” wrote in message news:xxxxx@windbg…
> Hi Tim Roberts,
>
> I was looking how to programmatically find out if debugger is connected or
> not.
>
> Thanks
>
> Kedar.
>
> “Tim Roberts” wrote in message news:…
>
>> Kedar wrote:
>>
>> >Is there any way to find if system is running in debug mode? I want to
>> >know
>> >how products stop people from reverse engineering their product.
>>
>> Checking for an attached debugger is most certainly NOT the way to stop
>> reverse engineering.
>>
>> I was one of those bitten by the smug engineers at Nero, who embedded a
>> debugger check and process suicide into one of their audio encoder
>> filters. When a DirectShow graph gets built, the graph builder tries
>> every possible filter when trying to mate two pins. When you are trying
>> to debug your kernel capture driver, it is seriously annoying to have
>> Nero’s encoder terminate the graphedt process, especially when it isn’t
>> even going to participate in the final graph.
>>
>> You can’t stop reverse engineering. The disassembly tools are just too
>> good, and there are countries where it is not illegal. You can add a
>> little object code obfuscation to make it inconvenient, but all you are
>> doing is keeping the honest man honest, and a prohibition against
>> reverse engineering in your license agreement is just as effective.
>>
>> If your concept is that great, patent it. Then, even if you are copied,
>> your lawyers can have a good time handling it.
>>
>> –
>> Tim Roberts, xxxxx@probo.com
>> Providenza & Boekelheide, Inc.
Whether it is a good idea (or not) the mechanism is rather
straight-forward (I do it so that if a debugger is attached in “bad
things are happening” scenarios I can stop.) I’ve run into products
that won’t run (in a VM for example) because they are so afraid of
reverse engineering - but IDA Pro will do the job most of the time - and
I can load static binaries into WinDBG (and have done so).
The symbolic constant KD_DEBUGGER_NOT_PRESENT evaluates to the “right
thing” to determine whether or not a debugger is present. The symbolic
constant KD_DEBUGGER_ENABLED evaluates to the “right thing” to determine
if debugging was enabled.
Regards,
Tony
Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com
Looking forward to seeing you at the next OSR File Systems class in
Boston, MA April 18-21, 2006.
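
The diagnostic use described in the last message (stop in the debugger on a "bad things are happening" path, but only if one is attached), as an added example that is not code from any poster in this thread. `KD_STATE`, `QueryKdState` and `BreakIfDebuggerAttached` are hypothetical names; `KdRefreshDebuggerNotPresent` is a WDK routine the thread does not mention, and the `sim_*` stand-ins exist only so the logic can be run on a non-Windows host.

```c
/* Added example: stop in the kernel debugger only when one is attached. */
#if defined(_WIN32)            /* assumption: built as a driver with the WDK */
#include <ntddk.h>
#else                          /* constructed host stand-ins, offline run only */
typedef unsigned char BOOLEAN;
#define TRUE  1
#define FALSE 0
static BOOLEAN sim_enabled = FALSE;     /* stands in for *KdDebuggerEnabled */
static BOOLEAN sim_not_present = TRUE;  /* stands in for *KdDebuggerNotPresent */
static int sim_breaks = 0;              /* counts simulated breakpoints */
#define KD_DEBUGGER_ENABLED     sim_enabled
#define KD_DEBUGGER_NOT_PRESENT sim_not_present
static BOOLEAN KdRefreshDebuggerNotPresent(void) { return sim_not_present; }
static void DbgBreakPoint(void) { sim_breaks++; }
#endif

/* Hypothetical names: KD_STATE, QueryKdState, BreakIfDebuggerAttached. */
typedef enum { KD_OFF, KD_ENABLED_DETACHED, KD_ATTACHED } KD_STATE;

static KD_STATE QueryKdState(void)
{
    /* Kernel debugging was never enabled for this boot. */
    if (!KD_DEBUGGER_ENABLED)
        return KD_OFF;
    /* KD_DEBUGGER_NOT_PRESENT is a cached flag. Refresh it so a debugger
       that connected or dropped after boot is reflected in the answer. */
    if (KdRefreshDebuggerNotPresent())
        return KD_ENABLED_DETACHED;
    return KD_ATTACHED;
}

/* Call on a "should never happen" path. Returns TRUE if it stopped in the
   debugger; FALSE means nobody is attached and the caller must fail the
   request cleanly. */
static BOOLEAN BreakIfDebuggerAttached(void)
{
    if (QueryKdState() != KD_ATTACHED)
        return FALSE;
    DbgBreakPoint();
    return TRUE;
}
```

Unlike the self-terminating check criticized earlier in the thread, this helper never changes behaviour when no debugger is attached; it only decides whether a breakpoint is safe to issue.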