Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Anti debugging - Preventing memory dumps

I am trying to implement some basic anti debugging functionality in my application. One area that I wanted to focus on in particular, is attempting to prevent people from easily taking a usable memory dump from my application. I read the article at: http://www.codeproject.com/KB/security/AntiReverseEngineering.aspx

and that gave me a lot of tips for how to detect if a debugger is present, as well as some information on how I might prevent memory dumps. But the author notes that one should be careful about using these techniques, such as removing the executable header in memory. He mentions that there might be times when the OS or other programs may want to use this information, but I cannot see for what purpose.

Has anyone got some other tips as to how I could stop reverse engineers from dumping my program?

I am on Windows.

Kind regards,

Philip Bennefall

like image 598
Philip Bennefall Avatar asked Jun 06 '11 12:06

Philip Bennefall


People also ask

How do I stop memory dumps?

Disable automatic deletion of memory dumps on low disk spaceOpen System Properties > Advanced tab > Startup and Recovery settings. Under System failure, select Disable automatic deletion of memory dumps when disk space is low option, click OK and exit.

What is memory dump in debugging?

A memory dump is the process of taking all information content in RAM and writing it to a storage drive. Developers commonly use memory dumps to gather diagnostic information at the time of a crash to help them troubleshoot issues and learn more about the event.

What is anti-debugging?

Debuggers are useful in the development process, but they can also be used for malicious purposes. They can provide hackers access to the app's code and its logic. Anti-debugging is a method of preventing debuggers from attaching to the application.

What do memory dumps do?

A complete memory dump records all the contents of system memory when your computer stops unexpectedly. A complete memory dump may contain data from processes that were running when the memory dump was collected.


1 Answers

There is no reasonable way to prevent someone from capturing a memory dump of your process. For example, I could attach a kernel debugger to the system, break all execution, and extract your process' dump from the debugger. Therefore, I would focus on making analysis more difficult.

Here are some ideas:

  • Obfuscate and encrypt your executable code. Decrypt in-memory only, and do not keep decrypted code around for longer than you need it.

  • Do not store sensitive information in memory for longer than necessary. Use RtlZeroMemory or a similar API to clear out buffers that you are no longer using. This also applies to the stack (local variables and parameters).

like image 180
Sasha Goldshtein Avatar answered Sep 27 '22 21:09

Sasha Goldshtein