Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Anti debugging - Preventing memory dumps

Tags:

memory

debugging

dump

I am trying to implement some basic anti debugging functionality in my application. One area that I wanted to focus on in particular, is attempting to prevent people from easily taking a usable memory dump from my application. I read the article at: http://www.codeproject.com/KB/security/AntiReverseEngineering.aspx

and that gave me a lot of tips for how to detect if a debugger is present, as well as some information on how I might prevent memory dumps. But the author notes that one should be careful about using these techniques, such as removing the executable header in memory. He mentions that there might be times when the OS or other programs may want to use this information, but I cannot see for what purpose.

Has anyone got some other tips as to how I could stop reverse engineers from dumping my program?

I am on Windows.

Kind regards,

Philip Bennefall

like image 598
Philip Bennefall Avatar asked Jun 06 '11 12:06

Philip Bennefall

People also ask

How do I stop memory dumps?

Disable automatic deletion of memory dumps on low disk spaceOpen System Properties > Advanced tab > Startup and Recovery settings. Under System failure, select Disable automatic deletion of memory dumps when disk space is low option, click OK and exit.

What is memory dump in debugging?

A memory dump is the process of taking all information content in RAM and writing it to a storage drive. Developers commonly use memory dumps to gather diagnostic information at the time of a crash to help them troubleshoot issues and learn more about the event.

What is anti-debugging?

Debuggers are useful in the development process, but they can also be used for malicious purposes. They can provide hackers access to the app's code and its logic. Anti-debugging is a method of preventing debuggers from attaching to the application.

What do memory dumps do?

A complete memory dump records all the contents of system memory when your computer stops unexpectedly. A complete memory dump may contain data from processes that were running when the memory dump was collected.

1 Answers

There is no reasonable way to prevent someone from capturing a memory dump of your process. For example, I could attach a kernel debugger to the system, break all execution, and extract your process' dump from the debugger. Therefore, I would focus on making analysis more difficult.

Here are some ideas:

  • Obfuscate and encrypt your executable code. Decrypt in-memory only, and do not keep decrypted code around for longer than you need it.

  • Do not store sensitive information in memory for longer than necessary. Use RtlZeroMemory or a similar API to clear out buffers that you are no longer using. This also applies to the stack (local variables and parameters).

like image 180
Sasha Goldshtein Avatar answered Sep 27 '22 21:09

Sasha Goldshtein
Sign in to Comment

Related questions

ARM Data Abort error exception debugging
Waiting with a crash for a debugger?
Debugging C# Threads
How can I display Unicode strings while debugging on linux?
Lightweight debugging on embedded Linux
How to start a process and then pause it immediately?
How to detect when a UIView has changed size?
Setting a breakpoint on a member function called on a specific object
What tool is my best bet for threaded Haskell debugging today?
What does it mean in Visual Studio debugger value "{ }"?
Improving Lua error messages
Can I debug an Exe
GDB: how to see what memory addresses are accessible?
Debug a self signed android app? (Need it for facebook integration)
Terminate debug on device
How to enable Flash debugger?
Debug Partial Mock in JMockit
How to debug http calls on Android devices?
Verbose display of a git add
How to break the program being debugged now while it running in Eclipse?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!