
How to detect an external program monitoring your process?

Tags: c#, .net

Is it possible in .net to determine if another program is monitoring your process?

What I mean here is I have an exe running and if someone launches procmon.exe or some other app that tries to read some information about my exe, I want my exe to log this.

JD. asked Oct 10 '14 15:10


2 Answers

This is a vast and complex topic, and I'm only acquainted with its existence, not an expert. So all I can offer is a search term:

  • anti-debugging

It covers detection of monitoring tools, countermeasures to prevent inspection, and obfuscation to make information gained through monitoring quite useless.

Do be aware that there is an arms race between the reversers, who want to debug any and all code running on their system, and the DRM designers[1], who want to protect their secrets from curious minds. Unless you're willing to dedicate your life to becoming an expert, you're probably stuck buying solutions from someone who is. Or just deciding that it isn't worth it.

[1] Even if you believe content owners have the moral right[2] to ban reverse engineering, please note that no one benefits from protective obscurity quite as much as malware authors.

[2] Also, it's quite different to maintain a neutral expression. But I tried.

Ben Voigt answered Nov 14 '22 23:11


The monitoring process can take information about your process directly from the Operating System (e.g. Task Manager, perfmon, etc.). In this case your process does not know anything about it.

In another case, the monitoring process could attach and debug your process. When the debugger attaches to your process the latter stops and the debugger can get information about its execution. So your process cannot "detach the debugger on its own" without some additional security measures.

VAndrei answered Nov 15 '22 00:11
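
The two cases in the answer above, as an added example that is not part of either answer: a Windows process logging the signals it can observe about itself (an attached managed or native debugger) plus a check for tools from the question running on the machine. The class name `MonitorCheck` and the watch-list names are assumptions; tools that only read process information from the operating system leave nothing for this code to see.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Runtime.InteropServices;

static class MonitorCheck   // hypothetical name, for illustration
{
    // Win32: reports whether a native debugger is attached to the process.
    [DllImport("kernel32.dll", SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    static extern bool CheckRemoteDebuggerPresent(IntPtr hProcess,
        [MarshalAs(UnmanagedType.Bool)] ref bool isDebuggerPresent);

    // Assumed watch list (process names without ".exe").
    static readonly string[] WatchList = { "procmon", "procmon64" };

    // Returns one finding per signal observed at the time of the call.
    public static List<string> Scan()
    {
        var findings = new List<string>();

        // Managed debugger (e.g. Visual Studio) attached to this process.
        if (Debugger.IsAttached)
            findings.Add("managed debugger attached");

        // Native debugger attached; a failed call is treated as "unknown".
        bool native = false;
        using (var self = Process.GetCurrentProcess())
            if (CheckRemoteDebuggerPresent(self.Handle, ref native) && native)
                findings.Add("native debugger attached");

        // Known tools merely running on the machine. This does not prove
        // they are inspecting this process, and a renamed exe is missed.
        foreach (var name in WatchList)
            foreach (var p in Process.GetProcessesByName(name))
                using (p)
                    findings.Add($"tool running: {p.ProcessName} (pid {p.Id})");

        return findings;
    }

    static void Main()
    {
        // Log each signal with a UTC timestamp; call Scan() periodically
        // in a real application, since tools can start at any time.
        foreach (var f in Scan())
            Console.WriteLine($"{DateTime.UtcNow:o} monitoring signal: {f}");
    }
}
```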