I have written a program that is sort of an unofficial, standalone plugin for an application. It allows customers to get a service that is a lower priced alternative then the vendor-owned one. My program is not illegal, against any kind of TOS, and is certainly not a virus, adware, or anything like that. That being said, the vendor of course is not happy about me taking his competition, and is trying to block my application from running.
He has already tried some tactics to stop people from running my app alongside his. He makes it so if it is detected, his app throws a fake error.
First, he checked to see if my program was running by looking for an open window with the right title. I countered this by randomizing the program title at startup.
Next, he looked for the running process name. I countered this by making the app copy itself when it is started as [random string].exe and then running that.
Anyways, my question is this: what else can he do to detect if my program running? I know that you can read window text (ie status bar, labels). I'm prepared to counter this by replacing the labels with images (ugh, any other way?).
But what else is there? Can you detect what .dlls a program has loaded? If so, could this be solved by randomizing the dll names before loading them?
I know that it's possible to get a program's signature in memory and track it that way (like a virus scanner), but the chances of him doing that probably aren't good because that sounds pretty advanced.
Even though this is kinda crappy of him to be doing, its kind of fun. It's like a nerdy fist fight.
EDIT:
When I said it's a plugin, that is just the (incorrect) term I used. It's a standalone EXE. The "API" between my program and the other is mine is simply entering data into the controls (like textboxes, etc).
I feel a little dirty answering this but it's late and I'm waiting for a drive copy to finish so....
He could use a checksum to identify your executable/dll. This gets around the renaming tricks.
You can get around this by randomly modifying bits in the program on start (e.g., change a resource, play with the embedded version, etc...).
If I were him I'd also start looking for patterns of network traffic; e.g., if you're directing customers to competitors you're looking that information up from somewhere so kill the process and/or unload the library if a plugin accesses a site that's on the blacklist.
If you take the cat and mouse game far enough (e.g., shell hooks to re-create your executable/library if it gets deleted) you'll probably get flagged as a virus by antivirus software.
Not very sporting of your competitor.
Deploy your project as uncompiled encrypted source code. Write a decryption and deployment program that can randomize, renames classes, re-arranges code to avoid any particular signature detection.
Then compile the code on the client machine using CSharpCodeProvider to compile your code. You can generate random assemblies, with totally random function signatures (I suggest using a large dictionary of real, common, words instead of being totally random. You can concatenate them together for more fun. e.g. Live, Virtual, Space, Office, Network, Utility. Space.Live.Network.dll, Utility.Virtual.Live.dll ).
Every version of your program on every client will be different. Make sure to cloak your deployment program. Maybe it should delete itself after it has installed your customized version.
Anyways, my question is this: what else can he do to detect if my program running?
Is your program an EXE or a DLL?
You call it a plugin: what is plugging in to?
How is your program started/launched/run?
What does your program do to "plug in"?
What's the API between your program and the other program?
This is not an answer to your final question but rather to the problem described.
How about fixing the other application.
Find the string it is looking for in the titles and change some letter in it.
Let your customers know where the problem lies by supplying them with a fix to the other application rather than your own.
#ryeguy ... The best defense is a good offense imho. Do what you can to disable his process before it disables yours.
Related
I am writing a c# desktop application that calls IsDebuggerPresent and if it is my app exits. I read in following article that antivirus programs look for this function as an indicator of malware:
https://www.alienvault.com/open-threat-exchange/blog/your-malware-shall-not-fool-us-with-those-anti-analysis-tricks
Will this function get my app flagged by antivirus programs?
It is highly unlikely that your program will be flagged.
The article was talking about the native version of the call and that call was using a extremely non-standard way of calling to try and avoid detection, not the managed version.
However, I doubt you will find any benefit of doing this in your program, it will not stop people at all from analyzing your program at all. People can just put a breakpoint on the call to IsDebuggerPresent and then just skip over the if check. The only thing you are likely to cause by adding this check is more headaches for yourself when you go to try and solve problems in your code.
The only way to know is to test. I know that the enterprise version of Symantec doesn't mind at all for the managed version.
Note that that call does not facilitate virus activity on a system. It merely helps the virus annoy an analyst in an AV lab for up to a day. There is no reason to look for it in the wild as a sign of a virus.
So for work they have me writing a simple program for tracking employee efficiency within their workflow (things like using keyboard shortcuts, window locations, how often they need to look stuff up). Currently we want to track the 'F5' key (brings up next work item), 'Alt+Tab' (changes windows), 'Ctrl+V' (paste), but may be expanded as they find there are more shortcuts or things they want to track.
Note We are on windows 7, and using c# to write the tracking program.
In order to do this I wrote a low-level hooking library to capture the chosen keystrokes, send off the message down the hook chain and then add a note to a db that the key was used. The hooking library works great in All web browsers and most normal programs (except we don't actually care about browsers so we ignore everything done in them).
The issue is that the application that they use for managing their work (the program we actually care about tracking) some how stops our hooks from hooking and I do not know how. The application in question is TA2000 Desktop.
I know that with the way hooks work if an application fails to call callnexthook() within the LowLevelHooksTimeout period that the system kills the hook. So figuring maybe TA2000 was just taking to long or something I bumped up the timeout to 30 seconds (yes I know this is significantly more time than a hook should even need) but this had no effect.
The next thing I tried was implementing a tracking system based on the Raw Input API. And once again the tracking tracks on browsers, Microsoft office, notepad, and all the other programs I opened except it still is unable to track key press in TA2000. This really surprised me because according to MSDN
An application does not have to detect or open the input device.
An application gets the data directly from the device, and processes the data for its needs
An application can distinguish the source of the input even if it is from the same type of device. For example, two mouse devices.
So if I am getting the data directly from the device how is TA2000 preventing me from also getting the key press?
The last thing I could think of trying was using dll injection on TA2000 to inject a hook. However this method seems risky because It is something neither I nor any other developer here has any experience with and the application we want to track is operation critical so messing it up can not happen and injecting code into its memory space seems like a good way to mess things up.
If someone could explain how TA2000 could be stopping me from tracking keystrokes and how to beat it or point me in a good direction I would be very appreciative.
p.s. This felt questionable as an appropriate question for the SO format but it also feels specific enough to be a viable question. So sorry if this is not a good question but I am at my wits end with this.
This financial software package is secured to prevent snooping. Running the key logging software as Administrator appears to fix this specific problem. The security was identified initially using Sysinternals' Process Explorer, which is a great starting point for unexpected problems like this.
I know this question is somewhat subjective, but I think it might be a valid question to ask.
I want to create a program that watches folders on a file server. The program itself runs on the server, so network folders don't have to be monitored.
I want to get an event in case a folder/file gets deleted, moved, created and such. These information will be written to the disk (where the network users can't access it). I would need the name of the file, and the user who caused it, and maybe more info, but that's the minimum requirement for now.
In C# we can use the FileSystemWatcher-Class, which is very
unreliable. (Examples for that can be found around StackOverflow a
lot.)
We also could use the Auditing Feature of Windows 7 Professional
(which I am running on), but this also gives many, many confusing
entries in the system log. I just can't get reliable information
from those.
Third, one could just poll the files and compare. This is kind of
the brute force attack I would like to omit. Also, the other methods
might be almost realtime, this one is not.
So, I could think of combining 1. and 3., and maybe even 2., too, but what is the clean, the good way to do this?
I was wondering if it was possible to disable users copying and pasting an external file while running my C# application?
example user runs application while it is running clipboard cannot be used, when the application is finished it then enables the clipboard again user can copy and paste now.
I found this prevent-cut-paste-copy-delete-re-naming-of-files-folders
Thanks for any help!
Answer to: "The user runs my launcher this runs the game and then connects to server where they download a file, this file is stored in a appdata this is the file i dont want people to copy".
The only option to prevent user from copying file on its own computer is to not send file there in a first place.
If you just want merely discourage people from copying the file (as it would be the case of "disable copy/paste") then opening file as non-sharable, delete-on-close may be enough.
Very difficult, if not impossible, and most likely totally unnecessary - what you have in plan. Clipboard belongs to the OS, and not just to your application. Think about how to solve the root of your problem in another way. If you explain what you're trying to do, maybe somebody will suggest how they would solve that particular problem. Why are you using the clipboard to maintain user/application state? If you accept input that way, then copy that data into your application's memory (or elsewhere), then work with it. Don't expect it to stay in the clipboard until your app is done working with it. However, also note that, it'd be against all usability rules to update/change the content of the clipboard with the result of that calculation - if that's what your mind is going as you're reading this.
That would be plain evil. Whatever the purpose. Remember, whenever you get to a task that need you to do some hacks just to provide a workaround to avoid dealing with some security layer being there with a reason or (as in your case) messing with some low-level operating system functionalities to change their bahavior, ask yourself if it even makes any sense.
You either don't need that feature, or you are searching for a security issue in the system/software which will be fixed within weeks or months.
You may actually implement some ugly non-reliable obstacles preventing the user to do those operations, but the user will always be able to find a different way to do them. Except if you are dealing with some DRM stuff, which I doubt.
And however, preventing the user to copy-paste? That definitely won't be some happy user ...
If you were going to download the file on every execution anyway, then you could download it at the game's "loading screen" and keep it in an in-memory stream. Less evil than having to hook the clipboard, and pulling it out involves debuggers or the ability to extract from the swapfile...
I'm not a fan of this solution (and I suspect you/you client will not be either) due to the bandwidth costs of downloading the core data of the game at every launch...
I would like to be able to do an "inplace" update with my program. Basically, I want to be able to login remotely where the software is deployed, install it while other users are still using it (in a thin client way), and it update their program.
Is this possible without too much of a hassle? I've looked into clickonce technology, but I don't think that's really what I'm looking for.
What about the way firefox does it's updates? Just waits for you to restart the program, and notifies you when it's been updated.
UPDATE: I'm not remoting into the users' PC. This program is ran on a server, and I remote in and update it, the users run it directly off the server through remote access.
ClickOnce won't work because it requires a webserver.
I had some example code that I can't find right now but you can do something similar to Firefox with the System.Deployment.Application namespace.
If you use the ApplicationDeployment class, you should be able to do what you want.
From MSDN, this class...
Supports updates of the current deployment programmatically, and handles on-demand downloading of files.
Consider the MS APIs with BITS, just using bitsadmin.exe in a script or the Windows Update Services.
Some questions:
Are the users running the software locally, but the files are located on a networked share on your server?
Are they remoting into the same server you want to remote into, and execute it there?
If 2. are they executing the files where they are placed on the server, or are they copying them down to a "private folder"?
If you cannot change the location of the files, and everyone is remoting in, and everyone is executing the files in-place, then you have a problem. As long as even 1 user is running the program, the files will be locked. You can only update the files once everyone is out.
If, on the other hand, the users are able to run their own private copy of the files, then I would set up a system where you have a central folder with the latest version of the files, and when a user starts his program, it checks if the central folder has newer versions than the user is about to execute. If it does, copy the new version down first.
Or, if that will take too long, and the user will get impatient (what, huh, users getting impatient?), then having the program check the versions after startup, and remind the user to exit would work instead. In this case, the program would set a flag that upon next startup would do the copying, only now the user is aware of it happening.
The copying part would easily be handled by either having a separate executable that does the actual copying, and executing that instead, or the program could copy itself temporarily to another location and run that copy with parameters that says "update the original files".
While you can design your code to modify itself (maybe not in C#?), this is generally a bad idea. This means that you must restart something to get the update. (In Linux you are able to replace files that are in use, however an update does not happen until the new data is loaded into memory i.e. application restart)
The strategy used by Firefox (never actually looked into it) is storing the updated executable in a different file which is checked for when program starts to load. This allows the program to overwrite the program with the update before the resource is locked by the OS. You can also design you program more modular so that portions of it can be "restarted" without requiring a restart of the entire program.
How you actually do this is probably provided by the links given by others.
Edit:: In light of a response given to Lasse V. Karlsen
You can have your main program looking for the latest version of the program to load (This program wouldn't be able to get updates without everyone out). You then can remove older versions once people are no longer using it. Depending on how frequent people restart their program you may end up with a number of older programs versions.
ClickOnce and Silverlight (Out of browser) both support your scenario, if we talk about upgrades. Remote login to your users machine? Nope. And no, Firefox doesn't do that either as far as I can tell..
Please double-check both methods and add them to your question, explaining why they might not do what you need. Otherwise it's hard to move on and suggest better alternatives.
Edit: This "I just updated, please restart" thing you seem to like is one method call for Silverlight applications running outside of the browser. At this point I'm fairly certain that this might be the way to go for you.
ClickOnce doesn't require a webserver, it will let you publish updates while users are running the software. You can code your app to check for new update every few minutes and prompt the user to restart the app if a new version is found which will then take them through the upgrade process.
Another option is a Silverlight OOB application, but this would be more work if your app is already built as WinForms/WPF client app.
Various deployment/update scenarios (for .NET applications) are discussed with there pros and cons in Microsoft's Smart Client Architecture and Design Guide. Though a little bit old I find that most still holds today, as it is describing rather the basic architectural principles than technical details. There is a PDF version, but you find it online as well:
Deploying and Updating Smart Client Applications
Is this possible without too much of a hassle?
Considering the concurrency issues with thin clients and the complexity of Windows installations, yes hot updates will be a hassel without doing it the way the system demands.