Flag: Tornado!
Hurricane!
|
|
Topic created on: February 16, 2010 08:22 CST by tshadowh  .
Hello,
I'm trying to protect my process against ReadProcessMemory(),OpenProcess() for the last 5 days I'm still working on it but no success 'til now..
Have any of you guyz experienced with this kind of protection?
I don't know of any 100% reliable method.
Anyway, you can for example change the access rights to you process to Deny for Everyone access to it. OpenProcess in this case will fail, but heh, the access can be regained easily in the same way it was denied.
As for other methods... try using segments for address obfuscation (http://vxheavens.com/lib/vzo13.html).
You can also setup an exception-driven encrypted-memory accessing layer for sensitive data.
You can also globally try to hook OpenProcess() to deny access for your process on API level.
However, as stated above, any method can be successfully defeated...
|
Hello GynvaelColdwind,
Thanks for the answer, i'm currently trying to change process permissions but it doesn't seems to work including AdjustTokenPrivileges(), SetKernelObjectSecurity() etc..
I do not want to protect it against crackers, then not high level protection needed, could you send me some good reading about hooking and any other kind of known protecion? Perhaps i'm checking out the addrs obfuscation thanks again.
> GynvaelColdwind: I don\'t know of any 100% reliable method.
>
> Anyway, you can for example change the access rights to you process to Deny for Everyone access to it. OpenProcess in this case will fail, but heh, the access can be regained easily in the same way it was denied.
>
> As for other methods... try using segments for address obfuscation (http://vxheavens.com/lib/vzo13.html).
> You can also setup an exception-driven encrypted-memory accessing layer for sensitive data.
>
> You can also globally try to hook OpenProcess() to deny access for your process on API level.
>
> However, as stated above, any method can be successfully defeated...
|
As for the 'Deny for Everyone' I was referring to earlier, I have the following code in my repository (I'm not sure who is the author of the code... I found it on the net or it was sent to me or something...):
#define _WIN32_WINNT 0x600
#include <tchar.h>
#include <windows.h>
#include <sddl.h>
#include <stdio.h>
static bool AdjustSingleTokenPrivilege(HANDLE TokenHandle, LPCTSTR lpName, DWORD dwAttributes)
{
TOKEN_PRIVILEGES tp;
tp.PrivilegeCount = 1;
tp.Privileges[0].Attributes = dwAttributes;
if (!LookupPrivilegeValue(NULL, lpName, &(tp.Privileges[0].Luid)))
return false;
if (!AdjustTokenPrivileges(TokenHandle, FALSE, &tp, 0, NULL, NULL))
return false;
return true;
}
bool EnableDebugPrivileges(DWORD dwPID)
{
if (!dwPID)
dwPID = GetCurrentProcessId();
HANDLE hProcess = NULL;
if ((hProcess = OpenProcess(PROCESS_ALL_ACCESS, TRUE, dwPID)) == INVALID_HANDLE_VALUE)
return false;
HANDLE hToken = NULL;
if (!OpenProcessToken(hProcess, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
return false;
if (!AdjustSingleTokenPrivilege(hToken, SE_SECURITY_NAME, SE_PRIVILEGE_ENABLED) ||
!AdjustSingleTokenPrivilege(hToken, SE_DEBUG_NAME, SE_PRIVILEGE_ENABLED))
return false;
CloseHandle(hToken);
CloseHandle(hProcess);
return true;
}
bool DisableDebugPrivileges(DWORD dwPID)
{
if (!dwPID)
dwPID = GetCurrentProcessId();
HANDLE hProcess = NULL;
if ((hProcess = OpenProcess(PROCESS_ALL_ACCESS, TRUE, dwPID)) == INVALID_HANDLE_VALUE)
return false;
HANDLE hToken = NULL;
if (!OpenProcessToken(hProcess, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
return false;
if (!AdjustSingleTokenPrivilege(hToken, SE_SECURITY_NAME, SE_PRIVILEGE_REMOVED) ||
!AdjustSingleTokenPrivilege(hToken, SE_DEBUG_NAME, SE_PRIVILEGE_REMOVED))
return false;
CloseHandle(hToken);
CloseHandle(hProcess);
return true;
}
BOOL ProtectProcess(HANDLE hProcess)
{
SECURITY_ATTRIBUTES sa;
sa.nLength = sizeof(SECURITY_ATTRIBUTES);
sa.bInheritHandle = FALSE;
// DACL for your application.
TCHAR * szSD = TEXT("D:") // Discretionary ACL
TEXT("(OD;;GAGWGRGX;;;S-1-1-0)") ; // Deny access to
if (!ConvertStringSecurityDescriptorToSecurityDescriptor(szSD, SDDL_REVISION_1, &(sa.lpSecurityDescriptor), NULL))
return FALSE;
if (!SetKernelObjectSecurity(GetCurrentProcess(), DACL_SECURITY_INFORMATION, sa.lpSecurityDescriptor))
return FALSE;
return TRUE;
}
int _tmain(int argc, _TCHAR* argv[])
{
EnableDebugPrivileges(GetCurrentProcessId());
ProtectProcess(GetCurrentProcess());
while(1)
{
Sleep(1000);
}
return 0;
}
As for the papers about the other things I referred to, I'm afraid I don't have any :( These were just a couple of ideas I recall / thought of. Not sure if there are any publications about them (anyone ?)
|
Hey GynvaelColdwind thank you again, i've been trying something simmilar and i made some changes at the code adding more seprivileges denied and even putting
DisableDebugPrivileges(GetCurrentProcessId());
ProtectProcess(GetCurrentProcess());
into loop and it's still not working, maybe CE(Cheat Engine) is changing privileges, feel free to send me any other reference, any kind of help is welcome..
edited:
the funny and strange thing is processexplorer shows all denied acces for everyone and privilege constants are ALL DISABLED by my code, take a look at the screenshot:
http://img31.imageshack.us/img31/3092/protectu.jpg
There's kinda interesting protection I found a couple of days ago , it's a new vista security feature that allows to protect an app and was bypassed by a sec researcher, it's described here:
http://www.alex-ionescu.com/?p=35
http://www.alex-ionescu.com/?p=34
|
Note: Registration is required to post to the forums.
|
|
|
|
There are 31,328 total registered users.
|
|
![[+] expand](/imagery/files/soysauce_blueprint.gif){kind=link}