views: 205

answers: 5

There are software applications, such as ArtMoney, that edit the memory of other applications.

Is there a way to detect when some other application is editing the memory of my application?

+3  A: 

One method, used by many virus checkers, is to perform a checksum of your executable or memory and save it. When running, occasionally calculate a new checksum and compare with the original. Most programs don't intentionally modify their executables.

Thomas Matthews
Works fine for immutable memory. But most memory is not immutable.
Marco van de Voort
+5  A: 

The basic idea to protect from basic memory modification is to encrypt the parts of memory you care about, and have redundant checks to ensure against modification.

None of which will stop a determined hacker, but it's sufficient to keep the script kiddies out of your address space.

Anon.
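
The masking and redundant checks described in the answer above, sketched in C as an added example (not code from any poster in this thread). The type and function names are hypothetical, the caller is assumed to supply a fresh random key on every write, and the XOR mask is obfuscation rather than cryptography.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* A value kept masked, stored twice under different masks, with a checksum
   over the three words. All names here are hypothetical. */
typedef struct {
    uint32_t masked;  /* value ^ key */
    uint32_t shadow;  /* ~value ^ rotl(key, 13): redundant copy */
    uint32_t key;     /* per-write mask; caller supplies fresh randomness */
    uint32_t check;   /* FNV-1a over the three fields above */
} guarded_u32;

static uint32_t rotl32(uint32_t x, unsigned r) {
    return (x << r) | (x >> (32 - r));
}

static uint32_t fnv1a(const void *p, size_t n) {
    const unsigned char *b = p;
    uint32_t h = 2166136261u;
    while (n--) { h ^= *b++; h *= 16777619u; }
    return h;
}

void guarded_set(guarded_u32 *g, uint32_t value, uint32_t fresh_key) {
    g->key = fresh_key;
    g->masked = value ^ fresh_key;
    g->shadow = ~value ^ rotl32(fresh_key, 13);
    g->check = fnv1a(g, offsetof(guarded_u32, check));
}

/* True and *out set when every redundant check agrees; false means the
   struct was written without going through guarded_set(). */
bool guarded_get(const guarded_u32 *g, uint32_t *out) {
    uint32_t v = g->masked ^ g->key;
    uint32_t s = ~(g->shadow ^ rotl32(g->key, 13));
    if (v != s) return false;
    if (g->check != fnv1a(g, offsetof(guarded_u32, check))) return false;
    *out = v;
    return true;
}

/* True if the cleartext value appears anywhere in the struct's raw bytes. */
bool raw_contains(const guarded_u32 *g, uint32_t value) {
    const unsigned char *b = (const unsigned char *)g;
    for (size_t i = 0; i + sizeof value <= sizeof *g; i++)
        if (memcmp(b + i, &value, sizeof value) == 0) return true;
    return false;
}
```

A `false` from `guarded_get` only reports that the stored words no longer agree; the check itself lives in the same address space and can be patched out like any other code.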
+3  A: 

The short answer is no, it's not possible in the general case. Even if you implement some of the suggestions that have been given, there's nothing stopping someone from patching the code that performs the checks.

I don't know the specifics of how ArtMoney works, but if it functions as a debugger you could try checking regularly to see if DebugHook <> 0, and reacting appropriately if it is. (Just make sure to put that code in a {$IFNDEF DEBUG} block so it doesn't cause trouble for you!)

You might want to ask yourself why you want to prevent people from patching your memory, though. Unless there's a genuine security issue, you probably shouldn't even try. Remember that the user's computer, that your program will be running on, is their property, not yours, and if you interfere too much with the user's choices as to what to do with their property, your program is morally indistinguishable from malware.

Mason Wheeler
+1  A: 

I do not know how it works, I think it can be done in 3 ways:

  • ReadProcessMemory and WriteProcessMemory Windows API
  • using a debugger (check for debughook, but that's almost too easy so it won't use that)
  • injects a dll so it can access all memory (because it is in the same process)

The last one is easier (check for injected dll or something like that). The first one is trickier, but I found some articles about it:

André
No, `DebugHook` is completely useless to check whether the process is being debugged, it is used by the IDE debugger only. There is `IsDebuggerPresent()` in the Windows API (or direct access to the PEB), but it's fooled extremely easily, see http://www.teamfurry.com/wordpress/2007/02/25/avoiding-debugger-detection.
mghie
+1  A: 

I asked a similar question, and the conclusion was basically that you cannot stop this: "How can I increase memory security in Delphi".

mj2008