tags:

views:

177

answers:

5
+1  Q: 

How can a program be detected as running?

I have written a program that is sort of an unofficial, standalone plugin for an application. It allows customers to get a service that is a lower priced alternative then the vendor-owned one. My program is not illegal, against any kind of TOS, and is certainly not a virus, adware, or anything like that. That being said, the vendor of course is not happy about me taking his competition, and is trying to block my application from running.

He has already tried some tactics to stop people from running my app alongside his. He makes it so if it is detected, his app throws a fake error.

First, he checked to see if my program was running by looking for an open window with the right title. I countered this by randomizing the program title at startup.

Next, he looked for the running process name. I countered this by making the app copy itself when it is started as [random string].exe and then running that.

Anyways, my question is this: what else can he do to detect if my program running? I know that you can read window text (ie status bar, labels). I'm prepared to counter this by replacing the labels with images (ugh, any other way?).

But what else is there? Can you detect what .dlls a program has loaded? If so, could this be solved by randomizing the dll names before loading them?

I know that it's possible to get a program's signature in memory and track it that way (like a virus scanner), but the chances of him doing that probably aren't good because that sounds pretty advanced.

Even though this is kinda crappy of him to be doing, its kind of fun. It's like a nerdy fist fight.

EDIT: When I said it's a plugin, that is just the (incorrect) term I used. It's a standalone EXE. The "API" between my program and the other is mine is simply entering data into the controls (like textboxes, etc).

+2  A: 

I feel a little dirty answering this but it's late and I'm waiting for a drive copy to finish so....

He could use a checksum to identify your executable/dll. This gets around the renaming tricks.

You can get around this by randomly modifying bits in the program on start (e.g., change a resource, play with the embedded version, etc...).

If I were him I'd also start looking for patterns of network traffic; e.g., if you're directing customers to competitors you're looking that information up from somewhere so kill the process and/or unload the library if a plugin accesses a site that's on the blacklist.

If you take the cat and mouse game far enough (e.g., shell hooks to re-create your executable/library if it gets deleted) you'll probably get flagged as a virus by antivirus software.

Arnshea  2009-06-19 02:09:28
A: 

Anyways, my question is this: what else can he do to detect if my program running?

  • Is your program an EXE or a DLL?
  • You call it a plugin: what is plugging in to?
  • How is your program started/launched/run?
  • What does your program do to "plug in"?
  • What's the API between your program and the other program?
ChrisW  2009-06-19 02:20:27
I updated my original post with answers.
ryeguy  2009-06-19 14:20:22
A: 

@ryeguy ... The best defense is a good offense imho. Do what you can to disable his process before it disables yours.

Nippysaurus  2009-06-19 02:29:12
Then the user will just remove the plugin - I don't know if any user likes a 'plugin' that crashes the main program every time he searches for something ..
futureelite7  2009-06-19 02:32:30
+2  A: 

Not very sporting of your competitor.

Deploy your project as uncompiled encrypted source code. Write a decryption and deployment program that can randomize, renames classes, re-arranges code to avoid any particular signature detection.

Then compile the code on the client machine using CSharpCodeProvider to compile your code. You can generate random assemblies, with totally random function signatures (I suggest using a large dictionary of real, common, words instead of being totally random. You can concatenate them together for more fun. e.g. Live, Virtual, Space, Office, Network, Utility. Space.Live.Network.dll, Utility.Virtual.Live.dll ).

Every version of your program on every client will be different. Make sure to cloak your deployment program. Maybe it should delete itself after it has installed your customized version.

GrendleM  2009-06-19 02:34:35
A: 

This is not an answer to your final question but rather to the problem described.

How about fixing the other application. Find the string it is looking for in the titles and change some letter in it.

Let your customers know where the problem lies by supplying them with a fix to the other application rather than your own.

phq  2010-04-09 22:08:28

related questions

Displaying Flash content in a C# WinForms application
How to get the value of built, encoded ViewState?
Unhandled Exception Handler in .NET 1.1
How do I connect to a database and loop over a recordset in C#?
How do I most elegantly express left join with aggregate SQL as LINQ query
Get a new object instance from a Type in C#
.NET Testing Framework Advice
Automatically update version number
What is the difference between an int and an Integer in Java/C#?
How to write to Web.Config in Medium Trust ?
WinForms ComboBox data binding gotcha
How do you sort a C# dictionary by value?
Adding Scripting functionality to .NET applications
Floating Point Number parsing: Is there a Catch All algorithm?
How do I print an HTML document from a web service?
Decoding T-SQL CAST in C#/VB.net
Anatomy of a "Memory Leak"
How do I get a distinct, ordered list of names from a DataTable using Linq
Reliable Timer in a Console Application
How do I fill a DataSet or a DataTable from a LINQ query resultset ?
What's the difference between Math.Floor() and Math.Truncate() in .NET?
How do I calculate relative time?
How do I calculate someone's age in C#?
Are there any conversion tools for porting Visual J# code to C#?
When setting a form's opacity should I use a decimal or double?