views: 177

answers: 5

I have written a program that is sort of an unofficial, standalone plugin for an application. It allows customers to get a service that is a lower-priced alternative than the vendor-owned one. My program is not illegal, against any kind of TOS, and is certainly not a virus, adware, or anything like that. That being said, the vendor of course is not happy about me taking his competition, and is trying to block my application from running.

He has already tried some tactics to stop people from running my app alongside his. He makes it so that if it is detected, his app throws a fake error.

First, he checked to see if my program was running by looking for an open window with the right title. I countered this by randomizing the program title at startup.

Next, he looked for the running process name. I countered this by making the app copy itself when it is started as [random string].exe and then running that.

Anyways, my question is this: what else can he do to detect if my program is running? I know that you can read window text (i.e. status bar, labels). I'm prepared to counter this by replacing the labels with images (ugh, any other way?).

But what else is there? Can you detect what .dlls a program has loaded? If so, could this be solved by randomizing the dll names before loading them?

I know that it's possible to get a program's signature in memory and track it that way (like a virus scanner), but the chances of him doing that probably aren't good because that sounds pretty advanced.

Even though this is kinda crappy of him to be doing, it's kind of fun. It's like a nerdy fist fight.

EDIT: When I said it's a plugin, that is just the (incorrect) term I used. It's a standalone EXE. The "API" between my program and the other one is simply entering data into the controls (like textboxes, etc.).

+2  A: 

I feel a little dirty answering this but it's late and I'm waiting for a drive copy to finish so....

He could use a checksum to identify your executable/dll. This gets around the renaming tricks.

You can get around this by randomly modifying bits in the program on start (e.g., change a resource, play with the embedded version, etc...).

If I were him I'd also start looking for patterns of network traffic; e.g., if you're directing customers to competitors you're looking that information up from somewhere so kill the process and/or unload the library if a plugin accesses a site that's on the blacklist.

If you take the cat and mouse game far enough (e.g., shell hooks to re-create your executable/library if it gets deleted) you'll probably get flagged as a virus by antivirus software.

Arnshea
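The checksum idea in the answer above, as an added example that is not part of the thread: a defender identifies a program by the hash of its image bytes rather than by its window title or process name, so renaming does nothing, while any byte change (the "play with the embedded version" trick) produces a different hash. The process records and image bytes are constructed sample data, not real processes.

```python
"""Added example: name-based vs. content-hash-based identification of a program.
All 'process' data below is constructed for illustration."""
import hashlib

# Constructed stand-in for an executable image (not a real PE file).
SAMPLE_IMAGE = b"MZ\x90\x00" + b"plugin-code" * 8 + b"VERSION 1.0"


def sha256(data: bytes) -> str:
    """Hex SHA-256 of an image; this is what an AV-style identifier keys on."""
    return hashlib.sha256(data).hexdigest()


# The defender records a known hash, not a known file name.
KNOWN_HASH = sha256(SAMPLE_IMAGE)


def detect_by_name(proc_name: str, known_name: str = "plugin.exe") -> bool:
    """Name-based check: defeated by copying the EXE under a random name."""
    return proc_name.lower() == known_name


def detect_by_hash(image: bytes) -> bool:
    """Content-based check: unaffected by renaming, but any modified byte
    (e.g. an altered version resource) yields a new hash and no match."""
    return sha256(image) == KNOWN_HASH


def classify(proc_name: str, image: bytes) -> dict:
    """Run both checks on one constructed process record."""
    return {"by_name": detect_by_name(proc_name), "by_hash": detect_by_hash(image)}


if __name__ == "__main__":
    print(classify("plugin.exe", SAMPLE_IMAGE))   # both checks match
    print(classify("x7f3k.exe", SAMPLE_IMAGE))    # renamed: only the hash matches
    tweaked = SAMPLE_IMAGE.replace(b"VERSION 1.0", b"VERSION 1.1")
    print(classify("x7f3k.exe", tweaked))         # renamed and modified: neither
```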
A: 

Anyways, my question is this: what else can he do to detect if my program running?

  • Is your program an EXE or a DLL?
  • You call it a plugin: what is it plugging in to?
  • How is your program started/launched/run?
  • What does your program do to "plug in"?
  • What's the API between your program and the other program?
ChrisW
I updated my original post with answers.
ryeguy
A: 

@ryeguy ... The best defense is a good offense imho. Do what you can to disable his process before it disables yours.

Nippysaurus
Then the user will just remove the plugin - I don't know if any user likes a 'plugin' that crashes the main program every time he searches for something...
futureelite7
+2  A: 

Not very sporting of your competitor.

Deploy your project as uncompiled encrypted source code. Write a decryption and deployment program that can randomize, rename classes, and re-arrange code to avoid any particular signature detection.

Then compile the code on the client machine using CSharpCodeProvider to compile your code. You can generate random assemblies, with totally random function signatures (I suggest using a large dictionary of real, common words instead of being totally random. You can concatenate them together for more fun, e.g. Live, Virtual, Space, Office, Network, Utility: Space.Live.Network.dll, Utility.Virtual.Live.dll).

Every version of your program on every client will be different. Make sure to cloak your deployment program. Maybe it should delete itself after it has installed your customized version.

GrendleM
A: 

This is not an answer to your final question but rather to the problem described.

How about fixing the other application? Find the string it is looking for in the titles and change some letter in it.

Let your customers know where the problem lies by supplying them with a fix to the other application rather than your own.

phq