[Lazarus] Detecting when decompiler is running

Mark Morgan Lloyd markMLl.lazarus at telemetry.co.uk
Fri Dec 4 15:20:49 CET 2015


Marc Santhoff wrote:
> On Fr, 2015-12-04 at 08:29 +0000, Richard Mace wrote:
>> Hi All,
>> I was wondering if there was a way where an application, written in
>> Lazarus, could detect when a compiler is running, perhaps by its mutex?
>> My idea was, in my application, I could periodically check to see if a
>> decompiler was running and then my app could perform an operation, such as
>> maybe closing.
> 
> As others said, decompilers and disassemblers are not detectable. But
> for protection there are other counter measures.
> 
> 1. Protect your program using checksums. Refuse to run if tampered.

The ld linker for ELF can embed a fingerprint, that can be read back 
fairly easily but I've not attempted to verify an entire binary against 
it. What I don't know is what part of a binary contributes to this, and 
whether - as a specific example - stripping symbols changes it.

The real problem however is the ease with which an attacker can 
substitute a hostile library, e.g. using (something like) 
LD_LIBRARY_PATH on unix.

> 2. Use varying protection schemes randomly. I did sth. like that by
> including protection code that is switched from the make process between
> multiple versions. If some hacker really solves the riddle for one
> executable, her hack will fail on most others. Same scheme as compiling
> in a serial number, that is changed for each compilation.
> 
> 3. Check integrity of the program often, from many places in the
> program. If really paranoid, you can combine with randomly selected
> checking routines. Using a code scanner/parser and injection code for
> checks is relatively simple, e.g. at the start of a procedure insert a
> check and exit code (or leave out, depending on the moon's phase or so).

Making random choices can be unwise, because sooner or later you hit a 
weak combination.

Also as a general point I once had a colleague who spent his lunchtimes 
methodically single stepping through AutoCAD with a view to finding out 
how the security dongle worked, and he was broadly successful despite 
professing to know no x86 assembler.

So you can obfuscate things as much as you want, but that's no 
protection against somebody with patience.

> If you have enough checks, enough randomness between varying mechanisms,
> hackers will give up for sure. You are in trouble if those programs
> should be distributed on DVD from one master, though.

Yes, big trouble. And I assume that you've seen yesterday's news about 
Raspbian being insecure because all copies start with the same (or no) 
"entropy", so SSH is seeded the same.

There is no substitute for a piece of hardware or software being 
uniquely serialised, and the user's contract (or license, or whatever 
you want to call it) being tied to that.

> I'd like to hear from others about their anti hacking tools ... ;)
> 
> Marc
> 
> Btw., the licence of the library code permits making closed source
> programs. Only Lazarus itself and the compiler code are open source. One
> point I like FPC/Lazarus for and use it.

-- 
Mark Morgan Lloyd
markMLl .AT. telemetry.co .DOT. uk

[Opinions above are the author's, not those of his employers or colleagues]
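The checksum scheme discussed in this thread (embed a digest at link time, recompute it at run time, refuse to run on mismatch), as an added illustration that is not code from the list or from FPC/Lazarus. It models the binary as a byte string and assumes a reserved, zero-filled slot preceded by a unique marker; the part Mark is unsure about (which bytes contribute to the digest) is made explicit by hashing everything except the slot itself.

```python
import hashlib
import hmac

SLOT_LEN = 32  # SHA-256 digest size; slot assumed reserved in the image at link time


def _image_without_slot(image: bytes, slot_off: int) -> bytes:
    # Hash everything except the slot, otherwise storing the digest would change it.
    return image[:slot_off] + b"\x00" * SLOT_LEN + image[slot_off + SLOT_LEN:]


def expected_digest(image: bytes, slot_off: int) -> bytes:
    return hashlib.sha256(_image_without_slot(image, slot_off)).digest()


def find_slot(image: bytes, marker: bytes) -> int:
    """Locate the reserved slot: it directly follows a marker that occurs exactly once."""
    off = image.find(marker)
    if off < 0 or image.find(marker, off + 1) >= 0:
        raise ValueError("marker must occur exactly once in the image")
    return off + len(marker)


def embed_checksum(image: bytes, slot_off: int) -> bytes:
    """Post-link step: write the digest of the rest of the image into the slot."""
    if slot_off < 0 or slot_off + SLOT_LEN > len(image):
        raise ValueError("slot lies outside the image")
    digest = expected_digest(image, slot_off)
    return image[:slot_off] + digest + image[slot_off + SLOT_LEN:]


def verify_checksum(image: bytes, slot_off: int) -> bool:
    """Run-time check: recompute the digest and compare it against the stored one."""
    stored = image[slot_off:slot_off + SLOT_LEN]
    return hmac.compare_digest(stored, expected_digest(image, slot_off))


# Constructed stand-in for a linked ELF image: header-like bytes, code, the
# marker, an all-zero slot, then more code/data. Not a real binary.
MARKER = b"LZCHKSUM"
SAMPLE_IMAGE = (b"\x7fELF" + bytes(range(64)) + MARKER
                + b"\x00" * SLOT_LEN + bytes(range(64, 128)))


def demo():
    """Returns (verdict on the intact image, verdict after a one-byte patch)."""
    off = find_slot(SAMPLE_IMAGE, MARKER)
    signed = embed_checksum(SAMPLE_IMAGE, off)
    tampered = bytearray(signed)
    tampered[10] ^= 0xFF  # simulate patching one instruction byte outside the slot
    return verify_checksum(signed, off), verify_checksum(bytes(tampered), off)
```

This only detects changes to the file's own bytes; as the message above notes, it does nothing against a hostile library pulled in via LD_LIBRARY_PATH, and a patient attacker can still patch the check itself.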
