benasio

Reputation: 529

Detect memory intrusion

There are software applications, such as ArtMoney, that edit the memory of other applications.

Is there a way to detect when some other application is editing the memory of my application?

Upvotes: 2

Views: 834

Answers (5)

mj2008

Reputation: 6747

I asked a similar question, and the conclusion was basically that you cannot stop this: "How can I increase memory security in Delphi"

Upvotes: 1

André

Reputation: 9112

I do not know how it works, but I think it can be done in 3 ways:

  • ReadProcessMemory and WriteProcessMemory Windows API
  • using a debugger (check for DebugHook, but that's almost too easy so it won't use that)
  • injecting a DLL so it can access all memory (because it is in the same process)

The last one is easier (check for injected dll or something like that). The first one is trickier, but I found some articles about it:

Upvotes: 1

Mason Wheeler

Reputation: 84550

The short answer is no, it's not possible in the general case. Even if you implement some of the suggestions that have been given, there's nothing stopping someone from patching the code that performs the checks.

I don't know the specifics of how ArtMoney works, but if it functions as a debugger you could try checking regularly to see if DebugHook <> 0, and reacting appropriately if it is. (Just make sure to put that code in a {$IFNDEF DEBUG} block so it doesn't cause trouble for you!)

You might want to ask yourself why you want to prevent people from patching your memory, though. Unless there's a genuine security issue, you probably shouldn't even try. Remember that the user's computer, which your program will be running on, is their property, not yours, and if you interfere too much with the user's choices as to what to do with their property, your program is morally indistinguishable from malware.

Upvotes: 3

Anon.

Reputation: 59983

The basic idea to protect from basic memory modification is to encrypt the parts of memory you care about, and have redundant checks to ensure against modification.

None of which will stop a determined hacker, but it's sufficient to keep the script kiddies out of your address space.

Upvotes: 6

Thomas Matthews

Reputation: 57698

One method, used by many virus checkers, is to perform a checksum of your executable or memory and save it. When running, occasionally calculate a new checksum and compare with the original. Most programs don't intentionally modify their executables.

Upvotes: 3
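
The idea from the last two answers (keep the value masked in memory, add redundant checks, and recompute a checksum before trusting it), sketched in C as an added example that is not part of the original answers. The names `guarded_u32`, `guard_set` and `guard_get` and the mask constant are made up for illustration, and the direct field write in the demo stands in for an edit made by another process.

```c
#include <stdint.h>

/* Hypothetical guarded value: never stored in the clear, with two redundant checks. */
typedef struct {
    uint32_t masked;  /* value XOR mask, so a scan for the plain value misses it */
    uint32_t mask;    /* per-instance mask (obfuscation only, not real secrecy) */
    uint32_t mirror;  /* bitwise complement of masked: first redundant check */
    uint32_t sum;     /* FNV-1a over the three fields above: second check */
} guarded_u32;

/* 32-bit FNV-1a over masked, mask and mirror, byte by byte. */
static uint32_t guard_sum(const guarded_u32 *g)
{
    const uint32_t w[3] = { g->masked, g->mask, g->mirror };
    uint32_t h = 2166136261u;
    for (int i = 0; i < 3; i++)
        for (int b = 0; b < 4; b++) {
            h ^= (w[i] >> (8 * b)) & 0xffu;
            h *= 16777619u;
        }
    return h;
}

void guard_set(guarded_u32 *g, uint32_t value, uint32_t mask)
{
    g->mask = mask;
    g->masked = value ^ mask;
    g->mirror = (uint32_t)~g->masked;
    g->sum = guard_sum(g);
}

/* Returns 0 and stores the value in *out if intact, -1 if any field was altered. */
int guard_get(const guarded_u32 *g, uint32_t *out)
{
    if (g->mirror != (uint32_t)~g->masked || g->sum != guard_sum(g))
        return -1;
    *out = g->masked ^ g->mask;
    return 0;
}

/* Constructed scenario: round-trip a value, then overwrite one field directly. */
int demo_tamper_detected(void)
{
    guarded_u32 gold;
    uint32_t v = 0;
    guard_set(&gold, 100u, 0xA5C3F00Du);   /* mask constant is arbitrary */
    if (guard_get(&gold, &v) != 0 || v != 100u)
        return 0;
    gold.masked = 999999u;                  /* stands in for an outside write */
    return guard_get(&gold, &v) == -1;
}
```

As the answers above point out, this only raises the bar: anything that can patch the checking code itself can bypass it.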
