Protecting files against file/registry monitors, debuggers, screen capturing tools with Enigma Protector


Enigma Protector has a wide range of features that add protection to an application. This article shows how you can increase and customize that protection using your own protection rules. The protection features described below are based on checking for known tools that crackers use, by looking at the file names of running processes, the window titles and window class names of those processes, and the file names of loaded drivers.

Protecting against debuggers
Protecting against file and registry monitors
Protecting against screen capturing tools

Protecting against debuggers

Let me explain what a debugger does. A debugger is a special tool that allows reverse engineering of the code in executable files (disassembling, viewing, modifying, affecting execution, dumping, etc.). A debugger is a common tool used by crackers to remove protection, reset a trial or obtain registration keys, in short, to eliminate the limitations of unregistered versions. To prevent this, we should stop file execution if a debugger is found in the system. Enigma Protector has a wide range of features to prevent reverse engineering, but more care can always be taken to further improve protection. This is always a wise decision! In addition to the methods below, Enigma has a strong anti-debugger feature, see the "CHECK-UP-Anti-debugger" panel.

SoftIce
Some time ago the most widely used debugger was SoftIce. It is useful to briefly show how to prevent execution of a protected file if SoftIce is present in the system. The first steps are always the same: open Enigma, choose the input and output files, then go to the "CHECK-UP-Loaded Drivers" panel. Click the Add button and enter the SoftIce driver name there: NTICE. Protect the application and try to run it. If SoftIce is loaded, or merely installed on the PC, the file will refuse to run. Common names for SoftIce drivers are shown in the table below:

Driver Name   Description
-----------   -----------------------------------------------------------------------------------
SICE          SoftIce driver name for Windows 9x
SIWVID        Additional SoftIce driver name for Windows 9x
NTICE         SoftIce driver name for Windows NT
ICEEXT        IceExt is a widely known plugin for SoftIce; it is helpful to use a checkup for its driver

TRW
This is another early debugger based on driver technology. It works only on Windows 9x systems, so if your application does not support Windows 9x, do not use this checkup. The steps are the same as described above for SoftIce; the only difference is the driver name:

Driver Name   Description
-----------   ---------------
TRW           TRW driver name

OllyDbg
OllyDbg is the most widely used user-mode debugger; most reverse engineers use it for researching software. To check whether OllyDbg is running on the system, we will use the executed-processes checkup. It is no secret that every process running in the system has its own (unique or non-unique) identifiers: the process's file name, its main window title and its window class. A good way to detect OllyDbg is therefore to use these identifiers. Let's start: open Enigma, choose the input and output files, go to the "CHECK-UP-Executed Processes" panel, click the "Add process" button and add any process to the list. Then edit the added process for OllyDbg (click on the item in the list to activate the editor):

File Name     Window Text         Window Class
-----------   -----------------   ------------
Ollydbg.exe   TOllyDbg - [CPU]    OLLYDBG

Now protect the file. Run the file and try to run OllyDbg: the protected file terminates immediately!

Protecting against file and registry monitors

Below we describe how to prevent execution of protected files if file or registry monitors are running. The best-known monitors are RegMon (registry access monitor) and FileMon (file access monitor). For this checkup we can use the loaded-drivers checkup (because these monitors are built on driver technology) and the executed-processes checkup (because they have a GUI). The steps are the same as described above for SoftIce and OllyDbg. The necessary settings are in the tables below.

Driver names for "CHECK-UP-Loaded Drivers":

Driver Name   Description
-----------   -------------------------------------
REGVXG        RegMon driver name for Windows 9x
REGSYS        RegMon driver name for Windows NT
REGMON701     RegMon 7.01 driver name for Windows NT
FILEVXG       FileMon driver name for Windows 9x
FILEM         FileMon driver name for Windows NT
FILEMON701    FileMon 7.01 driver name for Windows NT
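The loaded-drivers checkup used for SoftIce, TRW, RegMon and FileMon above boils down to one comparison: is the base name of any loaded driver in the configured list? The following is an added example, not Enigma Protector's own code, that reimplements that check in Python. The matching rule (strip any path and the .sys/.vxd extension, then compare case-insensitively) is an assumption about how the panel behaves; the driver names are the ones from the article's tables, and the sample driver list is constructed. On Windows the enumerate_loaded_drivers function reads the real driver list through EnumDeviceDrivers and GetDeviceDriverBaseNameW from psapi; elsewhere the script falls back to the constructed sample.

```python
"""Loaded-driver checkup in the style of the "CHECK-UP-Loaded Drivers" panel.

Added example; this is not Enigma Protector's own code. The matching rule
(compare the driver's base name, case-insensitively, with the path and the
.sys/.vxd extension removed) is an assumption about how the panel works.
"""
import sys
import ctypes

# Driver names taken from the article's tables, with their descriptions.
DRIVER_CHECKUP = {
    "SICE": "SoftIce driver (Windows 9x)",
    "SIWVID": "Additional SoftIce driver (Windows 9x)",
    "NTICE": "SoftIce driver (Windows NT)",
    "ICEEXT": "IceExt plugin for SoftIce",
    "TRW": "TRW driver",
    "REGVXG": "RegMon driver (Windows 9x)",
    "REGSYS": "RegMon driver (Windows NT)",
    "REGMON701": "RegMon 7.01 driver (Windows NT)",
    "FILEVXG": "FileMon driver (Windows 9x)",
    "FILEM": "FileMon driver (Windows NT)",
    "FILEMON701": "FileMon 7.01 driver (Windows NT)",
}

# Constructed sample of driver image names, as EnumDeviceDrivers might report them.
SAMPLE_LOADED_DRIVERS = [
    "\\SystemRoot\\System32\\Drivers\\ntice.sys",
    "ntoskrnl.exe",
    "hal.dll",
    "FILEMON701.SYS",
    "Sice.vxd",
]


def normalize_driver_name(image_name):
    """Reduce a driver image name to the bare upper-case name used in the checkup list.

    '\\SystemRoot\\System32\\Drivers\\ntice.sys' and 'NTICE.SYS' both become 'NTICE'.
    """
    base = image_name.replace("/", "\\").rsplit("\\", 1)[-1]
    if base.lower().endswith((".sys", ".vxd")):
        base = base[:-4]
    return base.upper()


def find_flagged_drivers(loaded_image_names, checkup=DRIVER_CHECKUP):
    """Return [(checkup name, description), ...] for every loaded driver found in the checkup list."""
    hits = []
    for image_name in loaded_image_names:
        key = normalize_driver_name(image_name)
        if key in checkup:
            hits.append((key, checkup[key]))
    return hits


def enumerate_loaded_drivers():
    """Windows only: base names of all loaded kernel drivers via EnumDeviceDrivers (psapi)."""
    if sys.platform != "win32":
        raise OSError("EnumDeviceDrivers is only available on Windows")
    from ctypes import wintypes
    psapi = ctypes.WinDLL("psapi", use_last_error=True)
    psapi.EnumDeviceDrivers.argtypes = [ctypes.POINTER(ctypes.c_void_p), wintypes.DWORD, wintypes.LPDWORD]
    psapi.EnumDeviceDrivers.restype = wintypes.BOOL
    psapi.GetDeviceDriverBaseNameW.argtypes = [ctypes.c_void_p, wintypes.LPWSTR, wintypes.DWORD]
    psapi.GetDeviceDriverBaseNameW.restype = wintypes.DWORD
    needed = wintypes.DWORD(0)
    # The first call with no buffer reports how many bytes the array of image bases needs.
    if not psapi.EnumDeviceDrivers(None, 0, ctypes.byref(needed)):
        raise ctypes.WinError(ctypes.get_last_error())
    bases = (ctypes.c_void_p * (needed.value // ctypes.sizeof(ctypes.c_void_p)))()
    if not psapi.EnumDeviceDrivers(bases, needed.value, ctypes.byref(needed)):
        raise ctypes.WinError(ctypes.get_last_error())
    names, buf = [], ctypes.create_unicode_buffer(260)
    for base in bases:
        if psapi.GetDeviceDriverBaseNameW(base, buf, len(buf)):
            names.append(buf.value)
    return names


if __name__ == "__main__":
    drivers = enumerate_loaded_drivers() if sys.platform == "win32" else SAMPLE_LOADED_DRIVERS
    for name, description in find_flagged_drivers(drivers):
        print(f"flagged driver {name}: {description}")
```

Run as a script it prints one line per flagged driver. Because the comparison is on the bare base name, the check is indifferent to where the driver was loaded from and to the case of the file name; it still only recognises the stock driver names listed in the tables, which is why the article layers it on top of the "CHECK-UP-Anti-debugger" panel rather than relying on it alone.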

File names, window texts, class names for "CHECK-UP-Executed Processes":

File Name     Window Text                                              Window Class
-----------   ------------------------------------------------------   ------------
Regmon.exe    Registry Monitor - Sysinternals: www.sysinternals.com    18467-41
Filemon.exe   File Monitor - Sysinternals: www.sysinternals.com        18467-41

Protecting against screen capturing tools

Here are the parameters to check whether SnagIt (a well-known screen capturing tool) is running on the PC. This checkup uses the "CHECK-UP-Executed Processes" panel:

File Name      Window Text              Window Class
------------   ----------------------   -------------
SnagIt32.exe   SnagIt                   SnagIt5UI
SnagIt32.exe   SnagIt Capture Preview   SnagIt5Preview
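The executed-processes checkup configured for OllyDbg, RegMon, FileMon and SnagIt above works from three identifiers per row: a process file name, a window title and a window class. The following is an added example, not Enigma Protector's own code, that reimplements such a check in Python over the rows from the article's tables. The matching rule is an assumption: a row is flagged when a running process's image base name equals the row's File Name (case-insensitive), or when a top-level window has the row's Window Class or a title that starts with the row's Window Text (case-insensitive; a prefix match because debuggers append the current module to their title). The sample process and window lists are constructed. On Windows the enumerate_processes and enumerate_windows functions collect the real lists through the Toolhelp32 snapshot API and EnumWindows; elsewhere the script falls back to the constructed sample.

```python
"""Executed-process checkup in the style of the "CHECK-UP-Executed Processes" panel.

Added example; this is not Enigma Protector's own code. The matching rule (process
image base name equals File Name, or a top-level window carries the Window Class or a
title starting with the Window Text, all case-insensitive) is an assumption.
"""
import sys
import ctypes

# Rows from the article's tables: (file name, window text, window class, description).
PROCESS_CHECKUP = [
    ("Ollydbg.exe", "TOllyDbg - [CPU]", "OLLYDBG", "OllyDbg"),
    ("Regmon.exe", "Registry Monitor - Sysinternals: www.sysinternals.com", "18467-41", "RegMon"),
    ("Filemon.exe", "File Monitor - Sysinternals: www.sysinternals.com", "18467-41", "FileMon"),
    ("SnagIt32.exe", "SnagIt", "SnagIt5UI", "SnagIt"),
    ("SnagIt32.exe", "SnagIt Capture Preview", "SnagIt5Preview", "SnagIt preview"),
]

# Constructed sample snapshot of a machine with OllyDbg and SnagIt open.
SAMPLE_PROCESSES = ["C:\\Windows\\explorer.exe", "C:\\Tools\\OLLYDBG.EXE", "python.exe"]
SAMPLE_WINDOWS = [
    ("TOllyDbg - [CPU] - main thread, module sample", "OLLYDBG"),
    ("Untitled - Notepad", "Notepad"),
    ("SnagIt", "SnagIt5UI"),
]


def image_basename(path):
    """Last path component of a process image path, e.g. 'C:\\Tools\\x.exe' -> 'x.exe'."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def find_flagged(processes, windows, checkup=PROCESS_CHECKUP):
    """Return [(description, 'process' | 'window', evidence), ...] for every row that matches."""
    hits = []
    for file_name, win_text, win_class, description in checkup:
        for image_path in processes:
            if image_basename(image_path).lower() == file_name.lower():
                hits.append((description, "process", image_path))
                break
        for title, cls in windows:
            if cls.lower() == win_class.lower() or title.lower().startswith(win_text.lower()):
                hits.append((description, "window", title))
                break
    return hits


def enumerate_processes():
    """Windows only: image file names of running processes via a Toolhelp32 snapshot."""
    if sys.platform != "win32":
        raise OSError("Toolhelp32 is only available on Windows")
    from ctypes import wintypes

    class PROCESSENTRY32W(ctypes.Structure):
        _fields_ = [("dwSize", wintypes.DWORD), ("cntUsage", wintypes.DWORD),
                    ("th32ProcessID", wintypes.DWORD), ("th32DefaultHeapID", ctypes.c_size_t),
                    ("th32ModuleID", wintypes.DWORD), ("cntThreads", wintypes.DWORD),
                    ("th32ParentProcessID", wintypes.DWORD), ("pcPriClassBase", wintypes.LONG),
                    ("dwFlags", wintypes.DWORD), ("szExeFile", wintypes.WCHAR * 260)]

    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.CreateToolhelp32Snapshot.argtypes = [wintypes.DWORD, wintypes.DWORD]
    k32.CreateToolhelp32Snapshot.restype = wintypes.HANDLE
    k32.CloseHandle.argtypes = [wintypes.HANDLE]
    for fn in (k32.Process32FirstW, k32.Process32NextW):
        fn.argtypes = [wintypes.HANDLE, ctypes.POINTER(PROCESSENTRY32W)]
        fn.restype = wintypes.BOOL
    snapshot = k32.CreateToolhelp32Snapshot(0x00000002, 0)  # TH32CS_SNAPPROCESS
    if snapshot in (None, ctypes.c_void_p(-1).value):      # NULL or INVALID_HANDLE_VALUE
        raise ctypes.WinError(ctypes.get_last_error())
    entry, names = PROCESSENTRY32W(dwSize=ctypes.sizeof(PROCESSENTRY32W)), []
    ok = k32.Process32FirstW(snapshot, ctypes.byref(entry))
    while ok:
        names.append(entry.szExeFile)
        ok = k32.Process32NextW(snapshot, ctypes.byref(entry))
    k32.CloseHandle(snapshot)
    return names


def enumerate_windows():
    """Windows only: (title, class name) of every top-level window via EnumWindows."""
    if sys.platform != "win32":
        raise OSError("EnumWindows is only available on Windows")
    from ctypes import wintypes
    u32 = ctypes.WinDLL("user32", use_last_error=True)
    WNDENUMPROC = ctypes.WINFUNCTYPE(wintypes.BOOL, wintypes.HWND, wintypes.LPARAM)
    u32.EnumWindows.argtypes = [WNDENUMPROC, wintypes.LPARAM]
    u32.GetWindowTextW.argtypes = [wintypes.HWND, wintypes.LPWSTR, ctypes.c_int]
    u32.GetClassNameW.argtypes = [wintypes.HWND, wintypes.LPWSTR, ctypes.c_int]
    found, title, cls = [], ctypes.create_unicode_buffer(512), ctypes.create_unicode_buffer(256)

    def on_window(hwnd, _lparam):
        u32.GetWindowTextW(hwnd, title, len(title))
        u32.GetClassNameW(hwnd, cls, len(cls))
        found.append((title.value, cls.value))
        return True  # keep enumerating

    u32.EnumWindows(WNDENUMPROC(on_window), 0)
    return found


if __name__ == "__main__":
    if sys.platform == "win32":
        processes, windows = enumerate_processes(), enumerate_windows()
    else:
        processes, windows = SAMPLE_PROCESSES, SAMPLE_WINDOWS
    for description, kind, evidence in find_flagged(processes, windows):
        print(f"flagged {description} via {kind}: {evidence}")
```

Each row is checked against both the process list and the window list, so a tool is still caught when only one of its identifiers is present, which is the reason the article records three identifiers per tool instead of one. The flip side is that every identifier is a stock name: the check recognises the tools as shipped, and nothing else, so it is a complement to the protector's other anti-debugging measures rather than a replacement for them.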

Screenshots of the Enigma panels listing all the checkups described above accompany this article:

[Screenshot: "CHECK-UP-Executed Processes" panel with the process checkups above]

[Screenshot: "CHECK-UP-Loaded Drivers" panel with the driver checkups above]

If you have any suggestions regarding this article, or information about other tools that should be included in the list, just let me know at support@enigmaprotector.com
This article is written for educational purposes only. The author does not carry any warranties/liability for using this information.
Author: Vladimir Sukhov
Date: 7 August 2008