I am trying to develop an evaluation software mechanism that will limit the use of the program, and then require a purchase.

But when I gave it to my friend, he told me that whatever I do - write to the registry, a file or even an alternate data stream - can be easily detected by even "innocent" utilities like Procmon. So a potential thief just needs to delete the files and registry keys my program has made, and use the software again and again.

This is very frustrating! It nullifies any protection I can think of!

My question is, is there any way to perform activity that will not be detected by the likes of procmon?

Chezi
  • No. If there was, the next release of Procmon could just bypass it. What you're asking for (perfect hiding from any low-level detection tools run by someone with administrative privileges) is the same as what malware wants to do, and you're not going to be winning that arms race when there's so much more at stake there. Ultimately, if your software is that useful, enough honest people should buy it that the percentage of dishonest people who'll circumvent your protections doesn't matter as much. Sinking extra resources in deterring the dishonest ones hits diminishing returns quickly. – Jeroen Mostert Feb 12 '23 at 09:40
  • You have no defense against an adversary with administrator permissions. You can make things frustratingly difficult to the point where they may give up, but you will ultimately lose to a sufficiently patient and resourceful adversary. (What you can do is migrate part of your program logic online, and have the server detect misuse, say, because the client passed a trial key that has expired. Of course, you now have the problem of the user just creating hundreds of trial keys, each from a different virtual machine.) – Raymond Chen Feb 12 '23 at 16:53
  • Between you two, I have found a very solid solution. I really want to tell it to whom it may concern, but I can't, for obvious reasons... Suffice to say, I have drowned Procmon with thousands of events, and did some ambiguous "operation" in between; they have little to no chance to comprehend. I am not worried about a persistent "hacker", I just want it to be hard enough and not outright obvious. – Chezi Feb 12 '23 at 19:48
  • Raymond Chen! I am honored! Huge fan! – Chezi Feb 12 '23 at 20:02
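The server-side variant suggested in the comments (the trial state lives on a server the user cannot wipe, and the server, not the client, decides whether a trial has expired) as an added example; this is not code from the question or the commenters. It assumes an HMAC-signed token format, an in-memory `ISSUED` table standing in for the server's database, and a constructed secret.

```python
import base64
import hashlib
import hmac
import json

# Constructed secret for the example; a real server loads it from secure storage.
SERVER_SECRET = b"example-secret-do-not-use"

# Server-side record of issued trials: trial_id -> expiry (epoch seconds).
# A client with admin rights can delete its local files; it cannot delete this.
ISSUED = {}


def sign_payload(payload: bytes) -> str:
    """HMAC-SHA256 over the token payload, hex encoded."""
    return hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest()


def issue_trial(trial_id: str, now: float, days: int = 14) -> str:
    """Server issues a signed trial token and records its expiry server-side."""
    expires = int(now) + days * 86400
    ISSUED[trial_id] = expires
    payload = json.dumps({"id": trial_id, "exp": expires}, sort_keys=True).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + sign_payload(payload)


def check_trial(token: str, now: float) -> str:
    """Server validates a client-presented token; returns a status string."""
    try:
        b64, sig = token.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(b64.encode())
    except ValueError:  # binascii.Error is a ValueError subclass
        return "malformed"
    if not hmac.compare_digest(sign_payload(payload), sig):
        return "bad-signature"  # token was edited on the client
    data = json.loads(payload)  # safe: signature proved we produced this payload
    recorded = ISSUED.get(data["id"])
    if recorded is None:
        return "unknown"  # never issued (or revoked) by this server
    if now > recorded:  # trust the server's record, not the token's own "exp"
        return "expired"
    return "ok"
```

The token's embedded `exp` is only a convenience for the client UI; the authoritative decision uses the server's record, so re-presenting an old token after wiping local state changes nothing.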

0 Answers