Exetools  

Go Back   Exetools > General > General Discussion

Notices

Reply
 
Thread Tools Display Modes
  #1  
Old 04-05-2005, 02:00
abitofboth
 
Posts: n/a
Beating a two session max!

I got this application.

It will let me run two instances of this app at the same time, no more!

Having two installations doesnt solve the problem.
Renaming the exe doesnt solve the problem.
Renaming the top window handle doesnt solve the problem.

It could be a registry value, ill check that with a monitor now, but i HIGHLY doubt that is it! Just two many possible error factors involved.

Could it really be that this app iterates through all running processes trying a ReadProcessMemory for identification ? This sounds far fetched as well, but its the nect logical conclusion I can come up with!
Key words : I can come up with
Well.. Im a noob! Dont kill me plz ?
I just wanted some input, what do YOU think is the most likely explanation for this behavior!
(also, the app doesnt host a serversocket, its not a port comm thing!)

Actually..

while reviewing network activity in different versions of netstat (with gui's and all) yields nothing interresting, using SysInternals TDImon yielded an interresting result !!

To quote the help !

"TDImon gets its name from the fact that it monitors activity at the Transport Driver Interface (TDI) level of networking operations in the operating system kernel."

And what is kinda interresting is that only THREE processes show activity here
explorer.exe
myfirewall.exe
theappthatannoysme.exe

So maybe it DO have some loopback activity going on ?

It shows up as TDI_SEND TCP:10.0.0.2 (my ip) SUCCESS-562 length:32


Allrighty then !!!!!!
Both sessions show this behavior!! (using different destination ports!)


First thing : Is this the monkey im chasing ?
Second thing : How do I bean it ? (firewall blocking doesnt seem like an option!)

[Edit JMI: DO NOT answer your own post. Use the EDIT Button. That's what it's for.]
Reply With Quote
  #2  
Old 04-05-2005, 04:17
Shub-Nigurrath's Avatar
Shub-Nigurrath Shub-Nigurrath is offline
VIP
 
Join Date: Mar 2004
Location: Obscure Kadath
Posts: 816
Rept. Given: 47
Rept. Rcvd 391 Times in 86 Posts
Thanks Given: 23
Thanks Rcvd at 103 Times in 52 Posts
Shub-Nigurrath Reputation: 300-399 Shub-Nigurrath Reputation: 300-399 Shub-Nigurrath Reputation: 300-399 Shub-Nigurrath Reputation: 300-399
everything is possible, and there are of course no limits to ways you can do to check the presence of another istance of the same program, the concept is that the two istances must share an information, even a single bit, but among the simplest method there's also the check of the main window's class name. try to have a look at it.
The best way is to check where the program decides to go on or to terminate, so try tracing exitprocess (or any exiting way) and then go backward to where it was called from..
__________________
Ŝħůb-Ňìĝùŕřaŧħ ₪)
There are only 10 types of people in the world: Those who understand binary, and those who don't
http://www.accessroot.com
Reply With Quote
  #3  
Old 04-05-2005, 13:05
Eskimobob
 
Posts: n/a
I have a couple programs that use the loopback funtion on defined ports to check to see if there's a copy of the program running. I suspect if they really wanted to do it this way the program could have to statically defined ports (bad Idea in general) and it could check them both to see if there's a copy. If a message is sent it replies.

Concerning:
"(firewall blocking doesnt seem like an option!)" -- Are we speaking of every firewall or the external only firewalls.

Have you tried to block the process from sending out a message? I mean some programs such as ZoneAlarm and other internal firewalls can control the ability for a program to send any messages across any ports.
You could also try to block the port that it's sending information through after it's open.
Reply With Quote
  #4  
Old 04-06-2005, 22:35
visu
 
Posts: n/a
There are various possibilities of detecting multiple instances, some also includes kernel objects. Using network is not really a smart solution and unlikely to be used.

Also have a look here

hxxp://www.codeproject.com/cpp/avoidmultinstance.asp
hxxp://www.flounder.com/nomultiples.htm

By the way, which application is that ?

Visu
Reply With Quote
  #5  
Old 04-09-2005, 02:56
just4urim
 
Posts: n/a
As "Visu" said , there're various possibilities of detecting multiple instances . One of these coul be a semaphor declaration . To avoid runing of another instances , you can declar a semaphor with special name and at the bigining just create your named semaphor and if the API return by ALLREADY_EXIST error , it shows that another instance has been run later .
Reply With Quote
  #6  
Old 04-11-2005, 10:01
kubik kubik is offline
Friend
 
Join Date: Oct 2004
Posts: 9
Rept. Given: 0
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 0
Thanks Rcvd at 0 Times in 0 Posts
kubik Reputation: 0
maybe there is used mutex

Code:
  invoke CreateMutex,0,0,addr dlgname
  invoke GetLastError
  xor al, 0B7h
  jz _exit
try to set breakpoint on CreateMutex. (bp CreateMutex)
Reply With Quote
  #7  
Old 04-14-2005, 09:07
firstrose
 
Posts: n/a
Well,you can patch it as kubik said.

but is there any other mutex,especially data?Then it will fail!
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Starting a debugging session with Flexlm lmgrd and a vendor specific daemon zaratustra General Discussion 14 12-30-2005 19:55
beating IsDebuggerPresent for my unpacker 0x539 General Discussion 14 03-02-2005 05:01


All times are GMT +8. The time now is 09:38.


Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX
( 1998 - 2021 )