Detect serial port sniffer

delphi package - easy access to kernel objects etc.

Detect serial port sniffer

Postby Kresimir M » Sun Aug 05, 2012 2:41 pm

We have a problem with a concurrent company using a serial port sniffer to analyze our communication (over the serial port). We need to find a way to detect whether any other application gained access to the serial port before our application was started. If so, our application should refuse to run. The idea was to detect whether anyone else holds a handle to the serial port (e.g. COM1). Can it be done that way?

Best regards,
Kresimir M
 
Posts: 3
Joined: Sun Aug 05, 2012 2:19 pm

Re: Detect serial port sniffer

Postby madshi » Sun Aug 05, 2012 2:57 pm

I don't know enough about ports to answer this. I don't know whether the sniffer uses a driver to hook into the serial port, or whether it's hooking APIs, or whether it's connecting to the port via win32 APIs, or whether there's an official way to install a sniffer callback. You first need to find out how that sniffer works. Only then do you know what to do to detect/defeat it. Of course you could simply enumerate all running processes and look for a process with a specific name. But that would be a rather too simple solution. Just renaming the sniffer exe file would work around such a detection...
madshi
Site Admin
 
Posts: 9265
Joined: Sun Mar 21, 2004 5:25 pm

Re: Detect serial port sniffer

Postby Kresimir M » Sun Aug 05, 2012 3:24 pm

Most serial port sniffers use drivers which put themselves into the serial port device stack (e.g. Free Serial Port Monitor from HHD Software). If I understood correctly, most of them "open" a designated serial port, get a copy of the "file handle" and then close the handle (that is why they all require to be run before the target application, since once the serial port gets opened by e.g. my application they cannot sniff it). From what I understood, somewhere in Windows there is a list of everyone who requested access to a certain file (a serial port is treated as a file) ... the idea is: if I can get a list of all processes that are 'enlisted' as users of some handle, then I can:

1. if my application is the only one in the list - everything is OK
2. If more applications are on the list - stop working.

Do you think it's a correct way of seeing things?
Kresimir M
 
Posts: 3
Joined: Sun Aug 05, 2012 2:19 pm

Re: Detect serial port sniffer

Postby madshi » Sun Aug 05, 2012 4:24 pm

You can check the list of open file and port handles of a process by using the Sysinternals Process Explorer software. If the port is not listed there, you're probably out of luck. Closed handles are not stored/remembered anywhere.
madshi
Site Admin
 
Posts: 9265
Joined: Sun Mar 21, 2004 5:25 pm
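The check Kresimir describes (list every process holding a handle to the port, refuse to start if anyone but us does) and the Process Explorer lookup madshi suggests both boil down to walking the system handle table. The following is an added example written for this thread; it is not code from the original posts, from madKernel or from HHD Software. It uses the raw ntdll calls NtQuerySystemInformation (class SystemExtendedHandleInformation) and NtQueryObject directly rather than madKernel's wrappers, and the record layouts and constants are those of the undocumented native API as commonly published, which is an assumption on the reader's Windows version. It assumes a Unicode Delphi (2009 or later) and that the process is allowed to open other processes with PROCESS_DUP_HANDLE, which in practice means running elevated.

```delphi
program SerialPortHandleCheck;
{$APPTYPE CONSOLE}
{$R-}  // Handles[] is declared [0..0] but is really NumberOfHandles long

uses
  Windows, SysUtils;

type
  NTSTATUS = LongInt;
  // Layout of SystemExtendedHandleInformation (class 64); assumed from the
  // undocumented ntdll interface. It carries full PIDs, unlike class 16.
  SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX = record
    Object_: Pointer;
    UniqueProcessId: NativeUInt;
    HandleValue: NativeUInt;
    GrantedAccess: ULONG;
    CreatorBackTraceIndex: Word;
    ObjectTypeIndex: Word;
    HandleAttributes: ULONG;
    Reserved: ULONG;
  end;
  SYSTEM_HANDLE_INFORMATION_EX = record
    NumberOfHandles: NativeUInt;
    Reserved: NativeUInt;
    Handles: array[0..0] of SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX;
  end;
  PSYSTEM_HANDLE_INFORMATION_EX = ^SYSTEM_HANDLE_INFORMATION_EX;
  UNICODE_STRING = record
    Length, MaximumLength: Word;
    Buffer: PWideChar;
  end;
  OBJECT_NAME_INFORMATION = record
    Name: UNICODE_STRING;
  end;
  POBJECT_NAME_INFORMATION = ^OBJECT_NAME_INFORMATION;

const
  SystemExtendedHandleInformation = 64;
  ObjectNameInformation = 1;
  STATUS_INFO_LENGTH_MISMATCH = NTSTATUS($C0000004);

function NtQuerySystemInformation(InfoClass: ULONG; Info: Pointer; Len: ULONG;
  ReturnLen: PULONG): NTSTATUS; stdcall; external 'ntdll.dll';
function NtQueryObject(H: THandle; InfoClass: ULONG; Info: Pointer; Len: ULONG;
  ReturnLen: PULONG): NTSTATUS; stdcall; external 'ntdll.dll';

// Map a Win32 port name to its NT device name, e.g. COM1 -> \Device\Serial0.
// Handle names reported by the object manager use the NT form.
function PortDeviceName(const Port: string): string;
var
  Buf: array[0..MAX_PATH] of Char;
begin
  Result := '';
  if QueryDosDevice(PChar(Port), Buf, Length(Buf)) > 0 then
    Result := PChar(@Buf[0]);  // first string of the returned multi-string
end;

// Fetch the whole system handle table, growing the buffer until it fits.
function QueryHandleTable: PSYSTEM_HANDLE_INFORMATION_EX;
var
  Size, Needed: ULONG;
  Status: NTSTATUS;
begin
  Size := 1 shl 16;
  repeat
    Result := AllocMem(Size);
    Status := NtQuerySystemInformation(SystemExtendedHandleInformation, Result, Size, @Needed);
    if Status = STATUS_INFO_LENGTH_MISMATCH then
    begin
      FreeMem(Result);
      Result := nil;
      Size := Size * 2;
    end;
  until Status <> STATUS_INFO_LENGTH_MISMATCH;
  if Status <> 0 then
  begin
    FreeMem(Result);
    Result := nil;
  end;
end;

// Duplicate a foreign handle into our process and ask the object manager for its name.
function HandleObjectName(Pid: DWORD; H: THandle): string;
var
  Proc, Dup: THandle;
  Buf: array[0..2047] of Byte;  // OBJECT_NAME_INFORMATION plus the name text
  Ret: ULONG;
begin
  Result := '';
  Proc := OpenProcess(PROCESS_DUP_HANDLE, False, Pid);
  if Proc = 0 then Exit;  // protected or inaccessible process: cannot inspect
  try
    if DuplicateHandle(Proc, H, GetCurrentProcess, @Dup, 0, False, DUPLICATE_SAME_ACCESS) then
    try
      if NtQueryObject(Dup, ObjectNameInformation, @Buf, SizeOf(Buf), @Ret) = 0 then
        with POBJECT_NAME_INFORMATION(@Buf)^.Name do
          SetString(Result, Buffer, Length div SizeOf(WideChar));
    finally
      CloseHandle(Dup);
    end;
  finally
    CloseHandle(Proc);
  end;
end;

// Count handles to Port held by processes other than ourselves.
function OtherProcessesHoldingPort(const Port: string): Integer;
var
  Table: PSYSTEM_HANDLE_INFORMATION_EX;
  I: Integer;
  Device, Name: string;
  Me: DWORD;
begin
  Result := 0;
  Device := PortDeviceName(Port);
  if Device = '' then Exit;  // port does not exist on this machine
  Me := GetCurrentProcessId;
  Table := QueryHandleTable;
  if Table = nil then Exit;
  try
    for I := 0 to Integer(Table.NumberOfHandles) - 1 do
      with Table.Handles[I] do
      begin
        if UniqueProcessId = Me then Continue;
        // Synchronous named-pipe handles with this access mask make NtQueryObject
        // block forever; skipping them is the usual practitioner workaround.
        if GrantedAccess = $0012019F then Continue;
        Name := HandleObjectName(DWORD(UniqueProcessId), THandle(HandleValue));
        if SameText(Name, Device) then
        begin
          Inc(Result);
          Writeln(Format('PID %d holds handle %x to %s', [UniqueProcessId, HandleValue, Device]));
        end;
      end;
  finally
    FreeMem(Table);
  end;
end;

begin
  if OtherProcessesHoldingPort('COM1') > 0 then
  begin
    Writeln('Refusing to start: another process already holds COM1.');
    Halt(1);
  end;
  Writeln('No other process holds COM1; starting normally.');
end.
```

This finds exactly what Process Explorer shows: processes that keep a handle to the port open. It does not help against the sniffers Kresimir describes, which install a filter driver in the serial device stack and then close their handle, since a closed handle leaves nothing in the handle table, and a filter driver does not appear there at all. Detecting that class of monitor would mean inspecting the device stack (driver-level information), not user-mode handles.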

Re: Detect serial port sniffer

Postby Kresimir M » Sun Aug 05, 2012 5:18 pm

I've tried. It's not listed. Thanks anyway.
Kresimir M
 
Posts: 3
Joined: Sun Aug 05, 2012 2:19 pm

