#1
Hi,
A lot of games blacklist Daemon Tools and I always wondered how they actually do this. Well, after some reversing I found a very simple way of detecting it by simply trying to load the daemon.dll file located in the Windows directory and calling the deactivate function for RMPS emulation and mounting. But I saw some other programs which deactivate dtools in a different way and I couldn't figure out how they do that... It seems that you can gather information about dtools by looking into the registry, but changing names and values didn't work. Does anyone have some information on different ways to do that? I plan to write a small patcher for 100% hiding dtools if this is possible. Thx
#2
There are a lot of ways to detect if a program is running. I'm not sure about Daemon Tools, but a lot of the time programs are checked by window name or class name (using FindWindow), or by checking all of the running processes, looking for a certain one. hxxp://pe-lib.sourceforge.net/pumqara/html/code_protection/Detecting%20OllyDbg/DetectOllyDbg+Pum.htm
will be of some help. It's OllyDbg related, but the same tricks apply to most .exes.

Crudd [RET]
#3
I would suggest leaving the idea of window/class names.
In my humble opinion the best way is to detect Daemon Tools by its MINI-PORT driver and BUS driver. If you use window/class names then it takes a few seconds to change them and you will fail. If you use generic-like methods (driver scanning) then you are always able to detect it. Of course, do not try to detect them (drivers) by name but by properties. Look at StarForce, it detects fake CD/DVD mediums by scanning low-level system drive types (SCSI, etc.). Professional developers (Alcohol, CloneCD, Daemon Tools) have serious problems with this kind of check and cannot defeat it without cosmic tricks like unplugging IDE cables (what a silly idea). Learn from the best (not me (hehe) but them). Good luck.
#4
Quote:
emulation, it would be better to scan the system to find the position of the dtools dll or exe file and disable all useful stuff... the question is, what else can you do to search for those files if changing the registry entries failed?
#5
A complete miss. Listen to my words, not only read.
Obtaining the location of the exe/dll gives you nothing. Read my previous post once again. You should understand what role a driver plays in the system - notice it operates on kernel level.... You can kill/disable DaemonTools in a proper (professional) way. "what else can you do to search for those files if changing the registry entries failed?" Forget this idea - it is too simple and not effective. Scanning files/directories/registry is not the way. What if I change the file name? What if I change the registry key location? What if I change the registry data? Think about it. Good luck.