I am developing a simple application using C and would like to know if there is any way I can detect when the application has been tampered with. Based on my knowledge, a hash is one way to ensure the integrity of data, but I don't know how to hard-code the hash of the process inside my code when I am compiling it, or even whether that's a good way to do it. Any help/hint is highly appreciated.
You'd have to define a var with some space for your hash (whatever hash algorithm you use), compute the hash of the binary AFTER compilation, and embed that hash in the reserved space. That also implies you'd have to EXCLUDE the reserved space from the hash calculation, because adding the hash after the fact will also change the hash of the entire file. – Marc B Nov 10 '14 at 20:09
Plus, the on-disk representation of a binary is not going to be the same as what's loaded into memory. You'd want to hash ONLY the code blocks of the binary and omit any metadata like linker/compiler information. – Marc B Nov 10 '14 at 20:10
You need to be more specific about where your code runs and what you're trying to defend against. – nobody Nov 10 '14 at 21:02
Thanks for your comments. Let me be more specific. I got a parent process (called A) and a child process (called B). From A's point of view, I can detect tampering by hard-coding the hash(B) into A. Apart from that, I want to detect tampering from B itself too. – mazkopolo Nov 10 '14 at 21:53
1 Answer
You should protect your hash from static modifications (while your app is on disk). For example, you can sign it with some private key which will be hidden somewhere in the tamper detection code. I can't tell you how you can hide it, because it should be your secret.
To have a self-verifying executable you can allocate the hash in the sources but instruct the compiler to store it in a named PE/ELF section. When signing your binary, exclude your named section from the hash calculation and store the calculated hash inside it.
To put the hash into a named section with Microsoft compilers you can use
/* declare a read-only section "tdhash" and reserve 32 zero bytes in it for the digest */
#pragma section("tdhash", read)
__declspec(allocate("tdhash")) const unsigned char hash[32] = {0};
for GCC compilers:
/* same reservation, placed in section "tdhash" by the GCC section attribute */
const unsigned char hash[32] __attribute__ ((section ("tdhash"))) = {0};
Note: After changing the PE you may want to update the checksum in the header, and also exclude the checksum field from the hash calculation. A sample for that is in the "How to prevent “check integrity” load failures" Microsoft KB article, available at https://technet.microsoft.com/ru-ru/library/ee829684

One of Intel SW product provide similar capability. Search for Tamper Protection there. – Andrey May 20 '15 at 08:04
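The exclude-then-embed step that the comments and the answer describe, as an added example that is not code from the question, the answer or any linked article: a constructed in-memory byte array stands in for the binary, a fixed slot in it stands in for the "tdhash" section, and 64-bit FNV-1a is a short stand-in for the real digest (a build would use SHA-256; the slot-exclusion logic is the same for any hash). The constants, the image contents and the function names are all assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed "binary image": IMG_LEN bytes of pretend code, with a SLOT_LEN-byte
 * slot at SLOT_OFF standing in for the named "tdhash" section from the answer. */
#define IMG_LEN  64
#define SLOT_OFF 40
#define SLOT_LEN 8

/* Stand-in digest (64-bit FNV-1a) to keep the example short; a real build would
 * use SHA-256. The slot-exclusion logic is the same for any hash function. */
static uint64_t fnv1a(uint64_t h, const uint8_t *p, size_t n)
{
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x100000001b3ULL; }
    return h;
}

/* Hash every byte except the slot, so the value is the same before and after
 * the digest is written into it (the pitfall the comments warn about). */
uint64_t hash_excluding_slot(const uint8_t *img)
{
    uint64_t h = fnv1a(0xcbf29ce484222325ULL, img, SLOT_OFF);
    return fnv1a(h, img + SLOT_OFF + SLOT_LEN, IMG_LEN - SLOT_OFF - SLOT_LEN);
}

/* Post-build step: write the digest (little-endian) into the reserved slot. */
void embed_hash(uint8_t *img)
{
    uint64_t h = hash_excluding_slot(img);
    for (int i = 0; i < SLOT_LEN; i++) img[SLOT_OFF + i] = (uint8_t)(h >> (8 * i));
}

/* Run-time self-check: recompute the digest and compare with the stored one. */
bool verify_image(const uint8_t *img)
{
    uint64_t stored = 0;
    for (int i = 0; i < SLOT_LEN; i++) stored |= (uint64_t)img[SLOT_OFF + i] << (8 * i);
    return hash_excluding_slot(img) == stored;
}

/* Returns 0 when the embed/verify round trip works and a one-byte patch is caught. */
int run_self_check_demo(void)
{
    uint8_t img[IMG_LEN];
    for (int i = 0; i < IMG_LEN; i++) img[i] = (uint8_t)(0x90 + i * 7); /* fake code bytes */
    memset(img + SLOT_OFF, 0, SLOT_LEN);              /* slot zeroed, as {0} in the source */
    uint64_t before = hash_excluding_slot(img);
    embed_hash(img);
    if (hash_excluding_slot(img) != before) return 1; /* slot leaked into the hash */
    if (!verify_image(img)) return 2;                 /* untampered image must pass */
    img[3] ^= 0x01;                                   /* simulate one patched code byte */
    return verify_image(img) ? 3 : 0;                 /* tampering must be detected */
}
```

Note that this only covers the on-disk digest; the PE checksum field mentioned in the answer would need to be excluded in the same way as the slot, and a digest without a signature can be recomputed by whoever patches the file.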