cgallagher
asked on
Marking start and end of functions for CRC checks
Firstly, I writing in C for a Dos platform. This is using the Microsoft C compliers.
I have an issue with security on a certain piece of code in our software. It is a standard piece of code and I need to be able to perform a CRC on it to ensure that it hasn't been tampered with or an incorrect exe verion put on the computer. My problem is that the code around this may change (bug fixes, s/w additions, etc.) so I need to be able to check this particular part of the exe to ensure it hasn't changed.
The second option is to isolate the function into an exe of it's own, but this is a last resort because of the way the function works with the rest of the code. Changing it to be an independant exe will cause other more awkward security issues that will have to be dealt with.
The 2nd option I know how to do -> so I do not need advice with it. I need ideas on my first point. How do I mark the entry and exit points of a function so that a particular code section can be CRC checked?
Regards,
C.
I have an issue with security on a certain piece of code in our software. It is a standard piece of code and I need to be able to perform a CRC on it to ensure that it hasn't been tampered with or an incorrect exe verion put on the computer. My problem is that the code around this may change (bug fixes, s/w additions, etc.) so I need to be able to check this particular part of the exe to ensure it hasn't changed.
The second option is to isolate the function into an exe of it's own, but this is a last resort because of the way the function works with the rest of the code. Changing it to be an independant exe will cause other more awkward security issues that will have to be dealt with.
The 2nd option I know how to do -> so I do not need advice with it. I need ideas on my first point. How do I mark the entry and exit points of a function so that a particular code section can be CRC checked?
Regards,
C.
ASKER
Ok, that will work if I want to check the CRC of a function within my own executable and that may be sufficient... but I don't think it will. You see if the "CHECK_ME" function was changed how do we know that the "CRC_CHECK" function hasn't been changed as well!!! This is mainly my problem.
Therefore, how do I do a CRC check on that function from another executable, i.e.:
If my executable is "prog.exe" I would like to be able to check the function by running:
crc_chk c:\mydir\prog.exe
the program will be hard coded to check for the particular function (by using the entry and exit points of the function) within the executable... I don't know will you have to load the "prog.exe" into memory first and then check the function??? or can you check the actual executable file itself???
Here's an idea, would it be similar to the way an application finds a function entry point in a DLL? I persume it would...
Thanks for the response!
C.
Therefore, how do I do a CRC check on that function from another executable, i.e.:
If my executable is "prog.exe" I would like to be able to check the function by running:
crc_chk c:\mydir\prog.exe
the program will be hard coded to check for the particular function (by using the entry and exit points of the function) within the executable... I don't know will you have to load the "prog.exe" into memory first and then check the function??? or can you check the actual executable file itself???
Here's an idea, would it be similar to the way an application finds a function entry point in a DLL? I persume it would...
Thanks for the response!
C.
oh, licensing.. now that's a lot harder. The usual way is obscurity, encrypt some very important program data using a key generated by hashing the check_me function. If check_me is frigged, the key will be invalid, and the data useless. This will not stop a determined hack, but very little, if anything, can.
Is it possible for you to deliver your piece as an obj (or library) file?
An easy technique would be to NOT show source code. You can pre-compile your code into one or many linkable .obj or .lib files that act as black boxes. You would only need to provide the interface (usually through the header file) of the functions and/or classes.
This would be better than an isolated EXE because it becomes an internal part of the finished product.
If the project requires multiple platforms, you can create seperate lib/obj files for each situation (16, 32 bit, etc.)
I guess it depends on how REALLY secure you need it to be.
An easy technique would be to NOT show source code. You can pre-compile your code into one or many linkable .obj or .lib files that act as black boxes. You would only need to provide the interface (usually through the header file) of the functions and/or classes.
This would be better than an isolated EXE because it becomes an internal part of the finished product.
If the project requires multiple platforms, you can create seperate lib/obj files for each situation (16, 32 bit, etc.)
I guess it depends on how REALLY secure you need it to be.
Try this:
int MyImportantProc(...)
{
DWORD address1,address2;
__asm mov address1,offset beginCRC
__asm mov address2,offset endCRC
CheckCRC(address1,address2
beginCRC: // begin of code to CRC check
//..here is your very important piece of code
endCRC: // end of code to be CRC checked
//CheckCRC(address1,addres
return 0;
}
int MyImportantProc(...)
{
DWORD address1,address2;
__asm mov address1,offset beginCRC
__asm mov address2,offset endCRC
CheckCRC(address1,address2
beginCRC: // begin of code to CRC check
//..here is your very important piece of code
endCRC: // end of code to be CRC checked
//CheckCRC(address1,addres
return 0;
}
ASKER
ecw:
Ok it's not quite licencing. Its so that external auditors can check the piece of code so that it hasn't changed. This is why we need the external checker and also why I don't think a built in function will work. We don't really care about piracy etc. because considering the area we are in the people don't have a clue about that. So it's not security in the sense that we don't want people copying our s/w. It's more about another company saying: can we trust that your s/w hasn't changed in the area we are concerned with???
Triskelion:
We are not supplying a universal library etc. So we cannot supply a library to out customers. I cannot either supply an obj or source code. What I am trying to get around is isolating it from the program itself. I can isolate it but it will pose other security issues so all I am looking for is a way to CRC it while within the same executable. Supplying an obj file will not help me because I cannont give that to the customer. Actually performing the CRC check is not the problem just yet. It's marking the area I wish to perform the CRC around. I need to be able to run a program on a site that will tell me if the function is intact.
Ok it's not quite licencing. Its so that external auditors can check the piece of code so that it hasn't changed. This is why we need the external checker and also why I don't think a built in function will work. We don't really care about piracy etc. because considering the area we are in the people don't have a clue about that. So it's not security in the sense that we don't want people copying our s/w. It's more about another company saying: can we trust that your s/w hasn't changed in the area we are concerned with???
Triskelion:
We are not supplying a universal library etc. So we cannot supply a library to out customers. I cannot either supply an obj or source code. What I am trying to get around is isolating it from the program itself. I can isolate it but it will pose other security issues so all I am looking for is a way to CRC it while within the same executable. Supplying an obj file will not help me because I cannont give that to the customer. Actually performing the CRC check is not the problem just yet. It's marking the area I wish to perform the CRC around. I need to be able to run a program on a site that will tell me if the function is intact.
If something has changed in the target area, will you disable the program?
ASKER
Another point I would like to pose.
If you generate a MAP file with your exe could you potentially use the functions info to locate their respective position within your exe? Or could you potentially use this MAP file in my situation at all?
Regards,
C.
If you generate a MAP file with your exe could you potentially use the functions info to locate their respective position within your exe? Or could you potentially use this MAP file in my situation at all?
Regards,
C.
ASKER
Triskelion.
Yes. If the function has changed then the program will not run, or will not be allowed to run. This does not neccessarily mean that the program itself has to detect this. Maybe by calling an external program, this external program can check it for us. This means that this "external program" can be run manually as well.
Regards,
C.
Yes. If the function has changed then the program will not run, or will not be allowed to run. This does not neccessarily mean that the program itself has to detect this. Maybe by calling an external program, this external program can check it for us. This means that this "external program" can be run manually as well.
Regards,
C.
You could tag the routine using inline assembler like this:
#pragma optimize("", off)
void Test()
{
// Begin tag
__asm
{
jmp RoutineStart
mov al,'*'
mov ah,'*'
mov al,'*'
mov ah,'S'
mov al,'T'
mov ah,'A'
mov al,'R'
mov ah,'T'
mov al,'*'
mov ah,'*'
mov al,'*'
RoutineStart:
}
// Your code
TRACE("Test test\n");
__asm
{
jmp RoutineEnd
mov al,'*'
mov ah,'*'
mov al,'*'
mov ah,'E'
mov al,'N'
mov ah,'D'
mov al,'*'
mov ah,'*'
mov al,'*'
RoutineEnd:
}
}
#pragma optimize("", on)
Then you could identify the starting point of your code by searching for the starting tag:
EB 16 B0 2A B4 2A B0 2A B4 53 B0 54 B4 41 B0 B4 B0 B4 B0 2A
The ending tag would look like this:
EB 12 B0 2A B4 2A B0 2A B4 45 B0 4E B4 44 B0 B4 B0 2A
I hope this help.
Good Luck,
Steve
#pragma optimize("", off)
void Test()
{
// Begin tag
__asm
{
jmp RoutineStart
mov al,'*'
mov ah,'*'
mov al,'*'
mov ah,'S'
mov al,'T'
mov ah,'A'
mov al,'R'
mov ah,'T'
mov al,'*'
mov ah,'*'
mov al,'*'
RoutineStart:
}
// Your code
TRACE("Test test\n");
__asm
{
jmp RoutineEnd
mov al,'*'
mov ah,'*'
mov al,'*'
mov ah,'E'
mov al,'N'
mov ah,'D'
mov al,'*'
mov ah,'*'
mov al,'*'
RoutineEnd:
}
}
#pragma optimize("", on)
Then you could identify the starting point of your code by searching for the starting tag:
EB 16 B0 2A B4 2A B0 2A B4 53 B0 54 B4 41 B0 B4 B0 B4 B0 2A
The ending tag would look like this:
EB 12 B0 2A B4 2A B0 2A B4 45 B0 4E B4 44 B0 B4 B0 2A
I hope this help.
Good Luck,
Steve
ASKER
Steve,
I created an exe with the above code inserted into the beginning and end of my function, and #pragma before and after the function. I then tried searching for the above with the exe file opened in both binary and text mode, but I couldn't find the tag.
Any Ideas? Would it be anything to do with my project compile or link settings?
Conor.
I created an exe with the above code inserted into the beginning and end of my function, and #pragma before and after the function. I then tried searching for the above with the exe file opened in both binary and text mode, but I couldn't find the tag.
Any Ideas? Would it be anything to do with my project compile or link settings?
Conor.
ASKER
Just a note to anyone who may not have fully gathered what I'm trying to do. I may not have specified this clearly in my initial question. I'm trying to find the location of the code module by searching through the actual exe file on the hard disk (or even the resident program when loaded into memory).
Regards,
C.
Regards,
C.
My hex codes to search for were copied wrong:
Start tag:
eb 16 b0 2a b4 2a b0 2a b4 53 b0 54 b4 41 b0 52 b4 54 b0 2a b4 2a b0 2a
End tag:
EB 12 B0 2A B4 2A B0 2A B4 45 B0 4E B4 44 B0 2a b4 2a b0 2a
Start tag:
eb 16 b0 2a b4 2a b0 2a b4 53 b0 54 b4 41 b0 52 b4 54 b0 2a b4 2a b0 2a
End tag:
EB 12 B0 2A B4 2A B0 2A B4 45 B0 4E B4 44 B0 2a b4 2a b0 2a
ASKER
I cannot even locate the string:
"eb 16 b0"
within my exe. I can find plenty of
"eb 16"
codes but when I try search for it plus the rest of the codes it doesn't seem to find it. I am using Visual C++ 6 to open the file in binary mode. I also tried opening the exe in wordpad to see if that made a difference but I still couldn't locate it.
C.
"eb 16 b0"
within my exe. I can find plenty of
"eb 16"
codes but when I try search for it plus the rest of the codes it doesn't seem to find it. I am using Visual C++ 6 to open the file in binary mode. I also tried opening the exe in wordpad to see if that made a difference but I still couldn't locate it.
C.
I created a stock "Hello World" console application and built it in debug mode with the Test() function and found the routine using VC++ 6.
ASKER
Ok. I see the issue here. I'm using Visual C++ 1.52 to create my exe. I have to use this for creating 16 bit exe's for dos machines. You are using Visual C++ 6 to create your exe's. I changed over to Visual C++ 6 just to test this and I successfully located the string.
I cannot use Visual C++ 6 to create final exe's because my target machines are MsDos machines. I stated in my original question that my target platform was MsDos. Maybe I wasn't really clear about what compilers I was using. When I said Microsoft compilers, I meant either "Microsoft C 6" or "Visual C++ 1.52". Visual C++ 6 cannot create 16 bit exe's for MsDos. They can only create 32 bit exe's which won't run is Dos mode. They run in windows console mode.
Have you any ideas about how I could locate this string if using these compilers?
C.
I cannot use Visual C++ 6 to create final exe's because my target machines are MsDos machines. I stated in my original question that my target platform was MsDos. Maybe I wasn't really clear about what compilers I was using. When I said Microsoft compilers, I meant either "Microsoft C 6" or "Visual C++ 1.52". Visual C++ 6 cannot create 16 bit exe's for MsDos. They can only create 32 bit exe's which won't run is Dos mode. They run in windows console mode.
Have you any ideas about how I could locate this string if using these compilers?
C.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Sorry I didn't get back sooner. Was busy. I checked that out and it was only when you mentioned disassembly that I decked what you were getting at. For a 16 bit app it seems to start with the codes
E9 16 00
So thats where I was getting the problem. It's what I was lookin for so you get full marks.
E9 16 00
So thats where I was getting the problem. It's what I was lookin for so you get full marks.
Thanks. I thought I responded to your last comment from 6/4 and suggested that this might be the case. Must have not pressed submit... Good luck :)
ASKER
In case you still have e-mail notification on I must say that I had a slight problem with code and I am going to post a new question. The is that if you change code OUTSIDE of the function you are marking the codes within the function change slightly (possibly due to using different registers or something I'm not sure why). If you're interested you might want to look out for the question.
C.
C.
int check_me(void) { ....
}
void check_me_end(void) {}
int crc_check(void) {
char *start = (char *) check_me;
char *end = (char *) check_me_end;
}