-
Jul 2nd, 2009, 01:16 PM
#1
Thread Starter
Hyperactive Member
[RESOLVED] CRC - Self Referencing Routines
Hello All,
While I have some great CRC routines that examine external programs for tampering before they are launched by my main program, I would also like my main program to look itself over to see if it has been tampered with or perhaps infected by a virus.
Because of the self-referencing problems associated with storing a CRC value within an EXE that will be inspecting itself with that value, I would like to know if you can give me ideas of clever ways to store the CRC value externally, that would in itself be tamper resistant. Either that, or other neat tricks that would allow me to pull off an accurate self CRC-check?
I know that anti-virus programs often check themselves before scanning a system, but what methods are they using that avoid self-referencing problems?
Thanks!
Quiver
P.S. I am aware that people are capable of breaking any security measure when determined, but I still want to try to make my routines tamper resistant.
-
Jul 2nd, 2009, 02:57 PM
#2
Re: CRC - Self Referencing Routines
If it's guaranteed that the program will be on a computer hooked to the internet, the best way would be to get the CRC from an external website.
Slipping it into the registry as an encrypted string works well.
I wouldn't try to hide it in the filesystem since different users have different levels of lockdown and you never know what areas of the filesystem your program has access to except for the areas meant for common data storage.
Really, hide it anywhere you like. The primary vector of attack in your program is to alter the check routine to always "Return True" regardless of any cartwheels the routine is doing to check itself or compare CRCs.
-
Jul 3rd, 2009, 12:30 AM
#3
Thread Starter
Hyperactive Member
Re: CRC - Self Referencing Routines
Thanks, Jenner! I had not considered the Internet route, at all.
I had thought of encrypting the CRC value and sticking it into the registry, but I figured that was pretty easy to alter in a brute force style since it is such a tiny value. I guess I can pad the value, and then encrypt it so it is larger and harder to pick apart.
Really the whole thing is just a helpful measure since, as you stated, it is pretty easy for someone to change the code so that a failing CRC value becomes a true value.
Thanks for your ideas!
-
Jul 4th, 2009, 03:16 PM
#4
Re: CRC - Self Referencing Routines
Perhaps steganography could come in handy in this instance?
-
Jul 4th, 2009, 05:11 PM
#5
Thread Starter
Hyperactive Member
Re: CRC - Self Referencing Routines
Perhaps. I have seen programs that can hide information within JPG files. Maybe that is a good way to go. Thanks!
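An added example, not code from any poster in this thread: one way around the self-referencing problem raised in the first post is to append the check value as a trailer and leave that trailer out of the computation. It swaps the CRC for HMAC-SHA256, because a plain CRC can be recomputed by whoever alters the file. `MAGIC`, `seal`, `verify`, `verify_file` and the demo key are hypothetical names, and the sketch assumes the executable format tolerates bytes appended after the image.

```python
import hashlib
import hmac

MAGIC = b"SELFCHK1"                      # constructed marker for the trailer
TAG_LEN = hashlib.sha256().digest_size   # 32 bytes
TRAILER_LEN = len(MAGIC) + TAG_LEN


def seal(image: bytes, key: bytes) -> bytes:
    """Build step: append MAGIC + HMAC-SHA256(image) to the finished binary."""
    tag = hmac.new(key, image, hashlib.sha256).digest()
    return image + MAGIC + tag


def verify(sealed: bytes, key: bytes) -> bool:
    """Run-time step: authenticate everything except the trailer itself."""
    if len(sealed) < TRAILER_LEN:
        return False
    body, trailer = sealed[:-TRAILER_LEN], sealed[-TRAILER_LEN:]
    if trailer[:len(MAGIC)] != MAGIC:
        return False  # trailer stripped or never added
    expected = hmac.new(key, body, hashlib.sha256).digest()
    # Constant-time comparison of the recomputed and stored tags.
    return hmac.compare_digest(expected, trailer[len(MAGIC):])


def verify_file(path: str, key: bytes) -> bool:
    """Convenience wrapper: a program would pass the path of its own file."""
    with open(path, "rb") as fh:
        return verify(fh.read(), key)


if __name__ == "__main__":
    key = b"constructed-demo-key"            # constructed sample key
    image = b"MZ" + bytes(range(256)) * 4    # constructed stand-in for an EXE
    sealed = seal(image, key)
    print("intact:  ", verify(sealed, key))

    tampered = bytearray(sealed)
    tampered[10] ^= 0x01                     # flip one bit in the body
    print("tampered:", verify(bytes(tampered), key))
```

The key still has to live inside the program, so this catches accidental corruption and casual modification but does not address a patched check routine, the limitation noted in post #2.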