How to retrieve the size of a procedure?

[Keya]

Whoa, how presumptive! ... When in doubt presume the programmer is writing malware!?!?!?

I didn't say anything about malware and presumed nothing.

I misunderstood because you were talking about injecting, I apologise

Performing a checksum on the size of a procedure wouldn't work as you can't inject additional ASM into a compiled image without offsetting hard-coded pointers. Generally these types of changes are either NOPs or replacing ASM with something else but without changing the effective size.

I'm quite confused sorry. I'm not injecting anything or doing any Asm, and i'm not sure what you mean about hard-coded pointers. If you mean the address fixups/relocations that's not an issue because they're already done by the (PE/Mach/Elf) loader for me by the time I make the first checksum of my protected procedure, which i do from my main startup procedure.

It's very simple, something like this pseudocode ...

Code: Select all

Global Checksum
 
Procedure MyProtectedProc()
  ;my procedure i dont want modified by crackers
EndProcedure

Procedure WatcherThread()
  Repeat
    Calculated = CRC(@MyProtectedProc(), GetProcSize(@MyProtectedProc()))
    If Calculated <> Checksum
      Messagebox("Error","Procedure modified"): End
    EndIf
    Delay(1000)
  Forever
EndProcedure

Procedure Main()
 Checksum = CRC(@MyProtectedProc(), GetProcSize(@MyProtectedProc()))
 Create Thread WatcherThread()
EndProcedure

Main()

It seems to be working fine, for example if i set a software breakpoint anywhere in the protected procedure. It wont detect modifications made before my first checksum calculation and i know its trivial to defeat but thats ok i still like it!

[Mistrel]

Calculated = CRC(@MyProtectedProc(), GetProcSize(@MyProtectedProc()))

This is OK because it performs a calculation on the bytes. I thought you were just comparing sizes.