Page 1 of 2
Self Virus Check / Exec Alteration
Posted: Fri Sep 04, 2020 2:31 pm
by J. Baker
A way to check if a virus has infected your own program. Viruses usually attach themselves to the beginning and end of an executable. Without going into a lot of detail about that, either way, it will increase the size of your executable. Replacement code is possible but not as likely as the virus usually wants the program to behave normally, so it can run undetected. The following code is not 100% full proof but may hopefully stop a virus from doing its task or at least alert the user that their system is infected.
Code: Select all
CipherSize$ = "b5af67c75b77f50bc437618b36d0403938006fa4a1bc9d7495972498"
UseSHA2Fingerprint()
If StringFingerprint(Str(FileSize(ProgramFilename())), #PB_Cipher_SHA2, 224) <> CipherSize$
MessageRequester("ERROR!", "The program has been altered by other means than the developer intended and will now quit.")
EndIf
;The rest of your programs code goes after the file size checking code.
;-------------------------------------------------------------------------------
;The code below should be run on an executable after it has been compiled.
;You will have to compile twice in order to get the correct cipher size.
;CipherSize$ is just a way to hide the actual file size from a virus but is not 100% protection.
;Debug StringFingerprint(Str(FileSize(ProgramFilename())), #PB_Cipher_SHA2, 224)
Re: Self Virus Check / Exec Alteration
Posted: Fri Sep 04, 2020 2:40 pm
by J. Baker
You can also file fingerprint your own executable but takes a couple compiles, a hex editor, and an offset (that depends on the executable size). So either way, a file size check would have to be done. Just thought I would mention it in case anyone wanted to go one step further.
Re: Self Virus Check / Exec Alteration
Posted: Sat Sep 05, 2020 10:38 am
by Little John
I like the idea, thank you!
However, during development this would be quite annoying.
So I'd only include it in the final EXE file:
Code: Select all
CompilerIf #PB_Editor_CreateExecutable
CipherSize$ = "b5af67c75b77f50bc437618b36d0403938006fa4a1bc9d7495972498"
UseSHA2Fingerprint()
If StringFingerprint(Str(FileSize(ProgramFilename())), #PB_Cipher_SHA2, 224) <> CipherSize$
MessageRequester("ERROR!", "The program has been altered by other means than the developer intended and will now quit.")
End
EndIf
CompilerEndIf
(The constant
#PB_Editor_CreateExecutable can only be used after it has been activated in the compiler options.)
Re: Self Virus Check / Exec Alteration
Posted: Sat Sep 05, 2020 11:56 am
by Saki
Nice Idea
Re: Self Virus Check / Exec Alteration
Posted: Sat Sep 05, 2020 1:22 pm
by J. Baker
Good idea Little John. That's better than commenting and removing comments. Thanks for posting.
Re: Self Virus Check / Exec Alteration
Posted: Sat Sep 05, 2020 3:33 pm
by Saki
There are several possible solutions J.Baker
It just requires the most appropriate description of the requirements for your needs.
These are standard procedures, nothing new.
I have no problems with it, these codes I have ready, not crackable and enhanced, all necessary write and read routines.
I was just about to post them now.
If you find it funny, if I try to give you an exact description of the procedure,
you just have to see for yourself how it works.
Re: Self Virus Check / Exec Alteration
Posted: Sat Sep 05, 2020 4:23 pm
by J. Baker
Saki, fill free to post.
Re: Self Virus Check / Exec Alteration
Posted: Sat Sep 05, 2020 6:22 pm
by kvitaliy
Standard way for Windows using the API
MapFileAndCheckSum
Protection will work even if you change 1 bit!
Code: Select all
szFullPath.s=ProgramFilename()
dwFileChecksum.l = 0: dwRealChecksum.l = 0
sz.s = "Hello" ; replace at least 1 character in EXE
MapFileAndCheckSum_(@szFullPath, @dwFileChecksum, @dwRealChecksum)
If dwFileChecksum<>dwRealChecksum
MessageRequester(sz, "the checksum is Not correct = " + Str(dwFileChecksum) +" R="+ dwRealChecksum)
Else
MessageRequester(sz, "the checksum is correct= " + Str(dwFileChecksum) +" R="+ dwRealChecksum)
EndIf
For correct operation, you need to create and connect a text file (linker.txt) with the following content:
/RELEASE
Re: Self Virus Check / Exec Alteration
Posted: Sat Sep 05, 2020 7:54 pm
by Saki
MapFileAndCheckSum - Microsoft wrote :
Note The Unicode implementation of this function calls the ASCII implementation and as a result, the function can fail if the codepage does not support the characters in the path. For example, if you pass a non-English Unicode file path, and the default codepage is English, the unrecognized non-English wide chars are converted to "??" and the file cannot be opened (the function returns CHECKSUM_OPEN_FAILURE).
I'll give you a little tip.
The easiest solution is to add a small hash to the file name.
This can looks like this: MyFile[edadefcd].exe (CRC32 simplest)
This can also be very easily removed again automatically.
You can simplest check the file length or the whole content.
The more complex and password-dependent the hash, the more secure.
Entire directories can be automatically protected and checked in a few seconds.
Re: Self Virus Check / Exec Alteration
Posted: Sun Sep 06, 2020 6:26 am
by Bitblazer
The next step would be to add
executable compression and
code signing. Both have their uses and also disadvantages*, but sadly none of them are the ultimate solution against malware**.
*UPX and others have raised many false AV warnings on end-user machines and due to that making end-users think the executable is suspicious
**some malware can intercept and manipulate API calls to hide itself. So no virus scanner or executable check can spot them on an infected system anymore.
Re: Self Virus Check / Exec Alteration
Posted: Sun Sep 06, 2020 7:12 am
by Little John
Thank you, kvitaliy! This is very interesting.
Re: Self Virus Check / Exec Alteration
Posted: Sun Sep 06, 2020 7:35 am
by BarryG
kvitaliy wrote:Standard way for Windows using the API
MapFileAndCheckSum
Protection will work even if you change 1 bit!
Code: Select all
szFullPath.s=ProgramFilename()
dwFileChecksum.l = 0: dwRealChecksum.l = 0
sz.s = "Hello" ; replace at least 1 character in EXE
MapFileAndCheckSum_(@szFullPath, @dwFileChecksum, @dwRealChecksum)
If dwFileChecksum<>dwRealChecksum
MessageRequester(sz, "the checksum is Not correct = " + Str(dwFileChecksum) +" R="+ dwRealChecksum)
Else
MessageRequester(sz, "the checksum is correct= " + Str(dwFileChecksum) +" R="+ dwRealChecksum)
EndIf
For correct operation, you need to create and connect a text file (linker.txt) with the following content:
/RELEASE
I agree with Little John; the above is a FANTASTIC tip for detecting alteration of our Windows executables. Thanks!
Re: Self Virus Check / Exec Alteration
Posted: Sun Sep 06, 2020 9:20 am
by Joris
I feel a bit stupid but ...
I know my Programname of course, but how to know the full path where the exe will become placed (by the user) for ProgramFilename() ?
Re: Self Virus Check / Exec Alteration
Posted: Sun Sep 06, 2020 9:27 am
by BarryG
That's what ProgramFilename() is for. You don't need to know where the user puts your exe. It gets the exe's path and filename at runtime.
Re: Self Virus Check / Exec Alteration
Posted: Sun Sep 06, 2020 5:23 pm
by J. Baker
kvitaliy wrote:Standard way for Windows using the API MapFileAndCheckSum
Protection will work even if you change 1 bit!
Very nice! Thanks!