trancexx, Posted September 8, 2014 (edited)

There was a thread in the general support forum the other day about the possibility of a compiled executable verifying its own binary integrity when run. I can't find the topic now to link it, but meh, never mind.

The logical solution is to calculate a checksum of the exe and save it somewhere. Later, when the executable is run, the checksum is calculated again and compared to the saved value. If they match, all is OK, and if they don't, the exe was altered and verification fails.

The obvious problem is how and where to store the hash value.

An alternate data stream seems the simplest solution. That way the hash is bound to the exe only and the risks of unwanted manipulations are relatively low. The problem could be if the exe is saved and run from non-NTFS file systems. Another problem is that any read/write action on the exe file usually ends up with the ADS being deleted.

The other solution is registry writing, but that binds the exe and hash to the system. For another system (or even user) the checking wouldn't be valid.

The third solution is using some sort of ini file. But that means the ini has to go everywhere the exe goes, otherwise again the check wouldn't make sense. And it would be too simple for someone to manipulate the data, to the level the check wouldn't make sense.

So, this is kind of a fourth option. The CheckSumVerify2.a3x script below is an include file that will calculate the hash of the executable on the first run, save it directly inside that executable using a special technique, and recheck the hash on every new run. If the new hash doesn't match the saved one, the script will show a message box saying that and further execution will be aborted.

CheckSumVerify2.a3x

Just to say that I haven't done any complicated tests to see if it would work in outer space, or even on all supported systems. However, my guess is it should work.

Don't UPX the compiled executables, because I'm calculating the checksum of the image on disk and not the one in memory.

Here's a small example of usage:

    #include "CheckSumVerify2.a3x"

    ; MsgBox flags: 64 = information icon, 262144 = top-most window
    If @Compiled Then
        MsgBox(64 + 262144, "Aha!", "This is an example exe that does nothing except showing this message." & @CRLF & @CRLF & _
                "But if you change the binary of me I will show error message and won't allow further execution." & @CRLF & _
                $cmdlineraw)
    Else
        MsgBox(64 + 262144, "Hey", "This is an example script that does nothing except showing this message." & @CRLF & @CRLF & _
                "But if you compile me I will check binary integrity of the compiled executable every time its run.")
    EndIf

If something doesn't work, or if you have any questions, simply post here. I'll do my best to answer.

(Edited December 22, 2015 by trancexx)

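Added example, not part of the thread and not the code inside CheckSumVerify2.a3x (the post does not describe its embedding technique): one common way to keep a hash inside the file it covers is to reserve a fixed-size slot and hash the on-disk bytes with that slot zeroed. The marker, slot layout and sample bytes are assumptions made for this sketch, written in Python so it can be run anywhere.

```python
import hashlib
import hmac

MARKER = b"--SELFHASH--"                 # hypothetical tag that locates the slot
SLOT_LEN = hashlib.sha256().digest_size  # 32 bytes reserved right after MARKER
EMPTY = bytes(SLOT_LEN)                  # all-zero slot means "not stamped yet"


def slot_offset(image: bytes) -> int:
    """Return the offset of the reserved slot, or raise if it is missing."""
    pos = image.find(MARKER)
    if pos < 0 or pos + len(MARKER) + SLOT_LEN > len(image):
        raise ValueError("no reserved hash slot in image")
    return pos + len(MARKER)


def digest_without_slot(image: bytes) -> bytes:
    """SHA-256 of the on-disk bytes with the slot zeroed, so storing the
    digest in the slot does not change the value being stored."""
    off = slot_offset(image)
    return hashlib.sha256(image[:off] + EMPTY + image[off + SLOT_LEN:]).digest()


def stamp(image: bytes) -> bytes:
    """First run: write the digest into the slot (file length is unchanged)."""
    off = slot_offset(image)
    return image[:off] + digest_without_slot(image) + image[off + SLOT_LEN:]


def check(image: bytes) -> str:
    """Later runs: 'unstamped', 'ok' or 'altered'."""
    off = slot_offset(image)
    stored = image[off:off + SLOT_LEN]
    if stored == EMPTY:
        return "unstamped"
    same = hmac.compare_digest(stored, digest_without_slot(image))
    return "ok" if same else "altered"


# Constructed stand-in for a compiled executable (not a real PE file).
SAMPLE = b"MZ" + b"\x90" * 64 + MARKER + EMPTY + b"compiled script bytes"

if __name__ == "__main__":
    stamped = stamp(SAMPLE)
    flipped = stamped[:10] + bytes([stamped[10] ^ 1]) + stamped[11:]
    repacked = stamped + b"\x00" * 16     # any rewrite of the file after stamping
    for name, img in [("fresh", SAMPLE), ("stamped", stamped),
                      ("one byte changed", flipped), ("rewritten", repacked)]:
        print(f"{name:18} {check(img)}")
```

Because the digest covers the image on disk, anything that rewrites the file after stamping (the UPX case mentioned in the post) fails the check. The stored value is only as trustworthy as the file that carries it, so this detects corruption and casual edits rather than providing protection, as the replies below also note.
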
JohnOne, Posted September 8, 2014 (edited)

Sends my computer up the wall ma'am.

Just sits there opening and closing instances of itself. Difficult to close too.

All I put was MsgBox(0,0,0)

EDIT: Only when compiled.

czardas, Posted September 8, 2014

I believe the thread you are referring to was moved to chat. I was playing with ideas like this myself yesterday. I'll have to try this later - on another machine. I'll get back!

trancexx (Author), Posted September 8, 2014 (edited)

I forgot to say that you need to run/compile it with some newer version of AutoIt interpreter. Newer stable, the better.

JohnOne, Posted September 8, 2014

Need newer than 3.3.12?

trancexx (Author), Posted September 8, 2014

Nope. Hm.

JohnOne, Posted September 8, 2014

Same results on 3.3.13.19 Beta

trancexx (Author), Posted September 8, 2014 (edited)

Could you comment out line 48 and give it another try?

...If something hasn't blown up by now.

Rich071, Posted September 8, 2014 (edited)

I tried a couple of tests against compiled EXE's only. I compiled using your msgbox text and added the #include "CheckSumVerify.au3" to one of my scripts. In both cases, I used a hex editor and made a one byte change to each EXE. When running both modified EXE's, I got the expected results, a message box, "Binary integrity can't be verified. Exiting...".

I like the fact that all you have to do is add #include "CheckSumVerify.au3" to include it in your script, and this could be done after all the testing and debugging is complete and right before distributing. I like this better than doing a hash compare, and the user knows to go get the file again.

However, I can see a possible issue. You had stated, do not use UPX. I would assume a similar issue would occur if you then added code signing to the EXE.

Overall, I like it.

Thanks,

Edit: I am using the latest AutoIt and Beta and spelling edit.

JohnOne, Posted September 8, 2014

Appears to perform normally with that line commented out. At least the craziness stopped and msgbox appeared and exited normally.

Haven't tried changing binary yet.

JohnOne, Posted September 8, 2014

Just as a comment, I tried to use an app to record the screen to gif to post it, but while the compiled script was running or was started it crashed the app with some .net error. That no longer occurs either.

czardas, Posted September 8, 2014 (edited)

I'm just wondering one thing: what is to stop someone from simply removing the line #include "CheckSumVerify.au3"?

JohnOne, Posted September 8, 2014

Nothing at all, well only that compiled scripts do not have includes, but I get what you mean.

You have to remember though, this is not some sort of protection, we all know there is no real way to do that, but it is a nice thing for your bog standard script developer to have in his handbag.

Don't forget, about 99.9999999 % of the population would not even know what decompile meant in terms of apps.

czardas, Posted September 8, 2014 (edited)

True, but I believe it is possible to take this a step further and make sure you can't just remove the checks by making them an integral part of the program. In other words, integrity checks actually become a real dependency. It's always nice to see new ideas that might assist, thanks trancexx.

trancexx (Author), Posted September 9, 2014

JohnOne, could you get back that line and comment-out line 30. This line reruns the exe after the modifications are being done on first run. When commented out, first run doesn't actually start your script. On next runs only the check is done and original script is executed.

FaridAgl, Posted September 9, 2014

What will happen if someone decompiles the source and compiles it again? I guess nothing, am I right?

jchd, Posted September 9, 2014

That's true with any self-contained "protection", whatever goal it has. So this is a moot point IMVHO.

JohnOne, Posted September 9, 2014

> JohnOne, could you get back that line and comment-out line 30. This line reruns the exe after the modifications are being done on first run. When commented out, first run doesn't actually start your script. On next runs only the check is done and original script is executed.

That seems to do the trick too.

czardas, Posted September 9, 2014 (edited)

Recompiling alters the binary. This detail can be used to good effect by breaking so much of the functionality that rebuilding the script would require more effort than simply starting afresh. Once decompiled, the script never runs ever again - at least not without enormous effort to fix it. I believe this to be a valid concept.

RTFC, Posted September 9, 2014

Dear trancexx,

Please clone yourself; the world needs more people like you.

A fan.