Self Virus Check / Exec Alteration

Share your advanced PureBasic knowledge/code with the community.
J. Baker
Addict
Posts: 2178
Joined: Sun Apr 27, 2003 8:12 am
Location: USA

Self Virus Check / Exec Alteration

Post by J. Baker »

A way to check if a virus has infected your own program. Viruses usually attach themselves to the beginning and end of an executable. Without going into a lot of detail about that, either way, it will increase the size of your executable. Replacement code is possible but not as likely, as the virus usually wants the program to behave normally so it can run undetected. The following code is not 100% foolproof but may hopefully stop a virus from doing its task or at least alert the user that their system is infected.

Code:

CipherSize$ = "b5af67c75b77f50bc437618b36d0403938006fa4a1bc9d7495972498"

UseSHA2Fingerprint()

; Compare the SHA-224 fingerprint of the current file size with the one recorded at build time
If StringFingerprint(Str(FileSize(ProgramFilename())), #PB_Cipher_SHA2, 224) <> CipherSize$
  MessageRequester("ERROR!", "The program has been altered by other means than the developer intended and will now quit.")
  End ; actually quit, as the message promises
EndIf

;The rest of your program's code goes after the file size checking code.

;-------------------------------------------------------------------------------
;The code below should be run on an executable after it has been compiled.
;You will have to compile twice in order to get the correct cipher size.
;CipherSize$ is just a way to hide the actual file size from a virus but is not 100% protection.

;Debug StringFingerprint(Str(FileSize(ProgramFilename())), #PB_Cipher_SHA2, 224)
Be sure to check out kvitaliy's code below too. viewtopic.php?p=559198#p559198
Last edited by J. Baker on Sun Sep 06, 2020 5:25 pm, edited 1 time in total.
www.posemotion.com

PureBasic Tools for OS X: PureMonitor, plist Tool, Data Maker & App Chef

Mac: 10.13.6 / 1.4GHz Core 2 Duo / 2GB DDR3 / Nvidia 320M
PC: Win 7 / AMD 64 4000+ / 3GB DDR / Nvidia 720GT


Even the vine knows it surroundings but the man with eyes does not.
J. Baker
Addict
Posts: 2178
Joined: Sun Apr 27, 2003 8:12 am
Location: USA

Re: Self Virus Check / Exec Alteration

Post by J. Baker »

You can also file fingerprint your own executable, but it takes a couple of compiles, a hex editor, and an offset (that depends on the executable size). So either way, a file size check would have to be done. Just thought I would mention it in case anyone wanted to go one step further.
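The two checks J. Baker describes (a fingerprint of the file size, and a fingerprint of the file contents patched into the executable at a known offset after a second compile) can be scripted instead of done by hand with a hex editor. The block below is an added Python example, not code from the thread: it uses a constructed byte string as a stand-in for the compiled executable, and a constructed marker (`__SELFHASH_`) so the hash field can be located automatically; both are assumptions of the example. It also shows the limit of the size-only scheme: a same-size patch passes the size fingerprint but fails the content hash.

```python
import hashlib

# Constructed marker that precedes the 64-hex-digit hash field inside the binary.
# A real build would put the field in a known data section instead.
MARKER = b"__SELFHASH_"
HASH_LEN = 64                      # SHA-256 hex digest length
PLACEHOLDER = MARKER + b"0" * HASH_LEN

def build_sample_binary(payload: bytes) -> bytes:
    """Constructed stand-in for a compiled executable: header, code, hash field, trailer."""
    return b"MZ" + b"\x90" * 16 + payload + PLACEHOLDER + b"\x00" * 8

def hash_field(image: bytes):
    """Locate the hash field: the 'offset' you would otherwise read off in a hex editor."""
    if image.count(MARKER) != 1:
        raise ValueError("hash marker must occur exactly once")
    off = image.index(MARKER) + len(MARKER)
    return off, HASH_LEN

def size_fingerprint(image: bytes) -> str:
    """The first post's scheme: SHA-224 of the decimal file size."""
    return hashlib.sha224(str(len(image)).encode()).hexdigest()

def content_hash(image: bytes) -> str:
    """SHA-256 over every byte of the image except the hash field itself."""
    off, n = hash_field(image)
    h = hashlib.sha256()
    h.update(image[:off])
    h.update(image[off + n:])
    return h.hexdigest()

def stamp(image: bytes) -> bytes:
    """Post-build step: write the content hash into the field.
    The field keeps its size, so the hash computed over the rest stays valid."""
    off, n = hash_field(image)
    return image[:off] + content_hash(image).encode("ascii") + image[off + n:]

def verify(image: bytes) -> bool:
    """Runtime check: recompute the content hash and compare with the stored field."""
    off, n = hash_field(image)
    return image[off:off + n] == content_hash(image).encode("ascii")

if __name__ == "__main__":
    original = stamp(build_sample_binary(b"program code"))
    appended = original + b"APPENDED"          # size change: both checks catch it
    patched = bytearray(original)
    patched[4] ^= 0xFF                         # same size: only the content hash catches it
    print("original ok:", verify(original))
    print("appended ok:", verify(appended), "size check same:", size_fingerprint(original) == size_fingerprint(appended))
    print("patched ok: ", verify(bytes(patched)), "size check same:", size_fingerprint(original) == size_fingerprint(bytes(patched)))
```

The stamping step is the second compile in J. Baker's description: the first build produces the placeholder, `stamp` fills it in, and the shipped file is the stamped one. Because the hash field is excluded from its own hash, no further rebuild is needed.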
Little John
Addict
Posts: 4527
Joined: Thu Jun 07, 2007 3:25 pm
Location: Berlin, Germany

Re: Self Virus Check / Exec Alteration

Post by Little John »

I like the idea, thank you!

However, during development this would be quite annoying.
So I'd only include it in the final EXE file:

Code:

CompilerIf #PB_Editor_CreateExecutable
   CipherSize$ = "b5af67c75b77f50bc437618b36d0403938006fa4a1bc9d7495972498"
   
   UseSHA2Fingerprint()
   
   If StringFingerprint(Str(FileSize(ProgramFilename())), #PB_Cipher_SHA2, 224) <> CipherSize$
      MessageRequester("ERROR!", "The program has been altered by other means than the developer intended and will now quit.")
      End
   EndIf
CompilerEndIf
(The constant #PB_Editor_CreateExecutable can only be used after it has been activated in the compiler options.)
Saki
Addict
Posts: 830
Joined: Sun Apr 05, 2020 11:28 am
Location: Pandora

Re: Self Virus Check / Exec Alteration

Post by Saki »

Nice Idea
Last edited by Saki on Sat Sep 05, 2020 1:30 pm, edited 1 time in total.
Peace on Earth
J. Baker
Addict
Posts: 2178
Joined: Sun Apr 27, 2003 8:12 am
Location: USA

Re: Self Virus Check / Exec Alteration

Post by J. Baker »

Good idea, Little John. That's better than commenting and removing comments. Thanks for posting. :D
Saki
Addict
Posts: 830
Joined: Sun Apr 05, 2020 11:28 am
Location: Pandora

Re: Self Virus Check / Exec Alteration

Post by Saki »

There are several possible solutions, J. Baker.
It just requires the most appropriate description of the requirements for your needs.
These are standard procedures, nothing new.
I have no problems with it; I have these codes ready, not crackable and enhanced, with all necessary write and read routines.
I was just about to post them now.

If you find it funny, if I try to give you an exact description of the procedure,
you just have to see for yourself how it works.
J. Baker
Addict
Posts: 2178
Joined: Sun Apr 27, 2003 8:12 am
Location: USA

Re: Self Virus Check / Exec Alteration

Post by J. Baker »

Saki, feel free to post. ;)
kvitaliy
Enthusiast
Posts: 162
Joined: Mon May 10, 2010 4:02 pm

Re: Self Virus Check / Exec Alteration

Post by kvitaliy »

Standard way for Windows using the API MapFileAndCheckSum
Protection will work even if you change 1 bit!

Code:

szFullPath.s = ProgramFilename()
dwFileChecksum.l = 0 : dwRealChecksum.l = 0 ; checksum stored in the PE header / checksum recomputed from the file
sz.s = "Hello" ; replace at least 1 character in EXE
; MapFileAndCheckSum returns 0 (CHECKSUM_SUCCESS) when the file could be mapped and summed
If MapFileAndCheckSum_(@szFullPath, @dwFileChecksum, @dwRealChecksum) = 0
  If dwFileChecksum <> dwRealChecksum
    MessageRequester(sz, "the checksum is Not correct = " + Str(dwFileChecksum) + " R=" + Str(dwRealChecksum))
  Else
    MessageRequester(sz, "the checksum is correct= " + Str(dwFileChecksum) + " R=" + Str(dwRealChecksum))
  EndIf
Else
  MessageRequester(sz, "MapFileAndCheckSum failed (file could not be opened or mapped)")
EndIf
For correct operation, you need to create and connect a text file (linker.txt) with the following content:
/RELEASE

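kvitaliy's check relies on the PE header's CheckSum field, which the linker fills in (that is what /RELEASE does; without it the field stays 0 and the comparison always fails) and which MapFileAndCheckSum recomputes. The block below is an added Python example, not code from the thread: it reimplements that checksum (a 16-bit one's-complement sum over the file with the CheckSum field skipped, plus the file length, the same arithmetic Wine and pefile use) over a constructed PE-shaped buffer, so you can see what the linker stores, what one flipped bit does, and verify a suspect binary offline without calling the API. The sample image layout, its 512-byte size and the helper names are assumptions of the example.

```python
import struct

def build_sample_image(size=512):
    """Constructed PE-shaped buffer (not a real executable): MZ header, e_lfanew,
    PE signature, a PE32 optional header with a zero CheckSum field, and filler
    bytes standing in for code, so the checksum arithmetic can be exercised offline."""
    e_lfanew = 0x40
    img = bytearray(size)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)        # e_lfanew points at "PE\0\0"
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    opt = e_lfanew + 4 + 20                              # optional header follows the COFF header
    struct.pack_into("<H", img, opt, 0x10B)              # PE32 magic
    for i in range(opt + 224, size):                     # filler "code" after the 224-byte optional header
        img[i] = (i * 37) & 0xFF
    return bytes(img)

def checksum_field_offset(data):
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum (offset 64 in both PE32 and PE32+)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return e_lfanew + 24 + 64

def pe_checksum(data):
    """Recompute the PE header checksum: a 16-bit one's-complement sum of every word
    in the file, skipping the 4-byte CheckSum field, plus the original file length.
    This is the value MapFileAndCheckSum reports as the 'real' checksum."""
    skip = checksum_field_offset(data)
    length = len(data)
    if length % 2:
        data = data + b"\0"                              # odd trailing byte summed as a zero-padded word
    total = 0
    for off in range(0, len(data), 2):
        if skip <= off < skip + 4:
            continue
        total += struct.unpack_from("<H", data, off)[0]
        total = (total & 0xFFFF) + (total >> 16)         # end-around carry
    total = (total & 0xFFFF) + (total >> 16)
    return (total + length) & 0xFFFFFFFF

def read_checksums(data):
    """Equivalent of MapFileAndCheckSum's two out-parameters: (HeaderSum, CheckSum)."""
    stored = struct.unpack_from("<I", data, checksum_field_offset(data))[0]
    return stored, pe_checksum(data)

def stamp_checksum(data):
    """What the linker does with /RELEASE: write the computed checksum into the header."""
    img = bytearray(data)
    struct.pack_into("<I", img, checksum_field_offset(data), pe_checksum(data))
    return bytes(img)

def is_intact(data):
    """The check from the post: header value present and equal to the recomputed one."""
    stored, real = read_checksums(data)
    return stored != 0 and stored == real

if __name__ == "__main__":
    unstamped = build_sample_image()
    stamped = stamp_checksum(unstamped)
    flipped = bytearray(stamped)
    flipped[300] ^= 0x01                                 # one bit changed outside the header
    print("unstamped:", read_checksums(unstamped), is_intact(unstamped))
    print("stamped:  ", read_checksums(stamped), is_intact(stamped))
    print("1 bit off:", read_checksums(bytes(flipped)), is_intact(bytes(flipped)))
```

To use it on a real file, read the executable into `data` and call `read_checksums(data)`; a stored value of 0 means the linker never populated the field (the same situation kvitaliy's linker.txt fixes). A one's-complement sum catches accidental corruption and careless modification, but it is not a cryptographic check: anything that can rewrite the file can also rewrite the header field, which is why code signing (Bitblazer's next step) or a keyed hash is needed against a deliberate adversary.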
Saki
Addict
Posts: 830
Joined: Sun Apr 05, 2020 11:28 am
Location: Pandora

Re: Self Virus Check / Exec Alteration

Post by Saki »

MapFileAndCheckSum - Microsoft wrote:

Note The Unicode implementation of this function calls the ASCII implementation and as a result, the function can fail if the codepage does not support the characters in the path. For example, if you pass a non-English Unicode file path, and the default codepage is English, the unrecognized non-English wide chars are converted to "??" and the file cannot be opened (the function returns CHECKSUM_OPEN_FAILURE).

I'll give you a little tip. :wink:
The easiest solution is to add a small hash to the file name.
This can look like this: MyFile[edadefcd].exe (CRC32 is the simplest)
This can also be very easily removed again automatically.
You can most simply check the file length or the whole content.
The more complex and password-dependent the hash, the more secure.

Entire directories can be automatically protected and checked in a few seconds.
Last edited by Saki on Sun Sep 20, 2020 10:09 am, edited 2 times in total.
Bitblazer
Enthusiast
Posts: 736
Joined: Mon Apr 10, 2017 6:17 pm
Location: Germany

Re: Self Virus Check / Exec Alteration

Post by Bitblazer »

The next step would be to add executable compression and code signing. Both have their uses and also disadvantages*, but sadly none of them are the ultimate solution against malware**.

*UPX and others have raised many false AV warnings on end-user machines, and because of that make end-users think the executable is suspicious
**some malware can intercept and manipulate API calls to hide itself. So no virus scanner or executable check can spot them on an infected system anymore.
Little John
Addict
Posts: 4527
Joined: Thu Jun 07, 2007 3:25 pm
Location: Berlin, Germany

Re: Self Virus Check / Exec Alteration

Post by Little John »

Thank you, kvitaliy! This is very interesting.
BarryG
Addict
Posts: 3324
Joined: Thu Apr 18, 2019 8:17 am

Re: Self Virus Check / Exec Alteration

Post by BarryG »

kvitaliy wrote:Standard way for Windows using the API MapFileAndCheckSum
Protection will work even if you change 1 bit!
I agree with Little John; the above is a FANTASTIC tip for detecting alteration of our Windows executables. Thanks!
Joris
Addict
Posts: 885
Joined: Fri Oct 16, 2009 10:12 am
Location: BE

Re: Self Virus Check / Exec Alteration

Post by Joris »

I feel a bit stupid but ...
I know my program name of course, but how do I know the full path where the exe will be placed (by the user) for ProgramFilename()?
Yeah I know, but keep in mind ... Leonardo da Vinci was also an autodidact.
BarryG
Addict
Posts: 3324
Joined: Thu Apr 18, 2019 8:17 am

Re: Self Virus Check / Exec Alteration

Post by BarryG »

That's what ProgramFilename() is for. You don't need to know where the user puts your exe. It gets the exe's path and filename at runtime.
J. Baker
Addict
Posts: 2178
Joined: Sun Apr 27, 2003 8:12 am
Location: USA

Re: Self Virus Check / Exec Alteration

Post by J. Baker »

kvitaliy wrote:Standard way for Windows using the API MapFileAndCheckSum
Protection will work even if you change 1 bit!
Very nice! Thanks! :D