views:

657

answers:

3

Hi everyone.

I'm implementing a locking and copy protection system for my software. I've shut every hole that would allow someone to break my lock (well, that's a little too optimistic, I know!) but the last thing is this:

I hear crackers can change Windows DLLs like Kernel32.dll in a way that the API I use returns a value which is specified by the cracker. I need to prevent this.

At first I thought I could make a hash value for every DLL I use, and check that hash against the calculated hash of the client DLL to see if the file is changed. That won't work since there are many different versions of the DLL for different versions of Windows, and every hotfix and Service Pack provided by Microsoft could change the file.

Then I realized I could check the signature of the file to make sure it has a valid Microsoft signature. Now there are 2 questions:

  1. Does Microsoft sign Windows DLLs? How can I find some info on this signature?
  2. Is a Public key provided to validate the signature? How do I use this key to validate the file?

Any walkthroughs are greatly appreciated. My app is written using Visual Basic.NET.

Thanks guys.

+4  A: 

Are you going to write your own crypto routines so you can validate the signature yourself, or are you going to trust the Crypto API? Are you going to use signatures on the crypto dlls to validate the crypto dlls?

Who watches the watchers?

You'll be wanting to write your own operating system, and you'd better make sure it can't be run in a virtual machine! Perhaps you should make your own hardware hardware too.

Ultimately, you have to trust something. Really. If you're not prepared to trust the user, trust the OS because if you don't trust that, you're going to end up rolling your own hardware to make it 'secure'. Yes, someone will hack your software - it's pretty much inevitable. Make it difficult by all means, but remember that returns diminish (rapidly!)

James Ogden
I get that a lot. The only thing I need in this case is a Public key provided by Microsoft to validate the signature of Windows DLLs. That would be just enough, and I'm sure the "signature" thing is invented for such uses.
TheAgent
Besides, I could write the Crypto routines. I'm making my code too obscure for the cracker to find my validation logic, and I'm placing the validation logic in many different locations. The app won't inform the user of a crack either, it just malfunctions sometimes. That's a good protection scheme!
TheAgent
I would be 99% certain that if Microsoft have signed binaries that they are already validating those signatures as part of their own security mechanism.
Paul
I know they are not validating their own files, since I've seen people actually changing dlls like Kernel32.
TheAgent
+3  A: 

MS does sign some system binaries, depending on the version of Windows and the binary. For example, if you check kernel32.dll on Windows XP:

C:\Windows\system32>sigcheck kernel32.dll
Sigcheck v1.5
Copyright (C) 2004-2008 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\Windows\system32\kernel32.dll:

Verified: Signed
Signing date: 02:07 14/04/2008
Publisher: Microsoft Corporation
Description: Windows NT BASE API Client DLL
Product: Microsoft« Windows« Operating System
Version: 5.1.2600.3119
File version: 5.1.2600.3119 (xpsp_sp2_grd.070416-1301)

You can also use sigcheck to do stuff like find all unsigned binaries in a specific folder, e.g.

sigcheck -u -e c:\windows\system32

I believe that the answer to your second question is "no", although MS does use root certificates for some validation purposes. It doesn't publish public keys in its Windows system binaries because the key pairs can and do change.

But fundamentally if you don't trust the OS, then you're fubar anyway.

Just face it, your app will be cracked. My advice would be to spend only 1% of your effort on slowing down the cracking process, and 99% on creating something that's worth cracking.

RoadWarrior
Thanks RoadWarrior.I do have experience in this area, and I know how much effort I need to spend on locking my software. You have to draw a protective circle around your property, based on the time and resources you have. The bigger the circle, the safer your app.
TheAgent
Just remember that the safer your app, the less likely it will be used.
RoadWarrior
A: 

Other answers say that you can check that the on-disk copies haven't been modified. You're SOL for the in-memory copies.

Broam