Detect modification

Ruhe · April 24, 2010, 02:16:12 PM

If size and compression & decompression time doesn't matter, what is a good combination of settings to increase security and/or detect file modifications without loss of functionality?

/CodeIntegrityCheck:Yes ?

/StripDebug:Yes ?

/EnableMemoryProtection:Yes ? (Sounds good, but to be honest, I don't understand the description or background of it)

pec2ldr_antidebug or pec2ldr_default ?

Inclusion of pec2codec_crc32.dll ?

CODEC Ordering / Sequence ?

...?

BoB · April 24, 2010, 04:17:56 PM

Quote from: Ruhe on April 24, 2010, 02:16:12 PM
If size and compression & decompression time doesn't matter, what is a good combination of settings to increase security and/or detect file modifications without loss of functionality?

/CodeIntegrityCheck:Yes ?

/StripDebug:Yes ?

/EnableMemoryProtection:Yes ? (Sounds good, but to be honest, I don't understand the description or background of it)

Hi Ruhe,
In answer to above, /CodeIntegrityCheck:Yes (Crc32 of memory image), /StripDebug:Definately ..
Also you will have full functionality unless you use the Thin/Reduced loader.

/EnableMemoryProtection means that the sections of the original file (Code, data, Imports etc) will have the same access rights in the compressed file, which basically means that if the Code section was originally READ/WRITE/EXECUTE access, then it still will have this same protection once packed.
This is useful for compatability reasons mostly, but also will make patching a compressed file slightly harder, as the cracker would have to alter the memory protection of the range of pages that they want to patch.

Quotepec2ldr_antidebug or pec2ldr_default ?

For security, pec2ldr_antidebug, otherwise they have same functionality.

QuoteInclusion of pec2codec_crc32.dll ?

I'm not sure if this is included when code-integrity check is enabled, but it won't break anything to include it.

QuoteCODEC Ordering / Sequence ?

Codec ordering is unimportant, unless you have some special codec that you want to ensure is not patched. For better security you can make your own codec and hook plugins using the SDK provided.

For instance, you could make a single codec plugin that contains 3 codecs; 1st to checksum the data, 2nd to decrypt the data, 3rd to check for debuggers or whatever. Then your protection code is encrypted and crc protected.

BoB

Ruhe · April 24, 2010, 04:34:28 PM

Hi BoB,

thanks for your response and help.

So far I'm trying this: /Ko:Y /Sd:Y /Cic:No /Lh:pec2ldr_antidebug.dll /Ch:pec2codec_lzma2.dll,pec2codec_crc32.dll /Hh:pec2hooks_break_un2pec.dll
but will also include /Emp:Y

About Cic the help says: "A CRC32 codec is provided for full integrity checking and should be used instead of this switch."
The word "Instead" for me means "If you use CRC32 then disable Cic", therefore I've set /Cic:No

About pec2ldr_antidebug.dll (see Blog): "If you don't want to call IsDebuggerPresent yourself, you can simply use this in combination with the standard (re: not henanced) anti-debug loader plug-in (pec2ldr_anti_debug.dll)".
So, using pec2ldr_antidebug.dll also uses IsDebuggerPresent internally?

By the way, does pec2ldr_antidebug.dll also detects Process Monitor?

I'm wondering why the file pec2ldr_antidebug.dll is smaller than pec2ldr_default.dll.

BoB · April 24, 2010, 05:05:01 PM

Hi Ruhe

Quote from: Ruhe on April 24, 2010, 04:34:28 PM
thanks for your response and help.

So far I'm trying this: /Ko:Y /Sd:Y /Cic:No /Lh:pec2ldr_antidebug.dll /Ch:pec2codec_lzma2.dll,pec2codec_crc32.dll /Hh:pec2hooks_break_un2pec.dll
but will also include /Emp:Y

About pec2ldr_antidebug.dll (see Blog): "If you don't want to call IsDebuggerPresent yourself, you can simply use this in combination with the standard (re: not henanced) anti-debug loader plug-in (pec2ldr_anti_debug.dll)".
So, using pec2ldr_antidebug.dll also uses IsDebuggerPresent internally?

Only if you add /Hh:pec2hooks_IsDebuggerPresent.dll to the command-line, then the IsDebuggerPresent hook will detect if either the AntiDebug or EnhancedAntiDebug loaders are in use, and the IsDebuggerPresent Hook protection code will be called way before the original Entrypoint of your original exe. You can still call the hook from your exe code tho, or from a thread and then you'll catch a debugger attaching to your exe also

QuoteBy the way, does pec2ldr_antidebug.dll also detects Process Monitor?

No, and neither does IsDebuggerPresent, but as you've reminded me I'll add to the monitors list of IsDebuggerPresent Hook plugin. Next version (v1.06) will include this..

QuoteI'm wondering why the file pec2ldr_antidebug.dll is smaller than pec2ldr_default.dll.

Good question

Jeremy ?

Have fun!
BoB

Ruhe · April 24, 2010, 05:32:41 PM

Ok, now we have
/Ko:Y /Sd:Y /Cic:No /Emp:Yes /Nb /Lh:pec2ldr_antidebug.dll /Ch:pec2codec_lzma2.dll,pec2codec_crc32.dll /Hh:pec2hooks_break_un2pec.dll

...and a problem: PEC2 (v3.02.1 on Windows 7 Ultimate 32bit) reproducible crashes after including pec2hooks_api_isdebuggerpresent.dll to the command line (/Hh), also by adding it in the GUI.

The mix of Y and Yes for enabling and No (and maybe N) for disabling in the settings is made by the GUI ;-)

BoB · April 24, 2010, 06:31:56 PM

If you goto www.bitsum.com and User Support, and download the latest installer, there is updated (v1.05) IsDebuggerPresent hook plugin in the package. Somehow an older version crept in, which is why there are two versions of PECompact 3.02.1 in the database ..

BoB

Ruhe · April 25, 2010, 07:41:17 AM

The version info of the installed pec2hooks_api_isdebuggerpresent.dll is "v.1.05.0000", MD5: 4af6eab9907da1160f9215f24eae5896
The downloaded ZIP ("[cut]_x32_3.02.1.zip") MD5 is e184378a4f8f6c9c098adaf7bc54bfcb

That's the files with the described problem.

BoB · April 25, 2010, 06:49:45 PM

Hi Ruhe,
After re-reading, I'm not sure if I understood what you wrote before, is it a file that has been packed using the hook plugin that is crashing, or PEC2 crashing while packing ?

Well, v1.05 should have no problems with Win7 32Bit, I tested a lot with that as I have it on my system.
I will try compressing using your cmdline settings in Win7, to see if I have any problems.

BoB

Ruhe · April 26, 2010, 03:00:25 AM

Install PECompact, start its GUI, add a file (.exe), right click the file, change settings, [Select API hook plug-ins], in the dropdown list select the isdebuggerpresent DLL ... the GUI reproducible crashes on two of my Windows 7 systems in the moment I just select it.

The same in console mode:

Compressing with

Code Select

/Ko:Y /Sd:Y /Cic:No /Emp:Yes /Nb /Lh:pec2ldr_antidebug.dll /Ch:pec2codec_lzma2.dll,pec2codec_crc32.dll /Hh:pec2hooks_break_un2pec.dll

works without problems, but it crashes with added pec2hooks_api_isdebuggerpresent.dll

Code Select

/Ko:Y /Sd:Y /Cic:No /Emp:Yes /Nb /Lh:pec2ldr_antidebug.dll /Ch:pec2codec_lzma2.dll,pec2codec_crc32.dll /Hh:pec2hooks_break_un2pec.dll,pec2hooks_api_isdebuggerpresent.dll

After this there is a message box: "Runtime error 216 at 012B0004"

Windows 7 Ultimate 32bit, UAC: highest, DEP: on

Ruhe · April 26, 2010, 12:39:01 PM

Quote from: RuheI'm wondering why the file pec2ldr_antidebug.dll is smaller than pec2ldr_default.dll.

Quote from: BoBGood question Jeremy ?

Jeremy?

Jeremy Collake · April 26, 2010, 01:52:46 PM

Quote from: Ruhe on April 26, 2010, 12:39:01 PM
Quote from: RuheI'm wondering why the file pec2ldr_antidebug.dll is smaller than pec2ldr_default.dll.

Quote from: BoBGood question Jeremy ?

Jeremy?

I checked, and it is a simple linker optimization setting that is different, resulting in slightly different DLL sizes since its linking with the C runtime library and therefore optimizing portions of it for the antidebug loader. Some compiler settings may be different too.

The actual loader itself should not be substantially different in size. Since the loader itself is written in assembly language, these optimizations do not apply to it -- they only apply to the plug-in code that interfaces with the PECompact GUI. The console output of the /Bl (/BenchmarkLoader) switch should indicate the actual loader size when applied to the compressed executable, for your own verification.

Jeremy Collake · April 26, 2010, 02:00:08 PM

Here are the actual loader sizes when extracted from their container DLLs. The 'Total size' is the size after the loader decompression stub is added to the compressed loader. The codec for the loader itself can be changed via the /Lch:pec2codec_*.dll option (/LoaderCodecHost:file). See the 'Advanced' switches. Yes, I added a switch for everything in PECompact, lol.

As you see, the AntiDebug loader is a few bytes larger, as it should be.

Code Select


C:\pec2\output>pec2 /bl /lh:pec2ldr_antidebug.dll
 + Performing loader benchmarks ...
   Loader host: PEC2LDR_ANTIDEBUG.DLL
   Features: 0x0
   Codec host: C:\pec2\output\pec2codec_aplib.dll
  = Uncompressed loader size: 7466
    Compressed loader size: 1416
    Total size: 1761

C:\pec2\output>pec2 /bl /lh:pec2ldr_default.dll
 + Performing loader benchmarks ...
   Loader host: PEC2LDR_DEFAULT.DLL
   Features: 0x0
   Codec host: C:\pec2\output\pec2codec_aplib.dll
  = Uncompressed loader size: 7420
    Compressed loader size: 1387
    Total size: 1732

Ruhe · April 26, 2010, 03:16:13 PM

Ok, so the antidebug loader dll is not smaller because of missing/reduced functionality, right?

Jeremy Collake · April 26, 2010, 05:40:53 PM

Right, it has all the same stuff. As you can see, its actually 46 bytes larger in raw code. The DLL size really is not to be paid attention to at all. It does not reflect the loader size.