April 06, 2012
Protecting PE files
Another security question for whoever can help.

As I understand it (please correct me if I am wrong), the digital
signature applied with something like signtool.exe incorporates a
checksum but otherwise does not alter the file structure (such as
the code and data sections). Is it feasible for a cracker to
infect an exe with a patch while still causing the checksum to be
calculated with the same result (maybe by adding or removing bogus
instructions), thus forging the signed exe?

More importantly, what recommendations do any of you have for
protecting PE files that you want to sell (from reverse
engineering)? It looks like a common way of doing this is to use
some sort of "packer" that either compresses, encrypts, or both,
the code section of the PE file, which is then
uncompressed/decrypted and somehow loaded by the entry point
function at runtime. Is it very difficult to write your own
program to do something like this, or is there a decent commercial
product to start with that is known to work well? When I search
for stuff like this I seem to find some whitepapers but otherwise
endless dead links . . .

Thanks,
Erik
April 12, 2012
Re: Protecting PE files
On 4/6/2012 7:33 AM, Erik Weber wrote:
> Another security question for whoever can help.
>
> As I understand it (please correct me if I am wrong), the digital
> signature applied with something like signtool.exe incorporates a
> checksum but otherwise does not alter the file structure (such as
> the code and data sections). Is it feasible for a cracker to
> infect an exe with a patch while still causing the checksum to be
> calculated with the same result (maybe by adding or removing bogus
> instructions), thus forging the signed exe?

Yes.


> More importantly, what recommendations do any of you have for
> protecting PE files that you want to sell (from reverse
> engineering)? It looks like a common way of doing this is to use
> some sort of "packer" that either compresses, encrypts, or both,
> the code section of the PE file, which is then
> uncompressed/decrypted and somehow loaded by the entry point
> function at runtime. Is it very difficult to write your own
> program to do something like this, or is there a decent commercial
> product to start with that is known to work well? When I search
> for stuff like this I seem to find some whitepapers but otherwise
> endless dead links . . .

It's a lost cause to try and prevent people from disassembling your PE file.
April 12, 2012
Re: Protecting PE files
Thanks.