axprotector exposed - integrity protection of a modular application
TRANSCRIPT
AxProtector Exposed: Integrity Protection of a Modular Application
Rüdiger Kügler | Security Expert
Wolfgang Völker | Director Product Management
Introduction
2014-04-23 AxProtector Exposed 2
Threats and Requirements for Independent Software Vendors and Users

Threats / Requirements
Software Vendor: Copy Protection, Mods, Cheats
User: Virus, Sabotage, Cheats
Question
My application is signed, using Authenticode. A cracker is NOT able to change my application. Right?

Answer
Wrong.
Authenticode
Microsoft Windows starts any application:
  without signature
  with valid signature
  with invalid signature
Authenticode is made to protect the user against viruses.
Authenticode is not made for copy protection and licensing.
Question
I check the Authenticode signature within my own application. I'm secure. Right?

Answer
Yes, but …
Signature Check
A signature check inside your own application has to answer: valid / not valid? Who signed? When was it signed? And it has to define the action in case of error.

Weak Point
Your software performs the check by calling WINTRUST.DLL, a well documented API call (WinVerifyTrust). That call can be patched, hooked or overridden.
Override Code during Runtime in Memory

// Delphi; LoadLibrary, GetProcAddress and VirtualProtect come from the Windows unit
var
  lib: THandle;
  p: Pointer;
  old: Cardinal;
// Byte code for assembler
// xor eax, eax;
// ret
// (returns 0, i.e. "trust verified")
const
  fake: array[0..2] of byte = ($31, $C0, $C3);
begin
  // Load Wintrust.dll
  lib := LoadLibrary('WINTRUST.DLL');
  if (lib <> 0) then begin
    // Entry Point of WinVerifyTrust
    p := GetProcAddress(lib, 'WinVerifyTrust');
    if (p <> nil) then begin
      // p is pointer to code of WinVerifyTrust in memory
      // Remove write protection
      VirtualProtect(p, 3, PAGE_EXECUTE_READWRITE, old);
      // Apply patch: overwrite the first three bytes of the function
      move(fake, p^, 3);
      // Reset write protection
      VirtualProtect(p, 3, old, old);
    end;
  end;
end;

Myth uncovered: you CAN override code in memory, with standard user's privileges!
And Again
I check the Authenticode signature within my own application. I'm secure. Right? Wrong.
Summary Authenticode
Software Vendor: Copy Protection, Mods, Cheats
User: Virus, Sabotage, Cheats
Features of Wibu-Systems Protection Suite
Software Authorization (Secure Load): only approved software runs on the device
Integrity Protection (Tamper Protection): detects changes of the software during runtime
Automatic Protection (IP Protection): protects automatically against reverse engineering and pirated copies
Encryption on Method Level: increases the protection level
Platforms: .NET Standard Framework, Java SE, Java EE, Embedded Operating Systems, OS X, Windows Desktop, Linux
Wibu-Systems Protection Suite - Overview
[Figure: feature matrix of the Wibu-Systems Protection Suite. Features: Software Authorization (Secure Loader), Encryption on Method Level, Integrity Protection (Tamper Protection), Automatic Protection (IP Protection). Products: ExProtector, AxProtector .NET, AxProtector Java, AxProtector, IxProtector.]
Best fitting tool suite
AxProtector
  Automatic encryption of native applications and libraries
  Adds protection and security shell automatically (AxEngine)
  Automatic decryption of applications at startup
  Automatic security checks
IxProtector
  Encryption on method level
  Dynamic decryption using the Wupi-API during runtime
AxProtector .NET
  Automatic protection of .NET assemblies on method level
  Adds protection and security shell automatically (AxEngine)
  Automatic decryption of methods during runtime
AxProtector Java
  Automatic protection of Java applications
ExProtector
  For embedded operating systems
AxProtector / IxProtector – Protection Process
[Figure: the Compiled Executable / Library (Header, Code Section, Data Section, Resource Section) goes into AxProtector together with the definition of licenses and modules. The output is the Protected Executable / Library: Header, Encrypted Code Section, Encrypted Data Section, Encrypted Resource Section, plus the added AxEngine (Security Engine).]
AxProtector .NET – Unprotected Assembly
.NET code can be disassembled very easily.
AxProtector .NET – Protection Process
[Figure: the Compiled Assembly (Header, Original Code) goes into AxProtector .NET together with the definition of licenses and modules. The output is the Protected Assembly: Header, Stub Code (without intellectual property), Encrypted Code (original code with intellectual property), plus the added AxEngine (Security Engine). The protected assembly has the same structure as the original assembly.]
ExProtector – Protection Process
[Figure: the Original Executable / Library (Header, Original Code) goes into ExProtector together with the keys for encryption and the keys for code signing. The output is the Protected Executable / Library: Header, Encrypted Code, Credentials (Hash, Signature, …).]
ExProtector – Integration into Loader
[Figure: on the left the Operating System with its Original Loader; on the right the Operating System (without modification) with a Modified Loader (an engineering step) that contains the ExEngine (ExProtector Runtime), the CodeMeter Embedded Driver and the Root Public Key.]
Integrity Protection
Basics of cryptography: Self Check, Exe – Dll Check

Hash Function
Cryptographic checksum
Any data size as input
Small change in input = completely different result
One-way function (no way back)
Hash with "key" (salt value)
Check of hash = generate hash and compare with stored value
Executable + Hash
[Figure: hex dump with ASCII column of a compiled executable (PE header "PE..L", Delphi RTTI type names Boolean, False, True, Char, Integer, Byte, Word, Cardinal, String, TObject, followed by x86 code bytes) with the hash value appended at the end of the file.]
Hash Function
Advantages
  Easy to implement
  Fast during runtime
Disadvantages
  Everybody can generate a hash value (only needs to extract the salt value)
  One module (exe, dll, operating system, …) cannot check the integrity of another module
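The keyed-hash self check described above, as an added example in Go (it is not code from the slides or from Wibu-Systems). The module image, the salt value and the function names are constructed for the example. The tag is HMAC-SHA256 over the module image, appended at the end like the hash in the figure; one flipped bit in the code section makes the check fail. Note that protectWithHash and checkHash take the same key: whoever can verify can also recompute a matching tag, which is the slide's first disadvantage, and a second module could only check this one if it carried the same salt, which is the second.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// Constructed stand-in for a compiled module: a fake header followed by a
// short code section. A real self check would hash the whole file image.
var moduleImage = append([]byte("PE\x00\x00HEADER"),
	[]byte("\x33\xC0\xEB\x02\xB0\x01\x59\x5A\x5B\xC3")...)

// salt is the "key" the slide calls a salt value. It has to live inside the
// checking module, so anyone who extracts it can produce valid tags.
var salt = []byte("constructed-salt-value")

// protectWithHash returns image || HMAC-SHA256(salt, image): the stored
// checksum is appended to the end of the protected image.
func protectWithHash(image, key []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write(image)
	out := append([]byte{}, image...)
	return append(out, mac.Sum(nil)...)
}

// checkHash is the runtime self check: recompute the keyed hash over
// everything except the trailing tag and compare in constant time.
func checkHash(protected, key []byte) bool {
	if len(protected) < sha256.Size {
		return false
	}
	split := len(protected) - sha256.Size
	body, stored := protected[:split], protected[split:]
	mac := hmac.New(sha256.New, key)
	mac.Write(body)
	return hmac.Equal(mac.Sum(nil), stored)
}

// tamper flips one bit of the first code byte (0x33 -> 0x32) and leaves
// the stored tag untouched, like a patch applied to the file on disk.
func tamper(protected []byte) []byte {
	out := append([]byte{}, protected...)
	out[len("PE\x00\x00HEADER")] ^= 0x01
	return out
}

func main() {
	protected := protectWithHash(moduleImage, salt)
	fmt.Println("intact module passes:   ", checkHash(protected, salt))
	fmt.Println("tampered module passes: ", checkHash(tamper(protected), salt))
	fmt.Println("wrong salt passes:      ", checkHash(protected, []byte("other-salt")))
}
```

Run it and the intact image passes while the one-bit change and the wrong salt both fail; the same key being needed on the checking side is what the signature slides that follow fix.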
Signatures
Signature = Sign(Hash(Plaintext), Private Key)
Verification(Hash(Plaintext), Signature, Public Key) = Yes / No
Only the person with the Private Key can generate a signature
Everybody can check a signature
Signatures
[Figure: signing: Data → Hash (Digest) → signed with the Private Key → Signature. Verification: Data → Hash (Digest), checked together with the Signature and the Public Key → Yes / No.]
Executable + Hash + Signature
[Figure: the same hex dump of the compiled executable as before (PE header, Delphi RTTI names, code bytes), now followed by the hash and the signature over the hash.]
AxProtector – Protection Process
[Figure: the Compiled Executable / Library (Header, Code Section, Data Section, Resource Section) goes into AxProtector together with the definition of licenses and modules and the Private Key for the Signature. The output is the Protected Executable / Library: Header, Encrypted Code Section, Encrypted Data Section, Encrypted Resource Section, the AxEngine (Security Engine + Public Key) and the Signature.]
AxProtector
Control file (excerpt):
[WIBU-SYSTEMS Control File]
...
[Commandline]
...
-cav
...
[CheckCodeIntegrity Dlls]
Image1 = ShowHex.dll
...
Slide callouts: "Self check" and "Check other modules" (the [CheckCodeIntegrity Dlls] section lists the DLLs whose code integrity is checked).

Encrypted Executable + Hash + Signature
[Figure: hex dump of the protected executable. The PE header ("PE..L") stays readable, the code section is now encrypted and shows only random-looking bytes, and the hash and signature follow at the end.]
Self Check Executable / Library
[Figure: the AxEngine (Security Engine + Public Key) embedded in the Executable calculates the hash of the executable and validates Signature(Hash, Public Key, Signature). Yes → the application continues; No → Error Message.]
Cross Check Executable / Library
[Figure: the Executable and the Dynamic Link Library each carry their own AxEngine (Security Engine + Public Key) and their own Signature, and each one can check the other. Supported directions: exe - exe, exe - dll, dll - dll, dll - exe.]
AxProtector
During development
  AxProtector generates the hash from the original executable (relocations)
  AxProtector signs the hash with the private key
  AxProtector adds the public key into the security engine
During runtime
  AxEngine decrypts the encrypted code
  AxEngine generates the hash from the decrypted code in memory
  AxEngine uses the public key to check the signature of the hash
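The build-time and runtime steps above, together with the self check and cross check of the two preceding slides, as an added example in Go (not code from the slides or from Wibu-Systems; it does not reproduce the AxProtector file format). Ed25519 stands in for whatever signature scheme the product uses, the Module type, the code bytes and the key pairs are constructed for the example, and the name ShowHex.dll is taken from the control file on the previous slide. It goes one step beyond the slides by also showing why a cross check must use the checking module's own embedded public key rather than the key found in the module being checked.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Module is a constructed stand-in for a protected executable or DLL: the
// code bytes, the signature over their hash, and the vendor's public key
// embedded next to the code (the "AxEngine + Public Key" box on the slide).
type Module struct {
	Name      string
	Code      []byte
	Signature []byte
	PublicKey ed25519.PublicKey
}

// hashCode is the hash step ("generate hash from decrypted code in memory").
func hashCode(code []byte) []byte {
	h := sha256.Sum256(code)
	return h[:]
}

// protect is the development-time step: the protection tool signs the hash
// with the vendor's private key and embeds only the public key in the module.
func protect(name string, code []byte, priv ed25519.PrivateKey) Module {
	return Module{
		Name:      name,
		Code:      code,
		Signature: ed25519.Sign(priv, hashCode(code)),
		PublicKey: priv.Public().(ed25519.PublicKey),
	}
}

// selfCheck is the runtime step inside the module: rehash the code as it
// sits in memory and verify the stored signature with the embedded key.
func (m Module) selfCheck() bool {
	return ed25519.Verify(m.PublicKey, hashCode(m.Code), m.Signature)
}

// crossCheck lets one module (exe or dll) verify another. It deliberately
// uses the checker's own public key, so a module re-signed with a different
// private key is rejected even though its own self check would pass.
func (checker Module) crossCheck(other Module) bool {
	return ed25519.Verify(checker.PublicKey, hashCode(other.Code), other.Signature)
}

// flipCodeByte simulates a tampered file: one code byte changes while the
// signature and the embedded public key stay exactly as they were.
func flipCodeByte(m Module, i int) Module {
	code := append([]byte{}, m.Code...)
	code[i] ^= 0xFF
	m.Code = code
	return m
}

// buildScenario returns (exe, dll, tampered dll, dll signed with a foreign key).
// The code bytes are the first instructions from the hex dump on the slides.
func buildScenario() (exe, dll, tampered, foreign Module) {
	_, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	exe = protect("app.exe", []byte("\x33\xC0\xEB\x02\xB0\x01\x59\x5A\x5B\xC3"), vendorPriv)
	dll = protect("ShowHex.dll", []byte("\x53\x56\x83\xC4\xF8\x8B\xF2\x8B\xD8\x8B"), vendorPriv)
	tampered = flipCodeByte(dll, 3)
	foreign = protect("ShowHex.dll", dll.Code, otherPriv)
	return exe, dll, tampered, foreign
}

func main() {
	exe, dll, tampered, foreign := buildScenario()
	fmt.Println("exe self check:          ", exe.selfCheck())
	fmt.Println("exe -> dll cross check:  ", exe.crossCheck(dll))
	fmt.Println("exe -> tampered dll:     ", exe.crossCheck(tampered))
	fmt.Println("foreign dll self check:  ", foreign.selfCheck())
	fmt.Println("exe -> foreign dll:      ", exe.crossCheck(foreign))
}
```

The verifying side holds no secret, so the same check can run in every module in every direction (exe - dll, dll - exe, dll - dll) without any module being able to forge a signature for another, which is what the keyed hash could not give.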
Demo
Protection Process
Successful Integrity Check
Tampered exe / dll
Authenticode
[Figure: one EXE and several DLLs, all relying on the same Authenticode check: one single point of attack!]
AxProtector – Integrity Protection
Easy to use
Security for Software Vendors and Users
No single point of attack for hackers
Each module (EXE / DLL) can be updated separately
Security for Software Vendor and User
Software Vendor: Copy Protection, Mods, Cheats
User: Virus (use Authenticode), Sabotage, Cheats