axprotector exposed - integrity protection of a modular application


Upload: team-wibu

Post on 14-Jul-2015


Integrity Protection of a Modular Application

Rüdiger Kügler | Security Expert
[email protected]

Wolfgang Völker | Director Product Management
[email protected]

AxProtector Exposed

Introduction

2014-04-23 AxProtector Exposed 2

Threats and Requirements for Independent Software Vendors and Users

Threats / Requirements

Software Vendor      User
Copy Protection      Virus
Mods                 Sabotage
Cheats               Cheats

Authenticode


Friend or Foe?

My application is signed, using Authenticode.

A cracker is NOT able to change my application.

Right?

Question


Wrong?

Correctly Signed Application


It works.

The Patch


Invalid Signature


It STILL works!

My application is signed, using Authenticode.

A cracker is NOT able to change my application.

Right?

Answer

Wrong? Wrong.

Authenticode

Microsoft Windows starts any application

Without signature

With valid signature

With invalid signature

Authenticode is made to protect the user against viruses

Authenticode is not made for copy protection and licensing

I check the Authenticode signature within my own application. I’m secure.

Right?

Yes, but …


Wrong?

Signature Check


Signature check

Valid / not valid?

Who signed?

When was it signed?

Action in case of error

Weak Point

Figure: your software calls WINTRUST.DLL through a well documented API call; the attack points on that call are Patch, Hook and Override.

Override Code during Runtime in Memory

uses
  Windows;   // LoadLibrary, GetProcAddress, VirtualProtect, PAGE_EXECUTE_READWRITE

var
  lib: THandle;
  p: Pointer;
  old: Cardinal;

const
  // Byte code for assembler:
  //   xor eax, eax
  //   ret
  // (returns 0)
  fake: array[0..2] of Byte = ($31, $C0, $C3);

begin
  // Load Wintrust.dll
  lib := LoadLibrary('WINTRUST.DLL');
  if (lib <> 0) then begin
    // Entry point of WinVerifyTrust
    p := GetProcAddress(lib, 'WinVerifyTrust');
    if (p <> nil) then begin
      // p is a pointer to the code of WinVerifyTrust in memory
      // Remove write protection
      VirtualProtect(p, 3, PAGE_EXECUTE_READWRITE, old);
      // Apply patch
      Move(fake, p^, 3);
      // Reset write protection
      VirtualProtect(p, 3, old, old);
    end;
  end;
end.

Myth uncovered: you CAN override code in memory with standard user’s privileges!

I check the Authenticode signature within my own application. I’m secure.

And Again

Right? Wrong? Wrong.

Summary Authenticode

Software Vendor      User
Copy Protection      Virus
Mods                 Sabotage
Cheats               Cheats

Solution


Wibu-Systems Protection Suite

Features of Wibu-Systems Protection Suite


Software Authorization (Secure Load)

Only approved software runs on device

Integrity Protection (Tamper Protection)

Detects changes of software during runtime

Automatic Protection (IP Protection)

Protects automatically against reverse engineering and pirated copies

Encryption on Method Level

Increases protection level

Target platforms (figure): .NET Standard Framework, Java SE, Java EE, Embedded Operating Systems, OS X, Windows Desktop, Linux

Wibu-Systems Protection Suite - Overview


Overview figure: the features Software Authorization (Secure Loader), Encryption on Method Level, Integrity Protection (Tamper Protection) and Automatic Protection (IP Protection) are mapped to the tools ExProtector, AxProtector .NET, AxProtector Java, AxProtector and IxProtector.

Wibu-Systems Protection Suite

AxProtector

IxProtector

Best fitting tool suite


AxProtector

Automatic encryption of native applications and libraries

Adds protection and security shell automatically (AxEngine)

Automatic decryption of applications at startup

Automatic security checks

IxProtector

Encryption on method level

Dynamic decryption using Wupi-API during runtime

AxProtector .NET

Automatic protection of .NET assemblies on method level

Automatically adds protection and security shell (AxEngine)

Automatic decryption of methods during runtime

AxProtector Java

Automatic protection of Java applications

ExProtector

For embedded operating systems

AxProtector / IxProtector – Protection Process

Figure: the compiled executable / library (header, code section, data section, resource section) goes through AxProtector together with the definition of licenses and modules; the protected executable / library keeps the header and the resource section and contains the encrypted code section, the encrypted data section and the AxEngine (security engine).

AxProtector .NET – Unprotected Assembly

.NET code can be disassembled very easily

AxProtector .NET – Protection Process

Figure: the compiled assembly (header, original code) goes through AxProtector .NET together with the definition of licenses and modules; the protected assembly has the same structure as the original assembly and contains the header, stub code (without intellectual properties), the AxEngine (security engine) and the encrypted code (original code with intellectual properties).

AxProtector .NET – Protected Assembly

Code is protected now!

ExProtector – Protection Process

Figure: the original executable / library (header, original code) goes through ExProtector, which uses keys for encryption and keys for code signing; the protected executable / library contains the header, the encrypted code and the credentials (hash, signature, …).

ExProtector – Integration into Loader

Figure: during engineering the ExEngine (ExProtector runtime) and the CodeMeter Embedded driver are integrated into the operating system loader; the original loader becomes a modified loader that carries the root public key, while the operating system itself stays without modification.

Integrity Protection

Basics of cryptography

Self Check

Exe – Dll Check

Hash Function

Cryptographic checksum

Any data size as input

Small change in input = completely different result

One way function (no way back)

Hash with “key” (salt value)

Check of hash = generate hash and compare with stored value


Executable + Hash



Hash Function

Advantages

Easy to implement

Fast during runtime

Disadvantages

Everybody can generate a hash value (needs to extract salt value)

One module (exe, dll, operating system, …) cannot check the integrity of another module


Signatures

Signature = Sign (Hash(Plaintext), Private Key)

Verification (Hash(Plaintext), Signature, Public Key)

Only person with Private Key can generate signature

Everybody can check a signature

Signatures

Figure, signing: Data -> Hash (Digest) -> Signature, computed with the Private Key.

Figure, verification: Data -> Hash (Digest); Hash, Signature and Public Key -> Yes / No.

Executable + Hash + Signature


AxProtector – Protection Process

Figure: as in the protection process above, the compiled executable / library (header, code section, data section, resource section) goes through AxProtector together with the definition of licenses and modules; AxProtector signs with the private key for signature and embeds the public key, so the protected executable / library contains the header, the encrypted code section, the encrypted data section, the resource section, the AxEngine (security engine + public key) and the signature.

AxProtector

[WIBU-SYSTEMS Control File]
...
[Commandline]
...
-cav
...
[CheckCodeIntegrity Dlls]
Image1 = ShowHex.dll
...

Figure callouts: "Check other modules", "Self check"


Encrypted Executable + Hash + Signature


Self Check Executable / Library

Flow (figure): the executable carries its signature and the AxEngine (security engine + public key).

Calculate hash of executable

Validate Signature(Hash, Public Key, Signature)

Valid (Yes): continue. Not valid (No): error message.

Cross Check Executable / Library

Figure: the executable and the dynamic link library each carry an AxEngine (security engine + public key) and a signature, and each one checks the other: exe - exe, exe - dll, dll - dll, dll - exe.


AxProtector

During development

Generates hash from original executable (relocations)

AxProtector signs hash with private key

AxProtector adds public key into security engine

During runtime

AxEngine decrypts encrypted code

AxEngine generates hash from decrypted code in memory

AxEngine uses public key to check signature of hash
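The development-time and runtime steps above, together with the hash-versus-signature comparison from the earlier slides, as an added example that is not Wibu-Systems code: a toy RSA signature over a module hash, the self check and cross check that need only the public key, and the keyed-hash alternative that anyone holding the salt can regenerate. The Mersenne primes, the 19-byte signature trailer and the module byte strings are constructed assumptions for the demonstration.

```python
import hashlib

# Toy RSA from two Mersenne primes (M61, M89): a constructed key pair for the
# demonstration only; a ~150-bit modulus gives no real security.
P, Q = (1 << 61) - 1, (1 << 89) - 1
N, E = P * Q, 65537                        # public key, embedded in the engine
D = pow(E, -1, (P - 1) * (Q - 1))          # private key, stays with the vendor
SIG_LEN = 19                               # N < 2**152, so a signature fits

def digest(code: bytes) -> int:
    # Hash of the module code, truncated to 128 bits so the value is below N
    return int.from_bytes(hashlib.sha256(code).digest()[:16], "big")

def protect(code: bytes) -> bytes:
    # Build step: Signature = Sign(Hash(code), Private Key), appended as trailer
    sig = pow(digest(code), D, N).to_bytes(SIG_LEN, "big")
    return code + sig

def self_check(module: bytes) -> bool:
    # Runtime step: Verification(Hash(code), Signature, Public Key)
    code, sig = module[:-SIG_LEN], module[-SIG_LEN:]
    return pow(int.from_bytes(sig, "big"), E, N) == digest(code)

def cross_check(modules: dict) -> dict:
    # Cross check: the engine in any module can validate any other module with
    # the shared public key (exe-dll, dll-dll, ...), so one patched module is
    # rejected no matter which peer performs the check
    return {name: self_check(blob) for name, blob in modules.items()}

def hash_only_protect(code: bytes, salt: bytes) -> bytes:
    # The keyed-hash alternative: whoever extracts the salt can regenerate a
    # matching checksum for modified code
    return code + hashlib.sha256(salt + code).digest()

def hash_only_check(module: bytes, salt: bytes) -> bool:
    code, mac = module[:-32], module[-32:]
    return hashlib.sha256(salt + code).digest() == mac

def flip_first_byte(module: bytes, trailer_len: int) -> bytes:
    # Constructed tampering: change one code byte, keep the trailer unchanged
    code, trailer = bytearray(module[:-trailer_len]), module[-trailer_len:]
    code[0] ^= 0xFF
    return bytes(code) + trailer

if __name__ == "__main__":
    exe, dll = protect(b"constructed exe code"), protect(b"constructed dll code")
    print(cross_check({"app.exe": exe, "helper.dll": dll}))    # both True
    print(self_check(flip_first_byte(exe, SIG_LEN)))            # False
    salt = b"constructed salt"
    tampered = flip_first_byte(hash_only_protect(b"constructed exe code", salt), 32)
    print(hash_only_check(tampered, salt))                      # False
    print(hash_only_check(hash_only_protect(tampered[:-32], salt), salt))  # True
```

The last line is the slide's point in one call: with the salted hash the checksum of the tampered module can simply be regenerated, whereas regenerating the signature would need the private key that never ships with the software.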


Demo


Protection Process

Successful Integrity Check

Tampered exe / dll

Summary


Authenticode

Figure: one EXE with several DLLs, all relying on one Authenticode signature check: one single point of attack!

AxProtector

Figure: the same EXE and DLLs, each one protected by AxProtector.

AxProtector – Integrity Protection


Easy to use

Security for Software Vendors and Users

No single point for hackers

Each module (EXE / DLL) can be updated separately

Security for Software Vendor and User

Software Vendor      User
Copy Protection      Virus (use Authenticode)
Mods                 Sabotage
Cheats               Cheats

Thank You


WIBU-SYSTEMS AG

www.wibu.com