tamper detection in a child process

Question

I am developing a simple application using C and would like to know if there is any way I can detect when the application has been tampered. Based on my knowledge Hash is one way to ensure the integrity of data but I don't know how to hard-code the hash of the process inside my code when I am compiling it or I don't know even that's a good way to do. Any help/hint is highly appreciated.

Answer 1

You should protect your hash from static modifications (while your app is on disk). For example you can sign it with some private key which will be hidden somewhere in the tampering detection code. I can't tell you how you can hide it because it should be your secret.

To have self verified executable you can allocate hash in sources but instruct compiler to store it in named PE/ELF section. When signing your binary exclude your named section from hash calculation and store hash calculated inside.

To put hash into named section for Microsoft compilers you can use

#pragma section("tdhash", read)
__declspec(allocate("tdhash")) const unsigned char hash[32] = {0};

for GCC compilers:

const unsigned char hash[32] __attribute__ ((section ("tdhash"))) = {0};

Note: After changing PE you my want to update checksum in header, also exclude checksum field from hash calculation. The sample for that is in "How to prevent “check integrity” load failures" Microsoft KB article valiable by https://technet.microsoft.com/ru-ru/library/ee829684