Performing Code Checksum

Created the Monday 18 March 2019. Updated 9 months, 4 weeks ago.

Adversaries may use code checksumming to detect if their code has been modified or tampered with. This technique involves calculating a checksum or hash of the code, storing it, and then periodically checking the current checksum against the stored one. If the checksums do not match, it indicates that the code has been modified and the adversary's code can take appropriate action, such as exiting or altering its behavior.

This technique can be used to detect if anti-debugging routines have been disabled or if the code has been tampered with in other ways. By detecting these modifications, the adversary's code can attempt to evade detection and make reverse engineering more difficult.

Technique Identifier

U0107

Code Snippets

Description

The below example shows how to calculate the checksum of a function used to detect a breakpoint using INT3. Original source code available here:

DWORD CalcFuncCrc(PUCHAR funcBegin, PUCHAR funcEnd)
{
    DWORD crc = 0;
    for (; funcBegin < funcEnd; ++funcBegin)
    {
        crc += *funcBegin;
    }
    return crc;
}
#pragma auto_inline(off)
VOID DebuggeeFunction()
{
    int calc = 0;
    calc += 2;
    calc <<= 8;
    calc -= 3;
}
VOID DebuggeeFunctionEnd()
{
};
#pragma auto_inline(on)
DWORD g_origCrc = 0x2bd0;
int main()
{
    DWORD crc = CalcFuncCrc((PUCHAR)DebuggeeFunction, (PUCHAR)DebuggeeFunctionEnd);
    if (g_origCrc != crc)
    {
        std::cout << "Stop debugging program!" << std::endl;
        exit(-1);
    }
    return 0;
} It was originally published on https://www.apriorit.com/

Description

This code defines a function named calc_func_crc that calculates the checksum of a given function. It also defines the debuggee_function and debuggee_function_end functions, which are used as the input to the calc_func_crc function. The code then calculates the current checksum of the debuggee_function function and compares it to the original checksum stored in the ORIG_CRC variable. If the checksums do not match, it means the function has been modified and the code takes appropriate action. This is just an example and the code may need to be modified for more complex scenarios.

import struct

# Calculate checksum of function
def calc_func_crc(func_begin, func_end):
    crc = 0
    for i in range(func_begin, func_end):
        crc += struct.unpack("B", i)[0]
    return crc

# Debuggee function
def debuggee_function():
    calc = 0
    calc += 2
    calc <<= 8
    calc -= 3

# End of debuggee function
def debuggee_function_end():
    pass

# Original function checksum
ORIG_CRC = 0x2bd0

# Calculate current function checksum
CUR_CRC = calc_func_crc(debuggee_function, debuggee_function_end)

# Check if current checksum matches original checksum
if CUR_CRC != ORIG_CRC:
    print("Stop debugging program!")
    exit(-1)

Additional Resources

External Links

The resources provided below are associated links that will give you even more detailed information and research on current evasion technique. It is important to note that, while these resources may be helpful, it is important to exercise caution when following external links. As always, be careful when clicking on links from unknown sources, as they may lead to malicious content.

https://www.apriorit.com/dev-blog/367-anti-reverse-engineering-protection-techniques-to-use-before-releasing-software