Checksum of a function in memory

Question

I am making a kind of anti-hack thing for a program, and I want to be able to create a checksum of the bytes of a function to see if it has been modified. I know how to do a checksum, but how do I get how many bytes I should checksum? Is there a way to get the size of my function?

Answer 1

Don't even try. You cannot assume that a function is contiguous in memory: it may have basicblocks with lower start addresses than its entrypoint; it may share trailing basicblocks with other functions; it may contain interspersed data or alignment bytes or it may disappear entirely, depending on the calling site (due to the compiler deciding to inline the function).

There is no way for your code to know the size of the generated function. Just think about it: the size is entirely dependent on what the compiler emits and that depends on all kinds of compiler settings and flags (think an optimizing, heavily inlined release build vs a debug build or using enhanced instruction sets like SSE vs not using them).

Also, as already indicated, such a checksum check is trivial to work around as a hacker - just another branch you have to invert.

And lastly, as an exercise for the curious and because potential malicious hackers will use it too, I'd recommend locking at your binary via the IDA Pro disassembler. This will make a lot of the problems with your intended anti-hack mitigation obvious...

If you really do want to continue down this path I'd recommend anti reversing resources or running a post processing step on your code that
a) chains all of your functions together by inserting jumps connecting them which will never be taken. Hide the branches behind opaque predicates. This will make the disassembly hard to read/understand and will even break some disassemblers doing static flow analysis due to the resulting immense function size.
b) redirects all function calls through a single big branching function. This will have a performance impact on your code but it will also make the callgraph completely unusable/unreadable.

Answer 2

In theory you can use the length of the symbol pointing to the function in your executable (assuming you can get your hands on it), but it's not actually required to be right -- the system won't care, it just goes to the start of the function and runs until the function returns. You can try finding the start of the next function and assuming the functions are sequential (besides padding, but there's no reason not to just checksum that too), but that requires that you know which function comes after the one you want to checksum. Either way, you'd have to have the executable analyze itself in memory to find that part of the header

Answer 3

Code is usually in read only memory so that it can't change.

But you could embed a checksum for a DLL so that just after it is loaded it validates its own image and aborts if the DLL disk image has been modified. But has that not already been done by the OS?

Answer 4

Standard doesn't allow to use function as an argument of the sizeof operator. So there is no portable way to get size of the function body. Moreover a function shouldn't necessarily be placed in a continuous memory block. Parts of the several functions could be shuffled in one place (that is what VS do in the Release build).