So when it was installed onto the end user machine(s) the app modified the file system created date and time as well then?
I’ve been going through mental mind games trying to figure out how I can tell if an exe/dll has been tampered with.
It doesnt detect sidechannel attacks, which is where a bug somewhere else can be used to access the program, like a debugger process injection but what could be done is this.
- Select a hash algo and generate a list of every permutation of the resultant hash output.
- Take one of the hash permutations and embed it into the PE format exe/dll file’s resource section.
- Hash the file using the hash algo selected in step 1. If the hash output matches the hash permutation from step 2, you have a match and can ship it, else repeat step 2.
Slow to do on a single computer, fast on a cloud based data centre, like Amazon’s elastic.
The main advantage is the program can popup a Halt message if the exe/dll has been tampered with and the hash signature doesnt match. If it also phones home the hash signature, not only do you get meta data of when the app was run, but you also get to see what version of an app is being used, along with time of day and the ip address of the user.
No need for a code signing certificate then, but a code signing certificate could still be used to compliment the above measures. However, if the app reports the wrong hash signature but the correct code signing data, then its highlighted a problem in the certificate authority, which could be, they have been hacked or have had to hand over their root certificates possibly at the hands of a secret court order! This assumes the exe/dll has been tampered with and then re codesigned.
In maths its possible to calculate unknowns, and those few steps are easily achieved with templates.
You can find my trust of the state in a black hole.
If you want to take this further, what you could do is.
Select a hash algo and generate a list of every permutation of the resultant hash output.
Take one of the hash permutations and embed it into the PE format exe/dll file’s resource section (honeypot) and also embed it into a random encrypted debugview message or some other section with seemingly random data. Compile.
Hash the file using the hash algo selected in step 1. If the hash output matches the hash permutation from step 2, you have a match and can ship it, else repeat step 2.
Then if the exe/dll not only phones home the hash signature but also a copy of the exe/dll’s, which lets face it are quite small in file size compared to most other programs out there, then you can also see if the exe/dll has been changed, ie they wont necessarily know what extra steps a programmer has done to embed a hash signature in a program besides the obvious honeypot resource file section, but if the exe/dll’s are sent home with the hash signature, you can tell if its genuine or not. Simpler methods can simply be, moving a dot one pixel in direction on a screen, and then checking that pixel location when the exe/dll is phoned home.
The small size of clarion’s exe’s and dll’s make it possible to phone home a copy every time its run with todays internet infrastructure. It wont stop those who have infrastructure level access, but it narrows down the other alternatives to hide their activity that they might cite in order to evade detection.
Other methods include a variation of the phone home method. So if you ever purchase mailling lists from database companies, to do fax mailshots or postal mailshots, they will slip in a few of their own addresses to see if you use those addresses out of contract, because they often apply the condition you have 1-3months to use the mailling list starting from day of purchase. You dont know what are their own addresses, so they get a copy of your mailshot when you use their mailling list, and if you use it again outside of the contract period, they they come after you for breaking the terms of the agreements.
So when you app phones home, it doesnt have to phone home immediately, it could phone home after an hour of it having been run, and the rate the information is packaged up and sent back can also indicate information. So if you send the hash signature and exe/dll’s back home over the internet, you could send it at a slow rate, like 1kb or 2 kb rate, nothing to tie up and hog their internet connection but then when the app is closed the phone home transmission stops, so you get meta data to know when the app was closed, but you also get to see some of the exe/dll’s, in which to see if its been tampered with, specially if markers are distributed throughout the exe and dll’s, or the algo to phone home selects different sections of an exe/dll to start sending back everytime an app is started. And how many homes can your app phone home to? Are you a 2nd home owner or a major landlord?
One of the insurance company methods to detect fraud, is simply to get claimants waiting on the phone during the claims process, the claimant hears music, so those concocting stories for their fraudulent claim, have their guard lowered and often if with a 2nd person, will have a conversation and fine tune their story. So never put a claim in over the phone with someone else around you, the insurance company is listening to you whilst you are waiting for an operator to answer or continue and complete the telephone claims process.
There’s lots of these things going on in real life, including fake science and fake news.
I can tell you now, here in the UK, the level of oversight is so good, they can drop your mobile phone calls, inject sound like interference into calls, if you can imagine it, they can do, because they have done it to me! And Capitalism is just a carrot to manipulate behaviour. I’ve had bank accounts frozen, and stuck in a legal loop with access to no money for weeks, I’ve had direct debits cancelled by banks, and then forced to pay penalties. The City of London is a hive of criminality, a state in its own right which can veto’s everything decided in Westminster, and its the only place in the world, where global corporations can vote. Who knew that?
On the 2nd day I went “missing” in Cambridge, a bloke walked past me in a street eyeballing me who was the spitting image of this guy, John Podesta - Wikipedia. If it was John Podesta, he is a frigging short arse!