What are 3 - 5 methods for making my Windows desktop program tamper-proof or tamper-aware? [closed]

Question

Closed. This question needs details or clarity. It is not currently accepting answers.

---

Want to improve this question? Add details and clarify the problem by editing this post.

Closed 8 years ago.

Improve this question

I have been tasked with creating a piece of software for my client that will compute certain system statistics in the background (this is not a foreground process). The target platform is Windows XP - 7 and the language/technology is flexible. However, I feel that the client's most challenging requirement is that the software must run when the PC starts and it must be tamper-aware. That is, the client wants to receive an email if a user attempts to stop/disable the software.

I recognize that at any given time somebody can pick up the machine and drop it in a river and there's no way I can alert the client that such has happened. I explained this and their response is that "it's not a problem if it does not come back online". I guess they expect to monitor which systems go offline for extended periods of time and deal with those in some way.

The challenge is that they want to receive an alert (e.g. an email notification) in the event that the system was up and running but the statistical software was not. For example, the following scenarios would trigger the notification email:

a) user uses task manager to kill my process and then runs other programs. The next time my process starts it should notify that it was tampered with. b) user disables the mechanism that starts the process on boot (e.g. registry key), reboots the machine, and runs other programs. The next time my process starts it should notify that it was tampered with.

Finally, the client prefers this to be a portable app and not require a Windows installation.

As I said, the technology is flexible: we can use C++, C#.NET, WSH, or anything else for the Windows platform. I've been developing software for nearly a decade now but have not encountered a need for tamper-awareness. So the question is, what are some different methods for making my Windows desktop program tamper-aware?

The notification piece is simple as I can just call a foreign web service when the program restarts and the web service can send the email notification. The tricky part is the logic to determine if the system was running while my program was not?

Answer 1

The easiest way to notice that your program has been closed in an unwanted way, is to have a 'lock' file somewhere, that your program removes if it is closed in a normal way (by system shutdown event). On startup you can see the lock file, and deduce that your program was closed abnormally.

For knowing that your program isn't run every day the computer is run you could alter your lock file and add an encoded date of last run. On startup check that date with i.e. messages in the eventlog. If there are messages there that are not today, but later than last run date in your lock file, it means the computer was running without your program.

you could also use the registry for this, or - if you have the webservice at your disposal anyways, have it just send the data there.

• Start program
• Find last date of computer being run that is not today.
• Send that info to a webservice
• That webservice can store the info and deduce that the computer was run without your program if the last computer run date is not the same as the last program run date
• That webservice can deduce that your software was closed because it has a still open 'session'
• On closing: Send a close message to the webservice

Answer 2

a) user uses task manager to kill my process and then runs other programs. The next time my process starts it should notify that it was tampered with.

You could potentially block the user from killing your process in the first place. Check out SetWindowsHookEx with a WH_CALLWNDPROC hook. You can then use your hook method to see if the message is both lethal (WM_CLOSE, WM_QUIT) and directed at your app. Then you can take appropriate action (although be somewhat careful if you decide to block any lethal messages, since you can potentially block your system from shutting down - I haven't checked the interactions between WM_QUERYENDSESSION/WM_ENDSESSION and WM_QUIT, although the WM_ENDSESSION docs suggest WM_QUIT is never called during system shutdown).

b) user disables the mechanism that starts the process on boot (e.g. registry key), reboots the machine, and runs other programs. The next time my process starts it should notify that it was tampered with.

This is honestly quite a bit harder. I'm not sure there's much you can do here, since anything you can monitor to detect a "missed startup" (other running apps, system uptime, etc.) could potentially be turned against you by the following chain of events:

• User disables your app's startup registry entry
• User restarts the system
• User does whatever they want
• User re-enables your app's startup registry entry
• User restarts the system

You could try monitoring the registry key in question, perhaps checking it once just before your app shuts down, and send the tamper warning if it's been destroyed. You can also recreate it at that point. The problem is, you're essentially relying on a chain of protection here: your app needs to be running to determine if the auto-start key is present or missing. If your user is clever, he can bypass that entirely by using a LiveCD/LiveUSB to disable the app's startup registry key, then re-enable it (perhaps with the same LiveCD/LiveUSB) when he sees fit to do so. Or he could just use a LiveCD/LiveUSB to do whatever he wants to do and ignore your app entirely. Ultimately I think your user has the upper hand by default here, unless you can install yourself at the very lowest levels (firmware?). Even then a desperate, tech-savvy user could potentially take out the system's hard drive, put it in a hard drive reader in another computer, and disable the startup key.

I think you'll have to determine how far you want to take this: are you looking for an absolute lockdown that nobody can bypass, or do you just want to hinder normal users from wasting time on a company PC?

Answer 3

If this is on a corporate network, how about using MAC address of the client computer?

A trusted server will be doing the observation, and you would have the client program identify itself to this server.

The server will monitor if this computer is online by ways of the MAC address being alive. Since the MAC will not change, once a client is known to the server, it can monitor it.