Could this PE embeded Licensing Mechanism interfere with Antivirus software?

Question

I'm working on a Windows Native C++ Desktop Software Licensing Mechanism and I'm trying to be as unobtrusive as possible. The idea behind it is simple and I'm trying to deter people from sharing it primarily through adding their personal information in the software and also locking it on an array of target machines.

How Licensing Works:

When someone downloads the software from my server they get a new personalized PE section added to it that contains personally identifiable information and a hash key that protects it from tampering. The hash is checked against an embedded public key and generated by a private key on server.

When the tool runs, it checks itself against the hash key, then calls home and only runs if local tests succeed and it gets the green light from home. As the tools are internet tools that require being online all the time, calling home should almost always be possible, unless blocked through DNS (but I'll include a custom DNS client in the tools to avoid Windows when resolving to call home).

Question:

My main concern is if it's possible for antivirus software to frown upon my custom section embedded in the PE structure? I'm not talking about free data appended to the end of the file. I'm embedding a new section and rewriting the PE.

I did some tests and had no problem but I'm wondering if others have more experience with such things.

Answer 1

It is a common misunderstanding that signatures prevent tampering. They do not prevent it, they only reveal it.

If a user is complicit (they intend to use a cracked/improperly licensed version), allowing them to discover the tampering doesn't get you anywhere.

Your best bet is not to use the unique fingerprint to block operation of the software, which will surely just lead to a warez version which has the license checks patched out, but merely collect data on multiple installations which may be used when pursuing legal action in a civil suit for unauthorized copying.

Answer 2

I see a few red flags:

1. Your application isn't signed by Authenticode, or (worse) your new section invalidated the Authenticode signature. Solution: don't reinvent the wheel, use the Authenticode mechanism instead of your own.

2. Since your executable is unique, it can't be whitelisted.

3. Your app contains its own DNS client. This will be noticed by AV software.

The custom PE section itself isn't going to score too bad, but why so complex? A RT_RCDATA resource seems more appropriate.