Unfortunately, hackers and other individuals that wish to alter the behavior of software in an unauthorized manner frequently tamper with sensitive binary files. For example, hackers frequently attempt to gain access to Digital Rights Media (DRM) protected computer files, such as songs or other types of digital media files. In some instances, hackers can modify a media player's code to cause the media player to behave in ways that the original developer did not intend. For instance, a hacker can accomplish this by modifying parts of a binary that require copy protection keys that provide access to a protected file, such as a song, movie, or the like.
Hackers typically modify binaries when a binary is located in one of two locations. The first location is on a computer's hard disk or other storage medium. In this instance, hackers may modify the binary file before the file is loaded into memory. Second, hackers may modify the file once the file is loaded into memory.
Typically, the first method of attack is countered by cryptographically checking the hash of the binary and its signature. In contrast, attacks in memory are harder to defend against. This is because, only subsets of the binary may be loaded into memory at any given time. Furthermore, a binary may undergo tolerated modifications during runtime. This difficulty is compounded when code modification needs to be detected across a binary boundary. In other words, it is difficult to detect code modification in other binaries in the same process.
One method of detecting binary modification has been through checking the entire process space. However, this is often inefficient when the process space is of significant size. Another method is checking randomly across the entire process space. However, in this random fashion, a critical piece of code may go unchecked while a less critical piece of code is checked. Additionally, current directed checks are done either only within the same binary or the entire process space outside the binary. Thus, there is a need to detect modification of specific pieces of code across binary boundaries in memory and on hard drives.