-3

We have made a C++ Native Win32 application that is closed source. We want to protect our intellectual property and we are worried that competitors can inspect our .exe file and identify what Win32 functions we have used and from there gain an understanding of what techniques we used. For an experienced person, you can work out pretty easily the main methodology we use for port management.

An example of how our .exe is able to be inspected:

  • Is it normal for a PE file/.exe to openly state the Win32 functions like this?
  • Is there a way to not have Win32 functions explicitly stated in the .exe (like utorrent)?
  • Maybe we can configure Visual Studio 2010 to not explicitly state the functions?
  • Is our only solution obfuscation or a third party application that can package/encrypt our .exe?

When I inspect the utorrent.exe I notice no Win32 functions in the .exe. And I know that Utorrent was developed to be lightweight, is closed source and developed in C++ (not sure if native Win32 was used though) - which is similar to our application. If you inspect Chrome.exe you can see all the Win32 functions explicitly stated just like in our .exe and I also know that Chrome was developed to be lightweight, in C++ and using native WinAPI and is open source which is all very similar to our application. This is what we want to avoid.

sazr
  • 4
    Security through obscurity. If someone wants to monitor Win32 API calls, they can, no matter how you address them. – CodeCaster Mar 24 '13 at 10:16
  • 3
    You're aware that people can, gasp, disassemble executables too? – Mat Mar 24 '13 at 10:17
  • 1
    You can import by ordinal.. but that doesn't keep anyone from knowing what you imported. It just makes it harder if they're going to open it in a text editor, but only in that case. – harold Mar 24 '13 at 10:18
  • @harold yes that sounds interesting. Maybe make an answer so I could accept? – sazr Mar 24 '13 at 10:20
  • 1
    @JakeM utorrent doesn't import by ordinal. And importing by ordinal doesn't conceal anything at all. The ordinal values of Win32 APIs are well known. – David Heffernan Mar 24 '13 at 10:21
  • 1
    Does this help? http://stackoverflow.com/questions/3898716/how-to-build-an-executable-without-import-table-in-c-c – Roger Rowland Mar 24 '13 at 10:22
  • I think the names are there to resolve references to DLL symbols. If you use static linking, the names are not needed. – brian beuning Mar 24 '13 at 12:19
  • @brianbeuning You cannot link to DLLs statically. You use dynamic linking. Those names are from the import table which lists the implicit imports. – David Heffernan Mar 24 '13 at 22:23
  • @davidheffernan Many times a library is available as both a static and a dynamic library. This is true for the MSVC C run-time library. Using a static library, when available, will remove these strings. – brian beuning Mar 24 '13 at 22:34

1 Answer

6

The bottom line is that there is no way to protect a third party from working out what your program does. Your program can be debugged. If the computer can execute it, then a third party can reverse engineer it.

I believe that utorrent uses an image packer which is why you cannot inspect its imports easily. But all you need to do is inspect the unpacked image and all will be revealed.

David Heffernan
  • I understand that once the process is running it can be inspected. But my question is how to remove/obfuscate the Win32 functions within the static exe file. The goal is to make it less blatant rather than bullet-proof our intellectual property – sazr Mar 24 '13 at 10:21
  • 2
    Well, you can do the same as utorrent and use a packer. But anybody that is interested enough in reverse engineering your product will be able to defeat that, in my opinion. – David Heffernan Mar 24 '13 at 10:22
  • 4
    Of course they can. Monitoring API calls made by a particular application is rather trivial. You don't even have to be a programmer to download and run [Process Monitor](http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx). Moreover, the notion that a set of API calls constitutes your "intellectual property" strikes me as utterly bunk. It's *algorithms* and *design* that constitute intellectual property; the PE format exposes neither. – Cody Gray - on strike Mar 24 '13 at 10:49
  • @CodyGray Where on earth do I claim that Win32 API Functions are my intellectual property? Using comprehension you will see that the assertions are 'PE Format compromises our intellectual property' NOT WinAPI Functions are my intellectual property. Regarding port management, there are 2 methodologies to do it using WinAPI functions. By inspecting the .exe and using deduction `competitors can ... identify what Win32 functions we have used and from there gain an understanding of what techniques we used.` Our approach closes an acknowledged (by competitors) gap ... – sazr Mar 24 '13 at 21:58
  • ... and an understanding of our technique may spur competitors to close the gap in their own applications. – sazr Mar 24 '13 at 21:59
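
The function names discussed in this thread come from the PE import directory, which any tool can read from the file on disk, and by-ordinal entries show up in the same table. An added example, not part of the original thread, that lists them; the sample image is constructed inline (headers plus one `.idata` section, not a runnable executable), its `WS2_32.dll` entries are illustrative, and the parser assumes the import data directory is present in the optional header.

```python
import struct

def cstr(data, off):  # NUL-terminated ASCII string at a file offset
    return data[off:data.index(b"\0", off)].decode("ascii")

def list_imports(data):
    """Return {dll: [function names or '#ordinal']} from the PE import directory."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsect, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
    opt = pe + 24  # optional header follows the 20-byte COFF header
    plus = struct.unpack_from("<H", data, opt)[0] == 0x20B  # PE32+ magic
    imp_rva = struct.unpack_from("<I", data, opt + (112 if plus else 96) + 8)[0]
    secs = [struct.unpack_from("<8xIIII", data, opt + opt_size + 40 * i)
            for i in range(nsect)]  # (vsize, vaddr, rawsize, rawptr)
    def off(rva):  # RVA -> file offset via the section table
        for vsize, vaddr, rawsize, rawptr in secs:
            if vaddr <= rva < vaddr + max(vsize, rawsize):
                return rva - vaddr + rawptr
        raise ValueError("RVA %#x is outside every section" % rva)
    fmt, step, by_ordinal = ("<Q", 8, 1 << 63) if plus else ("<I", 4, 1 << 31)
    imports, desc = {}, off(imp_rva) if imp_rva else None
    while desc is not None:
        oft, _, _, name_rva, ft = struct.unpack_from("<5I", data, desc)
        if not (oft or name_rva or ft):  # all-zero descriptor ends the table
            break
        funcs = imports.setdefault(cstr(data, off(name_rva)), [])
        thunk = off(oft or ft)  # thunk: high bit = ordinal, else RVA of hint+name
        while (val := struct.unpack_from(fmt, data, thunk)[0]):
            funcs.append("#%d" % (val & 0xFFFF) if val & by_ordinal
                         else cstr(data, off(val) + 2))
            thunk += step
        desc += 20
    return imports

def sample_pe():
    """Constructed PE32 headers plus one .idata section (not a runnable exe)."""
    d = bytearray(b"MZ".ljust(0x400, b"\0"))
    struct.pack_into("<I", d, 0x3C, 0x40)  # e_lfanew
    d[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH12xHHH", d, 0x44, 0x14C, 1, 224, 0x102, 0x10B)
    struct.pack_into("<II", d, 0xC0, 0x1000, 40)  # import directory RVA, size
    struct.pack_into("<8sIIII", d, 0x138, b".idata", 0x200, 0x1000, 0x200, 0x200)
    struct.pack_into("<5I", d, 0x200, 0x1040, 0, 0, 0x1060, 0x1040)
    struct.pack_into("<3I", d, 0x240, 0x1070, 0x1080, 0x80000000 | 115)
    for o, s in ((0x260, b"WS2_32.dll"), (0x272, b"bind"), (0x282, b"listen")):
        d[o:o + len(s)] = s
    return bytes(d)
```

`list_imports(sample_pe())` returns the DLL name with both named functions and the by-ordinal entry as `#115`.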