C#: How to detect tampering of authenticode signed file
I'm trying to write a C# program that verifies the digital signature of .exe files. The .exe files are signed with an Authenticode certificate, and I want to detect tampering.

I've been able to create a SignedCms instance as described here: Get timestamp from Authenticode Signed files in .NET

I assumed SignedCms.CheckSignature would do the trick, but this method never throws an exception, not even when I modify some bits of the exe.

Mcmanus answered 1/10, 2011 at 20:21

I'm assuming you've scoured the .NET Framework docs and didn't find what you needed. The answer to this StackOverflow question has a link that describes how to use the native Windows CryptQueryObject function to verify a signature. So all that's left is to check out PInvoke.NET to see how to bring that function into .NET.

Fernanda answered 2/10, 2011 at 4:20

Comment: David Pope: So all a hacker needs to do is overwrite the CryptQueryObject? lol - security by obscurity doesn't work. – Influence
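The reason SignedCms.CheckSignature passes on a modified file is that it only verifies the signer's signature over the PKCS#7 content embedded in the PE security directory; that content holds the file digest, but nothing in SignedCms re-hashes the rest of the executable and compares. The check the question actually needs is done by the Windows trust engine. The following is an added example, not code from this answer or any project: it calls WinVerifyTrust (the function behind Authenticode verification, a different entry point from the CryptQueryObject route the answer links to) through P/Invoke. The struct layouts, GUID and HRESULT values come from softpub.h, wintrust.h and winerror.h; the hypothetical Verify method returns the raw HRESULT so that a tampered file (TRUST_E_BAD_DIGEST) can be told apart from an unsigned one (TRUST_E_NOSIGNATURE) or an untrusted chain (CERT_E_UNTRUSTEDROOT).

```csharp
using System;
using System.Runtime.InteropServices;

// Added example (not part of the original answer): in-process Authenticode check
// via WinVerifyTrust, which re-hashes the PE image and compares the result with
// the digest inside the signature. Windows only; wintrust.dll ships with the OS.
public static class AuthenticodeCheck
{
    // WINTRUST_ACTION_GENERIC_VERIFY_V2 from softpub.h
    private static readonly Guid GenericVerifyV2 =
        new Guid("00AAC56B-CD44-11d0-8CC2-00C04FC295EE");

    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    private struct WINTRUST_FILE_INFO
    {
        public uint cbStruct;
        public string pcwszFilePath;   // marshalled as LPWSTR because of CharSet.Unicode
        public IntPtr hFile;
        public IntPtr pgKnownSubject;
    }

    [StructLayout(LayoutKind.Sequential)]
    private struct WINTRUST_DATA
    {
        public uint cbStruct;
        public IntPtr pPolicyCallbackData;
        public IntPtr pSIPClientData;
        public uint dwUIChoice;
        public uint fdwRevocationChecks;
        public uint dwUnionChoice;
        public IntPtr pFile;            // -> WINTRUST_FILE_INFO
        public uint dwStateAction;
        public IntPtr hWVTStateData;
        public IntPtr pwszURLReference;
        public uint dwProvFlags;
        public uint dwUIContext;
    }

    private const uint WTD_UI_NONE = 2;
    private const uint WTD_REVOKE_WHOLECHAIN = 1;
    private const uint WTD_CHOICE_FILE = 1;
    private const uint WTD_STATEACTION_IGNORE = 0;
    private const uint WTD_REVOCATION_CHECK_CHAIN = 0x40;
    private const uint WTD_SAFER_FLAG = 0x100;

    // HRESULTs from winerror.h that a caller usually wants to distinguish
    public const int TRUST_E_NOSIGNATURE = unchecked((int)0x800B0100);
    public const int TRUST_E_BAD_DIGEST = unchecked((int)0x80096010);
    public const int CERT_E_UNTRUSTEDROOT = unchecked((int)0x800B0109);

    [DllImport("wintrust.dll", ExactSpelling = true)]
    private static extern int WinVerifyTrust(IntPtr hwnd, ref Guid pgActionID, ref WINTRUST_DATA pWVTData);

    // Returns S_OK (0) only when the file carries a signature whose digest matches
    // the file bytes and whose certificate chain ends in a trusted root.
    public static int Verify(string path)
    {
        var fileInfo = new WINTRUST_FILE_INFO
        {
            cbStruct = (uint)Marshal.SizeOf(typeof(WINTRUST_FILE_INFO)),
            pcwszFilePath = path,
            hFile = IntPtr.Zero,
            pgKnownSubject = IntPtr.Zero
        };

        IntPtr pFileInfo = Marshal.AllocHGlobal(Marshal.SizeOf(typeof(WINTRUST_FILE_INFO)));
        try
        {
            Marshal.StructureToPtr(fileInfo, pFileInfo, false);
            var data = new WINTRUST_DATA
            {
                cbStruct = (uint)Marshal.SizeOf(typeof(WINTRUST_DATA)),
                dwUIChoice = WTD_UI_NONE,                    // never show a dialog
                fdwRevocationChecks = WTD_REVOKE_WHOLECHAIN,
                dwUnionChoice = WTD_CHOICE_FILE,
                pFile = pFileInfo,
                dwStateAction = WTD_STATEACTION_IGNORE,     // no state handle to close afterwards
                dwProvFlags = WTD_SAFER_FLAG | WTD_REVOCATION_CHECK_CHAIN
            };
            Guid action = GenericVerifyV2;
            return WinVerifyTrust(new IntPtr(-1), ref action, ref data); // -1: no interactive user
        }
        finally
        {
            Marshal.DestroyStructure(pFileInfo, typeof(WINTRUST_FILE_INFO)); // frees the marshalled path
            Marshal.FreeHGlobal(pFileInfo);
        }
    }

    public static void Main(string[] args)
    {
        int hr = Verify(args[0]);
        switch (hr)
        {
            case 0: Console.WriteLine("OK: valid signature, file unmodified"); break;
            case TRUST_E_BAD_DIGEST: Console.WriteLine("TAMPERED: file bytes do not match the signed digest"); break;
            case TRUST_E_NOSIGNATURE: Console.WriteLine("UNSIGNED: no Authenticode signature present"); break;
            case CERT_E_UNTRUSTEDROOT: Console.WriteLine("Signed, but the chain does not end in a trusted root"); break;
            default: Console.WriteLine("Verification failed: 0x" + hr.ToString("X8")); break;
        }
    }
}
```

Two points matter for using this as a tamper check. First, the chain must end in a root the machine trusts; a self-signed test certificate yields CERT_E_UNTRUSTEDROOT, not success, which is the point David Pope's comment is getting at: the protection comes from the OS trust store and the hash comparison, not from the check being hidden. Second, a local attacker who can patch the verifying process can patch any verifier, in-process or not, so this check is a defence against a modified binary on disk, not against code running at the same privilege level as the checker.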

Could you just shell to signtool.exe /verify, and check the result?

I recently wrote a simple app which signs executables using the same method, and it works great.

Signtool on MSDN

Ament answered 1/10, 2011 at 21:11

Comment: Signing an executable is pointless, I can just remove your signing code, or change the signing key, with ilasm + ildasm ... In order for that to work, you'd need a trusted root certificate installed on the OS, and have the OS verify the key - a key which was itself signed by a trusted authority, exactly like SSL. – Influence

Comment: We sign with a public trusted cert and verify the trust chain. – Ament
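Shelling out to signtool.exe as this answer suggests, shown as an added example rather than the answerer's own app. The signtool location is an assumption (it ships with the Windows SDK, not with Windows itself), and the hypothetical IsValidlySigned wrapper relies on signtool's documented exit codes: 0 for success, 1 for failure, 2 for warnings. The /pa switch selects the default Authenticode verification policy; without it, signtool applies the Windows driver-signing policy, which rejects ordinary application signatures even when they chain to a trusted root.

```csharp
using System;
using System.Diagnostics;

// Added example (not the answerer's code): verify an executable by running
// "signtool verify" and interpreting its exit code. The path below is assumed.
public static class SignToolVerify
{
    private const string SignToolPath =
        @"C:\Program Files (x86)\Windows Kits\10\bin\x64\signtool.exe"; // assumed SDK location

    // Returns true only for exit code 0 (signed, digest matches, chain trusted).
    // The captured output is returned so a caller can log the signer and timestamp.
    public static bool IsValidlySigned(string exePath, out string output)
    {
        var psi = new ProcessStartInfo
        {
            FileName = SignToolPath,
            // /pa: default Authenticode policy, /v: print the chain and timestamp
            Arguments = "verify /pa /v \"" + exePath + "\"",
            UseShellExecute = false,
            RedirectStandardOutput = true,
            CreateNoWindow = true
        };
        using (var p = Process.Start(psi))
        {
            output = p.StandardOutput.ReadToEnd(); // signtool reports errors on stdout
            p.WaitForExit();
            // 0 = success, 1 = failure (unsigned, bad digest, untrusted chain), 2 = warnings
            return p.ExitCode == 0;
        }
    }

    public static void Main(string[] args)
    {
        string report;
        bool ok = IsValidlySigned(args[0], out report);
        Console.WriteLine(ok ? "OK: signature verified" : "FAILED: signature missing, invalid or untrusted");
        Console.WriteLine(report);
    }
}
```

signtool performs the same WinVerifyTrust check that can be made in-process, so the result is equivalent; the trade-off is an extra binary to deploy and trust (the path must not be writable by users whose executables are being checked), and exit code 2 should be treated as a failure unless the warning text has been reviewed.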

© 2022 - 2024 — McMap. All rights reserved.