PDA

View Full Version : Can an EXE self-check, whether a digital certificate is broken?



NewsArchive
09-22-2017, 10:04 AM
Hello Friedrich,

as seen in the subjetct, my idea is to make the EXE self-check at startup time,
whether the certrificate of itself is still valid.

It would be okay also, to RUN('CertificateChecker.EXE') (if that certificate is
still valid!) to check my exe from the outside. Like

PROGRAM MyEXE:

DO ROUTINE:CheckCertificate

ROUTINE:CheckCertificate ROUTINE

IF CheckCertificate('CertificateChecker.EXE') = EQ:still_valid

CHAIN(CertificateChecker.EXE')

ELSE

MESSAGE('CertificateChecker.EXE has already been screwed, better run and hide!')

END

PRORGAM CertificateChecker.EXE

... it does the same with My.EXE and CHAIN()s it, if EQ:still_valid.

Is such counterchecking possible?

I ask because there are manipulated versions of VLC and TrueCrypt, CCleaner and
whatnot in the wild.

TIA
Wolfgang









Regards,
Wolfgang Orth
www.odata.de

Please note:
From time to time it happens, that I overlook a reply to my postings.
Please don't be angry.
In case of an emergency, try to contact me via mail.

Bitte beachten:
Von Zeit zu Zeit passiert es mir, dass ich Antworten auf meine Postings übersehe.
Bitte nicht böse sein.
Im Notfall bitte Kontakt per Mail versuchen.







.

NewsArchive
09-23-2017, 03:24 AM
Hi Wolfgang,

Yes, this can be done. For example, we have such an option in SetupBuilder
10. General Information -> Advanced Settings -> "Verify Code-Signed Install
at Startup".

Internally, it is using our "Get File Info..." (Verify Trust) script
function.

Please note that from time to time, Windows needs a root certificate update
(it's done automatically) to check for revoked certificates. If a machine
has an "outdated" root certificate (e.g. user kills the Update service or
computer not Internet connected for some time)then Windows might return a
"certificate not valid" status.

Some interesting threads:
http://www.lindersoft.com/forums/showthread.php?47566-Dual-vs-SHA2-code-signing&p=87567#post87567
http://www.lindersoft.com/forums/showthread.php?47566-Dual-vs-SHA2-code-signing&p=87570#post87570
http://www.lindersoft.com/forums/showthread.php?35474-New-security-function-in-SetupBuilder-7-7
http://www.lindersoft.com/forums/showthread.php?43842&p=78775#post78775

Friedrich

NewsArchive
09-23-2017, 03:25 AM
>Hi Wolfgang,
>
>Yes, this can be done. For example, we have such an option in SetupBuilder
>10. General Information -> Advanced Settings -> "Verify Code-Signed Install
>at Startup".
>

Yes, I noticed that on installers at the very end.


>Internally, it is using our "Get File Info..." (Verify Trust) script
>function.
>

# So we have added a new "Get Trust [Code-signature]" function that lets you
# optionally perform the Authenticode verification AND retrieve code-signing
# certificate specific information to ensure the update install image was
# signed by your private key
(from your 3rd link)

The question is, can we do that with our own EXE each time at startup?

IF SecurityCheck() = failed....

That way we can assure customers not only, that the initial install was clean,
but also during the programs lifetime we can at least argue, that no virus has
harmed or, if so, the EXE would alert.

Some people might like the idea, I guess.

Have a nice weekend
Wolfgang



Regards,
Wolfgang Orth
www.odata.de

Please note:
From time to time it happens, that I overlook a reply to my postings.
Please don't be angry.
In case of an emergency, try to contact me via mail.

Bitte beachten:
Von Zeit zu Zeit passiert es mir, dass ich Antworten auf meine Postings übersehe.
Bitte nicht böse sein.
Im Notfall bitte Kontakt per Mail versuchen.