Can an EXE self-check, whether a digital certificate is broken?
Hello Friedrich,
As seen in the subject, my idea is to make the EXE self-check at startup time
whether its own certificate is still valid.
It would also be okay to RUN('CertificateChecker.EXE') (if that certificate is
still valid!) to check my EXE from the outside. Like:
PROGRAM MyEXE:
  DO ROUTINE:CheckCertificate
ROUTINE:CheckCertificate ROUTINE
  IF CheckCertificate('CertificateChecker.EXE') = EQ:still_valid
    CHAIN('CertificateChecker.EXE')
  ELSE
    MESSAGE('CertificateChecker.EXE has already been screwed, better run and hide!')
  END
PROGRAM CertificateChecker.EXE
... it does the same with My.EXE and CHAIN()s it, if EQ:still_valid.
Is such counterchecking possible?
I ask because there are manipulated versions of VLC and TrueCrypt, CCleaner and
whatnot in the wild.
TIA
Wolfgang
Regards,
Wolfgang Orth
www.odata.de
Please note:
From time to time it happens that I overlook a reply to my postings.
Please don't be angry.
In case of an emergency, try to contact me via mail.
Re: Can an EXE self-check, whether a digital certificate is broken?
Hi Wolfgang,
Yes, this can be done. For example, we have such an option in SetupBuilder
10. General Information -> Advanced Settings -> "Verify Code-Signed Install
at Startup".
Internally, it is using our "Get File Info..." (Verify Trust) script
function.
Please note that from time to time, Windows needs a root certificate update
(it's done automatically) to check for revoked certificates. If a machine
has an "outdated" root certificate (e.g. the user kills the Update service or
the computer has not been connected to the Internet for some time), then Windows
might return a "certificate not valid" status.
Some interesting threads:
http://www.lindersoft.com/forums/sho...7567#post87567
http://www.lindersoft.com/forums/sho...7570#post87570
http://www.lindersoft.com/forums/sho...tupBuilder-7-7
http://www.lindersoft.com/forums/sho...8775#post78775
Friedrich
Re: Can an EXE self-check, whether a digital certificate is broken?
>Hi Wolfgang,
>
>Yes, this can be done. For example, we have such an option in SetupBuilder
>10. General Information -> Advanced Settings -> "Verify Code-Signed Install
>at Startup".
>
Yes, I noticed that on installers at the very end.
>Internally, it is using our "Get File Info..." (Verify Trust) script
>function.
>
# So we have added a new "Get Trust [Code-signature]" function that lets you
# optionally perform the Authenticode verification AND retrieve code-signing
# certificate specific information to ensure the update install image was
# signed by your private key
(from your 3rd link)
The question is, can we do that with our own EXE each time at startup?
IF SecurityCheck() = failed....
That way we can assure customers not only that the initial install was clean,
but also that during the program's lifetime we can at least argue that no virus
has harmed it or, if so, the EXE would alert.
Some people might like the idea, I guess.
Have a nice weekend
Wolfgang
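As an added example (not SetupBuilder's "Get Trust" function and not code from either poster), here is the startup self-check discussed above done from PowerShell on Windows: verify the Authenticode signature of a file and, as the quoted release note suggests, also confirm it was signed by one specific certificate rather than by just any trusted signer. A compiled program would make the same check through the Windows WinVerifyTrust API; the thumbprint below is a placeholder you must replace with your own.

```powershell
# Added example, not SetupBuilder's "Get Trust" function and not code from this thread.
# Startup self-check: verify the Authenticode signature of a file (the running
# host process by default; a compiled EXE would pass its own path) and pin the
# signer to one expected code-signing certificate.
param(
    [string]$Path = (Get-Process -Id $PID).Path,
    # Placeholder: replace with the SHA-1 thumbprint of YOUR code-signing certificate.
    [string]$ExpectedThumbprint = 'REPLACE_WITH_YOUR_CERT_THUMBPRINT'
)

function Test-SignedByUs {
    param([string]$FilePath, [string]$Thumbprint)

    $sig = Get-AuthenticodeSignature -FilePath $FilePath

    # 'Valid'        = hash matches the file bytes and the chain builds to a trusted root.
    # 'HashMismatch' = the file was modified after signing (the tampered-download case).
    # 'NotTrusted' / 'UnknownError' can also come from a stale root store or an
    # offline machine (the caveat in the reply above), so report the status rather
    # than treating every failure as proof of tampering.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{
            Trusted = $false
            Reason  = "Signature status: $($sig.Status)"
            Signer  = $null
        }
    }

    # A valid signature only proves that SOME trusted publisher signed the file;
    # the second check ensures it was your certificate.
    $signer = $sig.SignerCertificate
    if ($signer.Thumbprint -ne $Thumbprint) {
        return [pscustomobject]@{
            Trusted = $false
            Reason  = "Signed by unexpected certificate: $($signer.Subject)"
            Signer  = $signer.Thumbprint
        }
    }

    return [pscustomobject]@{ Trusted = $true; Reason = 'OK'; Signer = $signer.Thumbprint }
}

$result = Test-SignedByUs -FilePath $Path -Thumbprint $ExpectedThumbprint
if ($result.Trusted) {
    Write-Host "Signature check passed for $Path (signer $($result.Signer))"
    exit 0
}
Write-Warning "Signature check FAILED for ${Path}: $($result.Reason)"
exit 1
```

A check compiled into the EXE can be patched out together with the rest of the file, so it catches careless or opportunistic tampering rather than a determined attacker; a separate checker that is itself verified first, as the original post sketches, is the stronger arrangement.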