
Thread: Can an EXE self-check, whether a digital certificate is broken?

  1. #1

    Can an EXE self-check, whether a digital certificate is broken?

    Hello Friedrich,

    as seen in the subject, my idea is to make the EXE self-check at startup time,
    whether the certificate of itself is still valid.

    It would be okay also, to RUN('CertificateChecker.EXE') (if that certificate is
    still valid!) to check my exe from the outside. Like

    PROGRAM MyEXE:

    DO ROUTINE:CheckCertificate

    ROUTINE:CheckCertificate ROUTINE

    IF CheckCertificate('CertificateChecker.EXE') = EQ:still_valid

    CHAIN('CertificateChecker.EXE')

    ELSE

    MESSAGE('CertificateChecker.EXE has already been screwed, better run and hide!')

    END

    PROGRAM CertificateChecker.EXE

    ... it does the same with My.EXE and CHAIN()s it, if EQ:still_valid.

    Is such counterchecking possible?

    I ask because there are manipulated versions of VLC and TrueCrypt, CCleaner and
    whatnot in the wild.

    TIA
    Wolfgang









    Regards,
    Wolfgang Orth
    www.odata.de

    Please note:
    From time to time it happens, that I overlook a reply to my postings.
    Please don't be angry.
    In case of an emergency, try to contact me via mail.


  2. #2

    Re: Can an EXE self-check, whether a digital certificate is broken?

    Hi Wolfgang,

    Yes, this can be done. For example, we have such an option in SetupBuilder
    10. General Information -> Advanced Settings -> "Verify Code-Signed Install
    at Startup".

    Internally, it is using our "Get File Info..." (Verify Trust) script
    function.

    Please note that from time to time, Windows needs a root certificate update
    (it's done automatically) to check for revoked certificates. If a machine
    has an "outdated" root certificate (e.g. user kills the Update service or
    computer not Internet connected for some time) then Windows might return a
    "certificate not valid" status.

    Some interesting threads:
    http://www.lindersoft.com/forums/sho...7567#post87567
    http://www.lindersoft.com/forums/sho...7570#post87570
    http://www.lindersoft.com/forums/sho...tupBuilder-7-7
    http://www.lindersoft.com/forums/sho...8775#post78775

    Friedrich
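
An added example (not SetupBuilder's script function and not code from this thread) of the "check my EXE from the outside" idea, in PowerShell with the built-in Get-AuthenticodeSignature cmdlet. The function name, the verdict labels and the thumbprint placeholder are assumptions; the point is to separate a modified file from a chain that merely could not be validated, which the reply above notes can happen with outdated root certificates.

```powershell
# Added example: verify an EXE's Authenticode signature before launching it.
# The thumbprint default is a placeholder; pin your own code-signing certificate.
param(
    [Parameter(Mandatory)][string]$Path,
    [string]$ExpectedThumbprint = '<YOUR-SIGNING-CERT-THUMBPRINT>'
)

function Test-ExeSignature {
    param([string]$Path, [string]$ExpectedThumbprint)

    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    $verdict = switch ($sig.Status.ToString()) {
        # The file carries no signature at all.
        'NotSigned'    { 'Unsigned' }
        # File bytes no longer match the signed hash: modified after signing.
        'HashMismatch' { 'Tampered' }
        # Signature and chain are good; still confirm it is *our* certificate,
        # since any publisher's valid certificate would also report 'Valid'.
        'Valid' {
            if ($sig.SignerCertificate.Thumbprint -eq $ExpectedThumbprint) { 'Trusted' }
            else { 'WrongSigner' }
        }
        # NotTrusted, UnknownError, ...: the chain could not be validated.
        # This is not proof of tampering; stale root certificates on an
        # offline machine can produce it as well, so report it separately.
        default        { 'TrustUndetermined' }
    }

    [pscustomobject]@{
        Verdict = $verdict
        Status  = $sig.Status
        Signer  = $sig.SignerCertificate.Subject
        Detail  = $sig.StatusMessage
    }
}

$result = Test-ExeSignature -Path $Path -ExpectedThumbprint $ExpectedThumbprint
if ($result.Verdict -eq 'Trusted') {
    Start-Process -FilePath $Path
} else {
    Write-Warning "$Path not started: $($result.Verdict) ($($result.Detail))"
    exit 1
}
```

A check compiled into the EXE itself can be removed by whoever altered the file, so the verdict carries more weight when it comes from a separate, independently signed process such as this launcher.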

  3. #3

    Re: Can an EXE self-check, whether a digital certificate is broken?

    >Hi Wolfgang,
    >
    >Yes, this can be done. For example, we have such an option in SetupBuilder
    >10. General Information -> Advanced Settings -> "Verify Code-Signed Install
    >at Startup".
    >

    Yes, I noticed that on installers at the very end.


    >Internally, it is using our "Get File Info..." (Verify Trust) script
    >function.
    >

    # So we have added a new "Get Trust [Code-signature]" function that lets you
    # optionally perform the Authenticode verification AND retrieve code-signing
    # certificate specific information to ensure the update install image was
    # signed by your private key
    (from your 3rd link)

    The question is, can we do that with our own EXE each time at startup?

    IF SecurityCheck() = failed....

    That way we can assure customers not only, that the initial install was clean,
    but also during the program's lifetime we can at least argue, that no virus has
    harmed or, if so, the EXE would alert.

    Some people might like the idea, I guess.

    Have a nice weekend
    Wolfgang



    Regards,
    Wolfgang Orth
    www.odata.de

