Has my EXE been modified?

Does anyone have a simple method of determining whether the running EXE has been modified? With or without code signing, Windows doesn’t help.

For example, I did a search and replace on Clarion.exe and changed “SoftVelocity” to “HardVelocity” and nothing complained when I ran the EXE. If you inspect the code signing certificate, it says it’s invalid, but the program runs anyway. So why bother with code signing if it can’t detect modified code? No wonder viruses can modify executables with impunity!

So firstly, yes, exes can be changed without Windows complaining. Your program needs to explicitly check the certificate on startup if you want to prevent that. I don’t have the code to do that to hand, but Wolfgang did a webinar on this, and posted code to the newsgroup.


ClarionLive #503, #512 and #515. Thanks.

Edit:

Then there’s this: Masquerading as a Windows System Binary Using Digital Signatures

I’m curious to know whether a self-signed certificate triggers an alarm in the Ultimate Code Sign Checker. Has anyone tried it?

I think for an exercise, it would be interesting to build an app that changes the strings found inside all the apps you can find on your hard drive!

You know, like the debugview messages that can be built into an app and activated using a command line switch: it’s not hard to load an exe, dll or COM add-on into a string, use STRPOS or Match to pull out some text from certain offsets (which can be learnt using the PE format), and when a string is found, modify a single character, save it and then try to run it.

I think it would be quite illuminating and I think I would start with the web browsers and network connected apps, like svchost*, conhost.exe and a few others.

We know AV/anti-malware apps don’t do this, but I suspect they are relying on people setting their Group Policy rule that only allows hashed files to run.
Work with Software Restriction Policies Rules | Microsoft Learn

Of course, Group Policy doesn’t exist on Home versions of Windows, so those users don’t have that security feature to use if they wanted to. Likewise, how many others even have hash rules switched on?

Setting up and maintaining Group Policy is arguably a full-time job in itself, the likes of which can only be afforded by large organisations. I know you can buy in the services for an initial configuration, but with the rate of updates released by some companies, applying those updates becomes a time-consuming chore of rehashing files and updating GPO rules.

  • svchost allows a lot to happen and I’ve seen suggestions, although a tedious process, on how to lock it down at the firewall level: one needs to copy it into separate subfolders and rename it to something like svchost_1, svchost_2, and then the different command line “processes” using it get reconfigured to one of the newly created instances of it. This way each individual instance of svchost, ie svchost_1, svchost_2, can then be locked down at the Windows firewall level, because currently you can’t prevent malware using svchost; it’s a design flaw according to some, and svchost is quite privileged. :grinning: And then the original svchost is prevented from communicating with the outside world by the firewall, so only the svchost_[instance] <commandline> can get past the Windows firewall if a rule allows it. I certainly wouldn’t have any internet servers using svchost, like web servers or email servers, because it’s like bolting a revolving door onto your machine, anyone can come and go!

And then considering some countries have turned their internet infrastructure into a virtual internet, like an online version of the enormous dome in The Truman Show, gives you an insight into who is really behind the hacking of most people’s computer systems! It’s like an adaptation of Herbert Hoover’s New Deal. Those packets arriving at your firewall with an IP address from an address block assigned to some foreign country isn’t always.

There is something for everyone online, and it’s cheaper and easier to manage if everyone is stuck in front of their computer or smartphone where everyone can be watched! Population Management 101.

20+ years ago, before code signing certificates were a thing, we had a similar requirement from the Venezuelan government to ensure our code for dealing with fiscal printers hadn’t been tampered with.
IIRC we came up with a post-compile process that used extra fields in the MZ DOS header of the executable to store the current date & time. Then when the application ran it checked the timestamp we added against the date/time the OS had for the file, and if they were different it refused to run.

So when it was installed onto the end user machine(s) the app modified the file system created date and time as well then?

I’ve been going through mental mind games trying to figure out how I can tell if an exe/dll has been tampered with.
It doesn’t detect side-channel attacks, which is where a bug somewhere else can be used to access the program, like a debugger process injection, but what could be done is this.

  1. Select a hash algo and generate a list of every permutation of the resultant hash output.
  2. Take one of the hash permutations and embed it into the PE format exe/dll file’s resource section.
  3. Hash the file using the hash algo selected in step 1. If the hash output matches the hash permutation from step 2, you have a match and can ship it, else repeat step 2.

Slow to do on a single computer, fast on a cloud based data centre, like Amazon’s elastic.

The main advantage is the program can pop up a Halt message if the exe/dll has been tampered with and the hash signature doesn’t match. If it also phones home the hash signature, not only do you get metadata of when the app was run, but you also get to see what version of an app is being used, along with time of day and the IP address of the user.

No need for a code signing certificate then, but a code signing certificate could still be used to complement the above measures. However, if the app reports the wrong hash signature but the correct code signing data, then it’s highlighted a problem in the certificate authority, which could be that they have been hacked or have had to hand over their root certificates, possibly at the hands of a secret court order! This assumes the exe/dll has been tampered with and then re-code-signed.

In maths its possible to calculate unknowns, and those few steps are easily achieved with templates.

You can find my trust of the state in a black hole.

Edit.
If you want to take this further, what you could do is:

  1. Select a hash algo and generate a list of every permutation of the resultant hash output.

  2. Take one of the hash permutations and embed it into the PE format exe/dll file’s resource section (honeypot) and also embed it into a random encrypted debugview message or some other section with seemingly random data. Compile.

  3. Hash the file using the hash algo selected in step 1. If the hash output matches the hash permutation from step 2, you have a match and can ship it, else repeat step 2.

Then if the exe/dll not only phones home the hash signature but also a copy of the exe/dlls, which, let’s face it, are quite small in file size compared to most other programs out there, then you can also see if the exe/dll has been changed, ie they won’t necessarily know what extra steps a programmer has done to embed a hash signature in a program besides the obvious honeypot resource file section, but if the exe/dlls are sent home with the hash signature, you can tell if it’s genuine or not. Simpler methods can simply be moving a dot one pixel in a direction on a screen, and then checking that pixel location when the exe/dll is phoned home.

The small size of Clarion’s exes and dlls makes it possible to phone home a copy every time it’s run with today’s internet infrastructure. It won’t stop those who have infrastructure-level access, but it narrows down the other alternatives to hide their activity that they might cite in order to evade detection.

Other methods include a variation of the phone home method. So if you ever purchase mailing lists from database companies, to do fax mailshots or postal mailshots, they will slip in a few of their own addresses to see if you use those addresses out of contract, because they often apply the condition that you have 1-3 months to use the mailing list starting from the day of purchase. You don’t know which are their own addresses, so they get a copy of your mailshot when you use their mailing list, and if you use it again outside of the contract period, they come after you for breaking the terms of the agreement.

So when your app phones home, it doesn’t have to phone home immediately; it could phone home after an hour of it having been run, and the rate at which the information is packaged up and sent back can also convey information. So if you send the hash signature and exe/dlls back home over the internet, you could send it at a slow rate, like 1 KB or 2 KB, nothing to tie up and hog their internet connection, but then when the app is closed the phone home transmission stops, so you get metadata to know when the app was closed, but you also get to see some of the exe/dlls, in which to see if it’s been tampered with, especially if markers are distributed throughout the exe and dlls, or the algo to phone home selects different sections of an exe/dll to start sending back every time an app is started. And how many homes can your app phone home to? Are you a 2nd home owner or a major landlord?

One of the insurance company methods to detect fraud is simply to keep claimants waiting on the phone during the claims process. The claimant hears music, so those concocting stories for their fraudulent claim have their guard lowered and often, if with a 2nd person, will have a conversation and fine-tune their story. So never put a claim in over the phone with someone else around you; the insurance company is listening to you whilst you are waiting for an operator to answer or continue and complete the telephone claims process. :grinning:

There’s lots of these things going on in real life, including fake science and fake news.

I can tell you now, here in the UK, the level of oversight is so good, they can drop your mobile phone calls, inject sound like interference into calls; if you can imagine it, they can do it, because they have done it to me! And Capitalism is just a carrot to manipulate behaviour. I’ve had bank accounts frozen, and been stuck in a legal loop with access to no money for weeks; I’ve had direct debits cancelled by banks, and then been forced to pay penalties. The City of London is a hive of criminality, a state in its own right which can veto everything decided in Westminster, and it’s the only place in the world where global corporations can vote. Who knew that?

On the 2nd day I went “missing” in Cambridge, a bloke walked past me in a street eyeballing me who was the spitting image of this guy, John Podesta - Wikipedia. If it was John Podesta, he is a frigging short arse! :grinning:

Is there a third party app that can be used to warn if I launch a signed app that has been modified?

Or a whitelisting program for Windows? I don’t have secpol.msc

I’m not aware of one, but what others do is generate a checksum, store it in the resource file and then when the exe is loaded, it loads the resource strings and checks them.

Quite how that works in other programming IDEs, considering the problem that you need to know the checksum or hash signature in advance in order to save it into the exe, I don’t know. Maybe these other IDEs are doing the brute force 3-step process I’ve listed above, or maybe it’s loading the exe into memory, stripping out the checksum/hash signature, then hashing the exe minus the checksum/hash sig, but the latter kind of defeats the purpose then, like moving deckchairs on a sinking ship. :grinning:

As for loading resources, like a template to load the resources, I’ve written ANSI source code to do that which you can see here, along with some of the source code if you fancy writing some of it yourself.

This is on my list of things to move into a template as it’s an exe or dll called from a #Rundll and I want to integrate it more into the IDE.

If you want other sources, info etc, have a look at this link.
Tamper Aware and Self Healing Code - CodeProject
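As an added illustration of the “load the exe into memory, strip out the embedded digest, then hash the rest” variant mentioned in the post above (example code written for this thread, not the poster’s template and not the CodeProject article’s code): the post-build step hashes the image with the digest slot zeroed and writes the digest into the slot; the run-time check repeats the same hash and compares. The marker string, the slot layout and the sample image are constructed for the demo; a real build would reserve the slot in a resource entry as the post describes. The last call in the usage shows the limitation the post calls moving deckchairs: whoever can edit the file can also recompute and re-embed the digest, so this catches accidental or unsophisticated modification, not a deliberate repackaging.

```python
import hashlib
import hmac

# Constructed marker that precedes the digest slot in the sample image. A real build
# would reserve the slot in a resource entry instead of searching for a marker string.
MARKER = b"SELFCHECK-SHA256:"
DIGEST_LEN = hashlib.sha256().digest_size   # 32 bytes


def _slot_offset(image: bytes) -> int:
    """Return the file offset of the digest slot (the bytes right after the marker)."""
    pos = image.find(MARKER)
    if pos < 0 or pos + len(MARKER) + DIGEST_LEN > len(image):
        raise ValueError("digest slot not found")
    return pos + len(MARKER)


def _hash_without_slot(image: bytes) -> bytes:
    """Hash the image as if the digest slot contained zeros."""
    slot = _slot_offset(image)
    h = hashlib.sha256()
    h.update(image[:slot])
    h.update(b"\0" * DIGEST_LEN)
    h.update(image[slot + DIGEST_LEN:])
    return h.digest()


def embed_digest(image: bytes) -> bytes:
    """Post-build step: write the self-check digest into the slot."""
    slot = _slot_offset(image)
    return image[:slot] + _hash_without_slot(image) + image[slot + DIGEST_LEN:]


def verify_digest(image: bytes) -> bool:
    """Run-time step: recompute the digest and compare it with the stored one."""
    slot = _slot_offset(image)
    stored = image[slot:slot + DIGEST_LEN]
    return hmac.compare_digest(stored, _hash_without_slot(image))


def build_sample_image() -> bytes:
    """Constructed stand-in for a compiled exe: some 'code' bytes around an empty slot."""
    return b"MZ" + b"\xC3" * 100 + MARKER + b"\0" * DIGEST_LEN + b"\x90" * 100


if __name__ == "__main__":
    shipped = embed_digest(build_sample_image())
    print("untouched:", verify_digest(shipped))                        # True
    patched = bytearray(shipped)
    patched[10] ^= 0xFF                                                # one byte of 'code' changed
    patched = bytes(patched)
    print("after a byte patch:", verify_digest(patched))               # False
    print("after patch and re-embed:", verify_digest(embed_digest(patched)))   # True
```

The run-time check uses a constant-time comparison and hashes the slot as zeros rather than cutting it out, so the file length and every other byte still contribute to the digest.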

There may be a reasonable way to implement this as a class and template. There should be a Checksum written into the PE Header by the Linker every build.

Checksum: The image file checksum. The algorithm for computing the checksum is incorporated into IMAGHELP.DLL. The following are checked for validation at load time: all Drivers, any DLL loaded at boot time, and any DLL that is loaded into a critical Windows process.

The Checksum is not required to be correct nor checked for ordinary binaries; as noted above, only for drivers and critical DLLs.

Maybe @also can confirm if the Clarion Linker follows the Microsoft standard. The below link gives the code for the Checksum algorithm (not sure it is correct). And it discusses its use for spotting malware.

Note: I don’t think this method is going to work for digitally signed binaries because the signature is part of the file, added after the Linker calculated the checksum. Also malware could update the Linker Checksum in the header.

Clarification: I’m looking for a program that can inspect ANY EXE or DLL that has been signed and tell me if it has been tampered with. I have the template that can tell if my (signed) application is broken when it runs.

The closest I can find is Airlock Digital, but it isn’t open source.

You can use SignTool, but I think MS is weird about distributing it. That’s why SetupBuilder has a menu choice to install it from the MS site.


So the best I can find so far is SigCheck
Sigcheck - Sysinternals | Microsoft Learn

This command downloads a list of trusted certs from MS and compares it with your machine’s certificates, listing those not present in the MS Trusted Certificate list.
sigcheck64 -vt

In the past I did have something on here which was creating a new intermediate cert about once every day or two. It wasn’t me creating them and I didn’t have any software on here which created these certs AFAIK. Periodically I will place a firewall between my machine and network switch to monitor the traffic. In the past I have seen what looks like encrypted VPN traffic coming from my computer, which is not something I’ve done, and the best bit is I have every MS security option switched on!

This command scans for unsigned files in a folder
sigcheck -u -e c:\windows\system32\

But I can’t find anything else to highlight a signed file which has been modified. This is where search engines can work against you.


According to this article, MS don’t publish the algorithm used to generate the PE checksum, so I don’t know if @also will know. MS might have published it in the past.
An Analysis of the Windows PE Checksum Algorithm - CodeProject

On the official website PE Format - Win32 apps | Microsoft Learn

Optional Header Windows-Specific Fields, offset 64/64, 4 bytes:
CheckSum: The image file checksum. The algorithm for computing the checksum is incorporated into IMAGHELP.DLL. The following are checked for validation at load time: all drivers, any DLL loaded at boot time, and any DLL that is loaded into a critical Windows process.

The Optional Header Windows section is only used by linkers and loaders and so this checksum seems to me to be a checksum to make sure this section is not corrupted and not a checksum for the integrity of the entire PE exe/dll file.

At the moment it seems to be a case of use Group Policy to only run software which has been hashed and allowed to run, which means any new software has to be hashed and then updated automatically to the Group Policy Object in order to run it.

No wonder the 5eyes targeted software companies; I don’t know any Clarion programmer who has ever generated and compiled a program, and then had the IDE generate a hash for this newly created exe/dll and add it automatically to the GPO before it can be run, either directly or via the debugger.
More information about hashes | Microsoft Learn

WDAC uses the Authenticode/PE image hash algorithm when calculating the hash of a file. Unlike the more popular, but less secure, flat file hash, the Authenticode hash calculation omits the file’s checksum and the Certificate Table and the Attribute Certificate Table. Therefore, the Authenticode hash of a file doesn’t change when the file is re-signed or timestamped, or the digital signature is removed from the file. With the help of the Authenticode hash, WDAC provides added security and less management overhead so customers don’t need to revise the policy hash rules when the digital signature on the file is updated.

The Authenticode/PE image hash can be calculated for digitally signed and unsigned files.

That’s a lot of extra steps or hurdles in order to just test the multitude of incremental updates the programmers do throughout their day. No wonder someone told me, if I didn’t want to get hacked, don’t put your computer online! My dev machine is offline with only a USB stick for passing data, but I can’t scan the USB stick sectors and check for additional malware hiding on it or in it, and USB sticks have processors built into them like (micro) SD cards do, which can hide embedded malware which no AV system will ever detect; it’s beyond their scope and ability.

I don’t know of any AV system that scans firmware on devices for malware, does anyone else?

Edit. Looking in the MS Defender applications section.
Understand Windows Defender Application Control (WDAC) policy rules and file rules (Windows) | Microsoft Learn

This caught my eye

Rule option 8, Required:EV Signers | This option isn’t currently supported. | Valid supplemental option: No

Is this MS vapourware? Listing something but then saying it’s not supported?

Edit2.

Having looked into the Authenticode statement about hashing a file and using that for their Group Policy Object, I don’t think it’s actually secure because it ignores the code signing in a way. Or it’s taking the code signing bits out, hashing the file and confirming whether the code signing matches the exe, but it seems insecure because anyone can mod the file and add a new cert to the file.
And where they say the less secure flat file hash, which is a hash of the entire file complete with any code signing certs if present, then that hash is only as good as the source.

So from a programmer’s perspective, if the flat file hash was used with the GPO, as soon as the compiler has created the exe or dll, a flat file hash needs to be performed and the resulting hash added to the GPO. This process should take a few seconds at best, because the hackers would need to detect the compiler process and inject any malware into an exe/dll either during compilation or, better still, tamper with handcode before compilation. Alternatively they need a way to hack the GPO object, which is also possible, but it resource-burns them in a way before they can add their malware at their leisure. :grinning: I’m all for resource burning spooky hackers; the state is arguably the best expert in that when looking at how it runs a country and steals people’s lives.

And even if a dev could produce exe/dlls without them being tampered with, there is the reliance on the runtime and other parts of a programming language to avoid bugs which could be a backdoor, and then they can do a man-in-the-middle attack, which could be done with people downloading said software off a website. At best any website displaying a checksum next to a download link could be viewing a malicious download webpage. Any checksums supplied with downloads need to come from a different source and delivery method, just like 2FA relies on a security code coming typically via a text message, but I’m also reminded even that system is not infallible when considering the infrastructure can be man-in-the-middled.

So TL;DR, I think I’ll just use a flat file hash with GPO; code signing seems pointless and at best virtue signalling for non-critical thinkers!

We are forced to trust so much at our peril.
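Two points made earlier in this thread, Carl’s note that the linker checksum in the PE header can simply be recomputed by whoever modifies the file, and the Microsoft WDAC quote above that the Authenticode hash skips the CheckSum field and the certificate table, as one added worked example (written for this thread; it is not Microsoft’s code and not the code from the CodeProject article). The checksum routine is the widely published reimplementation of what IMAGEHLP’s CheckSumMappedFile computes, which is an assumption since, as noted above, MS has not published it. The Authenticode hash is simplified to a header-only PE32 image with no section table, so it leaves out the per-section ordering of the full Authenticode specification; the minimal PE image and the appended “certificate” blob are constructed for the demo and the blob is not a real signature.

```python
import hashlib
import struct

# Offsets inside the PE32 optional header. This demo builds a PE32 image; PE32+ moves the
# data directories to offset 112, which would put the Certificate Table entry at 144.
OPT_MAGIC_PE32 = 0x10B
OPT_CHECKSUM_OFF = 64        # CheckSum field, same offset for PE32 and PE32+
OPT_CERT_DIR_OFF = 128       # Data directory entry 4 (Certificate Table), PE32 only


def _optional_header_offset(image: bytes) -> int:
    """Return the file offset of the optional header, validating MZ and PE signatures."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return e_lfanew + 4 + 20     # skip the PE signature and the 20-byte COFF file header


def pe_checksum(image: bytes) -> int:
    """Linker-style PE checksum as commonly documented (assumed to match IMAGEHLP):
    16-bit one's-complement sum over the whole file, skipping the CheckSum field
    itself, folded to 16 bits, plus the file length."""
    skip = _optional_header_offset(image) + OPT_CHECKSUM_OFF
    total = 0
    for i in range(0, len(image) - 1, 2):
        if skip <= i < skip + 4:          # the 4-byte CheckSum field is not summed
            continue
        total += image[i] | (image[i + 1] << 8)
        total = (total & 0xFFFF) + (total >> 16)      # end-around carry
    if len(image) & 1:                                # odd trailing byte
        total += image[-1]
        total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return (total + len(image)) & 0xFFFFFFFF


def with_pe_checksum(image: bytes) -> bytes:
    """Write the computed checksum into the header, as a linker (or anyone else) would."""
    buf = bytearray(image)
    struct.pack_into("<I", buf, _optional_header_offset(image) + OPT_CHECKSUM_OFF, pe_checksum(image))
    return bytes(buf)


def pe_checksum_matches(image: bytes) -> bool:
    """True when the stored header checksum equals the recomputed one."""
    stored = struct.unpack_from("<I", image, _optional_header_offset(image) + OPT_CHECKSUM_OFF)[0]
    return stored == pe_checksum(image)


def authenticode_hash(image: bytes, algo: str = "sha256") -> str:
    """Simplified Authenticode/PE image hash: hash everything except the CheckSum field,
    the Certificate Table directory entry and the certificate table it points to.
    Assumes a PE32 image whose certificate table (if any) is the last thing in the file."""
    opt = _optional_header_offset(image)
    if struct.unpack_from("<H", image, opt)[0] != OPT_MAGIC_PE32:
        raise ValueError("demo handles PE32 images only")
    cs, cd = opt + OPT_CHECKSUM_OFF, opt + OPT_CERT_DIR_OFF
    cert_off, cert_size = struct.unpack_from("<II", image, cd)    # file offset and size
    end = cert_off if cert_size else len(image)
    h = hashlib.new(algo)
    h.update(image[:cs])
    h.update(image[cs + 4:cd])
    h.update(image[cd + 8:end])
    return h.hexdigest()


def append_fake_certificate(image: bytes, blob: bytes) -> bytes:
    """Constructed stand-in for signing: append a WIN_CERTIFICATE entry (revision 2.0,
    type PKCS#7) and point the Certificate Table directory at it. The blob is NOT a
    real signature; it only shows that the table is excluded from the Authenticode hash."""
    opt = _optional_header_offset(image)
    padded = image + b"\0" * (-len(image) % 8)           # the table starts 8-byte aligned
    entry = struct.pack("<IHH", 8 + len(blob), 0x0200, 0x0002) + blob
    entry += b"\0" * (-len(entry) % 8)
    buf = bytearray(padded + entry)
    struct.pack_into("<II", buf, opt + OPT_CERT_DIR_OFF, len(padded), len(entry))
    return bytes(buf)


def build_minimal_pe32() -> bytes:
    """Constructed sample: DOS header, PE signature, COFF header, PE32 optional header,
    no sections, followed by 64 bytes standing in for code. Not a loadable executable."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                        # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)   # i386, 224-byte opt header
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, OPT_MAGIC_PE32)
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)  # ImageBase, SectionAlign, FileAlign
    struct.pack_into("<I", opt, 92, 16)                          # NumberOfRvaAndSizes
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + b"\xC3" * 64


if __name__ == "__main__":
    linked = with_pe_checksum(build_minimal_pe32())
    tampered = bytearray(linked)
    tampered[-1] ^= 0xFF                                          # patch one 'code' byte
    tampered = bytes(tampered)
    print("header checksum still matches after patch:", pe_checksum_matches(tampered))        # False
    print("...and after the patcher refreshes it:", pe_checksum_matches(with_pe_checksum(tampered)))  # True
    signed = append_fake_certificate(linked, b"constructed, not a real PKCS#7 blob")
    print("Authenticode hash unchanged by adding a cert table:",
          authenticode_hash(signed) == authenticode_hash(linked))                             # True
    print("Authenticode hash changed by the code patch:",
          authenticode_hash(tampered) != authenticode_hash(linked))                           # True
```

The checksum is an integrity check against corruption, not tampering: the refresh step shows why it proves nothing to a verifier. The Authenticode hash is what a signature or a WDAC hash rule actually binds to, which is why re-signing or stripping the signature leaves it unchanged while any change to the code bytes alters it.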


As Bruce said, there is code in the Newsgroup for this.

Graham Dawson posted this sample (thanks Graham) which does exactly as you request, ie: can check any file.

Clarion-Demo-Verify-Code-Signing.zip (16.4 KB)

@CarlBarnes “There should be a Checksum written into the [PE Header] by the Linker every build.”

A long time ago the CW linker used its own checksum. When I complained about it (probably to Ole or Richard Chapman, but I forget who) they didn’t care. Don’t know if that’s changed by now.

I knew I saw that somewhere. Thanks Julian and @Graham_Dawson

FWIW, in case anyone is interested, the IQCQO.DLL that the example app ships with appears to be a C DLL that’s “just” a wrapper around the WinVerifyTrust() API call using the WINTRUST_ACTION_GENERIC_VERIFY_V2 GUID.


I wrote this before @PaulAttryde posted about IQCQO.

That relies on 2 functions ReturnSigningInfo and VerifySignature in IQCQO.DLL.

The IQCQO DLL properties shows No Details and No Digital Signature. Did @Graham_Dawson say the source of that DLL? Seems like a bad idea to check security using an unknown unsigned DLL.

Code excerpt:

 MAP
     module('IQCQO')
         ReturnSigningInfo(const *cstring inFilename,*cstring outputStr,*long bufferSize),long,C,raw,name('ReturnSigningInfo')
         VerifySignature(const *cstring inFilename,*cstring outputStr,*long bufferSize),long,C,raw,name('VerifySignature')
     end
 END

 ... CODE ...
   ! Verify the signature first; a non-zero return means CStrBuffer holds an error text
   bufferSizeNeeded = size(CStrBuffer)
   result = VerifySignature(filename,CStrBuffer,bufferSizeNeeded)
   IF result
      Message('Error ' & CStrBuffer,filename)
   ELSE
      Message(CStrBuffer,filename)
   END
   ! Only ask for signer details when the file actually carries a signature
   IF CStrBuffer <> 'The file is not signed<13,10>'
      bufferSizeNeeded = size(CStrBuffer)
      result = ReturnSigningInfo(filename,CStrBuffer,bufferSizeNeeded)
      IF result
         Message('Error ' & CStrBuffer,filename)
      ELSE
         Message(CStrBuffer,filename)
      END
   END

Source is here

https://www.icetips.com/downloadfile.php?FileID=267
