Has my EXE been modified?

(post deleted by author)

Is there a third party app that can be used to warn if I launch a signed app that has been modified?

Or a whitelisting program for Windows? I don’t have secpol.msc

(post deleted by author)

There may be a reasonable way to implement this as a class and template. There should be a Checksum written into the PE Header by the Linker every build.

Checksum: The image file checksum. The algorithm for computing the checksum is incorporated into IMAGHELP.DLL. The following are checked for validation at load time: all Drivers, any DLL loaded at boot time, and any DLL that is loaded into a critical Windows process.

The Checksum is not required to be correct, nor is it checked, for ordinary binaries; as noted above, only Drivers and critical DLLs are checked.

Maybe @also can confirm if the Clarion Linker follows the Microsoft standard. The below link gives the code for the Checksum algorithm (not sure it is correct). And it discusses its use for spotting malware.

Note: I don’t think this method is going to work for digitally signed binaries because the signature is part of the file, added after the Linker calculated the checksum. Also malware could update the Linker Checksum in the header.

Clarification: I’m looking for a program that can inspect ANY EXE or DLL that has been signed and tell me if it has been tampered with. I have the template that can tell if my (signed) application is broken when it runs.

The closest I can find is Airlock Digital but it isn’t open source

You can use SignTool, but I think MS is weird about distributing it. That’s why SetupBuilder has a menu choice to install it from the MS site.

(post deleted by author)

(post deleted by author)

As Bruce said, there is code in the Newsgroup for this.

Graham Dawson posted this sample (thanks Graham) which does exactly as you request, ie: can check any file.

Clarion-Demo-Verify-Code-Signing.zip (16.4 KB)

@CarlBarnes “There should be a Checksum written into the [PE Header] by the Linker every build.”

A long time ago the CW linker used its own checksum. When I complained about it (probably to Ole or Richard Chapman, but I forget who) they didn’t care. Don’t know if that’s changed by now.

I knew I saw that somewhere. Thanks Julian and @Graham_Dawson

FWIW, in case anyone is interested the IQCQO.DLL that the example app ships with appears to be a C DLL that’s “just” a wrapper around the WinVerifyTrust() API call using the WINTRUST_ACTION_GENERIC_VERIFY_V2 GUID

I wrote this before @PaulAttryde posted about IQCQO.

That relies on 2 functions ReturnSigningInfo and VerifySignature in IQCQO.DLL.

The IQCQO DLL properties shows No Details and No Digital Signature. Did @Graham_Dawson say the source of that DLL? Seems like a bad idea to check security using an unknown unsigned DLL.

Code excerpt:

 MAP
     module('IQCQO')
         ! Both calls return 0 on success and non-zero on error (see the IF result below);
         ! the message text comes back in outputStr, and bufferSize is passed by address
         ! preloaded with the size of the caller's buffer.
         ReturnSigningInfo(const *cstring inFilename,*cstring outputStr,*long bufferSize),long,C,raw,name('ReturnSigningInfo')
         VerifySignature(const *cstring inFilename,*cstring outputStr,*long bufferSize),long,C,raw,name('VerifySignature')
     end
 END

 ... CODE ...
   ! Step 1: ask the DLL whether the signature on filename verifies
   bufferSizeNeeded = size(CStrBuffer)
   result = VerifySignature(filename,CStrBuffer,bufferSizeNeeded)
   IF result
      Message('Error ' & CStrBuffer,filename)
   ELSE
      Message(CStrBuffer,filename)
   END
   ! Step 2: only ask for signer details when the file actually carries a signature
   IF CStrBuffer <> 'The file is not signed<13,10>'
      bufferSizeNeeded = size(CStrBuffer)
      result = ReturnSigningInfo(filename,CStrBuffer,bufferSizeNeeded)
      IF result
          message('Error ' & CStrBuffer,filename)
      ELSE
          message(CStrBuffer,filename)
      END
   END

Source is here

https://www.icetips.com/downloadfile.php?FileID=267

The Clarion linker writes 0 to the checksum field of the header. This is a valid value (allowed by the PE format specification).

My personal opinion: if the OS allows the program to run (load the EXE and/or DLLs), any kind of protection from modification applied to that program is just for novices. Anyone who knows how to use a debugger (especially if a “correct” debugger is used) can overcome all these protections.

This is one of my pet peeves with people, there’s no need to wrap a call to WinVerifyTrust inside a C DLL when it can be called quite easily from native Clarion code.
But I’ll go get off my soapbox now :)

I guess if you want to re-write it, go ahead. My guess is that it was easier to re-use the code he already had, while at the same time being very generous. Then you throw shade on it.

(post deleted by author)

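Added example, not from the thread, Graham's demo, or IQCQO: a pure-Python script that puts the three points made above side by side in code. It recomputes the PE header checksum Carl quotes (the IMAGEHLP CheckSumMappedFile algorithm) and, next to it, hashes the byte ranges an Authenticode signature actually covers, so you can see that the Clarion linker's 0 is a legal "unset" checksum, that whoever patches a file can simply restamp the checksum (so it catches corruption, not tampering), and that the signed digest excludes the CheckSum field, the security directory entry and the appended certificate table, which is why signtool can append a signature and rewrite the checksum without invalidating the hash. The sample image and the appended "certificate" are constructed inside the script (a PE32 skeleton with one section and a placeholder WIN_CERTIFICATE blob, not a real PKCS#7 signature); it shows what WinVerifyTrust hashes, not the signature and certificate-chain validation WinVerifyTrust performs on top, so it is not a substitute for that call.

```python
import hashlib
import struct


def parse_headers(data: bytes) -> dict:
    """Locate the header fields the checksum and digest routines need (PE32 and PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24                                            # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = opt + (0x70 if magic == 0x20B else 0x60)          # data directories (PE32+ / PE32)
    secdir = dirs + 4 * 8                                    # IMAGE_DIRECTORY_ENTRY_SECURITY
    sections = []
    for i in range(nsec):
        raw_size, raw_ptr = struct.unpack_from("<II", data, opt + opt_size + i * 40 + 16)
        if raw_size:
            sections.append((raw_ptr, raw_size))
    return dict(checksum=opt + 0x40, secdir=secdir,
                size_of_headers=struct.unpack_from("<I", data, opt + 0x3C)[0],
                sections=sorted(sections),                   # spec: walk sections in PointerToRawData order
                cert=struct.unpack_from("<II", data, secdir))  # (file offset, size) of the certificate table


def pe_checksum(data: bytes) -> int:
    """Recompute the header checksum the way IMAGEHLP's CheckSumMappedFile does."""
    off = parse_headers(data)["checksum"]
    buf = bytearray(data)
    buf[off:off + 4] = b"\0\0\0\0"                          # the CheckSum field itself is never summed
    if len(buf) % 2:
        buf.append(0)
    total = 0
    for (word,) in struct.iter_unpack("<H", buf):           # 16-bit sum with end-around carry
        total += word
        total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    return (total + len(data)) & 0xFFFFFFFF                  # ... plus the file length


def checksum_status(data: bytes) -> str:
    stored = struct.unpack_from("<I", data, parse_headers(data)["checksum"])[0]
    if stored == 0:
        return "unset"                   # legal per the PE spec; this is what the Clarion linker writes
    return "ok" if stored == pe_checksum(data) else "mismatch"


def stamp_checksum(data: bytes) -> bytes:
    """Write a fresh checksum into the header, as the linker, signtool or any patcher would."""
    buf = bytearray(data)
    struct.pack_into("<I", buf, parse_headers(data)["checksum"], pe_checksum(data))
    return bytes(buf)


def authenticode_digest(data: bytes, algo: str = "sha256") -> str:
    """Hash exactly the bytes an Authenticode signature covers (Authenticode PE spec, steps 3-15)."""
    h = parse_headers(data)
    cert_size = h["cert"][1]
    dig = hashlib.new(algo)
    dig.update(data[:h["checksum"]])                        # headers up to CheckSum ...
    dig.update(data[h["checksum"] + 4:h["secdir"]])          # ... skip it, on to the security directory entry ...
    dig.update(data[h["secdir"] + 8:h["size_of_headers"]])   # ... skip that too, to the end of the headers
    hashed = h["size_of_headers"]
    for ptr, size in h["sections"]:
        dig.update(data[ptr:ptr + size])                     # each section's raw data
        hashed += size
    if len(data) > hashed:                                   # trailing data, minus the certificate table
        dig.update(data[hashed:len(data) - cert_size])
    return dig.hexdigest()


def build_sample_image() -> bytes:
    """Constructed PE32 skeleton: one 16-byte .text section, CheckSum left at 0 like the Clarion linker."""
    e_lfanew, opt_size = 0x40, 224                          # 96-byte PE32 optional header + 16 data directories
    dos = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x0102)   # i386, 1 section, executable
    size_of_headers = e_lfanew + 4 + 20 + opt_size + 40
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic
    struct.pack_into("<I", opt, 0x1C, 0x400000)             # ImageBase
    struct.pack_into("<I", opt, 0x3C, size_of_headers)      # SizeOfHeaders
    struct.pack_into("<I", opt, 0x5C, 16)                   # NumberOfRvaAndSizes
    text = bytearray(b".text\0\0\0" + b"\0" * 32)
    struct.pack_into("<II", text, 16, 16, size_of_headers)  # SizeOfRawData, PointerToRawData
    code = b"\x55\x8B\xEC\x33\xC0\x5D\xC3" + b"\0" * 9       # push ebp; mov ebp,esp; xor eax,eax; pop ebp; ret
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(text) + code


def fake_sign(data: bytes) -> bytes:
    """Append a placeholder WIN_CERTIFICATE (constructed, not a real PKCS#7 signature), point the security directory at it, restamp the checksum: the file-level edits signtool makes."""
    blob = b"constructed-blob"                               # 16 bytes standing in for the SignedData
    cert = struct.pack("<IHH", 8 + len(blob), 0x0200, 0x0002) + blob   # dwLength, wRevision, wCertificateType
    buf = bytearray(data)
    struct.pack_into("<II", buf, parse_headers(data)["secdir"], len(data), len(cert))
    return stamp_checksum(bytes(buf) + cert)


if __name__ == "__main__":
    signed = fake_sign(build_sample_image())
    patched = bytearray(signed)
    patched[-37] ^= 0x01                                     # flip a bit in .text (the xor eax,eax)
    for label, img in (("signed", signed), ("patched", bytes(patched)), ("patched+restamped", stamp_checksum(bytes(patched)))):
        print(f"{label:18}: checksum {checksum_status(img):8} digest {authenticode_digest(img)[:16]}")
```

Running it prints "ok" for the signed skeleton, "mismatch" after the one-bit patch, and "ok" again once the patcher restamps the header, while the Authenticode digest stays identical between the unsigned and signed skeleton and changes only when the section bytes do. That is the whole argument of the thread in three lines of output: the checksum is a load-time integrity hint, and only the signed digest (checked by WinVerifyTrust against a certificate you trust) tells you whether the bytes are the ones the publisher shipped.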