Reputation: 1670
I was wondering to what degree I can rely on the digital signatures on files (aka Digital Certificates from Verisign, Symantec etc.) when deciding whether a file has been tampered with or not.
Say I want to download an application version that's no longer on the original developer's site but is available on third-party sites like cnet, oldapps.com or filehippo. I usually resort to searching for old forum entries with people listing the MD5 or SHA1 hash to see if they match the hash of the one I've downloaded. That only works with really big devs whose software is widespread.
I was wondering if verifying the file's digital signature is another reliable means of ensuring the file came from the dev and wasn't altered by a third party?
What I'm asking is: if a hacker injects an already signed DLL or EXE with malcode, effectively changing the file's hash, will it break the digital signature because the signature embeds some kind of digest? Or will the signature be completely unaffected?
Upvotes: 9
Views: 6437
Reputation: 661
It does not retain the integrity, but it can still run!

OS Version: Windows 10, version 2004, also known as the Windows 10 May 2020 Update

integrity exe file: The exe file you downloaded from somewhere.

tampered exe file: Use a hex editor to modify 1 byte (8 bits) of descriptive text in the "integrity exe file" program, taking care not to damage the program code.

Right-click xxx.exe -> Properties -> Digital Signatures -> select one item in the Signatures list -> click the Details button:

integrity exe file -> This digital signature is OK.
tampered exe file -> This digital signature is not valid.

Double-click xxx.exe ("Run as administrator" permission required):

User Account Control (UAC) prompt: Do you want this app to make changes to your device?

integrity exe file -> Blue "Verified publisher: xxx"
tampered exe file -> Yellow "Publisher: Unknown"

Click Yes -> RUNNING!

Double-click xxx.exe (no need for "Run as administrator" permission):

integrity exe file / tampered exe file -> RUNNING!
Upvotes: 0
Reputation: 1670
I decided to answer my own question using an empirical approach rather than taking the Digital Certification authorities' word for it.
I devised an experiment where I used a hex editor to modify copies of wdksetup.exe (a signed WDK web installer from Microsoft's website) and studied how the digital signature is affected. I substituted from 1 byte all the way to 25 KB and made a new copy each time I made a substitution. I also used ResourceHacker to add an icon group to one of them, which added an extra 400 KB to the file.
Results:
Substituting a single byte will not only change the SHA1 digest of a file but also cause its signature to fail checks. The signature will still be there, but it will fail any check. Whether you send the file to VirusTotal, go to Properties and click Details on the signature, or try to run it and look at the Publisher line, you will be notified that the signature is no good. 1 single byte. Brilliant!
That being said, I emphasize that the signature wasn't lost (even when I made substitutions of up to 25 KB), so when you go to File properties, there will still be a Digital Signatures tab and it will still say Microsoft. This is very misleading, and you have to be careful not to end your inspection there, because that tab will still be there whether the signature is valid or not. To ensure that you have a good signature, you have to select the signature and click on Details. You will then get a dialog that tells you whether that signature is valid or not. This describes the behavior I observed in Windows 7; I didn't have a copy of 8 or 10 handy to see how the Properties dialogs behave there.
Making massive size changing modifications to a file will result in the signature being completely destroyed.
(edit: I was curious to see the impact of size. I repeated the 1-byte substitution experiment on a 250 MB file with the same results. I was also curious to see if size impacts the possibility of getting collisions when calculating digests. I did a 1-byte substitution in a 3.5 GB DVD ISO, which resulted in both different MD5 and SHA1 hashes.)
Upvotes: 6
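The experiment in the two answers above, scripted so it can be repeated without a hex editor. This is an added example and not code posted by either answerer: it copies a signed PE, overwrites one byte of descriptive text (the DOS stub message, which is covered by the Authenticode hash but never executed), and then asks the operating system's own verifier, via Get-AuthenticodeSignature, what it thinks of each copy. The file path `.\wdksetup.exe` is an assumption; any Authenticode-signed executable works. Written for Windows PowerShell 3 or later.

```powershell
# Added example for this thread (not code from the question or the answers):
# reproduce the 1-byte substitution experiment and let Windows verify the
# Authenticode signature of the original and the tampered copy.
# The file paths below are assumptions; substitute any signed PE you have.
param(
    [string]$Original = '.\wdksetup.exe',
    [string]$Tampered = '.\wdksetup-tampered.exe'
)

# Locate a byte sequence inside a byte array (no built-in cmdlet does this).
function Find-Bytes {
    param([byte[]]$Haystack, [byte[]]$Needle, [int]$Limit = 512)
    $end = [Math]::Min($Limit, $Haystack.Length) - $Needle.Length
    for ($i = 0; $i -le $end; $i++) {
        $hit = $true
        for ($j = 0; $j -lt $Needle.Length; $j++) {
            if ($Haystack[$i + $j] -ne $Needle[$j]) { $hit = $false; break }
        }
        if ($hit) { return $i }
    }
    return -1
}

# Report what the OS verifier says (Get-AuthenticodeSignature wraps WinVerifyTrust),
# next to a plain SHA1 of the whole file for comparison with forum-posted hashes.
function Get-SignatureReport {
    param([string]$Path)
    $full   = (Resolve-Path $Path).Path
    $sig    = Get-AuthenticodeSignature -FilePath $full
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
    $sha1   = [System.Security.Cryptography.SHA1]::Create()
    $digest = [BitConverter]::ToString($sha1.ComputeHash([IO.File]::ReadAllBytes($full))) -replace '-'
    [pscustomobject]@{
        File   = Split-Path -Leaf $full
        Status = $sig.Status   # Valid, HashMismatch, NotSigned, UnknownError, ...
        Signer = $signer       # still populated for a HashMismatch, like the Properties tab
        SHA1   = $digest
    }
}

# 1. Copy the file and change exactly one byte of text. The DOS stub string
#    "This program cannot be run in DOS mode." sits in the first few hundred
#    bytes of almost every PE, is inside the signed region, and is never run
#    on Windows, so turning its leading 'T' into 't' cannot break the program.
Copy-Item -Path $Original -Destination $Tampered -Force
$tamperedPath = (Resolve-Path $Tampered).Path
$bytes  = [IO.File]::ReadAllBytes($tamperedPath)
$needle = [Text.Encoding]::ASCII.GetBytes('This program')
$offset = Find-Bytes -Haystack $bytes -Needle $needle
if ($offset -lt 0) { throw 'DOS stub text not found; pick another harmless byte to change' }
$bytes[$offset] = [byte][char]'t'
[IO.File]::WriteAllBytes($tamperedPath, $bytes)

# 2. Verify both. Expected: original -> Valid; copy -> HashMismatch, with the
#    Signer column still filled in (the signature is present but does not check out).
$report = @($Original, $Tampered) | ForEach-Object { Get-SignatureReport $_ }
$report | Format-Table -AutoSize

# 3. The decision a downloader actually wants: anything other than Valid is a no.
foreach ($r in $report) {
    if ($r.Status -ne 'Valid') { Write-Warning "$($r.File): signature status $($r.Status), do not run" }
}
```

The point to take from the output is that Status is the only field that matters. SignerCertificate (and the Digital Signatures tab it corresponds to) is filled in from the embedded PKCS#7 blob whether or not the hash in that blob matches the file, which is exactly the trap described above. `signtool verify /pa /v <file>` from the Windows SDK gives the same verdict from the command line if you prefer a tool over a cmdlet.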
Reputation: 34597
Changing an executable file in any way should of course invalidate its signatures.
Here are some links to look for details on how this works:
https://msdn.microsoft.com/en-us/library/windows/desktop/aa382384(v=vs.85).aspx
It is a bit hard to find good proof that this is what executable signing does, because you are doubting its primary function, and most things seem to assume that it is in fact doing signature verification. Perhaps this:
For example, the Software Publisher Trust Provider can verify that an executable image file comes from a trusted software publisher and that the file has not been modified since it was published. In this case, the pWinTrustData parameter specifies the name of the file and the type of file, such as a Microsoft Portable Executable image file.
from https://msdn.microsoft.com/en-us/library/windows/desktop/aa388208(v=vs.85).aspx
Upvotes: 2