Rob Gates

Reputation: 275

Check if a DLL is signed C++

I am trying to check if a DLL is signed based on the file path. I see that there are pre-existing solutions for this type of problem using WinVerifyTrust; however, when I tried checking it against "C:\Windows\System32\kernel32.dll", it said: "The file "C:\Windows\System32\kernel32.dll" is not signed." although kernel32 should be a signed DLL. I am on Windows 7, FYI.

This is the source code to the function I called: https://msdn.microsoft.com/en-us/library/windows/desktop/aa382384(v=vs.85).aspx

How can I fix the function?

Upvotes: 6

Views: 5790

Answers (1)

Anders

Reputation: 101559

Yes, WinVerifyTrust is the correct function to use, but you have to be prepared to call it twice.

First you call it with WTD_CHOICE_FILE; if that succeeds, then you are done. If not, you must call it again with WTD_CHOICE_CATALOG (CryptCATAdminCalcHashFromFileHandle + CryptCATAdminEnumCatalogFromHash + CryptCATCatalogInfoFromContext) because some Windows files do not embed the certificate information (especially non-PE files). (You can also try to find the catalog info first to avoid calling it twice, but I assume this is slower.)

There are various threads (this and this) on the Sysinternals forum, which is perhaps the best resource for questions related to this.

Upvotes: 7
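The two-stage check described in the answer above, as an added example that is not part of the original answer or of the linked Microsoft sample. The names `IsFileSigned`, `Verify` and `HashToMemberTag` are hypothetical, and the Windows part assumes the program is linked against wintrust.lib.

```cpp
#include <string>
// Catalog member tag: the file hash rendered as uppercase hex (portable helper).
std::wstring HashToMemberTag(const unsigned char* hash, size_t len) {
    static const wchar_t hex[] = L"0123456789ABCDEF";
    std::wstring tag;
    for (size_t i = 0; i < len; ++i) { tag += hex[hash[i] >> 4]; tag += hex[hash[i] & 15]; }
    return tag;
}
#ifdef _WIN32  // the WinTrust part builds only on Windows; link with wintrust.lib
#include <windows.h>
#include <wintrust.h>
#include <softpub.h>
#include <mscat.h>
static LONG Verify(DWORD choice, void* info) {  // one verification plus state cleanup
    GUID action = WINTRUST_ACTION_GENERIC_VERIFY_V2;
    WINTRUST_DATA wd = { sizeof(wd) };
    wd.dwUIChoice = WTD_UI_NONE; wd.fdwRevocationChecks = WTD_REVOKE_NONE;
    wd.dwUnionChoice = choice;
    wd.pFile = static_cast<WINTRUST_FILE_INFO*>(info);  // union slot shared with pCatalog
    wd.dwStateAction = WTD_STATEACTION_VERIFY;
    LONG rc = WinVerifyTrust(NULL, &action, &wd);
    wd.dwStateAction = WTD_STATEACTION_CLOSE; WinVerifyTrust(NULL, &action, &wd);  // free state
    return rc;
}
bool IsFileSigned(const wchar_t* path) {  // hypothetical helper name
    WINTRUST_FILE_INFO fi = { sizeof(fi), path };
    if (Verify(WTD_CHOICE_FILE, &fi) == ERROR_SUCCESS) return true;  // embedded signature
    HANDLE f = CreateFileW(path, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);
    if (f == INVALID_HANDLE_VALUE) return false;
    GUID sub = DRIVER_ACTION_VERIFY; CATALOG_INFO ci = { sizeof(ci) };
    HCATADMIN admin = NULL; HCATINFO cat = NULL; bool ok = false;
    BYTE hash[64]; DWORD len = sizeof(hash);
    if (CryptCATAdminAcquireContext(&admin, &sub, 0) &&
        CryptCATAdminCalcHashFromFileHandle(f, &len, hash, 0) &&
        (cat = CryptCATAdminEnumCatalogFromHash(admin, hash, len, 0, NULL)) != NULL &&
        CryptCATCatalogInfoFromContext(cat, &ci, 0)) {
        std::wstring tag = HashToMemberTag(hash, len);
        WINTRUST_CATALOG_INFO wci = { sizeof(wci) };
        wci.pcwszCatalogFilePath = ci.wszCatalogFile; wci.pcwszMemberFilePath = path;
        wci.pcwszMemberTag = tag.c_str();
        ok = Verify(WTD_CHOICE_CATALOG, &wci) == ERROR_SUCCESS;  // catalog signature
    }
    if (cat) CryptCATAdminReleaseCatalogContext(admin, cat, 0);
    if (admin) CryptCATAdminReleaseContext(admin, 0);
    CloseHandle(f);
    return ok;
}
#endif
```

CryptCATAdminCalcHashFromFileHandle yields a SHA-1 hash, which matches the Windows 7 setup in the question; Windows 8 and later also provide CryptCATAdminAcquireContext2 and CryptCATAdminCalcHashFromFileHandle2 for catalogs that use other hash algorithms.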
