12

I've written a C# .NET application that uses a popular unmanaged DLL file for part of its functionality. The DLL is imported using the standard DllImport from System.Runtime.InteropServices.

However, unfortunately, my application (along with most .NET applications using DllImport) is vulnerable to DLL Hijacking. I.e. an attacker can place a malicious copy of the imported DLL in the same directory as any file opened by my application. This could give the attacker full control of the user's machine.

To mitigate this vulnerability I'd like to verify that the DLL file is properly signed (with default Authenticode) before importing it. I know that signatures can be verified with tools like sigcheck.exe, but this isn't a viable solution for me since I need to do it from within my C# code.

So my question is simply: How can I verify that a DLL has a valid Authenticode signature, from within my managed C# code, before loading the DLL?

Limitations:

  • The imported DLL isn't developed by me, it's from an external company.
  • The DLL is not distributed with my application, it is expected to already be installed prior to running my app.
  • The imported DLL exists in many different versions (and even more will come), so I can't simply verify an MD5 checksum of the DLL before importing it.

Failed approaches:

  • Microsoft have a nice writeup on preventing "DLL preloading attacks", however, this info isn't applicable for .NET's DllImport.
  • I've seen some people suggesting the use of the unmanaged function WinVerifyTrust from Wintrust.dll. This is of course a stupid solution, since that would instead make my application vulnerable to DLL injection via Wintrust.dll.
Erik
  • This is most likely dup of http://stackoverflow.com/questions/3281057/get-timestamp-from-authenticode-signed-files-in-net, but since you are not specifying how unmanaged DLL is signed I can't be really sure. – Alexei Levenkov Jul 20 '13 at 21:09
  • Why wouldn't an attacker just replace *your* program? Much easier to do. – Hans Passant Jul 20 '13 at 23:10
  • I think you could still use sigcheck.exe. You can run the process from C# and capture its output: http://stackoverflow.com/a/10380353/1415732 – Alden Jul 21 '13 at 01:46
  • @Alexei: In native land, Authenticode is really the only game in town here. – Billy ONeal Jul 21 '13 at 17:01
  • @Alexei: Yes, I mean verifying an Authenticode signature. However, the p/Invoke solution you refer to wouldn't solve my problem since that solution requires a DllImport of "crypt32.dll". Hence my application would instead be vulnerable to DLL hijacking of crypt32.dll. – Erik Jul 21 '13 at 21:18

1 Answer

You need to employ an Authenticode verifier. Answers to this question offer to use P/Invoke, and if you need a managed solution, you might be interested in our SecureBlackbox library, which among other functionality offers Authenticode signing and signature verification.

However, while you can defend yourself from loading a fake DLL, you can't defend the application itself from being cracked. So signature verification protects you from only one attack vector, of course.

Let me point out that replacing WinTrust.dll depends on a different attack vector, which requires access to the computer. In this case the attacker can patch your application altogether.

Eugene Mayevski 'Callback
  • Verifying the signature using "CryptQueryObject" (as recommended in that answer) requires a DllImport of CRYPT32.DLL. As I see it that would instead make my application vulnerable to DLL hijacking of crypt32.dll in the same way as my point was with WinTrust.dll. Also, I'm not worried about my application being cracked, since it is open source. I just wanna protect my users so that they can safely open files with my application without being 0wn3d. – Erik Jul 21 '13 at 21:26
  • @EricH if there's a chance for DLL hijacking, then the user's computer is already compromised and a fake crypt32.dll has already done what it was intended to, long before your application. – Eugene Mayevski 'Callback Jul 22 '13 at 06:02
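An added example (not code from the question, the answer or SecureBlackbox) of the P/Invoke route the answer refers to, written so that wintrust.dll is resolved only from the System32 directory instead of through the search order the question is worried about; the only bare DllImports are into kernel32.dll, which is already mapped into every process. The class and method names are my own.

```csharp
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
static class AuthenticodeCheck
{
    const uint LOAD_LIBRARY_SEARCH_SYSTEM32 = 0x800;   // resolve only from %SystemRoot%\System32
    const uint WTD_UI_NONE = 2, WTD_REVOKE_NONE = 0, WTD_CHOICE_FILE = 1, WTD_STATEACTION_VERIFY = 1, WTD_STATEACTION_CLOSE = 2;
    static readonly Guid WINTRUST_ACTION_GENERIC_VERIFY_V2 = new Guid("00AAC56B-CD44-11d0-8CC2-00C04FC295EE");
    [StructLayout(LayoutKind.Sequential)]
    struct WINTRUST_FILE_INFO { public uint cbStruct; public IntPtr pcwszFilePath; public IntPtr hFile; public IntPtr pgKnownSubject; }
    [StructLayout(LayoutKind.Sequential)]
    struct WINTRUST_DATA
    {
        public uint cbStruct; public IntPtr pPolicyCallbackData; public IntPtr pSIPClientData;
        public uint dwUIChoice; public uint fdwRevocationChecks; public uint dwUnionChoice;
        public IntPtr pFile; public uint dwStateAction; public IntPtr hWVTStateData;
        public IntPtr pwszURLReference; public uint dwProvFlags; public uint dwUIContext;
    }
    // kernel32.dll is a KnownDLL already mapped into every process, so these two imports cannot be
    // satisfied from the application's directory or from the directory of an opened document.
    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern IntPtr LoadLibraryExW(string fileName, IntPtr hFile, uint flags);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr GetProcAddress(IntPtr module, string procName);
    [UnmanagedFunctionPointer(CallingConvention.StdCall)]
    delegate int WinVerifyTrustFn(IntPtr hwnd, ref Guid action, ref WINTRUST_DATA data);
    // True only if the file carries an Authenticode signature that chains to a root this machine trusts.
    public static bool HasValidSignature(string path)
    {
        IntPtr module = LoadLibraryExW("wintrust.dll", IntPtr.Zero, LOAD_LIBRARY_SEARCH_SYSTEM32);
        IntPtr proc = module == IntPtr.Zero ? IntPtr.Zero : GetProcAddress(module, "WinVerifyTrust");
        if (proc == IntPtr.Zero) throw new Win32Exception();      // carries Marshal.GetLastWin32Error()
        var verify = (WinVerifyTrustFn)Marshal.GetDelegateForFunctionPointer(proc, typeof(WinVerifyTrustFn));
        var fileInfo = new WINTRUST_FILE_INFO { cbStruct = (uint)Marshal.SizeOf(typeof(WINTRUST_FILE_INFO)),
                                                pcwszFilePath = Marshal.StringToCoTaskMemUni(Path.GetFullPath(path)) };
        IntPtr pFileInfo = Marshal.AllocCoTaskMem((int)fileInfo.cbStruct);
        Marshal.StructureToPtr(fileInfo, pFileInfo, false);
        var data = new WINTRUST_DATA { cbStruct = (uint)Marshal.SizeOf(typeof(WINTRUST_DATA)), dwUIChoice = WTD_UI_NONE,
            fdwRevocationChecks = WTD_REVOKE_NONE, dwUnionChoice = WTD_CHOICE_FILE, pFile = pFileInfo, dwStateAction = WTD_STATEACTION_VERIFY };
        Guid action = WINTRUST_ACTION_GENERIC_VERIFY_V2;
        try { return verify(IntPtr.Zero, ref action, ref data) == 0; }   // 0 == trusted; any other value is an error/untrusted code
        finally                                                           // release the verifier state handle and buffers
        {
            data.dwStateAction = WTD_STATEACTION_CLOSE; verify(IntPtr.Zero, ref action, ref data);
            Marshal.FreeCoTaskMem(fileInfo.pcwszFilePath); Marshal.FreeCoTaskMem(pFileInfo);
        }
    }
}
```

A result of 0 proves only a chain to a trusted root, so also compare the signer (e.g. X509Certificate.CreateFromSignedFile(path).Subject) with the expected publisher, and verify the same fully-qualified path that you subsequently load so the check and the load cannot resolve to different files. LOAD_LIBRARY_SEARCH_SYSTEM32 requires Windows 8, or Windows 7 with update KB2533623.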