
This Stackoverflow question asked how to modify the version information in an existing binary (DLL or EXE). The answer was to use Visual Studio. I tried on a 3rd party DLL our PC supplier gave us to read system metrics (such as battery voltage or motherboard temperature). The supplier had neglected to add any version information to the DLL. This proved disturbingly easy to do and the version information when viewing file properties looks absolutely legitimate.

This Superuser question shows how to use a fantastic utility called Autoruns to see what is starting up and running on your computer. One of the high-rated answers suggested being suspicious of DLLs or EXEs where the Publisher was unknown or blank.

Now I ran Autoruns myself and identified a Java DLL not currently loaded into memory. The DLL was loaded into VS and the "Company Name" modified from "Oracle Corporation" to "HonkyTonks". Reloading Autoruns...and lo and behold, the "Publisher" now shows "HonkyTonks"! Holding the mouse over the DLL in Windows Explorer also shows version information with any modification I care to make.

So my questions are:

1) Is the suggestion to look for Company Name/Publisher useful (in terms of security)?

2) This looks to me like a security loophole because many otherwise competent computer users may see "Microsoft Corporation" or similar in the version information and assume the file is legit. Is this a known loophole and if so does it apply to all versions of Windows and possibly other OS? Am I just behind-the-times and one should never trust this information?

3) Can you programmatically detect whether the version information had been modified in this way?

4) Can you lock down the version information in our own binaries so that it cannot be modified so easily by someone else?

Thanks.

AlainD
  • Yes, editing embedded resources is made easy by resource editor applications. But it's not really any different than editing binaries with a hex editor. You can't stop people from doing that. The only thing you can do, as far as detecting it, is digitally sign your applications. This will ensure that the binaries have not been modified by anyone other than the author. – Cody Gray - on strike Feb 02 '16 at 16:29
  • IoW, if the binary isn't digitally signed, you can't trust it. The version information may have been changed, the code may have been changed. – Harry Johnston Feb 03 '16 at 04:14

1 Answer

  1. In terms of security, the version information is mostly unuseful. It provides only the basic information about a publisher and as you mentioned can be easily forged.

  2. Yes, that's why in Microsoft's .Net Framework you can digitally sign assemblies and executables. In this case, even a modification of the version information will lead to denial of execution or loading of a signed binary. And the only way to fake the assembly is to steal the private key used to sign this assembly.

  3. No. It's only possible if you have signed the executable or DLL. But in classic Windows (not MS .Net) it's almost impossible to do, because you need to store the public part of the key used for verification in a secure place. Otherwise, the hacker can replace the public key with his own and your verification program will fail to detect the fake.

  4. You can sign the binary and put the digital signature inside of it or in a separate file. And validate the signature against the binary before loading it. And you must secure the public key storage.
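As an added example (not part of the question or the answer above), here is a PowerShell check that puts the answer's points 3 and 4 and the comments' advice into practice: it reads the forgeable CompanyName from the version resource and compares it with the result of an Authenticode signature check, which is the only part that actually verifies anything. It assumes Windows PowerShell 5.1 or later and a list of file paths you supply (the path below is a placeholder).

```powershell
# Added example: compare a binary's (forgeable) version resource against its
# Authenticode signature. The default path is a placeholder; pass the image
# paths Autoruns reports instead.
param(
    [string[]]$Paths = @("C:\Path\To\Some.dll")   # placeholder, not a real file
)

function Test-ClaimedPublisher {
    param([Parameter(Mandatory)][string]$Path)

    $item = Get-Item -LiteralPath $Path -ErrorAction Stop
    # VersionInfo reads the VERSIONINFO resource. CompanyName is plain data
    # that any resource editor can rewrite, so it is only a claim.
    $claimed = $item.VersionInfo.CompanyName

    # Get-AuthenticodeSignature verifies the signature and its chain against
    # the machine's trusted roots; a tampered file fails the hash check.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    $signer = if ($sig.SignerCertificate) {
        $sig.SignerCertificate.GetNameInfo('SimpleName', $false)
    } else { $null }

    # Only a Valid signature makes the publisher trustworthy, and then the
    # trusted name is the signer, not CompanyName. HashMismatch means the
    # file changed after signing (an edited version resource does this);
    # NotSigned means there is nothing to verify at all.
    $verdict = switch ($sig.Status) {
        'Valid'        { 'signed: trust the signer name, not CompanyName' }
        'HashMismatch' { 'MODIFIED after signing: do not trust' }
        'NotSigned'    { 'unsigned: CompanyName cannot be verified' }
        default        { "signature problem ($($sig.Status)): do not trust" }
    }

    [pscustomobject]@{
        Path            = $Path
        ClaimedCompany  = $claimed
        SignatureStatus = $sig.Status
        Signer          = $signer
        Verdict         = $verdict
    }
}

$Paths | ForEach-Object { Test-ClaimedPublisher -Path $_ } | Format-List
```

A CompanyName of "Microsoft Corporation" on a file whose Verdict is "unsigned" or "MODIFIED after signing" is exactly the forged-looking case the question describes.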

Alexey Kiselev