7

I was wondering to what degree I can rely on the digital signatures on files (aka Digital Certificates from Verisign, Simantec etc), when deciding if it's been tampered with or not.

Say I want download an application version that's no longer on the original developer's site but available on a third party sites like cnet, oldapps.com or filehippo. I usually resort to search for old forum entries with people listing the MD5 or SHA1 hash signature to see if they match the hash on the one I've downloaded. That only works with really big devs who's software is widespread.

I was wondering if verifying the file's digital signature is another reliable means of ensuring the file came from the dev and wasn't altered by a third party?

What I'm asking is: if a hacker injects an already signed DLL or EXE with a malcode, effectively changing the file's hash, will it break the digital signature because the signature embeds some kind of digest? Or will the signature be completely unaffected?

thebunnyrules
  • 1,520
  • 15
  • 22

3 Answers3

4

I decided to answer my own question using an empirical approach rather than taking the taking the Digital Certification authorities word for it.

I devised an experiment where I used a hex editor to modify copies of wdksetup.exe (a signed WDK web installer from Microsoft's website) and studied how the digital signature is affected. I substituted 1byte all the way to 25KB and made a new copy each time I made a substitution. I also used ResourceHacker to add an icon group to one the which added an extra 400KB to the file.

Results:

  • Substituting 1 single byte will change the SHA1 digest of a file but also cause its Signature to fail checks. The signature will still be there but it will fail any checks. If you send the file to VirusTotal, if you go to properties and click on details on the signature or if you try to run it and look at the Publisher line, you will be notified that the signature is no good. 1 single byte. Brilliant!

  • That being said, I emphasize that the signature wasn't lost (even when I made substitutions of up to 25KB), so when you go to File properties, there will still be a Digital Signatures tab and it will still say Microsoft. This is very misleading and you have to be careful not to end your inspection there because that tab will still be there whether the signature is valid or not. To ensure that you have a good signature, you have to select the signature and click on details. You will then get a dialogue that tells you if that signature is valid or not. This describes the behavior I observed in Windows 7, I didn't have a copy of 8 or 10 handy to see how the properties dialogues behave there.

  • Making massive size changing modifications to a file will result in the signature being completely destroyed.

(edit: I was curious to see the impact of size. I repeated the 1byte substitution experiment on a 250mb file with the same results. I was also curious to see if size impacts the possibility of getting collisions in when calculating digests. I did a 1 byte substitution in 3.5GB DVD iso which resulted in both different MD5 and SHA1 hashes.)

thebunnyrules
  • 1,520
  • 15
  • 22
  • 1
    I'm assuming the signature was removed not because you made a big change, but because you used a tool which does the right thing and removes the signature while making changes. When hacking the file, of course the signature will still be there, that's the point -- it is there to show that the file was signed at some point, then tampered with. Having an invalid signature is more information than having no signature. The fact that ui is not very clear about it is sad, but hopefully Windows doesn't let you run a signed executable with a no-longer valid signature? – MK. Jan 17 '17 at 14:26
  • If I remember the correctly, Windows 10 won't let you run revoked certificates without you going into the properties and overwriting it for that file but this isn't the case for 7. That's ok for me, now that I understand how things works, I'll check the certificates myself. Like I said before, I was using using other checks before but now that I know that I can trust certificates, it's just another great tool available. I wonder why they don't sign iso archive files. – thebunnyrules Jan 18 '17 at 03:24
  • because iso is a disk image format which was designed before crypto signatures where common. – MK. Jan 18 '17 at 03:33
2

Changing executable file in any way should of course invalidate signatures.
here are some links to look for details on how this works: https://msdn.microsoft.com/en-us/library/windows/desktop/aa382384(v=vs.85).aspx

It is a bit hard to find good proof that's what executable signing does, because your are doubting its primary function, and most things seem to assume that it is in fact doing signature verification. Perhaps this:

For example, the Software Publisher Trust Provider can verify that an executable image file comes from a trusted software publisher and that the file has not been modified since it was published. In this case, the pWinTrustData parameter specifies the name of the file and the type of file, such as a Microsoft Portable Executable image file.

from https://msdn.microsoft.com/en-us/library/windows/desktop/aa388208(v=vs.85).aspx

MK.
  • 33,605
  • 18
  • 74
  • 111
  • Thanks, I'll have a read at those. In the meantime, you gave me an idea. I downloaded a MS their site from the their site and am going to experiment in modifying it in different ways to see what happens. I'll put up the results as an answer. – thebunnyrules Jan 16 '17 at 21:50
0

It does not retain the integrity, but it can still run!

OS Version: Windows 10, version 2004, also known as the Windows 10 May 2020 Update

integrity exe file: The exe file you downloaded from somewhere.

tampered exe file: Use the hex editor to modify the 1 byte (8 bits) descriptive text in the "integrity exe file" program, taking care not to damage the program code.

right click xxx.exe - Properties - Digital Signatures - select one Signatures list item - click Details button

integrity exe file -> This digital signature is OK.

tampered exe file -> This digital signature is not valid.

Double click xxx.exe ("Run as administrator" permission required):

User Account Control (UAC) Prompt: Do you want this app to make changes to your device?

integrity exe file -> Blue Verified publisher: xxx

tampered exe file -> Yellow Publisher: Unknown

click Yes -> RUNNING!

Double click xxx.exe (No need for "Run as administrator" permission):

integrity exe file / tampered exe file -> RUNNING!

lovestackh343
  • 581
  • 5
  • 6