
I have a VB6 application that in parts opens other applications. These applications can be created by approved third parties for integration purposes. I am trying to find a way that I can open these securely and ensure the application that gets opened is the one intended. I want to ensure the .exe can't be replaced by another with the same name. The main application has access to an SQL database. So I was thinking of a hashed key, but I then run into a problem where I would need to create a new release for each new integration.

Any suggestions would be fantastic!

  • How about having a "Register/Update approved application" option in your program? It calculates the hash of an approved application that should be added and stores it in a database. Before launching any registered application, you calculate the hash of it and compare it to the one stored. – Hel O'Ween Mar 30 '22 at 10:13
  • If I understand, you want to make sure the program you're running is really the program you think it is. I can think of three possible levels... 1) Verify file name, path, and size. Possibly even file version with a `GetFileVersionInfoSize` API. Low overhead, low bar to pass, but better than nothing. 2) MD5 Hash (https://stackoverflow.com/questions/2826302/how-to-get-the-md5-hex-hash-for-a-file-using-vba). 3) Verify certificate signature. Accomplishes #2 but lets you publish new versions that will also pass. – User51 Mar 30 '22 at 13:07
  • Is this intended just as a "correctness" measure? E.g., in case the programmer mistakenly has the wrong EXE in place? Or for actual security? If the latter, then I think a limitation of any local mechanism to verify the secondary EXE is that your primary program may have been compromised. – StayOnTarget Mar 30 '22 at 18:40
  • You can use code-signing certificates. You can issue code-signing certificates from your own CA. You can check if an executable is signed by a certificate that is issued by a CA with a predefined public key. You can sign an executable with multiple certificates. You can sign an executable with a "regular" code-signing certificate and your own issued certificates simultaneously. – wqw Apr 01 '22 at 13:45
  • Just wanted to say thank you for everyone's input. I am going to review these, but the certificates seem a good idea. – Chris Birch Apr 05 '22 at 11:12
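The "register an approved application's hash, then compare before launching" scheme that Hel O'Ween sketches in the comments, written out as an added example that is not from the question or any commenter; it is Python rather than VB6, uses SHA-256, and an SQLite table stands in for the main application's SQL database (the table name, column names and the `launch_if_approved` helper are assumptions):

```python
import hashlib
import hmac
import os
import sqlite3
import subprocess

CHUNK = 1 << 20  # hash in 1 MiB chunks so a large executable does not fill memory

def file_sha256(path):
    """Return the hex SHA-256 digest of the file at path."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()

def open_registry(db_path=":memory:"):
    """Create the approved-application table (assumed schema: one row per path)."""
    db = sqlite3.connect(db_path)
    db.execute("CREATE TABLE IF NOT EXISTS approved_apps "
               "(path TEXT PRIMARY KEY, sha256 TEXT NOT NULL)")
    return db

def register_application(db, path):
    """The 'Register/Update approved application' option: store the current hash."""
    digest = file_sha256(path)
    db.execute("INSERT OR REPLACE INTO approved_apps VALUES (?, ?)",
               (os.path.abspath(path), digest))
    db.commit()
    return digest

def verify_application(db, path):
    """True only if the file on disk still matches the registered hash."""
    row = db.execute("SELECT sha256 FROM approved_apps WHERE path = ?",
                     (os.path.abspath(path),)).fetchone()
    if row is None:
        return False  # never approved: refuse rather than launch unknown code
    try:
        current = file_sha256(path)
    except OSError:
        return False  # missing or unreadable file: do not launch
    # constant-time compare so the comparison itself leaks nothing about the digest
    return hmac.compare_digest(row[0], current)

def launch_if_approved(db, path, args=()):
    """Launch the executable only after its hash checks out; otherwise return None."""
    if not verify_application(db, path):
        return None
    return subprocess.Popen([path, *args])
```

A replaced .exe with the same name fails `verify_application` because its hash differs, but the file can still be swapped between the hash check and the launch, and, as StayOnTarget notes, a compromised main application defeats any such local check.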
