C#: How to detect tampering of authenticode signed file

Question

I'm trying to write a C# program that verifies the digital signature of exe's. The exe's are signed with an authenticode certificate, and I want to detect tampering.

I've been able to create a SignedCms instance as described here: Get timestamp from Authenticode Signed files in .NET

I assumed SignedCms.CheckSignature would do the trick, but this method never throws an exception... Even not when I modify some bits of the exe...

score 5 · Answer 1 · edited May 23 '17 at 11:45

5

I'm assuming you've scoured the .NET Framework docs and didn't find what you needed. The answer to this StackOverflow question has a link that describes how to use the native Windows CryptQueryObject function to verify a signature. So all that's left is to check out PInvoke.NET to see how to bring that function into .NET.

edited May 23 '17 at 11:45

Community

1
1

answered Oct 02 '11 at 04:20

David Pope

6,457
2
35
45

David Pope: So all a hacker needs to do is overwrite the CryptQueryObject ? lol - security by obscurity doesn't work. – Stefan Steiger Oct 13 '16 at 11:24

score 0 · Answer 2 · answered Oct 01 '11 at 21:11

0

Could you just shell to signtool.exe /verify, and check the result?

I recently wrote a simple app which signs executables using the same method, and it works great.

Signtool on MSDN

answered Oct 01 '11 at 21:11

tomfanning

9,552
4
50
78

1

Signing an executable is pointless, I can just remove your signing code, or change the signing key. with ilasm + ildasm ... In order for that to work, you'd need a trusted root certificate installed on the OS, and have the os verify the key - a key which was itselfs signed by a trusted authority, exactly like SSL. – Stefan Steiger Oct 13 '16 at 11:20
We sign with a public trusted cert and verify the trust chain. – tomfanning Oct 14 '16 at 18:00

C#: How to detect tampering of authenticode signed file

2 Answers2

Linked