What is the safest way to check that loaded DLL files have valid certificates?

I have a binary 'api.dll' that uses another binary 'helper.dll'. I want to authenticate each DLL with digital signatures, but I'm not sure if this is the right way. The DLLs are created with Visual Studio 2010 and linked through the Dependencies tab. Communication takes place via the stub helper.lib, so I obviously did not call LoadLibrary in the api.dll code. Part of the problem is that I do not know where helper.dll is loaded from. My initial thoughts:

  • Get a handle to the current process
  • List all loaded modules
  • Find the one named "helper.dll" (if this information is available through the module enumeration APIs) and check its signature, using something like this

Is this the best way to do this?

Secondly, based on my somewhat hazy understanding of digital signatures / certificates, it seems to me that validation requires a connection to a certification authority, or the certificate must already be listed as a trusted CA. Are such external connections usually tolerated, frowned upon, or explicitly prohibited? Will they be "established" with the app? Or is some other, less reliable method of verification used in such cases?

+4
1 answer

You want to verify the signatures of loaded DLLs. Once they are loaded, they have already had the chance to run arbitrary code in your process (see DllMain), and you lose.

You might want to delay-load the DLL. That way you do not need to manually do LoadLibrary / GetProcAddress for every function, but you still get a chance to run some code before the DLL is loaded and to fail if the check fails.

No, WinVerifyTrust does not require a live Internet connection. Every Windows machine has a list of trusted root certificates. Roughly speaking, the check extracts the signature and the certificates attached to the binary, verifies that the signature is valid (the contents of the file actually match what was signed), and that the certificates form a genuine chain leading to one of the trusted roots.

Note that WinVerifyTrust does not check that the file was signed by you, only that it was signed by someone who bought a certificate from a known certificate authority and that it was not tampered with afterwards. If you want to confirm that the file actually belongs to you, additional steps need to be taken.

+6
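As an added example (not part of the question or the answer), the following PowerShell script performs the post-load audit the question sketches (enumerate a process's modules, verify each signature) and adds the "additional step" the answer mentions: pinning the signer's certificate thumbprint so that a file merely signed by some other CA customer is still rejected. Per the answer, an audit after loading is only a diagnostic, not a security boundary; the module names and `$ExpectedThumbprint` placeholder are assumptions.

```powershell
# Added example: audit every module loaded into a process. A valid Authenticode
# chain only proves "signed by someone with a CA-issued certificate", so for the
# DLLs you own we also require a pinned signer thumbprint. Values are placeholders.
param(
    [int]$ProcessId = $PID,
    [string]$ExpectedThumbprint = 'PUT-YOUR-CODE-SIGNING-CERT-THUMBPRINT-HERE',
    [string[]]$ModulesToPin = @('helper.dll', 'api.dll')   # assumed names from the question
)

function Test-LoadedModuleSignatures {
    param([int]$Id, [string]$Thumbprint, [string[]]$Pinned)

    $failures = @()
    # Note: a 32-bit PowerShell cannot enumerate a 64-bit process's modules (and vice versa).
    foreach ($m in (Get-Process -Id $Id).Modules) {
        $path = $m.FileName
        # Get-AuthenticodeSignature checks the file hash and the chain up to a
        # trusted root using the machine-local store, just like WinVerifyTrust;
        # no network connection is needed.
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') {
            $failures += [pscustomobject]@{ Module = $path; Reason = "Signature status: $($sig.Status)" }
            continue
        }
        # Extra step from the answer: for your own DLLs a valid chain is not enough,
        # so compare the signer certificate against the one you expect.
        if (($Pinned -contains $m.ModuleName) -and
            ($sig.SignerCertificate.Thumbprint -ne $Thumbprint)) {
            $failures += [pscustomobject]@{
                Module = $path
                Reason = "Unexpected signer thumbprint: $($sig.SignerCertificate.Thumbprint)"
            }
        }
    }
    return $failures
}

$bad = @(Test-LoadedModuleSignatures -Id $ProcessId -Thumbprint $ExpectedThumbprint -Pinned $ModulesToPin)
if ($bad.Count -eq 0) {
    Write-Host "All loaded modules pass signature and signer checks."
} else {
    $bad | Format-Table -AutoSize
    exit 1
}
```

Run it against a process that has api.dll and helper.dll loaded; any module that is unsigned, tampered with, or signed by a certificate other than the pinned one is listed with the reason.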

Source: https://habr.com/ru/post/1491747/
