Asked by:
When does the Operating system verify the Authenticode Signatures for signed EXEs and signed DLLs?

Question
When PE Files (exes, dlls etc.) are code signed using signtool, they can be verified to check if they have been authored by trusted publishers. In which scenarios does the Operating system actually verify signed EXEs and DLLs?
1. Are signatures of EXEs verified every time they are run?
2. If an EXE has a dynamically linked DLL, is the DLL's signature verified when the EXE is run?
3. If the EXE dynamically loads a DLL using LoadLibrary, is the DLL's signature verified when the EXE is run?
4. When an EXE requires elevated privilege (UAC), is the signature of the EXE and the DLL dependencies verified as well? (1-3)
If this question belongs in a different category or community, please let me know. Thanks.
Friday, July 24, 2020 5:01 AM
All replies
Hi,
Thanks for posting here,
Could you share the reason that you want to know the process of the OS?
Do you want to verify the PE signature? You could refer to the following sample:
Example C Program: Verifying the Signature of a PE File
The issue of using unsigned DLLs in signed projects also seems to be discussed here. It is recommended that you sign the exe and all DLLs used.
Best Regards,
Drake
This “Application Security for Windows Desktop” Forum will be migrating to a new home on Microsoft Q&A, please refer to this sticky post for more details.
"Win32 API" forum will be migrating to a new home on Microsoft Q&A !
We invite you to post new questions in the "Win32 API" forum’s new home on Microsoft Q&A !
For more information, please refer to the sticky post.
- Proposed as answer by Drake_Wu, Microsoft contingent staff, Thursday, July 30, 2020 7:05 AM
Monday, July 27, 2020 8:15 AM
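An added example, not code from this thread or from the C sample Drake links to: the same check that sample performs (an Authenticode verification of a PE file) done with Get-AuthenticodeSignature in PowerShell, and applied to every image mapped into a running process, so the EXE, its import-table DLLs and anything brought in later through LoadLibrary are all checked in one pass. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows, a shell of the same bitness as the target process, and uses the process name 'notepad' only as a placeholder.

```powershell
# Added example, not code from the thread: verify the Authenticode signature of
# every image mapped into a running process. Assumes Windows PowerShell 5.1 or
# PowerShell 7 on Windows, run from a shell with the same bitness as the target
# (reading .Modules across the 32/64-bit boundary throws). The process name is a
# placeholder; pass -ProcessName for your own binary.
param(
    [string]$ProcessName = 'notepad'
)

function Test-LoadedModuleSignature {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Name)

    # Get-Process returns every running instance with that image name.
    foreach ($proc in (Get-Process -Name $Name -ErrorAction Stop)) {
        try {
            # .Modules is a snapshot: the EXE itself comes first, followed by the
            # import-table DLLs and whatever has been loaded via LoadLibrary so far.
            $modules = $proc.Modules
        } catch {
            Write-Warning "Cannot enumerate modules of PID $($proc.Id): $($_.Exception.Message)"
            continue
        }

        foreach ($m in $modules) {
            # Same check the linked C sample makes, via the cmdlet. Catalog-signed
            # system DLLs also report Valid, because the cmdlet consults the catalog store.
            $sig = Get-AuthenticodeSignature -FilePath $m.FileName
            [pscustomobject]@{
                ProcessId = $proc.Id
                Module    = $m.ModuleName
                Path      = $m.FileName
                Status    = $sig.Status   # Valid, NotSigned, HashMismatch, NotTrusted, ...
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            }
        }
    }
}

$results = Test-LoadedModuleSignature -Name $ProcessName

# Every row is an image the OS has already loaded. Any Status other than Valid is
# a module whose signature did not stop the load: unsigned (NotSigned) or
# modified after signing (HashMismatch).
$bad = $results | Where-Object { $_.Status -ne 'Valid' }
if ($bad) {
    $bad | Format-Table ProcessId, Module, Status, Path -AutoSize
} else {
    "All $($results.Count) modules in '$ProcessName' carry a valid Authenticode signature."
}
```

Run it against your own process once it has finished loading its plugins. Because .Modules is a point-in-time snapshot, a DLL that LoadLibrary pulls in later is only covered by a later run; for the on-disk tampering case the original poster describes, the interesting rows are HashMismatch (a signed file that was changed after signing) and NotSigned.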
Hi Drake,
Thanks for your reply.
Any DLL or EXE can be accidentally or maliciously modified on a user's machine. I am trying to identify if Authenticode signing a binary (using signtool.exe) automatically protects against this attack vector. I want to know if the OS verifies the Authenticode signature of the EXE and its DLLs prior to loading them. If the OS does it, I don't need to verify the signature in my application. Hope this makes sense.
Monday, August 3, 2020 1:15 PM
The following documents may be helpful to you:
Everything you need to know about Authenticode Code Signing
Caveats for Authenticode Code Signing
Best Regards,
Drake
- Edited by Drake_Wu, Microsoft contingent staff, Tuesday, August 4, 2020 1:45 AM
Tuesday, August 4, 2020 1:44 AM
Thanks for the links Drake. Unfortunately they don't address my question and I couldn't find any other documentation on my specific questions. I wonder if someone from the relevant team will be able to answer my question on this thread.
Thursday, August 6, 2020 4:24 AM