How EXACTLY sign DLLs for AppInitDlls ? RRS feed

  • Question

  • I just bought certificate from GoDaddy,tried and it did not work to sign dll for Windows 2008 x64 (in vmware)

    As recommended in the manual:

    I compiled the dll with /integritycheck

    signed with /ph option and added cross certificate with /ac option.

    When I verified the DLL with command: signtool verify /pa /v ldr.dll

    It shows certificate chains, notes that File HAS page hashes, and finally Successfully verified: 1

    But when I insert the DLL to AppInit_dlls all programs fails with error message about bad image mydll.dll

    I enabled verbose debug of Code Integrity and there is a message:

    Code Integrity completed validating file hash. Status 0xc0000428.

    Have I bought improper certificate or I missed something?

    Saturday, August 31, 2013 6:28 AM

All replies

  • Should work.

    Could you please try to run LoadLibrary("yourdll.dll", LOAD_LIBRARY_REQUIRE_SIGNED_TARGET) and see if you get the same error?

    Monday, September 16, 2013 5:09 AM
  • I have a similar issue. My goal is to use RequireSignedAppInit_DLLs with AppInit_DLLs (and yes I know all the concerns with AppInit_DLLs) on Windows 7 32 & 64 bit machines.

    I tested my DLL unsigned and signed 4 ways, and Windows' version.dll (unsigned) & Windows' atl100.dll (signed). All 7 DLLs were copied to my testing directory and absolute paths where used. Except for the 2 unsigned DLLs, right-click properties shows the signatures & certificates as valid.

    LoadLibraryExW( dll_name, 0, 0 ) loads all 7 DLLs, and LoadLibraryExW( dll_name, 0, LOAD_LIBRARY_REQUIRE_SIGNED_TARGET ) loads none with GetLastError returning 577 ("Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.").

    Does anyone know why signed DLLs do not work with LOAD_LIBRARY_REQUIRE_SIGNED_TARGET or AppInit_DLLs?

    I signed my DLL 4 ways: /ac, /ac + /t, /t, and neither cross or time-stamped. All 4 methods require either /pa or /kp with SignTool verify to pass, and fail verify with neither /pa or /kp.

    Monday, January 20, 2014 7:02 PM
  • HuntAndPeck, LOAD_LIBRARY_REQUIRE_SIGNED_TARGET requires that your file be linked with the /INTEGRITYCHECK linker option in addition to meeting the kernel-mode signing policy.

    If you have existing .dlls that you can't recompile, you can edit them instead with editbin.  Note that doing so will invalidate the signature, and you'll have to sign them again.

    editbin /INTEGRITYCHECK whatever.dll

    Tuesday, January 21, 2014 6:49 AM
  • Oh. Of course. Thank you Myria. /INTEGRITYCHECK made it work...

    BUT...it appears that /INTEGRITYCHECK is not compatible with Vista.

    Is such a signed DLL NOT compatible with Vista? On Windows 7 & WIndows 2003 Server another signed DLL  runs fine, but on Vista (x86 SP2), I get a "Bad Image" message when starting an EXE that loads the DLL like:

    abcdefg.EXE Bad Image

    C:\Program ...\pqrstu.dll is either not designed to run on Windows or it contains an error. Try installing the program again ...

    (The DLL & EXE used to work on Vista before signing, and still works after signing on the other OSes I've tested so far. I will double check this is still true.)

    Some more info:

    I signed the DLL, then did editbin /INTEGRITYCHECK and signed again. A compare of Link /DUMP /ALL outputs shows the only difference is in this area of the report:

               1ED1C6 checksum
                   2 subsystem (Windows GUI)
                 140 DLL characteristics
                       Dynamic base
                       NX compatible

             1E5E09 checksum
                   2 subsystem (Windows GUI)
                 1C0 DLL characteristics
                       Dynamic base
                       Check integrity
                       NX compatible

    The DLL with Check integrity set does not load without the "Bad Image" message on a Vista 32 machine. The signature is reported okay in both cases on that machine. Both DLLs work on other OSes I tested.

    • Edited by HuntAndPeck Saturday, February 1, 2014 2:42 PM
    Saturday, February 1, 2014 3:39 AM
  • Found it. /ph is required when signing for Vista, but optional for Win 7 on up.

    http://social.technet.microsoft.com/wiki/contents/articles/255.forced-integrity-signing-of-portable-executable-pe-files.aspx seems to be one of the few places where /ac, /ph, /INTEGRITYCHECK and Vista are mentioned together.

    My procedure is now:

    editbin /INTEGRITYCHECK my.dll
    signtool.exe sign /v /ph /ac somecross.cer /f my.pfx /p mypwd /t http://.../timestamp.dll my.dll

    For testing, I leave out the /t http://.../timestamp.dll part so the certificate in my.dll will expire in a year.

    Saturday, February 1, 2014 3:15 PM