Code signing

Postby PSLorde » Sat Oct 17, 2015 6:19 pm

What code signing do you recommend using?
PSLorde
 
Posts: 7
Joined: Sat Oct 17, 2015 6:15 pm

Re: Code signing

Postby madshi » Sat Oct 17, 2015 6:27 pm

I suppose you're asking which certificate provider I recommend?

Depends on whether you need to support Windows 10 with SecureBoot enabled. If you do, you'll have to get one of those "EV" Code Signing Certificates. See more details here:

http://blogs.msdn.com/b/windows_hardwar ... ws-10.aspx

Only a few providers can offer those. E.g. try digicert.
madshi
Site Admin
 
Posts: 9774
Joined: Sun Mar 21, 2004 5:25 pm

Re: Code signing

Postby PSLorde » Sat Oct 17, 2015 6:34 pm

Yeah, my problem is with secure boot. If I sign my code, will it work without disabling secure boot? Do you know anything about Comodo code signing? https://cheapsslsecurity.com/comodo/cod ... kQodTO0GEA

I use AppInit_DLLs to load my DLLs, but only if secure boot is disabled.
PSLorde
 
Posts: 7
Joined: Sat Oct 17, 2015 6:15 pm

Re: Code signing

Postby madshi » Sat Oct 17, 2015 6:39 pm

I don't think Comodo supports EV certificates yet, but I don't really know for sure, you'd need to ask them.

Usually you only need to sign drivers. If you use AppInit_DLLs, then I don't know if you need to sign at all. Of course signing everything helps with avoiding anti-virus false positives. But if we're only talking about user mode dlls and exes, then you probably don't need an EV certificate, and a normal certificate should suffice (if you need one at all). I don't really have any knowledge about AppInit_DLLs, though, so I can't tell you if it needs signed dlls or not.
madshi
Site Admin
 
Posts: 9774
Joined: Sun Mar 21, 2004 5:25 pm

Re: Code signing

Postby PSLorde » Sat Oct 17, 2015 6:44 pm

If I sign my DLL, do you think I will need to disable secure boot?
PSLorde
 
Posts: 7
Joined: Sat Oct 17, 2015 6:15 pm

Re: Code signing

Postby madshi » Sat Oct 17, 2015 6:46 pm

As I said, I've no knowledge about AppInit_DLLs.
madshi
Site Admin
 
Posts: 9774
Joined: Sun Mar 21, 2004 5:25 pm

Re: Code signing

Postby iconic » Sat Oct 17, 2015 7:22 pm

@PSLorde

AppInit_DLLs registry key only takes effect after rebooting and can be disabled on newer OS versions via a separate registry key. That method only injects into processes that link against user32.dll so it's no better than SetWindowsHookEx. Why use it?

--Iconic
iconic
 
Posts: 840
Joined: Wed Jun 08, 2005 5:08 am

Re: Code signing

Postby choochy2003 » Mon Oct 19, 2015 1:36 am

A note about code signing with an EV code signing certificate: as these certificates use a SHA2 hashing algorithm, they are not compatible with anything lower than Windows 8. SHA2 EV Code Signing certificates are not supported on Windows XP, Vista or 7 (for now). So you will either have to ship 2 versions of your files for the different OS groups (the cheaper option), or you can double sign your files with both a SHA1 and a SHA2 certificate. I have not yet tried the latter; however, the order of signing is apparently important. The SHA1 certificate must be the first in the chain.
choochy2003
 
Posts: 76
Joined: Fri Mar 21, 2008 4:52 am

Re: Code signing

Postby madshi » Mon Oct 19, 2015 6:44 am

choochy2003 wrote: A note about code signing with an EV code signing certificate: as these certificates use a SHA2 hashing algorithm, they are not compatible with anything lower than Windows 8. SHA2 EV Code Signing certificates are not supported on Windows XP, Vista or 7 (for now). So you will either have to ship 2 versions of your files for the different OS groups (the cheaper option), or you can double sign your files with both a SHA1 and a SHA2 certificate. I have not yet tried the latter; however, the order of signing is apparently important. The SHA1 certificate must be the first in the chain.

Interesting! How does double signing work? You simply run signtool twice?
madshi
Site Admin
 
Posts: 9774
Joined: Sun Mar 21, 2004 5:25 pm

Re: Code signing

Postby choochy2003 » Sat Oct 24, 2015 1:24 am

Yes, dual-signing requires you to run SignTool twice, using the /as switch on your second call. The /as switch just commands SignTool to append the signature. The other caveats are that you must use the VS2012 (or newer) developer command prompt for SHA2 signing and that you use the http://timestamp.geotrust.com/tsa timestamp server in place of the timestamp.verisign.com server that you use for your SHA1 certificate.
choochy2003
 
Posts: 76
Joined: Fri Mar 21, 2008 4:52 am
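The two-pass SignTool sequence choochy2003 describes, written out as an added example (not code from the thread or from madCodeHook). It assumes both certificates are installed in the current user's certificate store and are selected by thumbprint (EV certificates normally live on a hardware token, which surfaces in the store the same way); the thumbprints and myapp.exe are placeholders, and the VeriSign timestamp path is the one that service historically used.

```batch
@echo off
rem Added example: dual-sign one binary, SHA-1 signature first, SHA-256 appended second.
rem Run from a VS2012-or-newer developer command prompt so the SHA-2-capable SignTool
rem (Windows 8 SDK or later, which understands /as, /fd and /tr) is on PATH.

set TARGET=myapp.exe
rem Placeholders: replace with the thumbprints of your two code signing certificates.
set SHA1_CERT_THUMBPRINT=REPLACE_WITH_SHA1_CERT_THUMBPRINT
set SHA2_CERT_THUMBPRINT=REPLACE_WITH_EV_SHA256_CERT_THUMBPRINT

rem 1) Primary signature: SHA-1 file digest, SHA-1 certificate, Authenticode timestamp (/t).
rem    This one must go first so Windows XP, Vista and 7 can still verify the file.
signtool sign /sha1 %SHA1_CERT_THUMBPRINT% /fd sha1 ^
    /t http://timestamp.verisign.com/scripts/timstamp.dll "%TARGET%"
if errorlevel 1 goto :fail

rem 2) Appended signature (/as keeps the first one in place): SHA-256 file digest,
rem    EV SHA-2 certificate, RFC 3161 timestamp (/tr) from the GeoTrust server named
rem    in the thread, with the timestamp itself hashed as SHA-256 (/td).
signtool sign /as /sha1 %SHA2_CERT_THUMBPRINT% /fd sha256 ^
    /tr http://timestamp.geotrust.com/tsa /td sha256 "%TARGET%"
if errorlevel 1 goto :fail

rem 3) Check the result: /all verifies every signature in the file, not just the
rem    primary one, so the listing should show the SHA-1 and the SHA-256 signature.
signtool verify /pa /all /v "%TARGET%"
if errorlevel 1 goto :fail

echo Dual signing of %TARGET% succeeded.
goto :eof

:fail
echo Signing or verification of %TARGET% failed with error %errorlevel%.
exit /b 1
```

On Windows 7 and earlier only the first (SHA-1) signature is validated, so a verification run there is the practical check that the signing order was right.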

Re: Code signing

Postby madshi » Tue Oct 27, 2015 3:14 pm

Ok, thank you!
madshi
Site Admin
 
Posts: 9774
Joined: Sun Mar 21, 2004 5:25 pm