
I tried downloading a signed executable ( http://live.sysinternals.com/procexp.exe ) and modifying it. I thought it couldn't be done and that Windows would somehow prevent me from running it (or at least warn me). But when I change a single character (for example in the DOS stub or any other text data) it is still runnable.

Before modification, when I run this app it shows a UAC warning saying it is signed by Microsoft and asking whether I want to run it. After modification, there is no such thing. Even when I revert the changes, it still won't show up. I've compared the modified-and-reverted executable to the original (in Total Commander) and it shows no difference. But the original still shows the UAC prompt.

Why is that?

I'm using Windows 7 and Firefox.

3 Answers


I've never tried to do it. Yet when you edited the file, you invalidated the digital signature; you should see that in the Properties of the file.

Windows usually does not check digital signatures. Digital signatures come into play when the file is marked as downloaded from the Internet (if the signature is valid, Windows will show its publisher in the confirmation dialog; otherwise, the publisher will be unknown), and UAC (in this case, the digital signature also confirms the file came from a publisher stored as part of the digital signature).

Whether or not to show the UAC confirmation is not controlled by the digital signature; it's controlled by the application manifest.

So in my understanding, the UAC dialog should be shown. But since the modified file fails the digital signature check, Windows may decide the file is unsafe to elevate. You could look for messages in the Windows event log; there could be events explaining the behavior you see.


4 Comments

What did you mean by the file being marked as downloaded from the internet? I guess this is the case. I tried changing a random value, saving the file and changing it back to the original. So far I hadn't run the program. After all changes were reverted I ran it and it showed no popup even though the signature is valid. So I guess it somehow changed the file's "downloaded" status to "created by user" or similar. Where is this kind of information stored? And what is a program manifest? But thanks anyway
When you download a file from the Internet, some browsers (IE is the first one of course) store a flag on it. You can see it in the file properties dialog, General tab. There will be a Security line under Attributes which states “This file came from another computer and might be blocked to help protect this computer”. You'll also see an Unblock button on the right. Search for ‘application manifest’ and you'll know what it is. Are you sure the digital signature is still valid after you modified the file twice? I really doubt it.
You're right, there really is an Unblock button there. It is on the downloaded file. After copying this file, it remains in the copy too. If I change the file, it disappears. If I change it back to normal, it won't show again. I'll search for manifest and let you know. About digital signatures - it is a specific hash. So if you change something and then revert the changes, it has the same hash as the original (both files are the same :)) and the digital signature will be valid. Its purpose is not to prevent changes. It's to find differences.
I know how a digital signature works. Its purpose is to ensure the file hasn't been modified. Usually it also contains a time stamp. So it can become invalid after you modified the file twice. (Although I agree, it seems it should become valid again.)
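An added example, not from the question or any of the answers, that shows why the signature is valid again after an exact revert: Authenticode signs a hash of the PE that skips only the CheckSum field, the security data-directory entry and the certificate table itself, so a byte change anywhere else (the DOS stub included) alters the hash, and putting the byte back restores it. The toy PE32+ image and its placeholder WIN_CERTIFICATE are constructed here; the hashing takes the common-case shortcut of treating section data as contiguous in file order instead of walking the section table.

```python
import hashlib
import struct

def locate_fields(pe):
    """Offsets of CheckSum, the security data-directory entry, and the cert table (off, len)."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 24                           # after the PE sig and 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    secdir = opt + (112 if magic == 0x20B else 96) + 4 * 8   # data dirs; entry 4 = SECURITY
    cert_off, cert_len = struct.unpack_from("<II", pe, secdir)
    return opt + 64, secdir, cert_off, cert_len   # CheckSum is at opt+64 in PE32 and PE32+

def authenticode_hash(pe, algo="sha256"):
    """Digest of what Authenticode signs (file minus CheckSum, security dir entry, cert table)."""
    checksum, secdir, cert_off, cert_len = locate_fields(pe)
    h = hashlib.new(algo)
    h.update(pe[:checksum])
    h.update(pe[checksum + 4:secdir])
    h.update(pe[secdir + 8:cert_off or len(pe)])
    h.update(pe[cert_off + cert_len:] if cert_off else b"")   # data trailing the cert table
    return h.hexdigest()

def build_sample_pe():
    """Constructed toy PE32+ (not a real program) with a placeholder WIN_CERTIFICATE at the tail."""
    dos = bytearray(64); dos[:2] = b"MZ"
    stub = b"This program cannot be run in DOS mode.\r\n$"
    struct.pack_into("<I", dos, 0x3C, 64 + len(stub))           # e_lfanew
    opt = bytearray(240); struct.pack_into("<H", opt, 0, 0x20B)  # PE32+ optional header
    struct.pack_into("<I", opt, 64, 0xDEADBEEF)                 # CheckSum, not signed
    section = b"\x00" * 64 + b"section payload"
    blob = b"placeholder-pkcs7-blob"                            # where the real PKCS#7 goes
    cert = struct.pack("<IHH", 8 + len(blob), 0x0200, 0x0002) + blob
    cert_off = 64 + len(stub) + 24 + len(opt) + len(section)
    struct.pack_into("<II", opt, 112 + 4 * 8, cert_off, len(cert))
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, len(opt), 0x22)
    return bytes(dos) + stub + b"PE\0\0" + coff + bytes(opt) + section + cert

def demo():
    orig = build_sample_pe(); base = authenticode_hash(orig)   # replay the question's edits
    checksum, _, cert_off, _ = locate_fields(orig)
    edited = bytearray(orig); edited[70] ^= 0xFF                # one byte inside the DOS stub
    reverted = bytearray(edited); reverted[70] ^= 0xFF          # exact revert of that byte
    retouched = bytearray(orig); retouched[checksum] ^= 0xFF; retouched[cert_off + 8] ^= 0xFF
    return {"stub_edit_breaks": authenticode_hash(bytes(edited)) != base,
            "revert_restores": authenticode_hash(bytes(reverted)) == base,
            "unsigned_fields_ignored": authenticode_hash(bytes(retouched)) == base}
```

The last case shows the flip side: changing the CheckSum or bytes inside the certificate table leaves the signed hash untouched, which is why a signature check, not a whole-file hash comparison, is the right validity test.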

I copied chrome.exe to another directory and started writing random bytes into the application.

I checked the properties; the digital signature was there. I changed the application. It was unable to execute (giving some kind of internal error, not a Windows error) but still showed a valid certificate in the properties. It's strange.

I think Windows validates the certificate of an application only once.



After you change the file it will still show a digital signature, but if you click on the Details button for that signature I think you will find that it says the signature is not valid. When I changed it back to exactly what it originally contained, it once again told me that the signature was valid. (But you have to use an editor that edits the bytes in place - not one that might add a line break or something unintentionally.)
