Question

I've tried to download a signed executable (http://live.sysinternals.com/procexp.exe) and modify it. I thought it couldn't be done and that Windows would somehow prevent me from running it (or at least warn me). But when I change a single character (for example in the DOS stub or any other text data), it is still runnable.

Before modification, when I run this app it splashes a UAC warning showing it is signed by Microsoft and asking whether I want to run it. After modification, there is no such thing. Even when I revert the changes, it still won't show up. I've compared the modified and reverted executable to the original (in Total Commander) and it shows no difference. But the original still splashes the UAC warning.

Why is that?

I'm using Windows 7 and Firefox.

Solution

I've never tried to do it. Yet when you edited the file, you invalidated the digital signature; you should see it in the Properties of the file.

Windows usually does not check digital signatures. Digital signatures come into play when the file is marked as downloaded from the Internet (if the signature is valid, Windows will show its publisher in the confirmation dialog; otherwise, the publisher will be unknown), and UAC (in this case, the digital signature also confirms the file came from a publisher stored as part of the digital signature).

Whether or not to show the UAC confirmation is not controlled by the digital signature; it's controlled by the application manifest.

So in my understanding, the UAC dialog should be shown. But since the modified file fails the digital signature check, Windows may decide the file is unsafe to elevate. You could look for messages in the Windows event log; there could be events explaining the behavior you see.

OTHER TIPS

I have copied chrome.exe to another directory and started writing random bytes in the application.

I checked the properties, and the digital signature was there. I have changed the application. It was unable to execute (giving some kind of internal error, not a Windows error) but still showed a valid certificate in properties. It's strange.

I think Windows validates the certificate of an application only once.

After you change the file it will still show a digital signature, but if you click on the Details button for that signature I think you will find that it says the signature is not valid. When I changed it back to exactly what it originally contained, it once again told me that the signature was valid. (But you have to use an editor that edits the bytes in place, not one that might add a line break or something unintentionally.)
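Why a one-byte edit invalidates the signature and a byte-exact revert restores it: the signature covers a digest of the file contents, with only the PE checksum field, the certificate-table directory entry and the signature blob itself left out. The following is an added example, not code from any of the answers above. It computes that digest over a constructed, header-only PE32-shaped buffer, and it assumes the certificate table sits at the end of the file and everything before it is hashed in file order.

```python
import hashlib
import struct

def authenticode_digest(pe, algo="sha256"):
    """Hash a PE image the way Authenticode does (simplified layout assumption)."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe_off,) = struct.unpack_from("<I", pe, 0x3C)      # e_lfanew
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = pe_off + 24                                   # start of optional header
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    checksum = opt + 64                                 # CheckSum field (4 bytes)
    cert_dir = opt + (128 if magic == 0x10B else 144)   # data directory entry 4
    cert_off, cert_size = struct.unpack_from("<II", pe, cert_dir)
    end = cert_off if cert_size else len(pe)            # signature blob is not hashed
    h = hashlib.new(algo)
    for chunk in (pe[:checksum], pe[checksum + 4:cert_dir], pe[cert_dir + 8:end]):
        h.update(chunk)
    return h.hexdigest()

def build_sample():
    """Constructed PE32-shaped buffer: headers plus filler, not a runnable program."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)
    stub = b"This program cannot be run in DOS mode."
    dos[0x40:0x40 + len(stub)] = stub
    opt = bytearray(224)                                # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)
    image = dos + b"PE\0\0" + bytes(20) + opt + b"\x90" * 64
    struct.pack_into("<II", image, 0x80 + 24 + 128, len(image), 16)
    return image + b"SIGNATURE-BLOB--"                  # placeholder, 16 bytes

def demo():
    """Return digests: as signed, after a one-byte edit, after an in-place revert."""
    image = build_sample()
    as_signed = authenticode_digest(image)
    image[0x40] ^= 0x20                                 # 'T' -> 't' in the DOS stub
    after_edit = authenticode_digest(image)
    image[0x40] ^= 0x20                                 # restore the original byte
    return as_signed, after_edit, authenticode_digest(image)

if __name__ == "__main__":
    for label, digest in zip(("signed", "edited", "reverted"), demo()):
        print(f"{label:9}{digest}")
```

This only reproduces the digest step; a full check also verifies the signature blob and its certificate chain, which is what `Get-AuthenticodeSignature` in PowerShell or `signtool verify /pa` reports on a real file.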

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow