0

To demonstrate the usefulness of signatures and digital fingerprints I loaded mspaint into a hex editor and altered one character from P to X (the character was located in a string). When I later on launched mspaint I was expecting Windows (xp) to pop up a dialog to warn me and say that the file had been tampered. But no such dialog popped up! Why?

ChrisF
  • 41,278
  • 17
  • 101
  • 154
ragnarius
  • 381
  • 2
  • 5
  • 14
  • 1
    (1) mspaint.exe is not digitally signed under XP. (2) By default you are assumed to know what you're doing and are allowed to execute any program regardless of whether Authenticode is present-and-correct or not. I believe this can be changed by policy, if you really want. (You don't.) All that would happen with a hacked exe would be that the ‘Digital Signatures’ tab in Properties wouldn't appear. – bobince Nov 05 '09 at 14:00
  • too bad it was closed... When I launch a program that I have written myself I get a warning, but when I launch a tampered program there is no warning. As a programmer I find it confusing. –  Nov 05 '09 at 14:54
  • ragnarius, .NET? – Tarnay Kálmán Nov 05 '09 at 15:28
  • Could/should have been rewritten a tiny bit, and then stayed on SO. – Arjan Nov 05 '09 at 15:30

2 Answers2

1

The check probably isn't done for performance reasons. You might have a multi-megabyte executable, and checking it might take a long time.

However, if you load up Process Explorer and tell it to verify digital signatures, it will probably tell you that the digital signature on your tampered version of Paint is invalid.

Anthony Mills
  • 111
  • 3
1

Windows XP by itself does not offer very effective anti-tampering solutions. It's probably up to the developer to write verification code for his app if he wants to protect it from tampering. As for the non-kernel parts of the OS, such as the bundled programs (paint, for instance), they weren't considered critical enough to be protected in such a manner.

luvieere
  • 175
  • 1
  • 1
  • 11