1

I have an application that tries to verify the mmc.exe (services) signature. (the context of the application I think is irrelevant) I am trying with winapi function which both fails with WinVerifyTrust. I get TRUST_E_BAD_DIGEST when I am trying with verification from catalog, and TRUST_E_NOSIGNATURE when trying from file info. it is very important to mention that my function succeeds on win7, XP but fails on win8.

this is the code snippet for the function 

CATALOG_INFO InfoStruct = {0};
InfoStruct.cbStruct = sizeof(CATALOG_INFO);

WINTRUST_CATALOG_INFO WintrustCatalogStructure = {0};
WintrustCatalogStructure.cbStruct = sizeof(WINTRUST_CATALOG_INFO);

WINTRUST_FILE_INFO WintrustFileStructure = {0};
WintrustFileStructure.cbStruct = sizeof(WINTRUST_FILE_INFO);

GUID ActionGuid = WINTRUST_ACTION_GENERIC_VERIFY_V2;

//Get a context for signature verification.
HCATADMIN Context = NULL;
if(!::CryptCATAdminAcquireContext(&Context, NULL, 0) ){
    return false;
}

//Open file.

cx_handle hFile(::CreateFileW(filename_.c_str(), GENERIC_READ, 7, NULL, OPEN_EXISTING, 0, NULL));
if( INVALID_HANDLE_VALUE == (HANDLE)hFile )
{
    CryptCATAdminReleaseContext(Context, 0);
    return false;
}

//Get the size we need for our hash.
DWORD HashSize = 0;
::CryptCATAdminCalcHashFromFileHandle(hFile, &HashSize, NULL, 0);
if( HashSize == 0 )
{
    //0-sized has means error!
    ::CryptCATAdminReleaseContext(Context, 0);
    return false;
}

//Allocate memory.
buffer hashbuf(HashSize);

//Actually calculate the hash
if( !CryptCATAdminCalcHashFromFileHandle(hFile, &HashSize, hashbuf.data, 0) )
{
    CryptCATAdminReleaseContext(Context, 0);
    return false;
}

//Convert the hash to a string.
buffer MemberTag(((HashSize * 2) + 1) * sizeof(wchar_t));
for( unsigned int i = 0; i < HashSize; i++ ){
    swprintf(&((PWCHAR)MemberTag.data)[i * 2], L"%02X", hashbuf.data[i ]);
}

//Get catalog for our context.
HCATINFO CatalogContext = CryptCATAdminEnumCatalogFromHash(Context, hashbuf, HashSize, 0, NULL);
if ( CatalogContext )
{
    //If we couldn't get information
    if ( !CryptCATCatalogInfoFromContext(CatalogContext, &InfoStruct, 0) )
    {
        //Release the context and set the context to null so it gets picked up below.
        CryptCATAdminReleaseCatalogContext(Context, CatalogContext, 0);
        CatalogContext = NULL;
    }
}

//If we have a valid context, we got our info.  
//Otherwise, we attempt to verify the internal signature.

WINTRUST_DATA WintrustStructure = {0};
WintrustStructure.cbStruct = sizeof(WINTRUST_DATA);

if( !CatalogContext )
{
    load_signature_verification_from_file_info(WintrustFileStructure, WintrustStructure);
} 
else
{
    load_signature_verification_from_catalog(WintrustStructure, WintrustCatalogStructure, InfoStruct, MemberTag);
}

//Call our verification function.
long verification_res = ::WinVerifyTrust(0, &ActionGuid, &WintrustStructure);

//Check return.
bool is_success = SUCCEEDED(verification_res) ? true : false;

// if failed with CatalogContext, try with FILE_INFO
if(!is_success && CatalogContext && verification_res != TRUST_E_NOSIGNATURE)
{
    //warning2(L"Failed verification with Catalog Context: 0x%x %s ; Retrying with FILE_INFO.", verification_res, (const wchar_t*)format_last_error(verification_res));

    load_signature_verification_from_file_info(WintrustFileStructure, WintrustStructure);
    verification_res = ::WinVerifyTrust(0, &ActionGuid, &WintrustStructure);
    is_success = SUCCEEDED(verification_res) ? true : false;
}

if(perr && !is_success && verification_res != TRUST_E_NOSIGNATURE)
{
    perr->code = verification_res;
    perr->description = format_last_error(verification_res);
}

//Free context.
if( CatalogContext ){
    ::CryptCATAdminReleaseCatalogContext(Context, CatalogContext, 0);
}

//If we successfully verified, we need to free.
if( is_success )
{
    WintrustStructure.dwStateAction = WTD_STATEACTION_CLOSE;
    ::WinVerifyTrust(0, &ActionGuid, &WintrustStructure);
}

::CryptCATAdminReleaseContext(Context, 0);

return is_success;

I don't think any thing had changed in this function from win7 to win 8 so what could possibly go wrong?

UPDATE

I did notice that my function does work for task manager at win 8. but again for the mmc it does not work.

Ajay
  • 18,086
  • 12
  • 59
  • 105
whIsrael
  • 27
  • 10

1 Answers1

4

It appears that your general approach is correct and the functions themselves haven't changed. However there are subtle changes; namely the data on which they operate has changed. The hashes stored for files on Windows 8, according to comments on CryptCATAdminCalcHashFromFileHandle, are calculated using SHA-256 hashes.

The SHA-256 hashing algorithm is not supported by CryptCATAdminCalcHashFromFileHandle, so you must update the code to use CryptCATAdminAcquireContext2 and CryptCATAdminCalcHashFromFileHandle2 on Windows 8; the former allows you to acquire a HCATADMIN with a specified hash algorithm, and the latter allows using that HCATADMIN.

(Interestingly, WINTRUST_CATALOG_INFO also points this direction with its HCATADMIN hCatAdmin member, documented as "Windows 8 and Windows Server 2012: Support for this member begins.")

Michael Urman
  • 15,737
  • 2
  • 28
  • 44
  • is there a way to avoid using those functions? i am not sure they supported by win xp and win 7. – whIsrael Oct 06 '14 at 15:27
  • @whIsrael You're right; per the docs they're only available on Windows 8 / Windows Server 2012 and later. So...just don't call them. All these functions are manually dynamically linked, so conditionally invoke the correct code path. – Michael Urman Oct 06 '14 at 15:39