Digital Code Signing Your Script


49 replies to this topic

#1 ptrex


Posted 11 March 2008 - 02:06 PM

Digital Code Signing Your Script

Some time ago I came across an article that mentioned the Digital Code Signing of VBS scripts.

Well this technique we can use to digitally sign our AU3 scripts.

What do you need for that :

1. A Certificate to sign your code :

If you have a Windows 2000 server or higher, you can release your own certificate.
Export it to your Development client and install it.

Create a Digital Signature

2. A Code Signing script
AutoIt

; Initialize error handler
$oMyError = ObjEvent("AutoIt.Error", "MyErrFunc")

$Script = "C:\test.vbs"

; --------------------------------- Sign it ----------------------------------
$oSigner = ObjCreate("Scripting.Signer")
$oSigner.SignFile($Script, "CA")
$oSigner = ""

; Use a valid certificate
; you can do this by going to a server that has a certificate service running.
; And then export a certificate that is OK for Signing Code.
; Then import this on the client.

; This is the custom error handler
Func MyErrFunc()
    $HexNumber = Hex($oMyError.number, 8)
    MsgBox(0, "AutoItCOM Test", "We intercepted a COM Error !" & @CRLF & @CRLF & _
            "err.description is: "  & @TAB & $oMyError.description    & @CRLF & _
            "err.windescription:"   & @TAB & $oMyError.windescription & @CRLF & _
            "err.number is: "       & @TAB & $HexNumber              & @CRLF & _
            "err.lastdllerror is: " & @TAB & $oMyError.lastdllerror   & @CRLF & _
            "err.scriptline is: "   & @TAB & $oMyError.scriptline     & @CRLF & _
            "err.source is: "       & @TAB & $oMyError.source         & @CRLF & _
            "err.helpfile is: "     & @TAB & $oMyError.helpfile       & @CRLF & _
            "err.helpcontext is: "  & @TAB & $oMyError.helpcontext)
    SetError(1) ; to check for after this function returns
EndFunc



Well there is one thing more to tell.
The OBJECT only signs VBS, WSH, JS etc. extensions, NOT AU3.

EDIT dd. 14/03/08. It does work on EXE files compiled with AU3 !!

Therefore you need to fool the system like this :
1. Add this at the last line of your code : #comments-start
2. Rename your AU3 script when signing to VBS.

Now you are ready to sign it.

This is how it should look after the signing :
Plain Text

MsgBox(0,"Info","Hello World")
#comments-start
'' SIG '' Begin signature block
'' SIG '' MIIFKQYJKoZIhvcNAQcCoIIFGjCCBRYCAQExDjAMBggq
'' SIG '' hkiG9w0CBQUAMGYGCisGAQQBgjcCAQSgWDBWMDIGCisG
'' SIG '' AQQBgjcCAR4wJAIBAQQQTvApFpkntU2P5azhDxfrqwIB
'' SIG '' AAIBAAIBAAIBAAIBADAgMAwGCCqGSIb3DQIFBQAEEFWk
'' SIG '' IdVeeZ9UsHEwZXiCQQGgggNeMIIDWjCCAwSgAwIBAgIQ
'' SIG '' fkJ0G34QpJNFoagxjw5AVzANBgkqhkiG9w0BAQUFADBp
'' SIG '' MSUwIwYJKoZIhvcNAQkBFhZiZWhlZXJkZXJAcGxhdGlm
'' SIG '' bGV4LmJlMQswCQYDVQQGEwJCRTEbMBkGA1UEChMSUGxh
'' SIG '' c3RpZmxleCBCZWxnaXVtMRYwFAYDVQQDEw1DQSBQbGFz
'' SIG '' dGlmbGV4MCAXDTAyMTIyMzEzNTgxNFoYDzIxMDExMjIz
'' SIG '' MTQwMzQxWjBpMSUwIwYJKoZIhvcNAQkBFhZiZWhlZXJk
'' SIG '' ZXJAcGxhdGlmbGV4LmJlMQswCQYDVQQGEwJCRTEbMBkG
'' SIG '' A1UEChMSUGxhc3RpZmxleCBCZWxnaXVtMRYwFAYDVQQD
'' SIG '' Ew1DQSBQbGFzdGlmbGV4MFwwDQYJKoZIhvcNAQEBBQAD
'' SIG '' SwAwSAJBAMfEKPc4U06twoNowuv9i6PqVEncgF9C5ubV
'' SIG '' 2M/WV2G8OWC6BcDoAD/19uCDY9owy9v+O0m65xVJueB8
'' SIG '' WQY+kVkCAwEAAaOCAYQwggGAMBMGCSsGAQQBgjcUAgQG
'' SIG '' HgQAQwBBMAsGA1UdDwQEAwIBRjAPBgNVHRMBAf8EBTAD
'' SIG '' AQH/MB0GA1UdDgQWBBRNLeB+jLUbbVNwXKQkrm6+Il2Z
'' SIG '' pzCCARgGA1UdHwSCAQ8wggELMIHDoIHAoIG9hoG6bGRh
'' SIG '' cDovLy9DTj1DQSUyMFBsYXN0aWZsZXgsQ049c3J2cGxi
'' SIG '' ZTAxLENOPUNEUCxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2
'' SIG '' aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9u
'' SIG '' LERDPXBsYXN0aWZsZXgsREM9YmU/Y2VydGlmaWNhdGVS
'' SIG '' ZXZvY2F0aW9uTGlzdD9iYXNlP29iamVjdGNsYXNzPWNS
'' SIG '' TERpc3RyaWJ1dGlvblBvaW50MEOgQaA/hj1odHRwOi8v
'' SIG '' c3J2cGxiZTAxLnBsYXN0aWZsZXguYmUvQ2VydEVucm9s
'' SIG '' bC9DQSUyMFBsYXN0aWZsZXguY3JsMBAGCSsGAQQBgjcV
'' SIG '' AQQDAgEAMA0GCSqGSIb3DQEBBQUAA0EAqS56bDjdKYOU
'' SIG '' LJFzzZEocKLtw7ms6mljut2XEpXAed5m6/IWE9FdVyLu
'' SIG '' Kd8DsgOk2EcNyn7gF48SokOVf4RsMjGCATUwggExAgEB
'' SIG '' MH0waTElMCMGCSqGSIb3DQEJARYWYmVoZWVyZGVyQHBs
'' SIG '' YXRpZmxleC5iZTELMAkGA1UEBhMCQkUxGzAZBgNVBAoT
'' SIG '' ElBsYXN0aWZsZXggQmVsZ2l1bTEWMBQGA1UEAxMNQ0Eg
'' SIG '' UGxhc3RpZmxleAIQfkJ0G34QpJNFoagxjw5AVzAMBggq
'' SIG '' hkiG9w0CBQUAoE4wEAYKKwYBBAGCNwIBDDECMAAwGQYJ
'' SIG '' KoZIhvcNAQkDMQwGCisGAQQBgjcCAQQwHwYJKoZIhvcN
'' SIG '' AQkEMRIEEINwSCZrqB/5msoTUE2GuM4wDQYJKoZIhvcN
'' SIG '' AQEBBQAEQKS51Qu7cESUtTQmWDpoyaoUmVxvZsXLrO61
'' SIG '' P+61QFRvV1CbsejdwtmiUTCetDb/NsVg1STLdSlQVikO
'' SIG '' lG9GybE=
'' SIG '' End signature block


Rename it back to AU3 and you are ready to run a trustworthy script.

Enjoy !!

ptrex

Edited by ptrex, 14 March 2008 - 08:44 PM.
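An added example (my code, not ptrex's script): it automates the rename trick from the post above and then asks the same Scripting.Signer object to verify the signature before the file is renamed back, which is the check a reader wants before treating a signed script as trustworthy. The function name SignAu3 and the path C:\test.au3 are my own; the certificate name "CA" is the one used in this thread.

```autoit
; Added example, not part of the original post. Assumes a code-signing
; certificate is installed under the name "CA" (as in the thread) and that
; C:\test.au3 is the script to sign (both are placeholders you can change).

Global $oMyError = ObjEvent("AutoIt.Error", "MyErrFunc")

Func SignAu3($sAu3Path, $sCertName)
    ; Scripting.Signer only accepts script extensions it knows, so work on a .vbs copy
    Local $sVbsPath = StringTrimRight($sAu3Path, 4) & ".vbs"
    If Not FileCopy($sAu3Path, $sVbsPath, 1) Then Return SetError(1, 0, False)

    ; #comments-start as the last line hides the appended signature block from AutoIt
    Local $hFile = FileOpen($sVbsPath, 1) ; mode 1 = append
    If $hFile = -1 Then Return SetError(2, 0, False)
    FileWrite($hFile, @CRLF & "#comments-start" & @CRLF)
    FileClose($hFile)

    Local $oSigner = ObjCreate("Scripting.Signer")
    If Not IsObj($oSigner) Then Return SetError(3, 0, False)

    $oSigner.SignFile($sVbsPath, $sCertName)
    If @error Then Return SetError(4, 0, False) ; @error is set by MyErrFunc on a COM error

    ; VerifyFile(path, ShowUI) is True only when the signature is valid AND the
    ; certificate chains to a trusted root, so a plain makecert self-signed cert
    ; comes back False here. Check while the file still has its .vbs extension.
    Local $bTrusted = $oSigner.VerifyFile($sVbsPath, False)

    ; Rename back to .au3, overwriting the unsigned original
    If Not FileMove($sVbsPath, $sAu3Path, 1) Then Return SetError(5, 0, False)
    Return $bTrusted
EndFunc

Func MyErrFunc()
    ConsoleWrite("COM error 0x" & Hex($oMyError.number, 8) & ": " & $oMyError.description & @CRLF)
    SetError(1) ; lets the caller test @error after the COM call
EndFunc

If SignAu3("C:\test.au3", "CA") Then
    ConsoleWrite("Signature is valid and chains to a trusted root" & @CRLF)
Else
    ConsoleWrite("Signing failed or signature is not trusted (error " & @error & ")" & @CRLF)
EndIf
```

Once the file is renamed back to .au3, VerifyFile can no longer locate the signature block, so verification has to happen before the rename.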








#2 gseller


Posted 11 March 2008 - 06:26 PM

Great Idea Ptrex! Anyone looking for the signcode.exe can find some help here..

#3 LIMITER


Posted 11 March 2008 - 06:53 PM

I have a question ...

Where do I put the path to the cert file ?

#4 gseller


Posted 11 March 2008 - 07:00 PM

I am having problems too.. Just a duh moment for me.. LOL :)

#5 ptrex


Posted 12 March 2008 - 07:44 AM

@gseller

Thanks for the additional info, good to know where to look

@LIMITER

Regarding the Path question.
Actually you don't specify a path to the certificate.
You only need to reference the name of it in the "SignFile" property.

In my case the certificate was installed using the name CA.
Once installed you can reference it using the name.

$oSigner.SignFile ($Script, "CA")


Regards

ptrex

#6 LIMITER


Posted 12 March 2008 - 11:37 AM

Thx ptrex !

#7 Alcoholic


Posted 13 March 2008 - 12:13 PM

Hi, interesting script yet I don't know how to use it...

Does this script digitally sign compiled scripts?

...
I FEEL DEVOTION

#8 LIMITER


Posted 13 March 2008 - 12:20 PM

@DigitAll

To sign compiled scripts, you should create a ".cer" file (digital certificate) and register it with a name by installing it. Then you should change the
$Script = "C:\test.vbs" line with

$Script = "C:\compiled script.exe"

And Hey Presto! The exe has a digital signature (if you created it with "MAKECERT.EXE", then it will be cataloged as being unsafe, because it's created by ROOT CERTIFICATE ...)

HOW TO CREATE A CERTIFICATE :

1. You should download "MAKECERT.EXE" ... (just google it)
2. Open a command prompt and go to the path where MAKECERT.EXE is
3. Then type something like this :

makecert.exe -sk "NAME" -r -n "CN=Company name,O=organisation,E=email" somename.cer


4. You should see a file called "somename.cer" in that directory ... That's the CERTIFICATE !

HOW TO INSTALL A CERTIFICATE :

1. Open the ".cer" file
2. Click "Install Certificate" button :)

Best regards,
L|M|TER

Edited by LIMITER, 13 March 2008 - 12:22 PM.


#9 ptrex


Posted 13 March 2008 - 12:40 PM

@all

This might get you all to get started.

MakeCert

Thanks LIMITER.

regards

ptrex

#10 Alcoholic


Posted 13 March 2008 - 01:11 PM

Is this free?

Yes, but I haven't tried this yet
I FEEL DEVOTION

#11 Alcoholic


Posted 13 March 2008 - 01:41 PM

Quick question:

I downloaded dotNetFx35setup from Microsoft (and installed it) but I can't locate makecert.exe.
Where is IT?

Edited by DigitAll, 13 March 2008 - 01:41 PM.

I FEEL DEVOTION

#12 ptrex


Posted 13 March 2008 - 05:01 PM

@DigitAll

Did you bother the read my post 9 ?

In there is a link from where you can download it !!

regards,

ptrex

#13 Alcoholic


Posted 13 March 2008 - 06:52 PM

@DigitAll

Did you bother the read my post 9 ?

In there is a link from where you can download it !!

regards,

ptrex

Sorry, I figured it out now.
Thanks very much. Cool script!
I FEEL DEVOTION

#14 Swift


Posted 13 March 2008 - 08:30 PM

I did what LIMITER said, and installed the cert...what does that have to do with creating certs? It did nothing???

#15 slayerz


Posted 14 March 2008 - 07:18 AM

@ptrex, you're awesome buddy! :)
AUTOIT I'm lovin' it!

#16 ptrex


Posted 14 March 2008 - 12:20 PM

@jackit

The hard part of this simple script is creating and installing a CERTIFICATE for script signing.

All the rest is explained in the first topic.

Creating and installing a certificate is straightforward too :

1. I go to a Windows Server and open the MMC.
2. Go to Certificates (local computer) (If it does not exist you need to add it first)
3. Find a Certificate that allows Code Signing in the list.
4. Export including a shared key. (recall the name of the cert. for later use)

5. Go to the Script Development PC and install the certificate.
6. Run the script.

@slayerz

Thanks

regards

ptrex

#17 slayerz


Posted 14 March 2008 - 02:35 PM

@ptrex, I had done like what u'd said. For the first try, I'd signed my compiled_script.exe and when I open the property, there's a new tab, "Digital Signature" with my name as a signer. (so glad it's working :))

....but when I run the compiled_script.exe , from my process viewer it shows as "Unknown Manufacturer".
I'd a script written in batch (.bat) and compiled it to .exe using QBFC.
When I run my application, it does show my name as the manufacturer (or company name) same like other Windows application that will show the name Microsoft.

Is it possible to do the same as what QBFC does? (QBFC stands for Quick Batch File Compiler)
AUTOIT I'm lovin' it!

#18 ptrex


Posted 14 March 2008 - 03:17 PM

@slayerz

This tool is called "RESOURCE HACK" , which is on your system shipped with AU3

1. Go to C:\Program Files\AutoIt3\SciTe\AutoIt3Wrapper and look for "ResHacker.exe"

2. Open the file and select an EXE you want to change.

3. Go to VERSION INFO and make your changes.

I am not responsible for any damage to the EXE :)

regards

ptrex

#19 slayerz


Posted 15 March 2008 - 01:49 PM

@slayerz

This tool is called "RESOURCE HACK" , which is on your system shipped with AU3

1. Go to C:\Program Files\AutoIt3\SciTe\AutoIt3Wrapper and look for "ResHacker.exe"

2. Open the file and select an EXE you want to change.

3. Go to VERSION INFO and make your changes.

I am not responsible for any damage to the EXE :)

regards

ptrex


@ptrex
Thanks for the explanation...I'll try it,hehe
AUTOIT I'm lovin' it!

#20 mmavipc


Posted 17 March 2008 - 03:05 AM

I get that it can't find the private key????



