Digital Code Signing Your Script


ptrex
Some time ago I came across an article that mentioned the Digital Code Signing of VBS scripts.

Well, this technique we can use to digitally sign our AU3 scripts.

What do you need for that:

1. A Certificate to sign your code:

If you have a Windows 2000 server or higher, you can release your own certificate.

Export it to your development client and install it.

Create a Digital Signature

2. A Code Signing script

; Initialize the COM error handler
$oMyError = ObjEvent("AutoIt.Error", "MyErrFunc")

; File to sign (the Scripting.Signer object only accepts WSH extensions such as .vbs/.js/.wsf)
$Script = "C:\test.vbs"

; --------------------------------- Sign it ----------------------------------
; Use a valid certificate:
; you can do this by going to a server that has a certificate service running,
; then export a certificate that is OK for signing code
; and import it on the client.
; "CA" is the name the certificate was installed under on this client.
$oSigner = ObjCreate("Scripting.Signer")
$oSigner.SignFile($Script, "CA")

$oSigner = ""

; This is the custom error handler
Func MyErrFunc()
  $HexNumber = Hex($oMyError.number, 8)
  MsgBox(0, "AutoItCOM Test", "We intercepted a COM Error !"       & @CRLF & @CRLF & _
             "err.description is: "    & @TAB & $oMyError.description    & @CRLF & _
             "err.windescription:"     & @TAB & $oMyError.windescription & @CRLF & _
             "err.number is: "         & @TAB & $HexNumber               & @CRLF & _
             "err.lastdllerror is: "   & @TAB & $oMyError.lastdllerror   & @CRLF & _
             "err.scriptline is: "     & @TAB & $oMyError.scriptline     & @CRLF & _
             "err.source is: "         & @TAB & $oMyError.source         & @CRLF & _
             "err.helpfile is: "       & @TAB & $oMyError.helpfile       & @CRLF & _
             "err.helpcontext is: "    & @TAB & $oMyError.helpcontext _
            )
  SetError(1)  ; to check for after this function returns
EndFunc

Well there is one thing more to tell.

The OBJECT only signs VBS, WSH, JS etc. extensions, NOT AU3.

EDIT dd. 14/03/08: It does work on EXE files compiled with AU3 !!

Therefore you need to fool the system like this:

1. Add this as the last line of your code: #comments-start

2. Rename your AU3 script when signing to VBS.

Now you are ready to sign it.

This is how it should look after the signing :

MsgBox(0,"Info","Hello World")
#comments-start

'' SIG '' Begin signature block
'' SIG '' MIIFKQYJKoZIhvcNAQcCoIIFGjCCBRYCAQExDjAMBggq
'' SIG '' hkiG9w0CBQUAMGYGCisGAQQBgjcCAQSgWDBWMDIGCisG
'' SIG '' AQQBgjcCAR4wJAIBAQQQTvApFpkntU2P5azhDxfrqwIB
'' SIG '' AAIBAAIBAAIBAAIBADAgMAwGCCqGSIb3DQIFBQAEEFWk
'' SIG '' IdVeeZ9UsHEwZXiCQQGgggNeMIIDWjCCAwSgAwIBAgIQ
'' SIG '' fkJ0G34QpJNFoagxjw5AVzANBgkqhkiG9w0BAQUFADBp
'' SIG '' MSUwIwYJKoZIhvcNAQkBFhZiZWhlZXJkZXJAcGxhdGlm
'' SIG '' bGV4LmJlMQswCQYDVQQGEwJCRTEbMBkGA1UEChMSUGxh
'' SIG '' c3RpZmxleCBCZWxnaXVtMRYwFAYDVQQDEw1DQSBQbGFz
'' SIG '' dGlmbGV4MCAXDTAyMTIyMzEzNTgxNFoYDzIxMDExMjIz
'' SIG '' MTQwMzQxWjBpMSUwIwYJKoZIhvcNAQkBFhZiZWhlZXJk
'' SIG '' ZXJAcGxhdGlmbGV4LmJlMQswCQYDVQQGEwJCRTEbMBkG
'' SIG '' A1UEChMSUGxhc3RpZmxleCBCZWxnaXVtMRYwFAYDVQQD
'' SIG '' Ew1DQSBQbGFzdGlmbGV4MFwwDQYJKoZIhvcNAQEBBQAD
'' SIG '' SwAwSAJBAMfEKPc4U06twoNowuv9i6PqVEncgF9C5ubV
'' SIG '' 2M/WV2G8OWC6BcDoAD/19uCDY9owy9v+O0m65xVJueB8
'' SIG '' WQY+kVkCAwEAAaOCAYQwggGAMBMGCSsGAQQBgjcUAgQG
'' SIG '' HgQAQwBBMAsGA1UdDwQEAwIBRjAPBgNVHRMBAf8EBTAD
'' SIG '' AQH/MB0GA1UdDgQWBBRNLeB+jLUbbVNwXKQkrm6+Il2Z
'' SIG '' pzCCARgGA1UdHwSCAQ8wggELMIHDoIHAoIG9hoG6bGRh
'' SIG '' cDovLy9DTj1DQSUyMFBsYXN0aWZsZXgsQ049c3J2cGxi
'' SIG '' ZTAxLENOPUNEUCxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2
'' SIG '' aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9u
'' SIG '' LERDPXBsYXN0aWZsZXgsREM9YmU/Y2VydGlmaWNhdGVS
'' SIG '' ZXZvY2F0aW9uTGlzdD9iYXNlP29iamVjdGNsYXNzPWNS
'' SIG '' TERpc3RyaWJ1dGlvblBvaW50MEOgQaA/hj1odHRwOi8v
'' SIG '' c3J2cGxiZTAxLnBsYXN0aWZsZXguYmUvQ2VydEVucm9s
'' SIG '' bC9DQSUyMFBsYXN0aWZsZXguY3JsMBAGCSsGAQQBgjcV
'' SIG '' AQQDAgEAMA0GCSqGSIb3DQEBBQUAA0EAqS56bDjdKYOU
'' SIG '' LJFzzZEocKLtw7ms6mljut2XEpXAed5m6/IWE9FdVyLu
'' SIG '' Kd8DsgOk2EcNyn7gF48SokOVf4RsMjGCATUwggExAgEB
'' SIG '' MH0waTElMCMGCSqGSIb3DQEJARYWYmVoZWVyZGVyQHBs
'' SIG '' YXRpZmxleC5iZTELMAkGA1UEBhMCQkUxGzAZBgNVBAoT
'' SIG '' ElBsYXN0aWZsZXggQmVsZ2l1bTEWMBQGA1UEAxMNQ0Eg
'' SIG '' UGxhc3RpZmxleAIQfkJ0G34QpJNFoagxjw5AVzAMBggq
'' SIG '' hkiG9w0CBQUAoE4wEAYKKwYBBAGCNwIBDDECMAAwGQYJ
'' SIG '' KoZIhvcNAQkDMQwGCisGAQQBgjcCAQQwHwYJKoZIhvcN
'' SIG '' AQkEMRIEEINwSCZrqB/5msoTUE2GuM4wDQYJKoZIhvcN
'' SIG '' AQEBBQAEQKS51Qu7cESUtTQmWDpoyaoUmVxvZsXLrO61
'' SIG '' P+61QFRvV1CbsejdwtmiUTCetDb/NsVg1STLdSlQVikO
'' SIG '' lG9GybE=
'' SIG '' End signature block

Rename it back to AU3 and you are ready to run a trustworthy script.

Enjoy !!

ptrex

Edited by ptrex
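As an added example (not ptrex's code; the script in the post is AutoIt), a small Python helper that reproduces the '' SIG '' wrapping the signer appends, extracts the block again, confirms the outer PKCS#7 type is signedData, and checks that the block sits behind an unterminated #comments-start as the post suggests. SAMPLE_DER is a constructed placeholder rather than a real signature, and the code inspects the block's structure only; it does not verify the signature, which only Windows (WSH or Authenticode verification) can do.

```python
import base64
import re
# Marker lines and 44-character base64 wrapping follow the '' SIG '' block shown in the post above.
SIG_PREFIX = "'' SIG '' "
BEGIN = SIG_PREFIX + "Begin signature block"
END = SIG_PREFIX + "End signature block"
OID_SIGNED_DATA = "1.2.840.113549.1.7.2"   # PKCS#7 signedData, the outer type of a code signature
# Constructed stand-in for a real signature: SEQUENCE { signedData OID, [0] { empty OCTET STRING } }
SAMPLE_DER = bytes.fromhex("300f06092a864886f70d010702a0020400")

def wrap_signature(script_text, der):
    """Append a '' SIG '' block to the script: base64 of the DER, 44 characters per line."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [BEGIN] + [SIG_PREFIX + b64[i:i + 44] for i in range(0, len(b64), 44)] + [END]
    return script_text.rstrip("\n") + "\n" + "\n".join(lines) + "\n"

def extract_signature(text):
    """Return the DER bytes of the '' SIG '' block, or None if the script carries no block."""
    m = re.search(re.escape(BEGIN) + r"\n(.*?)\n" + re.escape(END), text, re.S)
    if not m:
        return None
    b64 = "".join(line[len(SIG_PREFIX):] for line in m.group(1).splitlines())
    return base64.b64decode(b64, validate=True)

def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos; handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def content_type_oid(der):
    """Dotted OID of the outer PKCS#7 ContentInfo; a code signature reports signedData."""
    outer, start, _ = _read_tlv(der, 0)
    inner, ostart, oend = _read_tlv(der, start)
    if (outer, inner) != (0x30, 0x06):
        raise ValueError("expected SEQUENCE { OBJECT IDENTIFIER, ... }")
    body = der[ostart:oend]
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:                                 # base-128 arcs, high bit = continuation
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, value = arcs + [value], 0
    return ".".join(map(str, arcs))

def hidden_from_autoit(text):
    """True if the block sits after an unterminated #comments-start, the trick the post uses."""
    head = text.split(BEGIN, 1)[0]
    return head.rfind("#comments-start") > head.rfind("#comments-end")
```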
@gesller

Thanks for the additional info, good to know where to look

@LIMITER

Regarding the Path question.

Actually you don't specify a path to the certificate.

You only need to reference the name of it in the "SignFile" property.

In my case the certificate was installed using the name CA.

Once installed you can reference it using the name.

$oSigner.SignFile ($Script, "CA")

Regards

ptrex


@DigitAll

To sign compiled scripts, you should create a ".cer" file (digital certificate) and register it with a name by installing it, then you should change the

"$Script = "C:\test.vbs"" line with

$Script = "C:\compiled script.exe"

And Hey Presto! The exe has a digital signature (if you created it with "MAKECERT.EXE", then it will be cataloged as being unsafe, because it's created by a ROOT CERTIFICATE ...)

HOW TO CREATE A CERTIFICATE:

1. You should download "MAKECERT.EXE" ... (just google it)

2. Open a command prompt and go to the path where MAKECERT.EXE is.

3. Then type something like this:

makecert.exe -sk "NAME" -r -n "CN=Company name,O=organisation,E=email" somename.cer

4. You should see a file called "somename.cer" in that directory ... That's the CERTIFICATE!

HOW TO INSTALL A CERTIFICATE:

1. Open the ".cer" file

2. Click the "Install Certificate" button :)

Best regards,

L|M|TER


@jackit

The hard part of this simple script is creating and installing a CERTIFICATE for script signing.

All the rest is explained in the first topic.

Creating and installing a certificate is straightforward too:

1. I go to a Windows Server and open the MMC.

2. Go to Certificates (local computer) (If it does not exist you need to add it first)

3. Find a Certificate that allows Code Signing in the list.

4. Export including a shared key. (recall the name of the cert. for later use)

5. Go to the Script Development PC and install the certificate.

6. Run the script.

@slayerz

Thanks

regards

ptrex


@ptrex, I had done like what you'd said. For the first try, I'd signed my compiled_script.exe and when I open the property, there's a new tab, "Digital Signature", with my name as a signer. (so glad it's working :))

....but when I run the compiled_script.exe, from my process viewer it shows as "Unknown Manufacturer".

I'd a script written in batch (.bat) and compiled it to .exe using QBFC.

When I run my application, it does show my name as the manufacturer (or company name) same like other Windows application that will show the name Microsoft.

Is it possible to do the same as what QBFC does? (QBFC stands for Quick Batch File Compiler)

AUTOIT I'm lovin' it!

@slayerz

This tool is called "RESOURCE HACK", which is on your system, shipped with AU3.

1. Go to C:\Program Files\AutoIt3\SciTe\AutoIt3Wrapper and look for "ResHacker.exe"

2. Open the file and select an EXE you want to change.

3. Go to VERSION INFO and make your changes.

I am not responsible for any damage to the EXE :)

regards

ptrex

@ptrex

Thanks for the explanation... I'll try it, hehe

AUTOIT I'm lovin' it!
