ptrex

Digital Code Signing Your Script

52 posts in this topic

#1 ·  Posted (edited)

Some time ago I came across an article that mentioned the Digital Code Signing of VBS scripts.

Well, we can use this technique to digitally sign our AU3 scripts.

What do you need for that:

1. A certificate to sign your code:

If you have a Windows 2000 server or higher, you can release your own certificate.

Export it to your development client and install it.

Create a Digital Signature

2. A Code Signing script

; Initialize error handler
$oMyError = ObjEvent("AutoIt.Error", "MyErrFunc")

; File to sign (an AU3 script is renamed to .vbs first, see below)
$Script = "C:\test.vbs"

; --------------------------------- Sign it ----------------------------------
; Use a valid certificate:
; you can do this by going to a server that has a certificate service running,
; then export a certificate that is OK for Signing Code and import it on the client.
; "CA" is the name the certificate was installed under, not a path to a file.
$oSigner = ObjCreate("Scripting.Signer")
$oSigner.SignFile($Script, "CA")
$oSigner = ""

; --------------------------------- Check it ---------------------------------
; VerifyFile returns True when the file carries a valid signature;
; with $blnShowUI = True the system can show its trust dialog.
$blnShowUI = True
$objSigner = ObjCreate("Scripting.Signer")
$blnIsSigned = $objSigner.VerifyFile($Script, $blnShowUI)
If $blnIsSigned Then
    ConsoleWrite("Script has been signed." & @LF)
Else
    ConsoleWrite("Script has not been signed." & @LF)
EndIf
$objSigner = ""

; This is the custom COM error handler
Func MyErrFunc()
  $HexNumber = Hex($oMyError.number, 8)
  MsgBox(0, "AutoItCOM Test", "We intercepted a COM Error !"       & @CRLF  & @CRLF & _
             "err.description is: "    & @TAB & $oMyError.description    & @CRLF & _
             "err.windescription:"     & @TAB & $oMyError.windescription & @CRLF & _
             "err.number is: "         & @TAB & $HexNumber               & @CRLF & _
             "err.lastdllerror is: "   & @TAB & $oMyError.lastdllerror   & @CRLF & _
             "err.scriptline is: "     & @TAB & $oMyError.scriptline     & @CRLF & _
             "err.source is: "         & @TAB & $oMyError.source         & @CRLF & _
             "err.helpfile is: "       & @TAB & $oMyError.helpfile       & @CRLF & _
             "err.helpcontext is: "    & @TAB & $oMyError.helpcontext _
            )
  SetError(1)  ; to check for after this function returns
EndFunc

Well there is one thing more to tell.

The object only signs VBS, WSH, JS etc. extensions, NOT AU3.

EDIT dd. 14/03/08: it does work on EXE files compiled with AU3 !!

Therefore you need to fool the system like this:

1. Add this as the last line of your code: #comments-start

2. Rename your AU3 script to VBS when signing.

Now you are ready to sign it.

This is how it should look after the signing:

MsgBox(0,"Info","Hello World")
#comments-start

'' SIG '' Begin signature block
'' SIG '' MIIFKQYJKoZIhvcNAQcCoIIFGjCCBRYCAQExDjAMBggq
'' SIG '' hkiG9w0CBQUAMGYGCisGAQQBgjcCAQSgWDBWMDIGCisG
'' SIG '' AQQBgjcCAR4wJAIBAQQQTvApFpkntU2P5azhDxfrqwIB
'' SIG '' AAIBAAIBAAIBAAIBADAgMAwGCCqGSIb3DQIFBQAEEFWk
'' SIG '' IdVeeZ9UsHEwZXiCQQGgggNeMIIDWjCCAwSgAwIBAgIQ
'' SIG '' fkJ0G34QpJNFoagxjw5AVzANBgkqhkiG9w0BAQUFADBp
'' SIG '' MSUwIwYJKoZIhvcNAQkBFhZiZWhlZXJkZXJAcGxhdGlm
'' SIG '' bGV4LmJlMQswCQYDVQQGEwJCRTEbMBkGA1UEChMSUGxh
'' SIG '' c3RpZmxleCBCZWxnaXVtMRYwFAYDVQQDEw1DQSBQbGFz
'' SIG '' dGlmbGV4MCAXDTAyMTIyMzEzNTgxNFoYDzIxMDExMjIz
'' SIG '' MTQwMzQxWjBpMSUwIwYJKoZIhvcNAQkBFhZiZWhlZXJk
'' SIG '' ZXJAcGxhdGlmbGV4LmJlMQswCQYDVQQGEwJCRTEbMBkG
'' SIG '' A1UEChMSUGxhc3RpZmxleCBCZWxnaXVtMRYwFAYDVQQD
'' SIG '' Ew1DQSBQbGFzdGlmbGV4MFwwDQYJKoZIhvcNAQEBBQAD
'' SIG '' SwAwSAJBAMfEKPc4U06twoNowuv9i6PqVEncgF9C5ubV
'' SIG '' 2M/WV2G8OWC6BcDoAD/19uCDY9owy9v+O0m65xVJueB8
'' SIG '' WQY+kVkCAwEAAaOCAYQwggGAMBMGCSsGAQQBgjcUAgQG
'' SIG '' HgQAQwBBMAsGA1UdDwQEAwIBRjAPBgNVHRMBAf8EBTAD
'' SIG '' AQH/MB0GA1UdDgQWBBRNLeB+jLUbbVNwXKQkrm6+Il2Z
'' SIG '' pzCCARgGA1UdHwSCAQ8wggELMIHDoIHAoIG9hoG6bGRh
'' SIG '' cDovLy9DTj1DQSUyMFBsYXN0aWZsZXgsQ049c3J2cGxi
'' SIG '' ZTAxLENOPUNEUCxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2
'' SIG '' aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9u
'' SIG '' LERDPXBsYXN0aWZsZXgsREM9YmU/Y2VydGlmaWNhdGVS
'' SIG '' ZXZvY2F0aW9uTGlzdD9iYXNlP29iamVjdGNsYXNzPWNS
'' SIG '' TERpc3RyaWJ1dGlvblBvaW50MEOgQaA/hj1odHRwOi8v
'' SIG '' c3J2cGxiZTAxLnBsYXN0aWZsZXguYmUvQ2VydEVucm9s
'' SIG '' bC9DQSUyMFBsYXN0aWZsZXguY3JsMBAGCSsGAQQBgjcV
'' SIG '' AQQDAgEAMA0GCSqGSIb3DQEBBQUAA0EAqS56bDjdKYOU
'' SIG '' LJFzzZEocKLtw7ms6mljut2XEpXAed5m6/IWE9FdVyLu
'' SIG '' Kd8DsgOk2EcNyn7gF48SokOVf4RsMjGCATUwggExAgEB
'' SIG '' MH0waTElMCMGCSqGSIb3DQEJARYWYmVoZWVyZGVyQHBs
'' SIG '' YXRpZmxleC5iZTELMAkGA1UEBhMCQkUxGzAZBgNVBAoT
'' SIG '' ElBsYXN0aWZsZXggQmVsZ2l1bTEWMBQGA1UEAxMNQ0Eg
'' SIG '' UGxhc3RpZmxleAIQfkJ0G34QpJNFoagxjw5AVzAMBggq
'' SIG '' hkiG9w0CBQUAoE4wEAYKKwYBBAGCNwIBDDECMAAwGQYJ
'' SIG '' KoZIhvcNAQkDMQwGCisGAQQBgjcCAQQwHwYJKoZIhvcN
'' SIG '' AQkEMRIEEINwSCZrqB/5msoTUE2GuM4wDQYJKoZIhvcN
'' SIG '' AQEBBQAEQKS51Qu7cESUtTQmWDpoyaoUmVxvZsXLrO61
'' SIG '' P+61QFRvV1CbsejdwtmiUTCetDb/NsVg1STLdSlQVikO
'' SIG '' lG9GybE=
'' SIG '' End signature block

Rename it back to AU3 and you are ready to run a trustworthy script.

Enjoy !!

ptrex

Edited by ptrex
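What the `'' SIG ''` block actually contains is a base64-encoded PKCS#7 signedData structure, the same container Authenticode uses. The script below is an added example, not code from this thread: it extracts the block from a signed file, decodes it, parses the outer DER ContentInfo to confirm the content type is signedData, and checks that the `#comments-start` guard from the post precedes the block. It does not verify the signature itself; that still needs `Scripting.Signer.VerifyFile` (or another Authenticode-aware tool) on Windows. The sample signed script it builds is constructed here with a dummy payload and is not a real signature.

```python
"""Inspect the '' SIG '' block that Scripting.Signer appends to a script.

Added example (not code from the thread). Parses the outer DER ContentInfo
only; it does not validate the signature.
"""
import base64
import re

SIGNED_DATA_OID = "1.2.840.113549.1.7.2"   # PKCS#7 / CMS signedData
SIG_BEGIN = "'' SIG '' Begin signature block"
SIG_END = "'' SIG '' End signature block"
SIG_LINE = re.compile(r"^'' SIG '' ([A-Za-z0-9+/=]+)$")


def extract_signature(script_text):
    """Split a signed script into (body, der_bytes, guarded).

    body    - everything before the signature block
    der     - decoded bytes of the block, or None if there is no block
    guarded - True when the last non-empty body line is #comments-start,
              the trick from the thread that hides the block from AutoIt
    """
    lines = script_text.splitlines()
    if SIG_BEGIN not in lines or SIG_END not in lines:
        return script_text, None, False
    start = lines.index(SIG_BEGIN)
    end = lines.index(SIG_END, start + 1)
    b64 = "".join(m.group(1) for m in map(SIG_LINE.match, lines[start + 1:end]) if m)
    body_lines = lines[:start]
    non_empty = [l.strip() for l in body_lines if l.strip()]
    guarded = bool(non_empty) and non_empty[-1] == "#comments-start"
    return "\n".join(body_lines), base64.b64decode(b64), guarded


def _read_length(data, pos):
    """Decode a DER length at data[pos]; return (length, position after it)."""
    first = data[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(data[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def _decode_oid(raw):
    """Turn OID content bytes into dotted notation."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def inspect_signature(der):
    """Parse the outer ContentInfo: SEQUENCE { OID contentType, [0] ... }.

    Works on a truncated prefix too: 'complete' tells whether the declared
    length matches the bytes supplied.
    """
    if not der or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    seq_len, pos = _read_length(der, 1)
    if der[pos] != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER as first element")
    oid_len, oid_pos = _read_length(der, pos + 1)
    oid = _decode_oid(der[oid_pos:oid_pos + oid_len])
    return {
        "declared_length": seq_len,
        "complete": len(der) == pos + seq_len,
        "content_type": oid,
        "is_signed_data": oid == SIGNED_DATA_OID,
    }


def _der(tag, content):
    """Minimal DER TLV encoder (content shorter than 65536 bytes)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + content


def _encode_oid(oid):
    """Inverse of _decode_oid, used only to build the constructed sample."""
    arcs = [int(a) for a in oid.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def build_sample_signed_script():
    """Constructed stand-in for a signed file: the thread's one-line script,
    the #comments-start guard, and a '' SIG '' block wrapping a ContentInfo
    whose [0] payload is a dummy INTEGER rather than real SignedData."""
    content_info = _der(0x30, _der(0x06, _encode_oid(SIGNED_DATA_OID))
                        + _der(0xA0, _der(0x30, _der(0x02, b"\x01"))))
    b64 = base64.b64encode(content_info).decode()
    sig_lines = ["'' SIG '' " + b64[i:i + 44] for i in range(0, len(b64), 44)]
    return "\n".join(['MsgBox(0, "Info", "Hello World")', "#comments-start", "",
                      SIG_BEGIN, *sig_lines, SIG_END, ""])


if __name__ == "__main__":
    body, der, guarded = extract_signature(build_sample_signed_script())
    print("guarded by #comments-start:", guarded)
    print(inspect_signature(der))
```

Running it on the constructed sample reports a complete signedData ContentInfo; feeding it only the first `'' SIG ''` line of a real block still yields the content type and the declared length, with `complete` set to False, which is a cheap way to spot a truncated or tampered block before handing the file to a real verifier.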

Great idea Ptrex! Anyone looking for the signcode.exe can find some help here.

I have a question ...

Where do I put the path to the cert file?

I am having problems too.. Just a duh moment for me.. LOL :)

@gesller

Thanks for the additional info, good to know where to look

@LIMITER

Regarding the path question:

Actually you don't specify a path to the certificate.

You only need to reference the name of it in the "SignFile" property.

In my case the certificate was installed using the name CA.

Once installed you can reference it using that name.

$oSigner.SignFile ($Script, "CA")

Regards

ptrex

Thx ptrex !

Hi, interesting script yet I don't know how to use it...

Does this script digitally sign compiled scripts?

...


I FEEL DEVOTION

#8 ·  Posted (edited)

@DigitAll

To sign compiled scripts, you should create a ".cer" file (digital certificate) and register it with a name by installing it. Then you should change the

"$Script = "C:\test.vbs"" line to

$Script = "C:\compiled script.exe"

And Hey Presto! The exe has a digital signature (if you created it with "MAKECERT.EXE", then it will be cataloged as being unsafe, because it's created by ROOT CERTIFICATE ...)

HOW TO CREATE A CERTIFICATE :

1. You should download "MAKECERT.EXE" ... (just google it)

2. Open a command prompt and go to the path where MAKECERT.EXE is

3. Then type something like this:

makecert.exe -sk "NAME" -r -n "CN=Company name,O=organisation,E=email" somename.cer

4. You should see a file called "somename.cer" in that directory ... That's the CERTIFICATE !

HOW TO INSTALL A CERTIFICATE :

1. Open the ".cer" file

2. Click "Install Certificate" button :)

Best regards,

L|M|TER

Edited by LIMITER

Is this free?

Yes, but I haven't tried this yet

I FEEL DEVOTION

#11 ·  Posted (edited)

Quick question:

I downloaded dotNetFx35setup from Microsoft (and installed it) but I can't locate makecert.exe.

Where is IT?

Edited by DigitAll

I FEEL DEVOTION

@DigitAll

Did you bother to read my post 9?

In there is a link from where you can download it !!

regards,

ptrex

Sorry, I figured it out now.

Thanks very much. Cool script!


I FEEL DEVOTION

I did what LIMITER said, and installed the cert... what does that have to do with creating certs? It did nothing???

@ptrex, you're awesome buddy! :)


AUTOIT[sup] I'm lovin' it![/sup]

@jackit

The hard part of this simple script is creating and installing a CERTIFICATE for script signing.

All the rest is explained in the first topic.

Creating and installing a certificate is straightforward too:

1. Go to a Windows Server and open the MMC.

2. Go to Certificates (local computer) (If it does not exist you need to add it first)

3. Find a Certificate that allows Code Signing in the list.

4. Export including a shared key. (recall the name of the cert. for later use)

5. Go to the Script Development PC and install the certificate.

6. Run the script.

@slayerz

Thanks

regards

ptrex

@ptrex, I did what you said. For the first try, I signed my compiled_script.exe and when I open the properties, there's a new tab, "Digital Signature", with my name as the signer. (so glad it's working :))

....but when I run the compiled_script.exe , from my process viewer it shows as "Unknown Manufacturer".

I had a script written in batch (.bat) and compiled it to .exe using QBFC.

When I run my application, it does show my name as the manufacturer (or company name), just like other Windows applications that show the name Microsoft.

Is it possible to do the same as what QBFC does? (QBFC stands for Quick Batch File Compiler)


AUTOIT[sup] I'm lovin' it![/sup]

@slayerz

This tool is called "RESOURCE HACK", which is shipped with AU3 on your system.

1. Go to C:\Program Files\AutoIt3\SciTe\AutoIt3Wrapper and look for "ResHacker.exe"

2. Open the file and select an EXE you want to change.

3. Go to VERSION INFO and make your changes.

I am not responsible for any damage to the EXE :)

regards

ptrex

@ptrex

Thanks for the explanation... I'll try it, hehe


AUTOIT[sup] I'm lovin' it![/sup]
