A forum for reverse engineering, OS internals and malware analysis 

All off-topic discussion goes here.
 #28480  by evelyette
 Wed May 11, 2016 8:14 am
Hello,

I've been trying to determine how ESET SysInspector http://support.eset.com/kb762/?viewlocale=en_US checks whether a DLL in system32 is valid or not. Below is a screenshot of an example, where ESET SysInspector flags the DLL with "Status 5 (unknown)", rather than "Status 1 (fine)". The executable is quite large and everything happens in the program startup, which makes it somewhat annoying to reverse engineer.
bug3.png
bug3.png (107.61 KiB) Viewed 837 times
Does anybody know how tools like ESET SysInspector check whether the file. It must check the file size, file hash, etc. I'm interested in the following:

1. What exactly the check routines check on the system files in order to mark them with status unknown/fine?

2. Does the system have any information about existing files stored somewhere in registry, so it knows the valid hash of a system file, as well as other details. Such information must be linked with the TrustedInstaller, which must modify the information once the update has been installed on the system. If for example, TrustedInstalled installs a new kernel32.dll into the system32 folder, what information needs to store into the system registry (or someplace else) in order to verify that the new file is indeed correct.

3. This is strongly linked with SFC.EXE, which is why I would also like to know how this small tool checks whether the file is valid or not - disregarding the fact about whether the file was placed into the system32 folder by TrustedInstaller or by a highly technical administrator. I'm researching how exactly the verification occurs and what checks are being made by SFC.EXE as well as other tools like ESET SysInspector.
 #28482  by Vrtule
 Wed May 11, 2016 12:36 pm
I expect that system files are digitaly signed by a certificate from Microsoft. So, you can obtain certificate common name CN and check whether the signature is valid (WinVerifyTrust). Howerver, I don't know whether ESET does this but I think that this procedure is just a part of their doings.

There also is (or was, in the elder days) a service monitoring changes to certain system files that was replacing the changes ones with the original ones. Not sure how this thing works today.
 #28483  by evelyette
 Wed May 11, 2016 3:07 pm
Hi,

Thank you for your response. First, I would like to inform you that the service, which was monitoring the system files and replaced them with their original couterparts was only present in Windows up until Windows XP (not sure if it was available in prior Windows than Windows XP). Therefore, starting from Vista, the service is not there anymore and system administrator can take ownership of the system files and modify them.

I've check whether the WinVerifyTrust function is in the imports of SysInspector.exe as well as sfc.exe, but it isn't. These are the functions imported by the sfc.exe:
Address Ordinal Name Library
------- ------- ---- -------
0000000100001000 AllocateAndInitializeSid ADVAPI32
0000000100001008 FreeSid ADVAPI32
0000000100001010 CheckTokenMembership ADVAPI32
0000000100001018 RegQueryValueExW ADVAPI32
0000000100001020 RegEnumValueW ADVAPI32
0000000100001028 RegOpenKeyExW ADVAPI32
0000000100001038 QueryPerformanceCounter KERNEL32
0000000100001040 Sleep KERNEL32
0000000100001048 GetSystemInfo KERNEL32
0000000100001050 MapViewOfFile KERNEL32
0000000100001058 UnmapViewOfFile KERNEL32
0000000100001060 FreeLibrary KERNEL32
0000000100001068 HeapAlloc KERNEL32
0000000100001070 SystemTimeToFileTime KERNEL32
0000000100001078 CompareFileTime KERNEL32
0000000100001080 LocalFree KERNEL32
0000000100001088 SetEvent KERNEL32
0000000100001090 GetProcessHeap KERNEL32
0000000100001098 LoadLibraryW KERNEL32
00000001000010A0 GetVersionExW KERNEL32
00000001000010A8 FileTimeToSystemTime KERNEL32
00000001000010B0 GetModuleFileNameW KERNEL32
00000001000010B8 CreateFileW KERNEL32
00000001000010C0 GetFileSizeEx KERNEL32
00000001000010C8 GetLastError KERNEL32
00000001000010D0 GetLocalTime KERNEL32
00000001000010D8 CreateFileMappingW KERNEL32
00000001000010E0 LocaleNameToLCID KERNEL32
00000001000010E8 CreateEventW KERNEL32
00000001000010F0 GetProductInfo KERNEL32
00000001000010F8 QueueUserWorkItem KERNEL32
0000000100001100 GetFileTime KERNEL32
0000000100001108 GetUserDefaultUILanguage KERNEL32
0000000100001110 GetDiskFreeSpaceExW KERNEL32
0000000100001118 CloseHandle KERNEL32
0000000100001120 HeapSetInformation KERNEL32
0000000100001128 GetProcAddress KERNEL32
0000000100001130 GetConsoleOutputCP KERNEL32
0000000100001138 FormatMessageW KERNEL32
0000000100001140 GetModuleHandleW KERNEL32
0000000100001148 WaitForSingleObject KERNEL32
0000000100001150 GetTickCount KERNEL32
0000000100001158 GetCurrentThreadId KERNEL32
0000000100001160 GetCurrentProcessId KERNEL32
0000000100001168 GetSystemTimeAsFileTime KERNEL32
0000000100001170 SetUnhandledExceptionFilter KERNEL32
0000000100001178 TerminateProcess KERNEL32
0000000100001180 GetCurrentProcess KERNEL32
0000000100001188 UnhandledExceptionFilter KERNEL32
0000000100001190 lstrcmpiW KERNEL32
0000000100001198 GetWindowsDirectoryW KERNEL32
00000001000011A0 lstrlenW KERNEL32
00000001000011B0 6 SysFreeString OLEAUT32
00000001000011B8 2 SysAllocString OLEAUT32
00000001000011C8 PowerDeterminePlatformRole POWRPROF
00000001000011D8 VerQueryValueW VERSION
00000001000011E0 GetFileVersionInfoW VERSION
00000001000011E8 GetFileVersionInfoSizeW VERSION
00000001000011F8 _initterm msvcrt
0000000100001200 _amsg_exit msvcrt
0000000100001208 __setusermatherr msvcrt
0000000100001210 _commode msvcrt
0000000100001218 _fmode msvcrt
0000000100001220 __set_app_type msvcrt
0000000100001228 ?terminate@@YAXXZ msvcrt
0000000100001230 __C_specific_handler msvcrt
0000000100001238 exit msvcrt
0000000100001240 wcsstr msvcrt
0000000100001248 wcsrchr msvcrt
0000000100001250 strtok msvcrt
0000000100001258 atoi msvcrt
0000000100001260 strstr msvcrt
0000000100001268 wcstoul msvcrt
0000000100001270 swscanf msvcrt
0000000100001278 wcschr msvcrt
0000000100001280 mbstowcs msvcrt
0000000100001288 _wtof msvcrt
0000000100001290 ??2@YAPEAX_K@Z msvcrt
0000000100001298 __wgetmainargs msvcrt
00000001000012A0 wcstok msvcrt
00000001000012A8 strtoul msvcrt
00000001000012B0 _cexit msvcrt
00000001000012B8 _exit msvcrt
00000001000012C0 _XcptFilter msvcrt
00000001000012C8 memset msvcrt
00000001000012D0 _vsnwprintf msvcrt
00000001000012D8 _getmbcp msvcrt
00000001000012E0 _wsetlocale msvcrt
00000001000012E8 ??3@YAXPEAX@Z msvcrt
00000001000012F0 _snwprintf_s msvcrt
00000001000012F8 printf msvcrt
0000000100001300 _wcsnicmp msvcrt
0000000100001308 _wcsicmp msvcrt
0000000100001310 _strnicmp msvcrt
0000000100001318 memcpy msvcrt
0000000100001328 RtlExpandEnvironmentStrings_U ntdll
0000000100001330 RtlAnsiStringToUnicodeString ntdll
0000000100001338 RtlInitUnicodeString ntdll
0000000100001340 RtlCaptureContext ntdll
0000000100001348 RtlLookupFunctionEntry ntdll
0000000100001350 RtlVirtualUnwind ntdll
0000000100001358 RtlFreeUnicodeString ntdll
0000000100001360 RtlInitAnsiString ntdll
0000000100001370 CoCreateInstance ole32
0000000100001378 CoUninitialize ole32
0000000100001380 CoInitializeEx ole32
0000000100001388 CoGetMalloc ole32
While the SysInspector has the following functions imported:
Address Ordinal Name Library
------- ------- ---- -------
000000013F83D000 RegQueryValueW ADVAPI32
000000013F83D008 AdjustTokenPrivileges ADVAPI32
000000013F83D010 OpenProcessToken ADVAPI32
000000013F83D018 ImpersonateSelf ADVAPI32
000000013F83D020 DuplicateTokenEx ADVAPI32
000000013F83D028 SetThreadToken ADVAPI32
000000013F83D030 DuplicateToken ADVAPI32
000000013F83D038 GetSidSubAuthorityCount ADVAPI32
000000013F83D040 GetSidIdentifierAuthority ADVAPI32
000000013F83D048 IsValidSid ADVAPI32
000000013F83D050 GetSidSubAuthority ADVAPI32
000000013F83D058 GetSecurityDescriptorDacl ADVAPI32
000000013F83D060 InitializeSecurityDescriptor ADVAPI32
000000013F83D068 SetSecurityDescriptorDacl ADVAPI32
000000013F83D070 RegEnumKeyW ADVAPI32
000000013F83D078 RevertToSelf ADVAPI32
000000013F83D080 CryptAcquireContextW ADVAPI32
000000013F83D088 CryptReleaseContext ADVAPI32
000000013F83D090 FreeSid ADVAPI32
000000013F83D098 EqualSid ADVAPI32
000000013F83D0A0 AllocateAndInitializeSid ADVAPI32
000000013F83D0A8 GetTokenInformation ADVAPI32
000000013F83D0B0 OpenThreadToken ADVAPI32
000000013F83D0B8 RegDeleteKeyW ADVAPI32
000000013F83D0C0 RegDeleteValueW ADVAPI32
000000013F83D0C8 RegEnumValueW ADVAPI32
000000013F83D0D0 RegEnumKeyExW ADVAPI32
000000013F83D0D8 RegQueryInfoKeyW ADVAPI32
000000013F83D0E0 RegCreateKeyW ADVAPI32
000000013F83D0E8 RegOpenKeyW ADVAPI32
000000013F83D0F0 LookupPrivilegeValueW ADVAPI32
000000013F83D100 17 InitCommonControls COMCTL32
000000013F83D110 GetOpenFileNameW COMDLG32
000000013F83D118 GetSaveFileNameW COMDLG32
000000013F83D128 GetTextMetricsW GDI32
000000013F83D130 GetBkColor GDI32
000000013F83D138 CombineRgn GDI32
000000013F83D140 Ellipse GDI32
000000013F83D148 Rectangle GDI32
000000013F83D150 SelectClipRgn GDI32
000000013F83D158 SetBkColor GDI32
000000013F83D160 GetPixel GDI32
000000013F83D168 CreateDIBitmap GDI32
000000013F83D170 SetBitmapBits GDI32
000000013F83D178 GetBitmapBits GDI32
000000013F83D180 ExtTextOutW GDI32
000000013F83D188 CreateDIBSection GDI32
000000013F83D190 EnumFontFamiliesW GDI32
000000013F83D198 SetDIBits GDI32
000000013F83D1A0 GetDIBits GDI32
000000013F83D1A8 CreateBitmap GDI32
000000013F83D1B0 GetDeviceCaps GDI32
000000013F83D1B8 DPtoLP GDI32
000000013F83D1C0 LPtoDP GDI32
000000013F83D1C8 CreateRectRgn GDI32
000000013F83D1D0 RectInRegion GDI32
000000013F83D1D8 CreateFontIndirectW GDI32
000000013F83D1E0 GetTextExtentPoint32W GDI32
000000013F83D1E8 GetViewportExtEx GDI32
000000013F83D1F0 GetWindowExtEx GDI32
000000013F83D1F8 GetMapMode GDI32
000000013F83D200 CreateCompatibleBitmap GDI32
000000013F83D208 GetObjectW GDI32
000000013F83D210 GetCurrentObject GDI32
000000013F83D218 CreatePen GDI32
000000013F83D220 DeleteDC GDI32
000000013F83D228 StretchBlt GDI32
000000013F83D230 BitBlt GDI32
000000013F83D238 SelectObject GDI32
000000013F83D240 CreateCompatibleDC GDI32
000000013F83D248 DeleteObject GDI32
000000013F83D250 CreateSolidBrush GDI32
000000013F83D258 CopyMetaFileW GDI32
000000013F83D260 CreateDCW GDI32
000000013F83D268 SetTextColor GDI32
000000013F83D270 CreateHatchBrush GDI32
000000013F83D278 CreatePatternBrush GDI32
000000013F83D280 Escape GDI32
000000013F83D288 ExcludeClipRect GDI32
000000013F83D290 GetClipBox GDI32
000000013F83D298 GetObjectType GDI32
000000013F83D2A0 GetStockObject GDI32
000000013F83D2A8 IntersectClipRect GDI32
000000013F83D2B0 LineTo GDI32
000000013F83D2B8 RectVisible GDI32
000000013F83D2C0 PtVisible GDI32
000000013F83D2C8 GetTextFaceW GDI32
000000013F83D2D0 GetViewportOrgEx GDI32
000000013F83D2D8 GetWindowOrgEx GDI32
000000013F83D2E0 GetBoundsRect GDI32
000000013F83D2E8 FillRgn GDI32
000000013F83D2F0 SetPaletteEntries GDI32
000000013F83D2F8 ExtFloodFill GDI32
000000013F83D300 SetPixelV GDI32
000000013F83D308 PtInRegion GDI32
000000013F83D310 FrameRgn GDI32
000000013F83D318 RoundRect GDI32
000000013F83D320 CreateRoundRectRgn GDI32
000000013F83D328 OffsetRgn GDI32
000000013F83D330 EnumFontFamiliesExW GDI32
000000013F83D338 Polyline GDI32
000000013F83D340 Polygon GDI32
000000013F83D348 CreatePolygonRgn GDI32
000000013F83D350 CreateEllipticRgn GDI32
000000013F83D358 SetDIBColorTable GDI32
000000013F83D360 SetPixel GDI32
000000013F83D368 GetTextCharsetInfo GDI32
000000013F83D370 RealizePalette GDI32
000000013F83D378 GetSystemPaletteEntries GDI32
000000013F83D380 GetPaletteEntries GDI32
000000013F83D388 GetNearestPaletteIndex GDI32
000000013F83D390 CreatePalette GDI32
000000013F83D398 GetRgnBox GDI32
000000013F83D3A0 GetTextColor GDI32
000000013F83D3A8 SetRectRgn GDI32
000000013F83D3B0 PatBlt GDI32
000000013F83D3B8 CreateRectRgnIndirect GDI32
000000013F83D3C0 ScaleWindowExtEx GDI32
000000013F83D3C8 ScaleViewportExtEx GDI32
000000013F83D3D0 OffsetWindowOrgEx GDI32
000000013F83D3D8 OffsetViewportOrgEx GDI32
000000013F83D3E0 SetWindowOrgEx GDI32
000000013F83D3E8 SetWindowExtEx GDI32
000000013F83D3F0 SetViewportOrgEx GDI32
000000013F83D3F8 SetViewportExtEx GDI32
000000013F83D400 TextOutW GDI32
000000013F83D408 MoveToEx GDI32
000000013F83D410 RestoreDC GDI32
000000013F83D418 SetTextAlign GDI32
000000013F83D420 SetROP2 GDI32
000000013F83D428 SetPolyFillMode GDI32
000000013F83D430 GetLayout GDI32
000000013F83D438 SetLayout GDI32
000000013F83D440 SetMapMode GDI32
000000013F83D448 SetBkMode GDI32
000000013F83D450 SelectPalette GDI32
000000013F83D458 ExtSelectClipRgn GDI32
000000013F83D460 SaveDC GDI32
000000013F83D470 ImmReleaseContext IMM32
000000013F83D478 ImmGetOpenStatus IMM32
000000013F83D480 ImmGetContext IMM32
000000013F83D490 FreeEnvironmentStringsW KERNEL32
000000013F83D498 GetEnvironmentStringsW KERNEL32
000000013F83D4A0 GetComputerNameW KERNEL32
000000013F83D4A8 HeapSize KERNEL32
000000013F83D4B0 RaiseException KERNEL32
000000013F83D4B8 HeapReAlloc KERNEL32
000000013F83D4C0 HeapFree KERNEL32
000000013F83D4C8 HeapAlloc KERNEL32
000000013F83D4D0 GetProcessHeap KERNEL32
000000013F83D4D8 lstrlenW KERNEL32
000000013F83D4E0 VerifyVersionInfoW KERNEL32
000000013F83D4E8 VerSetConditionMask KERNEL32
000000013F83D4F0 ExpandEnvironmentStringsA KERNEL32
000000013F83D4F8 LoadLibraryExA KERNEL32
000000013F83D500 SetEnvironmentVariableA KERNEL32
000000013F83D508 WriteConsoleW KERNEL32
000000013F83D510 OutputDebugStringW KERNEL32
000000013F83D518 ReadConsoleW KERNEL32
000000013F83D520 GetConsoleMode KERNEL32
000000013F83D528 GetConsoleCP KERNEL32
000000013F83D530 LCMapStringW KERNEL32
000000013F83D538 GetStringTypeW KERNEL32
000000013F83D540 GetCPInfo KERNEL32
000000013F83D548 GetOEMCP KERNEL32
000000013F83D550 GetACP KERNEL32
000000013F83D558 IsValidCodePage KERNEL32
000000013F83D560 TerminateProcess KERNEL32
000000013F83D568 SetUnhandledExceptionFilter KERNEL32
000000013F83D570 UnhandledExceptionFilter KERNEL32
000000013F83D578 LoadLibraryExW KERNEL32
000000013F83D580 GetTimeZoneInformation KERNEL32
000000013F83D588 GetLocaleInfoW KERNEL32
000000013F83D590 OpenProcess KERNEL32
000000013F83D598 LocalAlloc KERNEL32
000000013F83D5A0 QueryDosDeviceW KERNEL32
000000013F83D5A8 FreeResource KERNEL32
000000013F83D5B0 FindResourceExW KERNEL32
000000013F83D5B8 OpenFileMappingW KERNEL32
000000013F83D5C0 VirtualProtect KERNEL32
000000013F83D5C8 VirtualFree KERNEL32
000000013F83D5D0 VirtualAlloc KERNEL32
000000013F83D5D8 FileTimeToLocalFileTime KERNEL32
000000013F83D5E0 UnmapViewOfFile KERNEL32
000000013F83D5E8 MapViewOfFile KERNEL32
000000013F83D5F0 GetFileInformationByHandle KERNEL32
000000013F83D5F8 SetFileAttributesW KERNEL32
000000013F83D600 GetFileAttributesW KERNEL32
000000013F83D608 GetTempFileNameW KERNEL32
000000013F83D610 CopyFileW KERNEL32
000000013F83D618 MoveFileW KERNEL32
000000013F83D620 DeleteFileW KERNEL32
000000013F83D628 SetEndOfFile KERNEL32
000000013F83D630 SetFilePointer KERNEL32
000000013F83D638 SetErrorMode KERNEL32
000000013F83D640 FindNextFileW KERNEL32
000000013F83D648 FindFirstFileExW KERNEL32
000000013F83D650 FlushFileBuffers KERNEL32
000000013F83D658 GetCurrentProcessId KERNEL32
000000013F83D660 SystemTimeToTzSpecificLocalTime KERNEL32
000000013F83D668 FindClose KERNEL32
000000013F83D670 FindFirstFileW KERNEL32
000000013F83D678 RtlDeleteFunctionTable KERNEL32
000000013F83D680 RtlAddFunctionTable KERNEL32
000000013F83D688 SetLastError KERNEL32
000000013F83D690 GetLocalTime KERNEL32
000000013F83D698 GetSystemInfo KERNEL32
000000013F83D6A0 ExitThread KERNEL32
000000013F83D6A8 GetCommandLineW KERNEL32
000000013F83D6B0 ExitProcess KERNEL32
000000013F83D6B8 GetFullPathNameW KERNEL32
000000013F83D6C0 WideCharToMultiByte KERNEL32
000000013F83D6C8 GetEnvironmentVariableW KERNEL32
000000013F83D6D0 GetTimeFormatW KERNEL32
000000013F83D6D8 FileTimeToSystemTime KERNEL32
000000013F83D6E0 GetDateFormatW KERNEL32
000000013F83D6E8 GetTempPathW KERNEL32
000000013F83D6F0 OutputDebugStringA KERNEL32
000000013F83D6F8 GetOverlappedResult KERNEL32
000000013F83D700 GetLastError KERNEL32
000000013F83D708 ReadFile KERNEL32
000000013F83D710 GetFileSize KERNEL32
000000013F83D718 WriteFile KERNEL32
000000013F83D720 Sleep KERNEL32
000000013F83D728 GetModuleHandleW KERNEL32
000000013F83D730 GetModuleFileNameW KERNEL32
000000013F83D738 LocalFree KERNEL32
000000013F83D740 MultiByteToWideChar KERNEL32
000000013F83D748 FindResourceW KERNEL32
000000013F83D750 LoadResource KERNEL32
000000013F83D758 LockResource KERNEL32
000000013F83D760 SizeofResource KERNEL32
000000013F83D768 SetFileTime KERNEL32
000000013F83D770 GetFileTime KERNEL32
000000013F83D778 MoveFileExW KERNEL32
000000013F83D780 TerminateThread KERNEL32
000000013F83D788 GetCurrentProcess KERNEL32
000000013F83D790 DuplicateHandle KERNEL32
000000013F83D798 WaitForMultipleObjects KERNEL32
000000013F83D7A0 GetTickCount KERNEL32
000000013F83D7A8 GetCurrentThread KERNEL32
000000013F83D7B0 SetThreadPriority KERNEL32
000000013F83D7B8 GetSystemTimeAsFileTime KERNEL32
000000013F83D7C0 FreeLibrary KERNEL32
000000013F83D7C8 GetProcAddress KERNEL32
000000013F83D7D0 LoadLibraryW KERNEL32
000000013F83D7D8 GlobalFree KERNEL32
000000013F83D7E0 GlobalUnlock KERNEL32
000000013F83D7E8 GlobalLock KERNEL32
000000013F83D7F0 GlobalAlloc KERNEL32
000000013F83D7F8 RtlVirtualUnwind KERNEL32
000000013F83D800 QueryPerformanceCounter KERNEL32
000000013F83D808 GetStartupInfoW KERNEL32
000000013F83D810 GetStdHandle KERNEL32
000000013F83D818 GetFileType KERNEL32
000000013F83D820 SetStdHandle KERNEL32
000000013F83D828 VirtualQuery KERNEL32
000000013F83D830 RtlPcToFileHeader KERNEL32
000000013F83D838 RtlUnwindEx KERNEL32
000000013F83D840 RtlLookupFunctionEntry KERNEL32
000000013F83D848 IsProcessorFeaturePresent KERNEL32
000000013F83D850 SearchPathW KERNEL32
000000013F83D858 GetProfileIntW KERNEL32
000000013F83D860 SetEvent KERNEL32
000000013F83D868 GetCurrentThreadId KERNEL32
000000013F83D870 GetFileAttributesExW KERNEL32
000000013F83D878 lstrcpyW KERNEL32
000000013F83D880 UnlockFile KERNEL32
000000013F83D888 LockFile KERNEL32
000000013F83D890 GetVolumeInformationW KERNEL32
000000013F83D898 lstrcmpiW KERNEL32
000000013F83D8A0 GetCurrentDirectoryW KERNEL32
000000013F83D8A8 GlobalFlags KERNEL32
000000013F83D8B0 GetUserDefaultUILanguage KERNEL32
000000013F83D8B8 GetSystemDefaultUILanguage KERNEL32
000000013F83D8C0 CompareStringW KERNEL32
000000013F83D8C8 WaitForSingleObject KERNEL32
000000013F83D8D0 LeaveCriticalSection KERNEL32
000000013F83D8D8 GetThreadLocale KERNEL32
000000013F83D8E0 GlobalGetAtomNameW KERNEL32
000000013F83D8E8 LocalReAlloc KERNEL32
000000013F83D8F0 ResetEvent KERNEL32
000000013F83D8F8 EnterCriticalSection KERNEL32
000000013F83D900 DeleteCriticalSection KERNEL32
000000013F83D908 InitializeCriticalSection KERNEL32
000000013F83D910 GlobalHandle KERNEL32
000000013F83D918 GlobalReAlloc KERNEL32
000000013F83D920 SuspendThread KERNEL32
000000013F83D928 GlobalSize KERNEL32
000000013F83D930 MulDiv KERNEL32
000000013F83D938 FormatMessageW KERNEL32
000000013F83D940 GetSystemDirectoryW KERNEL32
000000013F83D948 GlobalDeleteAtom KERNEL32
000000013F83D950 lstrcmpW KERNEL32
000000013F83D958 GlobalAddAtomW KERNEL32
000000013F83D960 GlobalFindAtomW KERNEL32
000000013F83D968 QueryActCtxW KERNEL32
000000013F83D970 lstrcmpA KERNEL32
000000013F83D978 GetVersionExW KERNEL32
000000013F83D980 GetPrivateProfileIntW KERNEL32
000000013F83D988 GetPrivateProfileStringW KERNEL32
000000013F83D990 WritePrivateProfileStringW KERNEL32
000000013F83D998 TlsAlloc KERNEL32
000000013F83D9A0 TlsGetValue KERNEL32
000000013F83D9A8 TlsSetValue KERNEL32
000000013F83D9B0 TlsFree KERNEL32
000000013F83D9C0 TransparentBlt MSIMG32
000000013F83D9D0 CreateStdAccessibleObject OLEACC
000000013F83D9D8 AccessibleObjectFromWindow OLEACC
000000013F83D9E0 LresultFromObject OLEACC
000000013F83D9F0 114 VarBstrFromDate OLEAUT32
000000013F83D9F8 10 VariantCopy OLEAUT32
000000013F83DA00 9 __imp_VariantClear OLEAUT32
000000013F83DA08 4 SysAllocStringLen OLEAUT32
000000013F83DA10 161 LoadTypeLib OLEAUT32
000000013F83DA18 420 OleCreateFontIndirect OLEAUT32
000000013F83DA20 184 SystemTimeToVariantTime OLEAUT32
000000013F83DA28 185 VariantTimeToSystemTime OLEAUT32
000000013F83DA30 2 SysAllocString OLEAUT32
000000013F83DA38 6 SysFreeString OLEAUT32
000000013F83DA40 8 VariantInit OLEAUT32
000000013F83DA48 7 SysStringLen OLEAUT32
000000013F83DA50 16 SafeArrayDestroy OLEAUT32
000000013F83DA58 12 VariantChangeType OLEAUT32
000000013F83DA68 CommandLineToArgvW SHELL32
000000013F83DA70 ShellExecuteExW SHELL32
000000013F83DA78 DragAcceptFiles SHELL32
000000013F83DA80 DragQueryFileW SHELL32
000000013F83DA88 SHAppBarMessage SHELL32
000000013F83DA90 DragFinish SHELL32
000000013F83DA98 SHGetDesktopFolder SHELL32
000000013F83DAA0 SHGetSpecialFolderLocation SHELL32
000000013F83DAA8 ShellExecuteW SHELL32
000000013F83DAB8 StrFormatKBSizeW SHLWAPI
000000013F83DAC0 PathStripToRootW SHLWAPI
000000013F83DAC8 PathIsUNCW SHLWAPI
000000013F83DAD0 PathFindFileNameW SHLWAPI
000000013F83DAD8 PathFindExtensionW SHLWAPI
000000013F83DAE0 PathRemoveFileSpecW SHLWAPI
000000013F83DAF0 DestroyWindow USER32
000000013F83DAF8 GetWindowPlacement USER32
000000013F83DB00 SetWindowPlacement USER32
000000013F83DB08 GetDlgItem USER32
000000013F83DB10 GetDlgCtrlID USER32
000000013F83DB18 SetFocus USER32
000000013F83DB20 GetCapture USER32
000000013F83DB28 GetMenu USER32
000000013F83DB30 SetMenu USER32
000000013F83DB38 TrackPopupMenu USER32
000000013F83DB40 SetActiveWindow USER32
000000013F83DB48 ScrollWindow USER32
000000013F83DB50 SetScrollPos USER32
000000013F83DB58 GetScrollPos USER32
000000013F83DB60 SetScrollRange USER32
000000013F83DB68 GetScrollRange USER32
000000013F83DB70 ShowScrollBar USER32
000000013F83DB78 SetPropW USER32
000000013F83DB80 GetPropW USER32
000000013F83DB88 RemovePropW USER32
000000013F83DB90 GetWindowTextW USER32
000000013F83DB98 GetWindowTextLengthW USER32
000000013F83DBA0 AdjustWindowRectEx USER32
000000013F83DBA8 MapWindowPoints USER32
000000013F83DBB0 GetWindowLongPtrW USER32
000000013F83DBB8 SetWindowLongPtrW USER32
000000013F83DBC0 GetClassLongPtrW USER32
000000013F83DBC8 GetTopWindow USER32
000000013F83DBD0 GetLastActivePopup USER32
000000013F83DBD8 SetScrollInfo USER32
000000013F83DBE0 GetScrollInfo USER32
000000013F83DBE8 WinHelpW USER32
000000013F83DBF0 MonitorFromWindow USER32
000000013F83DBF8 ShowWindow USER32
000000013F83DC00 MoveWindow USER32
000000013F83DC08 SetDlgItemTextW USER32
000000013F83DC10 GetDlgItemTextW USER32
000000013F83DC18 CheckDlgButton USER32
000000013F83DC20 SetWindowTextW USER32
000000013F83DC28 IsDialogMessageW USER32
000000013F83DC30 GetMenuCheckMarkDimensions USER32
000000013F83DC38 DrawTextExW USER32
000000013F83DC40 GrayStringW USER32
000000013F83DC48 TabbedTextOutW USER32
000000013F83DC50 BeginPaint USER32
000000013F83DC58 EndPaint USER32
000000013F83DC60 ClientToScreen USER32
000000013F83DC68 CreateDialogIndirectParamW USER32
000000013F83DC70 EndDialog USER32
000000013F83DC78 GetNextDlgTabItem USER32
000000013F83DC80 GetKeyNameTextW USER32
000000013F83DC88 MapVirtualKeyW USER32
000000013F83DC90 SendDlgItemMessageA USER32
000000013F83DC98 IntersectRect USER32
000000013F83DCA0 WindowFromPoint USER32
000000013F83DCA8 PostQuitMessage USER32
000000013F83DCB0 SetWindowContextHelpId USER32
000000013F83DCB8 MapDialogRect USER32
000000013F83DCC0 ShowOwnedPopups USER32
000000013F83DCC8 CopyImage USER32
000000013F83DCD0 RealChildWindowFromPoint USER32
000000013F83DCD8 KillTimer USER32
000000013F83DCE0 IsClipboardFormatAvailable USER32
000000013F83DCE8 MessageBeep USER32
000000013F83DCF0 CharNextW USER32
000000013F83DCF8 CopyAcceleratorTableW USER32
000000013F83DD00 InvalidateRgn USER32
000000013F83DD08 GetNextDlgGroupItem USER32
000000013F83DD10 CharUpperW USER32
000000013F83DD18 GetMenuDefaultItem USER32
000000013F83DD20 DrawIconEx USER32
000000013F83DD28 EnableScrollBar USER32
000000013F83DD30 HideCaret USER32
000000013F83DD38 InvertRect USER32
000000013F83DD40 NotifyWinEvent USER32
000000013F83DD48 RegisterClipboardFormatW USER32
000000013F83DD50 GetMenuStringW USER32
000000013F83DD58 DrawStateW USER32
000000013F83DD60 DrawEdge USER32
000000013F83DD68 SetWindowRgn USER32
000000013F83DD70 UnionRect USER32
000000013F83DD78 IsMenu USER32
000000013F83DD80 MonitorFromPoint USER32
000000013F83DD88 BringWindowToTop USER32
000000013F83DD90 LoadAcceleratorsW USER32
000000013F83DD98 TranslateAcceleratorW USER32
000000013F83DDA0 InsertMenuItemW USER32
000000013F83DDA8 UnpackDDElParam USER32
000000013F83DDB0 ReuseDDElParam USER32
000000013F83DDB8 GetComboBoxInfo USER32
000000013F83DDC0 IsZoomed USER32
000000013F83DDC8 GetSystemMenu USER32
000000013F83DDD0 PostThreadMessageW USER32
000000013F83DDD8 WaitMessage USER32
000000013F83DDE0 GetKeyboardLayout USER32
000000013F83DDE8 IsCharLowerW USER32
000000013F83DDF0 MapVirtualKeyExW USER32
000000013F83DDF8 ToUnicodeEx USER32
000000013F83DE00 GetKeyboardState USER32
000000013F83DE08 CreateAcceleratorTableW USER32
000000013F83DE10 DestroyAcceleratorTable USER32
000000013F83DE18 SetCursorPos USER32
000000013F83DE20 SetParent USER32
000000013F83DE28 SetClassLongPtrW USER32
000000013F83DE30 CopyIcon USER32
000000013F83DE38 IsChild USER32
000000013F83DE40 CharUpperBuffW USER32
000000013F83DE48 DrawMenuBar USER32
000000013F83DE50 DefFrameProcW USER32
000000013F83DE58 DefMDIChildProcW USER32
000000013F83DE60 TranslateMDISysAccel USER32
000000013F83DE68 GetUpdateRect USER32
000000013F83DE70 SubtractRect USER32
000000013F83DE78 CreateMenu USER32
000000013F83DE80 GetWindowRgn USER32
000000013F83DE88 DrawIcon USER32
000000013F83DE90 ValidateRect USER32
000000013F83DE98 GetKeyState USER32
000000013F83DEA0 GetMessageW USER32
000000013F83DEA8 CreateWindowExW USER32
000000013F83DEB0 GetClassInfoExW USER32
000000013F83DEB8 CallWindowProcW USER32
000000013F83DEC0 DefWindowProcW USER32
000000013F83DEC8 GetMessageTime USER32
000000013F83DED0 UnregisterClassW USER32
000000013F83DED8 EqualRect USER32
000000013F83DEE0 GetWindowThreadProcessId USER32
000000013F83DEE8 GetForegroundWindow USER32
000000013F83DEF0 LoadImageW USER32
000000013F83DEF8 DispatchMessageW USER32
000000013F83DF00 TranslateMessage USER32
000000013F83DF08 PeekMessageW USER32
000000013F83DF10 GetIconInfo USER32
000000013F83DF18 LoadBitmapW USER32
000000013F83DF20 CopyRect USER32
000000013F83DF28 GetSysColorBrush USER32
000000013F83DF30 DrawFocusRect USER32
000000013F83DF38 DrawFrameControl USER32
000000013F83DF40 FrameRect USER32
000000013F83DF48 GetMenuItemInfoW USER32
000000013F83DF50 GetMenuItemID USER32
000000013F83DF58 SetMenuDefaultItem USER32
000000013F83DF60 ExitWindowsEx USER32
000000013F83DF68 GetSystemMetrics USER32
000000013F83DF70 IsWindowEnabled USER32
000000013F83DF78 GetWindow USER32
000000013F83DF80 GetClassNameW USER32
000000013F83DF88 GetActiveWindow USER32
000000013F83DF90 SetMenuItemBitmaps USER32
000000013F83DF98 GetDoubleClickTime USER32
000000013F83DFA0 DestroyMenu USER32
000000013F83DFA8 EndDeferWindowPos USER32
000000013F83DFB0 BeginDeferWindowPos USER32
000000013F83DFB8 DeferWindowPos USER32
000000013F83DFC0 FillRect USER32
000000013F83DFC8 CheckMenuItem USER32
000000013F83DFD0 DrawTextW USER32
000000013F83DFD8 EnableMenuItem USER32
000000013F83DFE0 InsertMenuW USER32
000000013F83DFE8 UpdateWindow USER32
000000013F83DFF0 LockWindowUpdate USER32
000000013F83DFF8 GetSysColor USER32
000000013F83E000 DestroyIcon USER32
000000013F83E008 LoadIconW USER32
000000013F83E010 SystemParametersInfoW USER32
000000013F83E018 GetDesktopWindow USER32
000000013F83E020 GetUpdateRgn USER32
000000013F83E028 OffsetRect USER32
000000013F83E030 SetRect USER32
000000013F83E038 GetWindowDC USER32
000000013F83E040 UnhookWindowsHookEx USER32
000000013F83E048 RemoveMenu USER32
000000013F83E050 PostMessageW USER32
000000013F83E058 AppendMenuW USER32
000000013F83E060 CreatePopupMenu USER32
000000013F83E068 GetSubMenu USER32
000000013F83E070 SetWindowsHookExW USER32
000000013F83E078 DeleteMenu USER32
000000013F83E080 SetMenuItemInfoW USER32
000000013F83E088 GetMenuItemCount USER32
000000013F83E090 LoadMenuW USER32
000000013F83E098 CallNextHookEx USER32
000000013F83E0A0 IsWindowVisible USER32
000000013F83E0A8 SetRectEmpty USER32
000000013F83E0B0 RegisterWindowMessageW USER32
000000013F83E0B8 ReleaseCapture USER32
000000013F83E0C0 SetCapture USER32
000000013F83E0C8 SetCursor USER32
000000013F83E0D0 PtInRect USER32
000000013F83E0D8 IsRectEmpty USER32
000000013F83E0E0 GetFocus USER32
000000013F83E0E8 RegisterClassW USER32
000000013F83E0F0 GetClassInfoW USER32
000000013F83E0F8 DestroyCursor USER32
000000013F83E100 LoadCursorW USER32
000000013F83E108 GetParent USER32
000000013F83E110 InvalidateRect USER32
000000013F83E118 GetWindowLongW USER32
000000013F83E120 SetWindowLongW USER32
000000013F83E128 GetAsyncKeyState USER32
000000013F83E130 ScreenToClient USER32
000000013F83E138 GetCursorPos USER32
000000013F83E140 LoadStringW USER32
000000013F83E148 ReleaseDC USER32
000000013F83E150 GetDC USER32
000000013F83E158 SetWindowPos USER32
000000013F83E160 InflateRect USER32
000000013F83E168 IsWindow USER32
000000013F83E170 wsprintfW USER32
000000013F83E178 SetTimer USER32
000000013F83E180 GetWindowRect USER32
000000013F83E188 GetClientRect USER32
000000013F83E190 RedrawWindow USER32
000000013F83E198 EnableWindow USER32
000000013F83E1A0 MessageBoxW USER32
000000013F83E1A8 SendMessageW USER32
000000013F83E1B0 IsIconic USER32
000000013F83E1B8 SetForegroundWindow USER32
000000013F83E1C0 GetMessagePos USER32
000000013F83E1C8 ModifyMenuW USER32
000000013F83E1D0 GetMenuState USER32
000000013F83E1D8 EnumDisplayMonitors USER32
000000013F83E1E0 OpenClipboard USER32
000000013F83E1E8 CloseClipboard USER32
000000013F83E1F0 SetClipboardData USER32
000000013F83E1F8 EmptyClipboard USER32
000000013F83E208 GetWindowTheme UxTheme
000000013F83E210 DrawThemeParentBackground UxTheme
000000013F83E218 GetThemeColor UxTheme
000000013F83E220 GetCurrentThemeName UxTheme
000000013F83E228 IsAppThemed UxTheme
000000013F83E230 IsThemeBackgroundPartiallyTransparent UxTheme
000000013F83E238 DrawThemeText UxTheme
000000013F83E240 GetThemeSysColor UxTheme
000000013F83E250 PlaySoundW WINMM
000000013F83E260 ClosePrinter WINSPOOL
000000013F83E268 DocumentPropertiesW WINSPOOL
000000013F83E270 OpenPrinterW WINSPOOL
000000013F83E280 115 WSAStartup WS2_32
000000013F83E288 52 gethostbyname WS2_32
000000013F83E290 18 select WS2_32
000000013F83E298 151 __WSAFDIsSet WS2_32
000000013F83E2A0 4 connect WS2_32
000000013F83E2A8 10 ioctlsocket WS2_32
000000013F83E2B0 7 getsockopt WS2_32
000000013F83E2B8 19 send WS2_32
000000013F83E2C0 16 recv WS2_32
000000013F83E2C8 3 closesocket WS2_32
000000013F83E2D0 23 socket WS2_32
000000013F83E2D8 21 setsockopt WS2_32
000000013F83E2E0 51 gethostbyaddr WS2_32
000000013F83E2E8 56 getservbyport WS2_32
000000013F83E2F0 15 ntohs WS2_32
000000013F83E2F8 12 inet_ntoa WS2_32
000000013F83E300 8 htonl WS2_32
000000013F83E308 55 getservbyname WS2_32
000000013F83E310 9 htons WS2_32
000000013F83E318 111 WSAGetLastError WS2_32
000000013F83E320 11 inet_addr WS2_32
000000013F83E330 OleCreateMenuDescriptor ole32
000000013F83E338 OleDestroyMenuDescriptor ole32
000000013F83E340 OleTranslateAccelerator ole32
000000013F83E348 IsAccelerator ole32
000000013F83E350 OleGetClipboard ole32
000000013F83E358 CoLockObjectExternal ole32
000000013F83E360 RegisterDragDrop ole32
000000013F83E368 RevokeDragDrop ole32
000000013F83E370 OleLockRunning ole32
000000013F83E378 DoDragDrop ole32
000000013F83E380 CoRegisterMessageFilter ole32
000000013F83E388 OleIsCurrentClipboard ole32
000000013F83E390 OleFlushClipboard ole32
000000013F83E398 CoRevokeClassObject ole32
000000013F83E3A0 CreateStreamOnHGlobal ole32
000000013F83E3A8 OleUninitialize ole32
000000013F83E3B0 OleInitialize ole32
000000013F83E3B8 CoFreeUnusedLibraries ole32
000000013F83E3C0 CreateILockBytesOnHGlobal ole32
000000013F83E3C8 StgOpenStorageOnILockBytes ole32
000000013F83E3D0 StgCreateDocfileOnILockBytes ole32
000000013F83E3D8 CoGetClassObject ole32
000000013F83E3E0 CoDisconnectObject ole32
000000013F83E3E8 CLSIDFromProgID ole32
000000013F83E3F0 CLSIDFromString ole32
000000013F83E3F8 CoCreateGuid ole32
000000013F83E400 ReleaseStgMedium ole32
000000013F83E408 CoTaskMemFree ole32
000000013F83E410 CoTaskMemAlloc ole32
000000013F83E418 OleDuplicateData ole32
000000013F9314A0 GdipGetImagePaletteSize gdiplus
000000013F9314A8 GdipSetInterpolationMode gdiplus
000000013F9314B0 GdiplusShutdown gdiplus
000000013F9314B8 GdipAlloc gdiplus
000000013F9314C0 GdipFree gdiplus
000000013F9314C8 GdiplusStartup gdiplus
000000013F9314D0 GdipCloneImage gdiplus
000000013F9314D8 GdipDisposeImage gdiplus
000000013F9314E0 GdipGetImageGraphicsContext gdiplus
000000013F9314E8 GdipGetImageWidth gdiplus
000000013F9314F0 GdipGetImageHeight gdiplus
000000013F9314F8 GdipGetImagePixelFormat gdiplus
000000013F931500 GdipGetImagePalette gdiplus
000000013F931508 GdipDrawImageRectI gdiplus
000000013F931510 GdipCreateBitmapFromStream gdiplus
000000013F931518 GdipCreateBitmapFromScan0 gdiplus
000000013F931520 GdipBitmapLockBits gdiplus
000000013F931528 GdipBitmapUnlockBits gdiplus
000000013F931530 GdipDeleteGraphics gdiplus
000000013F931538 GdipDrawImageI gdiplus
000000013F931540 GdipCreateBitmapFromHBITMAP gdiplus
000000013F931548 GdipCreateFromHDC gdiplus
000000013F931558 OleUIBusyW oledlg
I hope the listing isn't too long. Any other thoughts about this are welcome.
 #28491  by raiden
 Thu May 12, 2016 8:39 am
Hi,

I have no idea about ESET internals, but you should have checked dynamic imports as well. Process Explorer dynamically uses the same API (WinVerifyTrust) to check the integrity of an executable file.
 #28499  by evelyette
 Sat May 14, 2016 5:08 pm
Hi,

I've used the following program (obtained from https://msdn.microsoft.com/en-us/librar ... s.85).aspx), which calls the WinVerifyTrust manually.
Code: Select all
//-------------------------------------------------------------------
// Copyright (C) Microsoft.  All rights reserved.
// Example of verifying the embedded signature of a PE file by using 
// the WinVerifyTrust function.

#define _UNICODE 1
#define UNICODE 1

#include <tchar.h>
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#include <Softpub.h>
#include <wincrypt.h>
#include <wintrust.h>

// Link with the Wintrust.lib file.
#pragma comment (lib, "wintrust")

BOOL VerifyEmbeddedSignature(LPCWSTR pwszSourceFile)
{
	LONG lStatus;
	DWORD dwLastError;

	// Initialize the WINTRUST_FILE_INFO structure.

	WINTRUST_FILE_INFO FileData;
	memset(&FileData, 0, sizeof(FileData));
	FileData.cbStruct = sizeof(WINTRUST_FILE_INFO);
	FileData.pcwszFilePath = pwszSourceFile;
	FileData.hFile = NULL;
	FileData.pgKnownSubject = NULL;

	/*
	WVTPolicyGUID specifies the policy to apply on the file
	WINTRUST_ACTION_GENERIC_VERIFY_V2 policy checks:

	1) The certificate used to sign the file chains up to a root
	certificate located in the trusted root certificate store. This
	implies that the identity of the publisher has been verified by
	a certification authority.

	2) In cases where user interface is displayed (which this example
	does not do), WinVerifyTrust will check for whether the
	end entity certificate is stored in the trusted publisher store,
	implying that the user trusts content from this publisher.

	3) The end entity certificate has sufficient permission to sign
	code, as indicated by the presence of a code signing EKU or no
	EKU.
	*/

	GUID WVTPolicyGUID = WINTRUST_ACTION_GENERIC_VERIFY_V2;
	WINTRUST_DATA WinTrustData;

	// Initialize the WinVerifyTrust input data structure.

	// Default all fields to 0.
	memset(&WinTrustData, 0, sizeof(WinTrustData));

	WinTrustData.cbStruct = sizeof(WinTrustData);

	// Use default code signing EKU.
	WinTrustData.pPolicyCallbackData = NULL;

	// No data to pass to SIP.
	WinTrustData.pSIPClientData = NULL;

	// Disable WVT UI.
	WinTrustData.dwUIChoice = WTD_UI_NONE;

	// No revocation checking.
	WinTrustData.fdwRevocationChecks = WTD_REVOKE_NONE;

	// Verify an embedded signature on a file.
	WinTrustData.dwUnionChoice = WTD_CHOICE_FILE;

	// Verify action.
	WinTrustData.dwStateAction = WTD_STATEACTION_VERIFY;

	// Verification sets this value.
	WinTrustData.hWVTStateData = NULL;

	// Not used.
	WinTrustData.pwszURLReference = NULL;

	// This is not applicable if there is no UI because it changes 
	// the UI to accommodate running applications instead of 
	// installing applications.
	WinTrustData.dwUIContext = 0;

	// Set pFile.
	WinTrustData.pFile = &FileData;

	// WinVerifyTrust verifies signatures as specified by the GUID 
	// and Wintrust_Data.
	lStatus = WinVerifyTrust(
		NULL,
		&WVTPolicyGUID,
		&WinTrustData);

	switch (lStatus)
	{
	case ERROR_SUCCESS:
		/*
		Signed file:
		- Hash that represents the subject is trusted.

		- Trusted publisher without any verification errors.

		- UI was disabled in dwUIChoice. No publisher or
		time stamp chain errors.

		- UI was enabled in dwUIChoice and the user clicked
		"Yes" when asked to install and run the signed
		subject.
		*/
		wprintf_s(L"The file \"%s\" is signed and the signature "
			L"was verified.\n",
			pwszSourceFile);
		break;

	case TRUST_E_NOSIGNATURE:
		// The file was not signed or had a signature 
		// that was not valid.

		// Get the reason for no signature.
		dwLastError = GetLastError();
		if (TRUST_E_NOSIGNATURE == dwLastError ||
			TRUST_E_SUBJECT_FORM_UNKNOWN == dwLastError ||
			TRUST_E_PROVIDER_UNKNOWN == dwLastError)
		{
			// The file was not signed.
			wprintf_s(L"The file \"%s\" is not signed.\n",
				pwszSourceFile);
		}
		else
		{
			// The signature was not valid or there was an error 
			// opening the file.
			wprintf_s(L"An unknown error occurred trying to "
				L"verify the signature of the \"%s\" file.\n",
				pwszSourceFile);
		}

		break;

	case TRUST_E_EXPLICIT_DISTRUST:
		// The hash that represents the subject or the publisher 
		// is not allowed by the admin or user.
		wprintf_s(L"The signature is present, but specifically "
			L"disallowed.\n");
		break;

	case TRUST_E_SUBJECT_NOT_TRUSTED:
		// The user clicked "No" when asked to install and run.
		wprintf_s(L"The signature is present, but not "
			L"trusted.\n");
		break;

	case CRYPT_E_SECURITY_SETTINGS:
		/*
		The hash that represents the subject or the publisher
		was not explicitly trusted by the admin and the
		admin policy has disabled user trust. No signature,
		publisher or time stamp errors.
		*/
		wprintf_s(L"CRYPT_E_SECURITY_SETTINGS - The hash "
			L"representing the subject or the publisher wasn't "
			L"explicitly trusted by the admin and admin policy "
			L"has disabled user trust. No signature, publisher "
			L"or timestamp errors.\n");
		break;

	default:
		// The UI was disabled in dwUIChoice or the admin policy 
		// has disabled user trust. lStatus contains the 
		// publisher or time stamp chain error.
		wprintf_s(L"Error is: 0x%x.\n",
			lStatus);
		break;
	}

	// Any hWVTStateData must be released by a call with close.
	WinTrustData.dwStateAction = WTD_STATEACTION_CLOSE;

	lStatus = WinVerifyTrust(
		NULL,
		&WVTPolicyGUID,
		&WinTrustData);

	return true;
}

int _tmain(int argc, _TCHAR* argv[])
{
	if (argc > 1)
	{
		VerifyEmbeddedSignature(argv[1]);
	}

	return 0;
}

I've called the program manually on a [*]trusted original kernel32.dll and an [*]untrusted custom tital.dll, but only obtained the same information as presented below - both files are not signed, but that is not what I'm looking for. I'm looking for how Windows and programs like IE.exe differentiate between a trusted copy of kernel32.dll and a custom DLL titan.dll, which was copied there by system administrator.
C:\Users\user\Desktop>winverifytrust.exe C:\Windows\System32\kernel32.dll
The file "C:\Windows\System32\kernel32.dll" is not signed.

C:\Users\user\Desktop>winverifytrust.exe C:\Windows\System32\titan.dll
The file "C:\Windows\System32\tital.dll" is not signed.
Additionally, for comparison, I'm adding the descriptions of both files, which can be seen below:

First, the trusted kernel32.dll:
temp2.png
temp2.png (21.17 KiB) Viewed 784 times
Then, the untrusted titan.dll:
temp1.png
temp1.png (16.93 KiB) Viewed 784 times
If anybody knows about how the file integrity of the files is checked, I would be more than interested in knowing any details about that. Are the sfc.exe (and other tools like ESET, IE, etc) checking for the description fields of a DLL, like file description, type, file version, product name, product version, copyright, etc? There are two use-cases I'm interested in:

1. Additional DLL or SYS in System32: an application puts an additional DLL or a driver SYS into the kernel32 directory. How does sfc.exe/sysinspector determine the file is genuine or not?

2. Replaced DLL or SYS in System32: an application replaces a DLL or driver SYS in the kernel32 directory (requires administrative privileges). Are there any additional checks being done by the sfc.exe/sysinspector in order to determine if the file is genuine or not? Are there any additional registry entries stored in registry or any files on the filesystem, which contain SHA1 of the previous original DLL, which is being checked by such tools and reported if hash doesn't match?

Any details are welcome.
 #28500  by raiden
 Sat May 14, 2016 7:36 pm
First off, the MSDN code handles embedded digital signatures only, not security catalog signatures. It can't differentiate between not signed and signed by catalog executable.

I have added some extra piece of code to the MSDN example to make it work. I had to add some definitions because visual studio 2005 doesn't have the required headers. The code is dirty and is coded in hurry (sorry).

BTW, the original code isn't mine. All credits goes to the sysinternals gang.

anyway hope it helps.

Include File (stdafx.h):
Code: Select all
#pragma once

#ifndef _WIN32_WINNT		// Allow use of features specific to Windows XP or later.                   
#define _WIN32_WINNT 0x0501	// Change this to the appropriate value to target other versions of Windows.
#endif						

#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#include <tchar.h>
#include <Softpub.h>
#include <wincrypt.h>
#include <wintrust.h>

typedef HANDLE HCATADMIN;
typedef HANDLE HCATINFO;

typedef struct CRYPTCATATTRIBUTE_
{
    DWORD cbStruct;
    LPWSTR pwszReferenceTag;
    DWORD dwAttrTypeAndAction;
    DWORD cbValue;
    BYTE *pbValue;
    DWORD dwReserved;
} CRYPTCATATTRIBUTE;

typedef struct CRYPTCATMEMBER_
{
    DWORD cbStruct;
    LPWSTR pwszReferenceTag;
    LPWSTR pwszFileName;
    GUID gSubjectType;
    DWORD fdwMemberFlags;
    struct SIP_INDIRECT_DATA_* pIndirectData;
    DWORD dwCertVersion;
    DWORD dwReserved;
    HANDLE hReserved;
    CRYPT_ATTR_BLOB sEncodedIndirectData;
    CRYPT_ATTR_BLOB sEncodedMemberInfo;
} CRYPTCATMEMBER;

typedef struct CATALOG_INFO_
{
    DWORD cbStruct;
    WCHAR wszCatalogFile[MAX_PATH];
} CATALOG_INFO;

typedef struct CRYPTCATCDF_
{
    DWORD cbStruct;
    HANDLE hFile;
    DWORD dwCurFilePos;
    DWORD dwLastMemberOffset;
    BOOL fEOF;
    LPWSTR pwszResultDir;
    HANDLE hCATStore;
} CRYPTCATCDF;

typedef void (WINAPI *PFN_CDF_PARSE_ERROR_CALLBACK)(DWORD, DWORD, WCHAR *);

typedef BOOL (WINAPI *_CryptCATAdminAcquireContext)(HCATADMIN*,const GUID*,DWORD);
typedef BOOL (WINAPI *_CryptCATAdminCalcHashFromFileHandle) (HANDLE,DWORD*,BYTE*,DWORD);
typedef HCATINFO (WINAPI *_CryptCATAdminEnumCatalogFromHash) (HCATADMIN,BYTE*,DWORD,DWORD,HCATINFO*);
typedef BOOL (WINAPI *_CryptCATAdminReleaseCatalogContext) (HCATADMIN,HCATINFO,DWORD);
typedef BOOL (WINAPI *_CryptCATCatalogInfoFromContext) (HCATINFO, CATALOG_INFO *, DWORD);
typedef BOOL (WINAPI *_CryptCATAdminReleaseContext) (
   HCATADMIN hCatAdmin,
   DWORD     dwFlags
);
Main File:
Code: Select all
#include "stdafx.h"

//-------------------------------------------------------------------
// Copyright (C) Microsoft.  All rights reserved.
// Example of verifying the embedded signature of a PE file by using 
// the WinVerifyTrust function.

// Link with the Wintrust.lib file.
#pragma comment (lib, "wintrust")

BOOL VerifyEmbeddedSignature(LPCWSTR pwszSourceFile)
{
    LONG lStatus;
    GUID WintrustVerifyGuid = WINTRUST_ACTION_GENERIC_VERIFY_V2;
    GUID DriverActionGuid = DRIVER_ACTION_VERIFY;
    HANDLE hFile;
    DWORD dwHash;
    BYTE bHash[100];
    HCATINFO hCatInfo;
    HCATADMIN hCatAdmin;

    WINTRUST_DATA wd = { 0 };
    WINTRUST_FILE_INFO wfi = { 0 };
    WINTRUST_CATALOG_INFO wci = { 0 };

    ////set up structs to verify files with cert signatures
    memset(&wfi, 0, sizeof(wfi));
    wfi.cbStruct               = sizeof( WINTRUST_FILE_INFO );
    wfi.pcwszFilePath          = pwszSourceFile;
    wfi.hFile                  = NULL;
    wfi.pgKnownSubject         = NULL;

    memset(&wd, 0, sizeof(wd));
    wd.cbStruct                = sizeof( WINTRUST_DATA );
    wd.dwUnionChoice           = WTD_CHOICE_FILE;
    wd.pFile                   = &wfi;
    wd.dwUIChoice              = WTD_UI_NONE;
    wd.fdwRevocationChecks     = WTD_REVOKE_NONE;
    wd.dwStateAction           = 0;
    wd.dwProvFlags             = WTD_SAFER_FLAG;
    wd.hWVTStateData           = NULL;
    wd.pwszURLReference        = NULL;
    wd.pPolicyCallbackData    = NULL;
    wd.pSIPClientData        = NULL;
    wd.dwUIContext            = 0;

    lStatus = WinVerifyTrust( NULL, &WintrustVerifyGuid, &wd );

    ////if failed, try to verify using catalog files
    if (lStatus != ERROR_SUCCESS)
    {
        //open the file
        hFile = CreateFileW(pwszSourceFile, GENERIC_READ,  FILE_SHARE_READ, NULL,  OPEN_EXISTING,  FILE_ATTRIBUTE_NORMAL, NULL);
        if (hFile == INVALID_HANDLE_VALUE)
            return FALSE;

		HMODULE hWintrust = GetModuleHandle( TEXT( "wintrust.dll" ) );
		_CryptCATAdminCalcHashFromFileHandle CryptCATAdminCalcHashFromFileHandle = (_CryptCATAdminCalcHashFromFileHandle) GetProcAddress( hWintrust, "CryptCATAdminCalcHashFromFileHandle" );

        dwHash = sizeof(bHash);
        if (!CryptCATAdminCalcHashFromFileHandle(hFile, &dwHash, bHash, 0))
        {
            CloseHandle(hFile);
            return FALSE;
        }

        //Create a string form of the hash (used later in pszMemberTag)
        LPWSTR pszMemberTag = new WCHAR[dwHash * 2 + 1];
        for ( DWORD dw = 0; dw < dwHash; ++dw )
        {
            wsprintfW( &pszMemberTag[dw * 2], L"%02X", bHash[dw] );
        }

		_CryptCATAdminAcquireContext CryptCATAdminAcquireContext = (_CryptCATAdminAcquireContext) GetProcAddress( hWintrust, "CryptCATAdminAcquireContext" );

        if (!CryptCATAdminAcquireContext(&hCatAdmin, &DriverActionGuid, 0))
        {
            CloseHandle(hFile);
            return FALSE;
        }

		_CryptCATAdminEnumCatalogFromHash CryptCATAdminEnumCatalogFromHash = (_CryptCATAdminEnumCatalogFromHash) GetProcAddress( hWintrust, "CryptCATAdminEnumCatalogFromHash" );

        //find the catalog which contains the hash
        hCatInfo = CryptCATAdminEnumCatalogFromHash(hCatAdmin, bHash, dwHash, 0, NULL);

        if ( hCatInfo )
        {
			_CryptCATCatalogInfoFromContext CryptCATCatalogInfoFromContext = (_CryptCATCatalogInfoFromContext) GetProcAddress( hWintrust, "CryptCATCatalogInfoFromContext" );
            CATALOG_INFO ci = { 0 };
            CryptCATCatalogInfoFromContext( hCatInfo, &ci, 0 );

            memset(&wci, 0, sizeof(wci));
            wci.cbStruct                 = sizeof( WINTRUST_CATALOG_INFO );
            wci.pcwszCatalogFilePath     = ci.wszCatalogFile;
            wci.pcwszMemberFilePath      = pwszSourceFile;
            wci.pcwszMemberTag           = pszMemberTag;

            memset(&wd, 0, sizeof(wd));
            wd.cbStruct                    = sizeof( WINTRUST_DATA );
            wd.dwUnionChoice               = WTD_CHOICE_CATALOG;
            wd.pCatalog                    = &wci;
            wd.dwUIChoice                  = WTD_UI_NONE;
            wd.fdwRevocationChecks         = WTD_STATEACTION_VERIFY;
            wd.dwProvFlags                 = 0;
            wd.hWVTStateData               = NULL;
            wd.pwszURLReference            = NULL;
            wd.pPolicyCallbackData        = NULL;
            wd.pSIPClientData            = NULL;
            wd.dwUIContext                = 0;

            lStatus = WinVerifyTrust( NULL, &WintrustVerifyGuid, &wd );
			_CryptCATAdminReleaseCatalogContext CryptCATAdminReleaseCatalogContext = (_CryptCATAdminReleaseCatalogContext) GetProcAddress( hWintrust, "CryptCATAdminReleaseCatalogContext" );

            CryptCATAdminReleaseCatalogContext( hCatAdmin, hCatInfo, 0 );
        }

		_CryptCATAdminReleaseContext CryptCATAdminReleaseContext = (_CryptCATAdminReleaseContext) GetProcAddress( hWintrust, "CryptCATAdminReleaseContext" );

        CryptCATAdminReleaseContext( hCatAdmin, 0 );
        delete[] pszMemberTag;
        CloseHandle(hFile);
    }

    if (lStatus != ERROR_SUCCESS)
        return false;
    else
        return true;
}

int _tmain(int argc, _TCHAR* argv[])
{
    if(argc > 1)
    {
        if( VerifyEmbeddedSignature(argv[1]) )
			_tprintf( TEXT( "\nVerified ...\n" ) );
		else
			_tprintf( TEXT( "\nVerification failed ...\n" ) );
    }

    return 0;
}
 #28503  by evelyette
 Sun May 15, 2016 7:37 am
I've set a breakpoint on WinVerifyTrust in WinDbg, which can be seen on the picture below, but the breakpoint wasn't hit when starting ESET SysInspector or sfc.exe, so I'm assuming that function isn't being used to check the integrity of files.
winverify.png
winverify.png (2.11 KiB) Viewed 776 times
I've also run the sfc.exe command like this, where there are three use-cases:
  • Original Untampered File: the file kernel32.dll is the original file and there is nothing wrong with it, so the integrity passes.
  • File not in Store: if we run sfc.exe on a non-existent file nonexistent.dll, a message will be displayed that windows resource protection cannot perform the requested operation.
  • Replaced Tampered File: if administrator has replaced the file that is in store with a new file, Windows resource protection will find integrity violations and save the details into CBS.log.
winverify1.png
winverify1.png (7.33 KiB) Viewed 776 times
The details are included into the CBS.log, which contains the following - note that there are some hashes being verified in the store.
2016-05-15 09:28:32, Info CSI 00000155 [SR] Beginning Verify and Repair transaction
2016-05-15 09:28:32, Info CSI 00000156 Hashes for file member \??\C:\Windows\System32\loghours.dll do not match actual file [l:24{12}]"loghours.dll" :
Found: {l:32 b:3R0SwHabqO6QywaLD5LoyoybfqNwhvdMZ6oOM9lT16o=} Expected: {l:32 b:qYvtQSJ3j0i4CGCj/b4ZeqfAUMR7f94Ad0zrp1EJw9Y=}
2016-05-15 09:28:32, Info CSI 00000157 [SR] Repairing corrupted file [ml:520{260},l:46{23}]"\??\C:\Windows\System32"\[l:24{12}]"loghours.dll" from store
2016-05-15 09:28:32, Info CSI 00000158 Repair results created:
POQ 34 starts:
0: Move File: Source = [l:192{96}]"\SystemRoot\WinSxS\Temp\PendingRenames\be3b78627baed101a90000001406cc06._0000000000000000.cdf-ms", Destination = [l:104{52}]"\SystemRoot\WinSxS\FileMaps\_0000000000000000.cdf-ms"
1: Move File: Source = [l:162{81}]"\SystemRoot\WinSxS\Temp\PendingRenames\be3b78627baed101aa0000001406cc06.$$.cdf-ms", Destination = [l:74{37}]"\SystemRoot\WinSxS\FileMaps\$$.cdf-ms"
2: Move File: Source = [l:214{107}]"\SystemRoot\WinSxS\Temp\PendingRenames\cc627f627baed101ab0000001406cc06.$$_system32_21f9a9c4a2f8b514.cdf-ms", Destination = [l:126{63}]"\SystemRoot\WinSxS\FileMaps\$$_system32_21f9a9c4a2f8b514.cdf-ms"
3: Hard Link File: Source = [l:240{120}]"\SystemRoot\WinSxS\amd64_microsoft-windows-scheduleui_31bf3856ad364e35_6.1.7600.16385_none_d0b7a7aa2b6c0a20\loghours.dll", Destination = [l:72{36}]"\??\C:\Windows\System32\loghours.dll"

POQ 34 ends.
2016-05-15 09:28:32, Info CSI 00000159 [SR] Verify complete
This is also the check with sigcheck.exe , which clearly differentiates the libraries.
C:\Users\user\Desktop>sigcheck -a c:\windows\system32\kernel32.dll

Sigcheck v2.51 - File version and signature viewer
Copyright (C) 2004-2016 Mark Russinovich
Sysinternals - www.sysinternals.com

c:\windows\system32\kernel32.dll:
Verified: Signed
Signing date: 4:29 13.2.2016
Publisher: Microsoft Windows
Company: Microsoft Corporation
Description: Windows NT BASE API Client DLL
Product: Microsoft« Windows« Operating System
Prod version: 6.1.7601.23349
File version: 6.1.7601.23349 (win7sp1_ldr.160210-0600)
MachineType: 64-bit
Binary Version: 6.1.7601.23349
Original Name: kernel32
Internal Name: kernel32
Copyright: ⌐ Microsoft Corporation. All rights reserved.
Comments: n/a
Entropy: 6.246

C:\Users\user\Desktop>sigcheck -a c:\windows\system32\loghours.dll

Sigcheck v2.51 - File version and signature viewer
Copyright (C) 2004-2016 Mark Russinovich
Sysinternals - www.sysinternals.com

c:\windows\system32\loghours.dll:
Verified: Unsigned
Link date: 14:49 11.5.2016
Publisher: n/a
Company: n/a
Description: n/a
Product: n/a
Prod version: n/a
File version: n/a
MachineType: 64-bit
Binary Version: n/a
Original Name: n/a
Internal Name: n/a
Copyright: n/a
Comments: n/a
Entropy: 5.294
I'm interested to find out the details about:

1. Which files are protected inside the system32 and which aren't (for which the integrity protections exist). Note that all DLLs inside system32 are not in the store, like rasser.dll (whereever the DLL comes from).
2. How is the integrity of the files, which are in the store checked in order to determine whether they have been tampered with? I'm interested in the exact win32 API being used to check the existence of signatures as well as where the signatures are being stored and how do existing tools modify the signatures - like windows updater?

I would like to determine the internals of the integrity protections.
 #28520  by evelyette
 Tue May 17, 2016 10:41 pm
One more thing. When starting IE in protected mode - provided by ESET, we can attach to iexplore.exe with WinDbg, but IE will fail to load any DLL. WinDbg will display a number of messages like this, where it wants to load the titan.dll, which is available in the system32 folder, but WinDbg fails to load it. Notice a number of tries to load the DLL, but none of them is successful, so the titan.dll is not loaded. The titan.dll is a custom DLL placed there by the administrator and is not loaded only in protected IE mode, while it loads fine when starting IE normally.
ModLoad: 000007fe`fc280000 000007fe`fc3cb000 C:\Windows\system32\titan.dll
ModLoad: 000007fe`fc280000 000007fe`fc3cb000 C:\Windows\system32\titan.dll
ModLoad: 000007fe`fc280000 000007fe`fc3cb000 C:\Windows\system32\titan.dll
ModLoad: 000007fe`fc280000 000007fe`fc3cb000 C:\Windows\system32\titan.dll
ModLoad: 000007fe`fc280000 000007fe`fc3cb000 C:\Windows\system32\titan.dll
ModLoad: 000007fe`fc280000 000007fe`fc3cb000 C:\Windows\system32\titan.dll
ModLoad: 000007fe`fc280000 000007fe`fc3cb000 C:\Windows\system32\titan.dll
ModLoad: 000007fe`fc280000 000007fe`fc3cb000 C:\Windows\system32\titan.dll
ModLoad: 000007fe`fc280000 000007fe`fc3cb000 C:\Windows\system32\titan.dll
ModLoad: 000007fe`fc280000 000007fe`fc3cb000 C:\Windows\system32\titan.dll
ModLoad: 000007fe`fc280000 000007fe`fc3cb000 C:\Windows\system32\titan.dll
ModLoad: 000007fe`fc280000 000007fe`fc3cb000 C:\Windows\system32\titan.dll
ModLoad: 000007fe`fc280000 000007fe`fc3cb000 C:\Windows\system32\titan.dll
ModLoad: 000007fe`fc280000 000007fe`fc3cb000 C:\Windows\system32\titan.dll
ModLoad: 000007fe`fc280000 000007fe`fc3cb000 C:\Windows\system32\titan.dll
ModLoad: 000007fe`fc280000 000007fe`fc3cb000 C:\Windows\system32\titan.dll
ModLoad: 000007fe`fc280000 000007fe`fc3cb000 C:\Windows\system32\titan.dll
The continuous tries to load the titan.dll are there because of the interaction with the IE process, which requires that DLL, but fails to load it. I've instructed WinDbg to break upon loading a DLL as seen below:
0:023> g
ModLoad: 000007fe`fc280000 000007fe`fc3cb000 C:\Windows\system32\titan.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\ESET\ESET Smart Security\eOppBrowser.dll -
00000000`0001014a c3 ret
At that point, the call stack is the following:
# Child-SP RetAddr : Args to Child : Call Site
00 00000000`04a2dd18 000007fe`f20bc8b4 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00100021 : 0x1014a
01 00000000`04a2dd20 000007fe`f20bbdef : 00000000`000004ec 00000000`00199930 ffffffff`ffffffff 000007fe`f20bd2c6 : eOppBrowser!eplg_opp_init+0x1894
02 00000000`04a2ddb0 00000000`7738678c : 00000000`001959b8 00000000`00000000 00000000`00000000 000007fe`f20bc58d : eOppBrowser!eplg_opp_init+0xdcf
03 00000000`04a2de20 00000000`773863e1 : 00000000`00000424 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!LdrpMapViewOfSection+0x136
04 00000000`04a2ded0 00000000`77375da3 : 00000000`00000000 00000000`04a2e390 00000000`c0150008 00000000`00000000 : ntdll!LdrpFindOrMapDll+0x231
05 00000000`04a2e020 00000000`77375fcf : 00000000`00000000 00000000`00000000 00000000`002b2460 000007fe`fd139a82 : ntdll!LdrpLoadDll+0x2f3
06 00000000`04a2e220 000007fe`f20bbf7b : 00000000`00000000 00000000`00000000 00000000`002cc230 00000000`04a2e330 : ntdll!LdrLoadDll+0xed
07 00000000`04a2e290 000007fe`f20bbf37 : 00000000`04a2e341 00000000`00000000 00000000`002cc230 00000000`00000003 : eOppBrowser!eplg_opp_init+0xf5b
08 00000000`04a2e2d0 000007fe`fd140176 : 00000000`00000000 00000000`00000000 00000000`00000001 00000000`00000044 : eOppBrowser!eplg_opp_init+0xf17
09 00000000`04a2e310 000007fe`fd12c7a1 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000001 : KERNELBASE!LoadLibraryExW+0x2a3
0a 00000000`04a2e390 000007fe`fc7205b6 : 00000000`00000000 00000000`002c9af0 00000000`00000000 000007fe`fc700000 : KERNELBASE!LoadLibraryExA+0x51
...
The eOppBrowser!eplg_opp_init+0x1894 instruction is on the call stack - I've attached the eOppBrowser.dll to this thread. Any throughts about why WinDbg is unable to load the DLL when started in protected mode provided by the ESET? The password for the zip is KernelMode.
Attachments
(174.4 KiB) Downloaded 28 times
 #28531  by Vrtule
 Wed May 18, 2016 6:23 pm
Hello,

If I read your last post correctly, IE, when run under ESET's protected mode, is unable to load a custom DLL. Or does this happen only in case WinDbg is attached to the process? It seems to me that the problem lies within ESET's DLL (it may be a bug or feature, who knows). It would be best to reverse the relevant part of the DLL (the NtMapViewOfSection hook routine).
 #28532  by evelyette
 Wed May 18, 2016 8:09 pm
Hi,

I've enabled loader snaps and the following is displayed in WinDbg; note that when IE is running under ESET's protected mode, the IE is unable to load the DLL, regardless of whether a debugger is attached or not.
0810:0704 @ 53652843 - LdrpResolveFileName - ENTER: DLL name: C:\Windows\system32\titan.dll
0810:0704 @ 53652843 - LdrpResolveFileName - RETURN: Status: 0x00000000
0810:0704 @ 53652843 - LdrpResolveDllName - ENTER: DLL name: C:\Windows\system32\titan.dll
0810:0704 @ 53652859 - LdrpResolveDllName - RETURN: Status: 0x00000000
0810:0704 @ 53652859 - LdrpSearchPath - RETURN: Status: 0x00000000
0810:0704 @ 53652859 - LdrpMapViewOfSection - ENTER: DLL name: C:\Windows\system32\titan.dll
ModLoad: 000007fe`efb10000 000007fe`efc5b000 C:\Windows\system32\titan.dll
0810:0704 @ 53652859 - LdrpMapViewOfSection - RETURN: Status: 0xc0000022
0810:0704 @ 53652859 - LdrpFindOrMapDll - RETURN: Status: 0xc0000022
0810:0704 @ 53652859 - LdrpLoadDll - RETURN: Status: 0xc0000022
0810:0704 @ 53652875 - LdrLoadDll - RETURN: Status: 0xc0000022
I've seen this is an access denied error code, which happens when the process has been denied access to the object - the DLL in this case. This makes sense since the process is started in protected mode, but now we need to investigate what's happening behind the curtains. Note that the DLL has been signed with a self-signed certificate, which could be a likely cause of this, but where is the exact function actually checking this and then denying loading the DLL? I would like to investigate this further in order to determine what's happening and if the self-signed certificate is a culprit for this, after which I need to determine whether signing a DLL with a valid certificate (signed with proper CA) will resolve the issue or not.

The !token command reports the following:
0:033> !token
Thread is not impersonating. Using process token...
TS Session ID: 0x1
User: S-1-5-21-1975552498-1196766895-2187975934-1000
User Groups:
00 S-1-5-21-1975552498-1196766895-2187975934-513
Attributes - Mandatory Default Enabled
01 S-1-1-0
Attributes - Mandatory Default Enabled
02 S-1-5-114
Attributes - Mandatory Default Enabled
03 S-1-5-21-1975552498-1196766895-2187975934-1001
Attributes - Mandatory Default Enabled
04 S-1-5-32-544
Attributes - Mandatory Default Enabled Owner
05 S-1-5-32-559
Attributes - Mandatory Default Enabled
06 S-1-5-32-545
Attributes - Mandatory Default Enabled
07 S-1-5-4
Attributes - Mandatory Default Enabled
08 S-1-2-1
Attributes - Mandatory Default Enabled
09 S-1-5-11
Attributes - Mandatory Default Enabled
10 S-1-5-15
Attributes - Mandatory Default Enabled
11 S-1-5-113
Attributes - Mandatory Default Enabled
12 S-1-5-5-0-102540
Attributes - Mandatory Default Enabled LogonId
13 S-1-2-0
Attributes - Mandatory Default Enabled
14 S-1-5-64-10
Attributes - Mandatory Default Enabled
15 S-1-16-8192
Attributes - GroupIntegrity GroupIntegrityEnabled
Primary Group: S-1-5-21-1975552498-1196766895-2187975934-513
Privs:
00 0x000000005 SeIncreaseQuotaPrivilege Attributes -
01 0x000000008 SeSecurityPrivilege Attributes -
02 0x000000009 SeTakeOwnershipPrivilege Attributes -
03 0x00000000a SeLoadDriverPrivilege Attributes -
04 0x00000000b SeSystemProfilePrivilege Attributes -
05 0x00000000c SeSystemtimePrivilege Attributes -
06 0x00000000d SeProfileSingleProcessPrivilege Attributes -
07 0x00000000e SeIncreaseBasePriorityPrivilege Attributes -
08 0x00000000f SeCreatePagefilePrivilege Attributes -
09 0x000000011 SeBackupPrivilege Attributes -
10 0x000000012 SeRestorePrivilege Attributes -
11 0x000000013 SeShutdownPrivilege Attributes -
12 0x000000014 SeDebugPrivilege Attributes -
13 0x000000016 SeSystemEnvironmentPrivilege Attributes -
14 0x000000017 SeChangeNotifyPrivilege Attributes - Enabled Default
15 0x000000018 SeRemoteShutdownPrivilege Attributes -
16 0x000000019 SeUndockPrivilege Attributes -
17 0x00000001c SeManageVolumePrivilege Attributes -
18 0x00000001d SeImpersonatePrivilege Attributes -
19 0x00000001e SeCreateGlobalPrivilege Attributes - Enabled Default
20 0x000000021 SeIncreaseWorkingSetPrivilege Attributes -
21 0x000000022 SeTimeZonePrivilege Attributes -
22 0x000000023 SeCreateSymbolicLinkPrivilege Attributes -
Auth ID: 0:190af
Impersonation Level: Anonymous
TokenType: Primary
Is restricted token: no.
SandBoxInert: 0
Elevation Type: 1 (Default)
Mandatory Policy: TOKEN_MANDATORY_POLICY_VALID_MASK
Integrity Level: S-1-16-8192
Token Virtualized: Disabled
UIAccess: 0