nick_name
December 2nd, 2010, 01:47
I am playing with a VC8 executable on 64bit Windows 7 which started showing me the following error after patching:
Quote:
"a referral was returned from the server"
After a little digging deeper, I found out the executable comes with the following "assembly manifest" [1] resource:
Code:
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<dependency>
<dependentAssembly>
<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*">
</assemblyIdentity>
</dependentAssembly>
</dependency>
<dependency>
<dependentAssembly>
<assemblyIdentity type="win32" name="wc.sqlceca35" version="1.0.0.0">
</assemblyIdentity>
</dependentAssembly>
</dependency>
<dependency>
<dependentAssembly>
<assemblyIdentity type="win32" name="wc.sqlceoledb35" version="1.0.0.0">
</assemblyIdentity>
</dependentAssembly>
</dependency>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
<security>
<requestedPrivileges>
<requestedExecutionLevel level="asInvoker" uiAccess="true">
</requestedExecutionLevel>
</requestedPrivileges>
</security>
</trustInfo>
<application xmlns="urn:schemas-microsoft-com:asm.v3"><windowsSettings>
<ms_windowsSettings:dpiAware xmlns:ms_windowsSettings="http://schemas.microsoft.com/SMI/2005/WindowsSettings" xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">true</ms_windowsSettings:dpiAware></windowsSettings>
</application>
</assembly>
Reading through the references [1],[2] made it clear that UAC (User Access Control) will not allow running a modified binary with an invalid digital signature (which is a consequence of the patching). One can disable UAC completely or change the manifest in the executable.
UAC reads the following part in the manifest to impose access control that got into the error.
Code:
<security>
<requestedPrivileges>
<requestedExecutionLevel level="asInvoker" uiAccess="true">
</requestedExecutionLevel>
</requestedPrivileges>
</security>
"uiAccess=true" provides two tiers of security:
1. executable has to have a valid digital signature. (which most possibly means having to buy a certificate from Microsoft to perform the signing operation.)
2. executable has to be stored securely (e.g. Program Files) otherwise the flag is ignored.
To get rid of the "referral was returned" error ...
1. one could change `uiAccess="false"` (e.g. with PE explorer)
2. replace each letter of `uiAccess="true"` with space (0x20)
There could be many other sane ways around. Nonetheless, option-2 doesn't require changing the PE header and size, so creating a patch with DUP-2 remains a few clicks away.
UAC is somewhat new to me since I skipped Vista completely and made a migration to Windows 7 from XP. But, it was good to know some useful features hidden inside UAC. Hope the information helps someone. Happy reversing.
[-?-] Wondering if anyone has attempted restoring a corrupted digital signature to a valid signature on Windows executables?
[1] http://msdn.microsoft.com/en-us/library/aa374219%28v=VS.85%29.aspx
[2] http://social.msdn.microsoft.com/forums/en-US/windowssecurity/thread/4d2e1358-af95-4f4f-b239-68ec7e2525a9/
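Added example, not part of the original post: a Python check that pulls the embedded manifest out of a file's raw bytes, reports the `requestedExecutionLevel` settings discussed above, and flags a start tag padded with spaces, which is what an in-place blanking of `uiAccess="true"` leaves behind. The function names, the 8-space threshold and the sample bytes are assumptions made for this illustration.

```python
import re
import xml.etree.ElementTree as ET

def extract_manifest(blob: bytes):
    """Return the first embedded <assembly>...</assembly> document, or None."""
    m = re.search(rb"<assembly\b.*?</assembly>", blob, re.DOTALL)
    return m.group(0) if m else None

def audit_manifest(blob: bytes) -> dict:
    """Report the UAC request found in a file's embedded manifest."""
    xml_bytes = extract_manifest(blob)
    if xml_bytes is None:
        return {"manifest": False}
    root = ET.fromstring(xml_bytes)
    # Match on the local name so asm.v2 and asm.v3 trustInfo are both handled.
    elem = next((e for e in root.iter()
                 if e.tag.rsplit("}", 1)[-1] == "requestedExecutionLevel"), None)
    attrs = elem.attrib if elem is not None else {}
    # Heuristic (assumption): a long run of spaces inside the start tag
    # suggests an attribute was overwritten in place after the build.
    tag = re.search(rb"<requestedExecutionLevel\b[^>]*>", xml_bytes)
    padded = bool(tag and re.search(rb" {8,}", tag.group(0)))
    return {
        "manifest": True,
        "level": attrs.get("level"),
        # An absent uiAccess attribute is treated as false.
        "ui_access": attrs.get("uiAccess", "false").strip().lower() == "true",
        "blanked_attr_hint": padded,
    }

# Constructed sample: a fake file body holding a cut-down copy of the manifest.
MANIFEST = (
    b'<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">'
    b'<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security>'
    b'<requestedPrivileges>'
    b'<requestedExecutionLevel level="asInvoker" uiAccess="true">'
    b'</requestedExecutionLevel></requestedPrivileges></security></trustInfo>'
    b'</assembly>'
)
ORIGINAL = b"MZ\x90\x00" + b"\x00" * 16 + MANIFEST + b"\x00" * 16
BLANKED = ORIGINAL.replace(b'uiAccess="true"', b" " * 15)  # same file size

if __name__ == "__main__":
    for name, blob in (("original", ORIGINAL), ("blanked", BLANKED)):
        print(name, audit_manifest(blob))
```

The padding hint is only a triage signal; the authoritative check for a modified binary is still Authenticode verification of the file.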

