peterg70
January 13th, 2004, 20:49
I have a DLL that is used as part of webpage (ASP code). This DLL now shows a Expired Now please purchase information. So I thought bring out trusty debugger and have a look see.
The following Information I have found out.
1) the DLL is called when required by the webpage via Inetinfo (Personal Webserver). No significant registry checks are conducted.
2) Filemon shows no weird activity License file etc
3) DLL is digitally signed by Verisign. Sign Algo md5RSA RSA (512bits)
It has a 'Valid from' and 'Valid to' date
Also a 'Signing Time'
4) DLL is written In Visual Basic 6.0 (PEid)
5) Found expiration Date after installing today is 1 March So more than 30 Days. (moving Date forward Produces 'Please Register Me Option'. Moving Date back clears the Please Register Me.)
So question is what method of attack is going to work.
Can the Dll use the Digital Signature Date Information to check for expiration.
Can the Digital Signature be removed.
What information is entered into the registry when you regsvr32 the DLL.
Is an installation date stored anywhere in the system???
How do you patch a digitally signed DLL?? (no loaders to path memory)
Actually debugging is also interesting. What method of investigation will lead me down the path
Peterg70
Edit: Does anyone have a listing of the Functions contained inside the MSVBVM60.DLL file. Something Like an API reference file. Name,ShortDescr,Arguements,Return
The following Information I have found out.
1) the DLL is called when required by the webpage via Inetinfo (Personal Webserver). No significant registry checks are conducted.
2) Filemon shows no weird activity License file etc
3) DLL is digitally signed by Verisign. Sign Algo md5RSA RSA (512bits)
It has a 'Valid from' and 'Valid to' date
Also a 'Signing Time'
4) DLL is written In Visual Basic 6.0 (PEid)
5) Found expiration Date after installing today is 1 March So more than 30 Days. (moving Date forward Produces 'Please Register Me Option'. Moving Date back clears the Please Register Me.)
So question is what method of attack is going to work.
Can the Dll use the Digital Signature Date Information to check for expiration.
Can the Digital Signature be removed.
What information is entered into the registry when you regsvr32 the DLL.
Is an installation date stored anywhere in the system???
How do you patch a digitally signed DLL?? (no loaders to path memory)
Actually debugging is also interesting. What method of investigation will lead me down the path
Peterg70
Edit: Does anyone have a listing of the Functions contained inside the MSVBVM60.DLL file. Something Like an API reference file. Name,ShortDescr,Arguements,Return