Are Windows DLLs signed by Microsoft? Can I detect if they've been tampered with by a third party?

Question

I'm implementing a locking and copy protection system for my software. I've shut every hole that would allow someone to break my lock (well, that's a little too optimistic, I know!) but the last thing is this:

I hear crackers can change Windows DLLs like Kernel32.dll in a way that the API I use returns a value which is specified by the cracker. I need to prevent this.

At first I thought I could make a hash value for every DLL I use, and check that hash against the calculated hash of the client DLL to see if the file is changed. That won't work since there are many different versions of the DLL for different versions of Windows, and every hotfix and Service Pack provided by Microsoft could change the file.

Then I realized I could check the signature of the file to make sure it has a valid Microsoft signature. Now there are 2 questions:

1. Does Microsoft sign Windows DLLs? How can I find some info on this signature?
2. Is a Public key provided to validate the signature? How do I use this key to validate the file?

Any walkthroughs are greatly appreciated. My app is written using Visual Basic.NET.

Thanks guys.

Answer 1

MS does sign some system binaries, depending on the version of Windows and the binary. For example, if you check kernel32.dll on Windows XP:

C:\Windows\system32>sigcheck kernel32.dll
Sigcheck v1.5
Copyright (C) 2004-2008 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\Windows\system32\kernel32.dll:

Verified: Signed
Signing date: 02:07 14/04/2008
Publisher: Microsoft Corporation
Description: Windows NT BASE API Client DLL
Product: Microsoft« Windows« Operating System
Version: 5.1.2600.3119
File version: 5.1.2600.3119 (xpsp_sp2_grd.070416-1301) 

You can also use sigcheck to do stuff like find all unsigned binaries in a specific folder, e.g.

sigcheck -u -e c:\windows\system32 

I believe that the answer to your second question is "no", although MS does use root certificates for some validation purposes. It doesn't publish public keys in its Windows system binaries because the key pairs can and do change.

But fundamentally if you don't trust the OS, then you're fubar anyway.

Just face it, your app will be cracked. My advice would be to spend only 1% of your effort on slowing down the cracking process, and 99% on creating something that's worth cracking.