26

Re: The list of loaded DLL modules

Hello, ononim, you wrote:

O> They are signed through the catalog. That is why I also pointed to: Author: ononim Date: 03.11 19:44

Yes, I saw your message, but as I remember, I once specifically checked all the system DLLs, and it turned out that not all of them are signed.

27

Re: The list of loaded DLL modules

O>> They are signed through the catalog. That is why I also pointed to: Author: ononim Date: 03.11 19:44

R> Yes, I saw your message, but as I remember, I once specifically checked all the system DLLs, and it turned out that not all of them are signed.

Normally all of them are signed. There is even sigverif.exe, which checks the signatures of all system files. Though, by the way, it seems that since Vista it checks only drivers by default, which is strange. But in general, there should be no unsigned exe/dll on a clean system.

28

Re: The list of loaded DLL modules

Hello, ononim, you wrote:

O> Normally all of them are signed. There is even sigverif.exe, which checks the signatures of all system files. Though, by the way, it seems that since Vista it checks only drivers by default, which is strange. But in general, there should be no unsigned exe/dll on a clean system.

I checked, out of curiosity. On 7 x86 SP1 RU, the following files in the system32 folder were not signed:

systemcpl.dll
user32.dll
winver.exe

On 8.1 x86, as you said, all dll and exe files in the system32 folder are signed. If you take the whole Windows folder, there are many more unsigned files on both systems, though almost all of them are in "Windows\assembly\".

29

Re: The list of loaded DLL modules

O>> Normally all of them are signed. There is even sigverif.exe, which checks the signatures of all system files. Though, by the way, it seems that since Vista it checks only drivers by default, which is strange. But in general, there should be no unsigned exe/dll on a clean system.

R> I checked, out of curiosity.
R> On 7 x86 SP1 RU, the following files in the system32 folder were not signed:
R>
R> systemcpl.dll
R> user32.dll
R> winver.exe
R>

That is strange. Either it is the consequence of a virus infection (even a cured one: antiviruses do not fully restore a file), or some glitches.

R> On 8.1 x86, as you said, all dll and exe files in the system32 folder are signed.
R> If you take the whole Windows folder, there are many more unsigned files on both systems, though almost all of them are in "Windows\assembly\".

Maybe their catalogs are stored in another place. I do not recall the specific details about /assembly, and I have no Windows at hand.

30

Re: The list of loaded DLL modules

Hello, ononim, you wrote:

O> And VerifyCatalogSignature does not work?

Yes, I tried it, for example:

CodeSigning.exe -c c:\Windows\System32\tquery.dll
CodeSigning.exe -c c:\Windows\System32\imageres.dll

and in both cases: Hash was not found in any catalogs.

Though I looked on Win7 SP1 x64, and the example there seems to be for Win8, because it uses CryptCATAdminAcquireContext2() and CryptCATAdminCalcHashFromFileHandle2(). Although there were no conflicts with Wintrust.dll at startup. I just do not have Win8 at hand right now. I will try on Win8.1, and I will try changing the calls to CryptCATAdminAcquireContext() and CryptCATAdminCalcHashFromFileHandle(). They seem to exist since XP. Maybe that is the reason...

31

Re: The list of loaded DLL modules

Hello, - prus - you wrote:

P> I will try on Win8.1, and I will try changing the calls to CryptCATAdminAcquireContext() and CryptCATAdminCalcHashFromFileHandle(). They seem to exist since XP. Maybe that is the reason...

I replaced the calls CryptCATAdminAcquireContext2 -> CryptCATAdminAcquireContext, CryptCATAdminAcquireContext2 -> CryptCATAdminAcquireContext, CryptCATAdminCalcHashFromFileHandle2 -> CryptCATAdminCalcHashFromFileHandle. Tried on Vista SP2 x64, Win7 SP1 x64, Win8.1 x64. It seems to work: "HASH was found in catalog...", i.e. it finds the hash for binary modules, but on Vista, for some reason, it does not find the signature for the same tquery.dll. I have not checked everything yet.
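
A way to repeat the system32 survey discussed in the thread without custom code, as an added example that is not part of any post: `Get-AuthenticodeSignature` checks both embedded and catalog signatures, and its `SignatureType` property reports which one matched. The script parameters and the `Get-SignatureKind` helper are names assumed for illustration.

```powershell
# Added example (not from the thread). Needs Windows PowerShell 5.1 or later,
# where Get-AuthenticodeSignature reports SignatureType and IsOSBinary.
param(
    [string]$Root = "$env:SystemRoot\System32",    # folder surveyed in the thread
    [string[]]$Extensions = @('.dll', '.exe')
)

function Get-SignatureKind {
    param([Parameter(Mandatory)][string]$Path)
    try {
        $sig = Get-AuthenticodeSignature -LiteralPath $Path -ErrorAction Stop
    } catch {
        # Locked or unreadable file: report it instead of aborting the survey.
        return [pscustomobject]@{ Path = $Path; Kind = 'Error'
                                  Status = $_.Exception.Message; OSBinary = $false }
    }
    $status = [string]$sig.Status
    $kind = switch ($status) {
        'Valid'     { [string]$sig.SignatureType }   # 'Authenticode' (embedded) or 'Catalog'
        'NotSigned' { 'Unsigned' }                   # no embedded signature, no catalog entry
        default     { 'Invalid' }                    # HashMismatch, NotTrusted, ...
    }
    [pscustomobject]@{ Path = $Path; Kind = $kind
                       Status = $status; OSBinary = [bool]$sig.IsOSBinary }
}

$results = Get-ChildItem -LiteralPath $Root -File -ErrorAction SilentlyContinue |
    Where-Object { $Extensions -contains $_.Extension.ToLowerInvariant() } |
    ForEach-Object { Get-SignatureKind -Path $_.FullName }

# Totals per kind, then every file that did not verify as signed.
$results | Group-Object Kind | Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize
$results | Where-Object { $_.Kind -notin 'Authenticode', 'Catalog' } |
    Sort-Object Path | Format-Table Path, Kind, Status -AutoSize
```

Run it from a 64-bit PowerShell on 64-bit Windows; a 32-bit process is redirected from System32 to SysWOW64 and surveys a different set of files.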