// constructor for silent WinTrustDataChoice.File or WinTrustDataChoice.Catalog check
            /// <summary>
            /// Builds the trust data for a silent check of either a plain file or a catalog member.
            /// </summary>
            /// <param name="_fileName">File to verify; forwarded to the file-info or catalog-info structure.</param>
            /// <param name="isCatalog">When true, <c>dwUnionChoice</c> becomes <c>WinTrustDataChoice.Catalog</c> and a <c>WinTrustCatalogInfo</c> is marshalled; otherwise a <c>WinTrustFileInfo</c> is marshalled.</param>
            /// <param name="_hash">Forwarded to <c>WinTrustCatalogInfo</c>; unused for a plain file check.</param>
            /// <param name="_catalogPath">Forwarded to <c>WinTrustCatalogInfo</c>; unused for a plain file check.</param>
            /// <param name="hCatAdmin">Forwarded to <c>WinTrustCatalogInfo</c>; unused for a plain file check.</param>
            public WinTrustData(String _fileName, bool isCatalog, String _hash, String _catalogPath, IntPtr hCatAdmin)
            {
                // On Win7SP1+, don't allow MD2 or MD4 signatures
                var osVersion = Environment.OSVersion.Version;
                bool isWin7Sp1OrLater =
                    osVersion.Major > 6 ||
                    (osVersion.Major == 6 &&
                     (osVersion.Minor > 1 ||
                      (osVersion.Minor == 1 && !String.IsNullOrEmpty(Environment.OSVersion.ServicePack))));
                if (isWin7Sp1OrLater)
                {
                    ProvFlags |= WinTrustDataProvFlags.DisableMD2andMD4;
                }

                // Pick the structure that goes behind FileInfoPtr; only the catalog
                // path changes dwUnionChoice, the file path keeps the field's default.
                object unionPayload;
                Type unionPayloadType;
                if (isCatalog)
                {
                    dwUnionChoice    = WinTrustDataChoice.Catalog;
                    unionPayload     = new WinTrustCatalogInfo(_catalogPath, _hash, _fileName, hCatAdmin);
                    unionPayloadType = typeof(WinTrustCatalogInfo);
                }
                else
                {
                    unionPayload     = new WinTrustFileInfo(_fileName);
                    unionPayloadType = typeof(WinTrustFileInfo);
                }

                // NOTE(review): the unmanaged copy keeps any native pointers held by the
                // managed structure, which is never disposed here - confirm who owns and
                // frees those buffers, and that FileInfoPtr itself is released elsewhere.
                FileInfoPtr = Marshal.AllocCoTaskMem(Marshal.SizeOf(unionPayloadType));
                Marshal.StructureToPtr(unionPayload, FileInfoPtr, false);
            }
Exemple #2
            // constructor for silent WinTrustDataChoice.File check
            /// <summary>
            /// Builds the trust data for a silent file check by marshalling a
            /// <c>WinTrustFileInfo</c> for <paramref name="_fileName"/> into unmanaged memory.
            /// </summary>
            /// <param name="_fileName">File to verify.</param>
            public WinTrustData(string _fileName)
            {
                // This overload does not touch ProvFlags or the revocation setting, so
                // whatever defaults the fields declare are what WinVerifyTrust will see.
                var fileInfo = new WinTrustFileInfo(_fileName);
                int fileInfoSize = Marshal.SizeOf(typeof(WinTrustFileInfo));

                // NOTE(review): fileInfo is not disposed and the unmanaged copy shares any
                // native pointers it holds - confirm ownership of those buffers.
                FileInfoPtr = Marshal.AllocCoTaskMem(fileInfoSize);
                Marshal.StructureToPtr(fileInfo, FileInfoPtr, false);
            }
Exemple #3
            // call WinTrust.WinVerifyTrust() to check embedded file signature
            /// <summary>
            /// Runs WinVerifyTrust with the generic verify action against the embedded
            /// signature of <paramref name="fileName"/>.
            /// </summary>
            /// <param name="fileName">File whose embedded signature is checked.</param>
            /// <returns>
            /// True only when WinVerifyTrust reports <c>WinVerifyTrustResult.Success</c>;
            /// every other status, including "not signed", yields false.
            /// </returns>
            /// <remarks>
            /// A true result says the trust provider accepted the signature under the flags
            /// WinTrustData carries; it does not say which publisher signed the file.
            /// </remarks>
            public static bool VerifyEmbeddedSignature(string fileName)
            {
                WinTrustFileInfo fileInfo  = null;
                WinTrustData     trustData = null;

                try
                {
                    fileInfo  = new WinTrustFileInfo(fileName);
                    trustData = new WinTrustData(fileInfo);

                    Guid verifyAction = new Guid(WINTRUST_ACTION_GENERIC_VERIFY_V2);
                    return WinVerifyTrust(INVALID_HANDLE_VALUE, verifyAction, trustData) == WinVerifyTrustResult.Success;
                }
                finally
                {
                    // Release the unmanaged memory held by both structures, even when
                    // construction or the native call threw part-way through.
                    if (fileInfo != null)
                    {
                        fileInfo.Dispose();
                    }
                    if (trustData != null)
                    {
                        trustData.Dispose();
                    }
                }
            }
Exemple #4
            // constructor for silent WinTrustDataChoice.File check
            /// <summary>
            /// Builds the trust data for a silent file check with a caller-chosen
            /// revocation policy.
            /// </summary>
            /// <param name="_fileName">File to verify.</param>
            /// <param name="revocationChecks">Stored in <c>RevocationChecks</c>; decides whether revocation is consulted during verification.</param>
            public WinTrustData(String _fileName, WinTrustDataRevocationChecks revocationChecks)
            {
                RevocationChecks = revocationChecks;

                var fileInfo = new WinTrustFileInfo(_fileName);
                int fileInfoSize = Marshal.SizeOf(typeof(WinTrustFileInfo));

                // NOTE(review): fileInfo is not disposed and the unmanaged copy shares any
                // native pointers it holds - confirm ownership of those buffers.
                FileInfoPtr = Marshal.AllocCoTaskMem(fileInfoSize);
                Marshal.StructureToPtr(fileInfo, FileInfoPtr, false);
            }
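        /// <summary>
        /// Checks the embedded signature of <paramref name="fileName"/> with WinVerifyTrust.
        /// </summary>
        /// <param name="fileName">File whose embedded signature is checked.</param>
        /// <returns>
        /// True only when WinVerifyTrust returns <c>WinVerifyTrustResult.Success</c>.
        /// Despite the method name, a file that carries a signature which fails
        /// verification returns false, the same as an unsigned file.
        /// </returns>
        public bool SignatureExist(string fileName)
        {
            WinTrustFileInfo wtfi = new WinTrustFileInfo(fileName);
            try
            {
                WinTrustData wtd = new WinTrustData(wtfi);
                try
                {
                    Guid guidAction = new Guid(WINTRUST_ACTION_GENERIC_VERIFY_V2);

                    // new IntPtr(-1) is INVALID_HANDLE_VALUE: no owner window for the call.
                    WinVerifyTrustResult result = Win32Api.WinVerifyTrust(new IntPtr(-1), guidAction, wtd);

                    return result == WinVerifyTrustResult.Success;
                }
                finally
                {
                    // Previously skipped when WinVerifyTrust threw, leaking the unmanaged block.
                    wtd.Dispose();
                }
            }
            finally
            {
                // Released last because wtd was built from it; also runs when the
                // WinTrustData constructor itself throws.
                wtfi.Dispose();
            }
        }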
Exemple #6
                // constructor for silent WinTrustDataChoice.File check
                /// <summary>
                /// Builds the trust data for a silent file check from an existing
                /// <c>WinTrustFileInfo</c>, copying it into unmanaged memory.
                /// </summary>
                /// <param name="_fileInfo">File description to marshal behind <c>FileInfoPtr</c>.</param>
                public WinTrustData(WinTrustFileInfo _fileInfo)
                {
                    // On Win7SP1+, don't allow MD2 or MD4 signatures
                    var osVersion = Environment.OSVersion.Version;
                    bool isWin7Sp1OrLater =
                        osVersion.Major > 6 ||
                        (osVersion.Major == 6 &&
                         (osVersion.Minor > 1 ||
                          (osVersion.Minor == 1 && !String.IsNullOrEmpty(Environment.OSVersion.ServicePack))));
                    if (isWin7Sp1OrLater)
                    {
                        ProvFlags |= WinTrustDataProvFlags.DisableMD2andMD4;
                    }

                    // The unmanaged copy shares any native pointers _fileInfo holds, so the
                    // caller has to keep _fileInfo alive until verification has finished.
                    // NOTE(review): confirm against WinTrustFileInfo's own cleanup.
                    int fileInfoSize = Marshal.SizeOf(typeof(WinTrustFileInfo));
                    FileInfoPtr = Marshal.AllocCoTaskMem(fileInfoSize);
                    Marshal.StructureToPtr(_fileInfo, FileInfoPtr, false);
                }
Exemple #7
        /// <summary>
        /// Opens <paramref name="filePath"/> for reading, keeps the stream in <c>_file</c>,
        /// and verifies the file's signature with WinVerifyTrust.
        /// </summary>
        /// <param name="filePath">File to open and verify.</param>
        /// <returns>True only when WinVerifyTrust reports <c>WinVerifyTrustResult.Success</c>.</returns>
        /// <exception cref="ArgumentNullException"><paramref name="filePath"/> is null or empty.</exception>
        private bool IsFileTrusted(string filePath)
        {
            if (string.IsNullOrEmpty(filePath))
            {
                throw new ArgumentNullException(nameof(filePath));
            }

            // The stream is left open after this method returns.
            // NOTE(review): presumably deliberate - File.OpenRead shares the file for
            // reading only, so holding it keeps the content from being rewritten between
            // this check and later use. Confirm, and confirm _file is disposed elsewhere
            // and is not overwritten by a second call.
            _file = File.OpenRead(filePath);

            using (var fileInfo = new WinTrustFileInfo(filePath))
            using (var trustData = new WinTrustData(fileInfo))
            {
                // WinVerifyTrust is given the path again, not the handle held in _file.
                return WinVerifyTrust(IntPtr.Zero, WINTRUST_ACTION_GENERIC_VERIFY_V2, trustData) == WinVerifyTrustResult.Success;
            }
        }
Exemple #8
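        /// <summary>
        /// Asks WinVerifyTrust, with no UI and no revocation checking, whether the file at
        /// <paramref name="path"/> passes the generic Authenticode verify action.
        /// </summary>
        /// <param name="path">File to verify; resolved with <c>Path.GetFullPath</c> first.</param>
        /// <returns>True when WinVerifyTrust returns 0 (success); false for any other status.</returns>
        /// <remarks>
        /// The call uses <c>WTD_REVOKE_NONE</c>, so a file signed with a revoked certificate
        /// can still return true. A true result also does not identify the publisher;
        /// callers that need a specific signer must inspect the certificate separately.
        /// </remarks>
        public static bool IsAuthenticodeSigned(string path)
        {
            var fileInfo = new WinTrustFileInfo
            {
                cbStruct = (uint)Marshal.SizeOf<WinTrustFileInfo>(),

                pcwszFilePath  = Path.GetFullPath(path),
                hFile          = IntPtr.Zero,
                pgKnownSubject = IntPtr.Zero
            };

            IntPtr pFile = IntPtr.Zero;
            IntPtr pGuid = IntPtr.Zero;
            IntPtr pData = IntPtr.Zero;
            bool fileInfoMarshalled = false;

            try
            {
                pFile = Marshal.AllocHGlobal(Marshal.SizeOf<WinTrustFileInfo>());

                // Marshalling the structure also allocates a native copy of the path
                // string; DestroyStructure in the finally block releases it.
                Marshal.StructureToPtr(fileInfo, pFile, false);
                fileInfoMarshalled = true;

                var data = new WinTrustData
                {
                    cbStruct            = (uint)Marshal.SizeOf<WinTrustData>(),
                    dwProvFlags         = Convert.ToUInt32(Provider.WTD_SAFER_FLAG),
                    dwStateAction       = Convert.ToUInt32(StateAction.WTD_STATEACTION_IGNORE),
                    dwUIChoice          = Convert.ToUInt32(UIChoice.WTD_UI_NONE),
                    dwUIContext         = 0,
                    dwUnionChoice       = Convert.ToUInt32(UnionChoice.WTD_CHOICE_FILE),
                    fdwRevocationChecks = Convert.ToUInt32(RevocationChecks.WTD_REVOKE_NONE),
                    hWVTStateData       = IntPtr.Zero,
                    pFile               = pFile,
                    pPolicyCallbackData = IntPtr.Zero,
                    pSIPClientData      = IntPtr.Zero,
                    pwszURLReference    = IntPtr.Zero
                };

                pGuid = Marshal.AllocHGlobal(Marshal.SizeOf<Guid>());
                pData = Marshal.AllocHGlobal(Marshal.SizeOf<WinTrustData>());

                // fDeleteOld must be false: both blocks are freshly allocated and hold
                // no previous structure that could be destroyed.
                Marshal.StructureToPtr(data, pData, false);
                Marshal.StructureToPtr(new Guid(WINTRUST_ACTION_GENERIC_VERIFY_V2), pGuid, false);

                var result = WinVerifyTrust(IntPtr.Zero, pGuid, pData);

                return result == 0;
            }
            finally
            {
                // Runs on every path, so an exception no longer leaks the buffers, and
                // pFile - never freed before - is now released together with its string.
                if (pData != IntPtr.Zero)
                {
                    Marshal.FreeHGlobal(pData);
                }
                if (pGuid != IntPtr.Zero)
                {
                    Marshal.FreeHGlobal(pGuid);
                }
                if (pFile != IntPtr.Zero)
                {
                    if (fileInfoMarshalled)
                    {
                        Marshal.DestroyStructure<WinTrustFileInfo>(pFile);
                    }
                    Marshal.FreeHGlobal(pFile);
                }
            }
        }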
Exemple #9
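        /// <summary>
        /// Calls WinVerifyTrust, with no UI and no revocation checking, for the file at
        /// <paramref name="path"/> and hands back the raw status code.
        /// </summary>
        /// <param name="path">File to verify; resolved with <c>Path.GetFullPath</c> first.</param>
        /// <returns>
        /// The unmodified WinVerifyTrust return value. 0 means the verification
        /// succeeded; any other value is a failure code the caller has to treat as
        /// "not trusted".
        /// </returns>
        /// <remarks>
        /// The call uses <c>WTD_REVOKE_NONE</c>, so a revoked signing certificate does not
        /// by itself produce a failure code here.
        /// </remarks>
        public static uint IsSigned(string path)
        {
            WinTrustFileInfo fileInfo = new WinTrustFileInfo()
            {
                cbStruct       = (uint)Marshal.SizeOf(typeof(WinTrustFileInfo)),
                pcwszFilePath  = Path.GetFullPath(path),
                hFile          = IntPtr.Zero,
                pgKnownSubject = IntPtr.Zero
            };

            IntPtr pFile = IntPtr.Zero;
            IntPtr pGuid = IntPtr.Zero;
            IntPtr pData = IntPtr.Zero;
            bool fileInfoMarshalled = false;

            try
            {
                pFile = Marshal.AllocHGlobal(Marshal.SizeOf(typeof(WinTrustFileInfo)));

                // Marshalling the structure also allocates a native copy of the path
                // string; DestroyStructure in the finally block releases it.
                Marshal.StructureToPtr(fileInfo, pFile, false);
                fileInfoMarshalled = true;

                WinTrustData data = new WinTrustData()
                {
                    cbStruct            = (uint)Marshal.SizeOf(typeof(WinTrustData)),
                    dwProvFlags         = 0,
                    dwStateAction       = Convert.ToUInt32(StateAction.WTD_STATEACTION_IGNORE),
                    dwUIChoice          = Convert.ToUInt32(UIChoice.WTD_UI_NONE),
                    dwUIContext         = 0,
                    dwUnionChoice       = Convert.ToUInt32(UnionChoice.WTD_CHOICE_FILE),
                    fdwRevocationChecks = Convert.ToUInt32(RevocationChecks.WTD_REVOKE_NONE),
                    hWVTStateData       = IntPtr.Zero,
                    pFile               = pFile,
                    pPolicyCallbackData = IntPtr.Zero,
                    pSIPClientData      = IntPtr.Zero,
                    pwszURLReference    = IntPtr.Zero
                };

                pGuid = Marshal.AllocHGlobal(Marshal.SizeOf(typeof(Guid)));
                pData = Marshal.AllocHGlobal(Marshal.SizeOf(typeof(WinTrustData)));

                // fDeleteOld must be false: both blocks are freshly allocated and hold
                // no previous structure that could be destroyed.
                Marshal.StructureToPtr(data, pData, false);
                Marshal.StructureToPtr(WinTrust.WINTRUST_ACTION_GENERIC_VERIFY_V2, pGuid, false);

                return WinTrust.WinVerifyTrust(IntPtr.Zero, pGuid, pData);
            }
            finally
            {
                // Runs on every path, so an exception no longer leaks the buffers, and
                // pFile - never freed before - is now released together with its string.
                if (pData != IntPtr.Zero)
                {
                    Marshal.FreeHGlobal(pData);
                }
                if (pGuid != IntPtr.Zero)
                {
                    Marshal.FreeHGlobal(pGuid);
                }
                if (pFile != IntPtr.Zero)
                {
                    if (fileInfoMarshalled)
                    {
                        Marshal.DestroyStructure(pFile, typeof(WinTrustFileInfo));
                    }
                    Marshal.FreeHGlobal(pFile);
                }
            }
        }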
Exemple #10
            /// <summary>
            /// Runs WinVerifyTrust with the generic verify action against the embedded
            /// signature of <paramref name="path"/> and returns its status unchanged.
            /// </summary>
            /// <param name="path">File whose embedded signature is checked.</param>
            /// <returns>The status WinVerifyTrust reported; interpreting it is left to the caller.</returns>
            public static WinVerifyResult VerifyEmbeddedSignature(string path)
            {
                WinTrustFileInfo fileInfo  = null;
                WinTrustData     trustData = null;

                try
                {
                    // The action GUID selects which WinVerifyTrust policy is applied.
                    var verifyAction = new Guid(WINTRUST_ACTION_GENERIC_VERIFY_V2);

                    // Both structures own unmanaged memory from here on.
                    fileInfo  = new WinTrustFileInfo(path);
                    trustData = new WinTrustData(fileInfo);

                    WinVerifyResult verdict = WinVerifyTrust(INVALID_HANDLE_VALUE, verifyAction, trustData);
                    return verdict;
                }
                finally
                {
                    // Release whatever was constructed before an exception or the return.
                    if (fileInfo != null)
                    {
                        fileInfo.Dispose();
                    }
                    if (trustData != null)
                    {
                        trustData.Dispose();
                    }
                }
            }
Exemple #11
 // constructor for silent WinTrustDataChoice.File check
 /// <summary>
 /// Builds the trust data for a silent file check with a caller-chosen revocation policy.
 /// </summary>
 /// <param name="fileName">File to verify.</param>
 /// <param name="checks">Stored in <c>RevocationChecks</c>; decides whether revocation is consulted during verification.</param>
 internal WinTrustData(String fileName, WinTrustDataRevocationChecks checks)
 {
     WinTrustFileInfo fileInfo = new WinTrustFileInfo(fileName);
     int fileInfoSize = Marshal.SizeOf(typeof(WinTrustFileInfo));

     // NOTE(review): fileInfo is not disposed and the unmanaged copy shares any
     // native pointers it holds - confirm ownership of those buffers.
     FileInfoPtr = Marshal.AllocCoTaskMem(fileInfoSize);
     Marshal.StructureToPtr(fileInfo, FileInfoPtr, false);

     RevocationChecks = checks;
 }
Exemple #12
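        /// <summary>
        /// Asks WinVerifyTrust, with no UI and no revocation checking, whether the file at
        /// <paramref name="path"/> passes the generic Authenticode verify action.
        /// </summary>
        /// <param name="path">File to verify; resolved with <c>Path.GetFullPath</c> first.</param>
        /// <returns>True when WinVerifyTrust returns 0 (success); false for any other status.</returns>
        /// <remarks>
        /// The call uses <c>WTD_REVOKE_NONE</c>, so a file signed with a revoked certificate
        /// can still return true. A true result also does not identify the publisher;
        /// callers that need a specific signer must inspect the certificate separately.
        /// </remarks>
        public static bool IsAuthenticodeSigned(string path)
        {
            WinTrustFileInfo fileInfo = new WinTrustFileInfo()
            {
                cbStruct = (uint)Marshal.SizeOf(typeof(WinTrustFileInfo)),
                pcwszFilePath = Path.GetFullPath(path),
                hFile = IntPtr.Zero,
                pgKnownSubject = IntPtr.Zero
            };

            IntPtr pFile = IntPtr.Zero;
            IntPtr pGuid = IntPtr.Zero;
            IntPtr pData = IntPtr.Zero;
            bool fileInfoMarshalled = false;

            try
            {
                pFile = Marshal.AllocHGlobal(Marshal.SizeOf(typeof(WinTrustFileInfo)));

                // Marshalling the structure also allocates a native copy of the path
                // string; DestroyStructure in the finally block releases it.
                Marshal.StructureToPtr(fileInfo, pFile, false);
                fileInfoMarshalled = true;

                WinTrustData data = new WinTrustData()
                {
                    cbStruct = (uint)Marshal.SizeOf(typeof(WinTrustData)),
                    dwProvFlags = Convert.ToUInt32(Provider.WTD_SAFER_FLAG),
                    dwStateAction = Convert.ToUInt32(StateAction.WTD_STATEACTION_IGNORE),
                    dwUIChoice = Convert.ToUInt32(UIChoice.WTD_UI_NONE),
                    dwUIContext = 0,
                    dwUnionChoice = Convert.ToUInt32(UnionChoice.WTD_CHOICE_FILE),
                    fdwRevocationChecks = Convert.ToUInt32(RevocationChecks.WTD_REVOKE_NONE),
                    hWVTStateData = IntPtr.Zero,
                    pFile = pFile,
                    pPolicyCallbackData = IntPtr.Zero,
                    pSIPClientData = IntPtr.Zero,
                    pwszURLReference = IntPtr.Zero
                };

                pGuid = Marshal.AllocHGlobal(Marshal.SizeOf(typeof(Guid)));
                pData = Marshal.AllocHGlobal(Marshal.SizeOf(typeof(WinTrustData)));

                // fDeleteOld must be false: both blocks are freshly allocated and hold
                // no previous structure that could be destroyed.
                Marshal.StructureToPtr(data, pData, false);
                Marshal.StructureToPtr(new Guid(WINTRUST_ACTION_GENERIC_VERIFY_V2), pGuid, false);

                uint result = WinVerifyTrust(IntPtr.Zero, pGuid, pData);

                return result == 0;
            }
            finally
            {
                // Runs on every path, so an exception no longer leaks the buffers, and
                // pFile - never freed before - is now released together with its string.
                if (pData != IntPtr.Zero)
                {
                    Marshal.FreeHGlobal(pData);
                }
                if (pGuid != IntPtr.Zero)
                {
                    Marshal.FreeHGlobal(pGuid);
                }
                if (pFile != IntPtr.Zero)
                {
                    if (fileInfoMarshalled)
                    {
                        Marshal.DestroyStructure(pFile, typeof(WinTrustFileInfo));
                    }
                    Marshal.FreeHGlobal(pFile);
                }
            }
        }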
Exemple #13
        // call WinTrust.WinVerifyTrust() to check embedded file signature
        /// <summary>
        /// Runs WinVerifyTrust against the embedded signature of <paramref name="filename"/>
        /// and reports the outcome as a string.
        /// </summary>
        /// <param name="filename">File whose embedded signature is checked.</param>
        /// <returns>
        /// "Valid" on success, the name of the failure status otherwise, and "Unknown" when
        /// an exception was thrown. Only "Valid" means the signature verified; every
        /// other value, including "Unknown", must be treated as not verified.
        /// </returns>
        public static string VerifyEmbeddedSignature(string filename)
        {
            try
            {
                // specify the WinVerifyTrust function/action that we want
                Guid verifyAction = new Guid(WINTRUST_ACTION_GENERIC_VERIFY_V2);

                // NOTE(review): fileInfo is constructed but never passed on - trustData
                // builds its own from the filename - and neither object is released in
                // this method. Confirm how their unmanaged memory is reclaimed.
                WinTrustFileInfo fileInfo  = new WinTrustFileInfo(filename);
                WinTrustData     trustData = new WinTrustData(filename);

                // call into WinVerifyTrust
                WinVerifyTrustResult verdict = WinVerifyTrust(INVALID_HANDLE_VALUE, verifyAction, trustData);
                if (verdict == WinVerifyTrustResult.Success)
                {
                    return "Valid";
                }

                switch (verdict)
                {
                    case WinVerifyTrustResult.ProviderUnknown:
                        return "ProviderUnknown";
                    case WinVerifyTrustResult.ActionUnknown:
                        return "ActionUnknown";
                    case WinVerifyTrustResult.SubjectFormUnknown:
                        return "SubjectFormUnknown";
                    case WinVerifyTrustResult.SubjectNotTrusted:
                        return "SubjectNotTrusted";
                    case WinVerifyTrustResult.FileNotSigned:
                        return "FileNotSigned";
                    case WinVerifyTrustResult.SubjectExplicitlyDistrusted:
                        return "SubjectExplicitlyDistrusted";
                    case WinVerifyTrustResult.SignatureOrFileCorrupt:
                        return "SignatureOrFileCorrupt";
                    case WinVerifyTrustResult.SubjectCertExpired:
                        return "SubjectCertExpired";
                    case WinVerifyTrustResult.SubjectCertificateRevoked:
                        return "SubjectCertificateRevoked";
                    case WinVerifyTrustResult.UntrustedRoot:
                        return "UntrustedRoot";
                    default:
                        // The UI was disabled in dwUIChoice or the admin policy
                        // has disabled user trust. lStatus contains the
                        // publisher or time stamp chain error.
                        return verdict.ToString();
                }
            }
            catch (Exception e)
            {
                // Best effort: the failure is logged at debug level and reported as "Unknown".
                Log.Debug("{0} error decoding signature on {1}", e.GetType().ToString(), filename);
            }

            return "Unknown";
        }
Exemple #14
			// constructor for silent WinTrustDataChoice.File check
			/// <summary>
			/// Builds the trust data for a silent file check by marshalling a
			/// <c>WinTrustFileInfo</c> for <paramref name="_fileName"/> into unmanaged memory.
			/// </summary>
			/// <param name="_fileName">File to verify.</param>
			public WinTrustData(String _fileName) {
				// This overload does not touch ProvFlags or the revocation setting, so
				// whatever defaults the fields declare are what WinVerifyTrust will see.
				WinTrustFileInfo fileInfo = new WinTrustFileInfo(_fileName);
				int fileInfoSize = Marshal.SizeOf(typeof (WinTrustFileInfo));

				// NOTE(review): fileInfo is not disposed and the unmanaged copy shares any
				// native pointers it holds - confirm ownership of those buffers.
				FileInfoPtr = Marshal.AllocCoTaskMem(fileInfoSize);
				Marshal.StructureToPtr(fileInfo, FileInfoPtr, false);
			}
                // constructor for silent WinTrustDataChoice.File check
                /// <summary>
                /// Builds the trust data for a silent file check, rejecting MD2/MD4
                /// signatures where the OS version test below passes.
                /// </summary>
                /// <param name="_fileName">File to verify.</param>
                public WinTrustData(String _fileName)
                {
                    // On Win7SP1+, don't allow MD2 or MD4 signatures
                    var osVersion = Environment.OSVersion.Version;
                    bool isWin7Sp1OrLater =
                        osVersion.Major > 6 ||
                        (osVersion.Major == 6 &&
                         (osVersion.Minor > 1 ||
                          (osVersion.Minor == 1 && !String.IsNullOrEmpty(Environment.OSVersion.ServicePack))));
                    if (isWin7Sp1OrLater)
                    {
                        ProvFlags |= WinTrustDataProvFlags.DisableMD2andMD4;
                    }

                    var fileInfo = new WinTrustFileInfo(_fileName);
                    int fileInfoSize = Marshal.SizeOf(typeof(WinTrustFileInfo));

                    // NOTE(review): fileInfo is not disposed and the unmanaged copy shares any
                    // native pointers it holds - confirm ownership of those buffers.
                    FileInfoPtr = Marshal.AllocCoTaskMem(fileInfoSize);
                    Marshal.StructureToPtr(fileInfo, FileInfoPtr, false);
                }
Exemple #16
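        /// <summary>
        /// Runs WinVerifyTrust against the embedded signature of <paramref name="filename"/>
        /// and reports the outcome as a string.
        /// </summary>
        /// <param name="filename">File whose embedded signature is checked.</param>
        /// <returns>
        /// "Valid" on success, the name of the failure status otherwise, and
        /// "FailedToFetch" when an exception was thrown. Only "Valid" means the signature
        /// verified; every other value must be treated as not verified.
        /// </returns>
        public static string VerifyEmbeddedSignature(string filename)
        {
            try
            {
                WinTrustFileInfo winTrustFileInfo = null;
                WinTrustData     winTrustData     = null;

                // specify the WinVerifyTrust function/action that we want
                Guid action = new Guid(WINTRUST_ACTION_GENERIC_VERIFY_V2);

                // instantiate our WinTrustFileInfo and WinTrustData data structures
                // NOTE(review): winTrustFileInfo is never passed on - winTrustData builds
                // its own from the filename - and neither object is released in this
                // method. Confirm how their unmanaged memory is reclaimed.
                winTrustFileInfo = new WinTrustFileInfo(filename);
                winTrustData     = new WinTrustData(filename);

                // call into WinVerifyTrust
                WinVerifyTrustResult result = WinVerifyTrust(INVALID_HANDLE_VALUE, action, winTrustData);
                switch (result)
                {
                    case WinVerifyTrustResult.Success:
                        return "Valid";

                    case WinVerifyTrustResult.ProviderUnknown:
                        return "ProviderUnknown";

                    case WinVerifyTrustResult.ActionUnknown:
                        return "ActionUnknown";

                    case WinVerifyTrustResult.SubjectFormUnknown:
                        return "SubjectFormUnknown";

                    case WinVerifyTrustResult.SubjectNotTrusted:
                        return "SubjectNotTrusted";

                    case WinVerifyTrustResult.FileNotSigned:
                        return "FileNotSigned";

                    case WinVerifyTrustResult.SubjectExplicitlyDistrusted:
                        return "SubjectExplicitlyDistrusted";

                    case WinVerifyTrustResult.SignatureOrFileCorrupt:
                        return "SignatureOrFileCorrupt";

                    case WinVerifyTrustResult.SubjectCertExpired:
                        return "SubjectCertExpired";

                    case WinVerifyTrustResult.SubjectCertificateRevoked:
                        return "SubjectCertificateRevoked";

                    case WinVerifyTrustResult.UntrustedRoot:
                        return "UntrustedRoot";

                    default:
                        // The UI was disabled in dwUIChoice or the admin policy
                        // has disabled user trust. lStatus contains the
                        // publisher or time stamp chain error.
                        return result.ToString();
                }
            }
            // The former filter (AccessViolationException || Exception) was always true,
            // because every object caught here is an Exception; a plain catch does the same.
            catch (Exception e)
            {
                var exceptionEvent = new Dictionary<string, string>
                {
                    { "Exception Type", e.GetType().ToString() }
                };

                AsaTelemetry.TrackEvent("VerifyEmbeddedSignatureException", exceptionEvent);
                return "FailedToFetch";
            }
        }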