Can I check integrity of the caller process?

As described in this question , you can perform checks in OnOpenFile/OnCreateFile callbacks / event handlers. Authenticode signature of the process' main EXE file and all its DLLs can be verified using /n software's PKIBlackbox.

Such check should be performed from OnOpenFileC/OnCreateFileC, but to improve performance you need to cache validation results.

For example, you need to calculate CRC32 of the EXE file and remember it together with validation result. On next checks, you don't perform full validation but only compare the CRC32. If the CRC differs, then you don't need full certificate re-validation.

Ready to get started?

Learn more about Callback Technologies or download a free trial.

Download Now