Hacker News

I wonder if they just check that WinVerifyTrust() returns OK or if they bother to also check the cert thumbprint.

Because if it's the former, it's trivial to just sign a DLL with any key and add it to the local trusted store (if needed).

Looks like they check to see if the cert issuer is a trusted root CA and then they check that the subject name is "Notepad++"
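To make the difference between the two checks discussed above concrete, here is an added PowerShell example (not Notepad++'s own code): it evaluates a plugin's Authenticode signature first the way the thread describes (trusted root plus subject name "Notepad++") and then with the signing certificate pinned by thumbprint. The plugin path and the thumbprint value are placeholders.

```powershell
function Test-PluginSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $PinnedThumbprint
    )
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate

    # Weak check, as described in the thread: the chain ends at a root the
    # machine trusts and the subject name is "Notepad++". A certificate with
    # that CN issued by any root in the local store (including one added
    # locally) satisfies it.
    $chainsToTrustedRoot = $sig.Status -eq 'Valid'
    $subjectMatches      = ($null -ne $cert) -and ($cert.Subject -like '*CN=Notepad++*')
    $weak = $chainsToTrustedRoot -and $subjectMatches

    # Hardened check: additionally pin the exact signing certificate. Rotating
    # the signing certificate then requires shipping a new pinned value.
    $pinned = $weak -and ($cert.Thumbprint -eq $PinnedThumbprint)

    [pscustomobject]@{
        Path              = $Path
        Status            = $sig.Status
        Subject           = if ($cert) { $cert.Subject } else { $null }
        Issuer            = if ($cert) { $cert.Issuer } else { $null }
        Thumbprint        = if ($cert) { $cert.Thumbprint } else { $null }
        PassesWeakCheck   = $weak
        PassesPinnedCheck = $pinned
    }
}

# Hypothetical plugin path and placeholder thumbprint (constructed for this example).
Test-PluginSignature -Path 'C:\Program Files\Notepad++\plugins\Example\Example.dll' `
                     -PinnedThumbprint 'PLACEHOLDER_SHA1_THUMBPRINT'
```

As the rest of the thread points out, neither check helps once the host is already compromised, since the executable doing the checking can itself be replaced.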


Yeah, that's trivial to bypass on a compromised machine without touching their binaries or hijacking system APIs.

To be fair, most things are trivial to bypass on a compromised machine. In fact what would even be the point of loading arbitrary code into Notepad++ on an already compromised machine?

The author of Notepad++ even said it, "It doesn't prevent your original notepad++.exe from being replaced by modified notepad++.exe while the CIA is controlling your PC."

If the CIA is already on your compromised machine and they want to target a user of Notepad++, then they would just patch Notepad++ itself.

Are the permissions necessary to add a key to the local trusted store significantly less powerful than the permissions necessary to modify kernel memory?

For instance, can adding a key to the local trusted store allow someone to forge a windows update?
