The surrogate binary is currently extracted to current_exe().parent() and is unsigned. This creates two related concerns.
Problem 1: Extraction location
Extracting to the executable directory requires write permissions, which may not be available in all deployments (read-only container images, restricted Program Files installs). Alternative locations (%TEMP%, %LOCALAPPDATA%) each have tradeoffs — particularly AV products flagging "write exe to temp → execute" as a malware dropper pattern.
Problem 2: Authenticode signing
The surrogate binary is currently unsigned. Signing it would:
- Eliminate AV false positives regardless of extraction location
- Enable extraction to temp or other locations without AV interference
- Allow WDAC/AppLocker policies to trust it
Options for extraction location
| Location | Write perms | AV risk | Notes |
|---|---|---|---|
| Exe dir (current) | Needs write access | Low | Expected location for supporting binaries |
| %LOCALAPPDATA%\hyperlight\ | Always writable | Medium | Less suspicious than temp |
| %TEMP% | Always writable | High | AV red flag — top malware dropper pattern |
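The table above lists candidate directories in order of preference; a practical implementation walks that list, probes each directory for writability instead of assuming it, and avoids re-dropping the surrogate on every start (each rewrite is another "write exe, then execute" event for an AV engine to flag). The example below is an added illustration of that selection logic, not hyperlight's own extraction code. The function names (`candidate_dirs`, `is_writable`, `pick_dir`, `extract_if_changed`), the `hyperlight` subdirectory, the sample `surrogate.exe` name and the sample bytes are all hypothetical. It uses only the Rust standard library and runs on any platform, since the environment lookup is injected rather than hard-coded to Windows.

```rust
use std::env;
use std::fs::{self, OpenOptions};
use std::io::Write;
use std::path::{Path, PathBuf};

/// Ordered candidate directories, most preferred first, mirroring the table:
/// the executable's directory, then %LOCALAPPDATA%\hyperlight, then %TEMP%\hyperlight.
/// `env_lookup` is injected so the selection logic can be tested without touching
/// the real environment. (Hypothetical helper, not hyperlight's API.)
pub fn candidate_dirs(
    exe_dir: &Path,
    env_lookup: impl Fn(&str) -> Option<String>,
) -> Vec<PathBuf> {
    let mut dirs = vec![exe_dir.to_path_buf()];
    if let Some(local) = env_lookup("LOCALAPPDATA") {
        dirs.push(Path::new(&local).join("hyperlight"));
    }
    if let Some(tmp) = env_lookup("TEMP") {
        dirs.push(Path::new(&tmp).join("hyperlight"));
    }
    dirs
}

/// Probe writability by actually creating a file (creating the directory first
/// if needed). Read-only images and restricted Program Files installs fail here
/// rather than at the later extraction step.
pub fn is_writable(dir: &Path) -> bool {
    if fs::create_dir_all(dir).is_err() {
        return false;
    }
    let probe = dir.join(format!(".probe-{}", std::process::id()));
    let ok = OpenOptions::new()
        .write(true)
        .create_new(true)
        .open(&probe)
        .is_ok();
    let _ = fs::remove_file(&probe);
    ok
}

/// First writable candidate, or None if every location is read-only.
pub fn pick_dir(candidates: &[PathBuf]) -> Option<PathBuf> {
    candidates.iter().find(|d| is_writable(d)).cloned()
}

/// Write `bytes` to `dir/name` only when the on-disk copy differs, so a restart
/// does not repeat the drop-and-execute pattern. Writes go to a temporary
/// sibling and are renamed into place so a partially written binary is never
/// the file that gets executed. Returns Ok(true) when a write happened.
pub fn extract_if_changed(dir: &Path, name: &str, bytes: &[u8]) -> std::io::Result<bool> {
    let target = dir.join(name);
    if let Ok(existing) = fs::read(&target) {
        if existing == bytes {
            return Ok(false);
        }
    }
    let tmp = dir.join(format!("{name}.tmp-{}", std::process::id()));
    let mut f = OpenOptions::new()
        .write(true)
        .create(true)
        .truncate(true)
        .open(&tmp)?;
    f.write_all(bytes)?;
    f.sync_all()?;
    drop(f);
    fs::rename(&tmp, &target)?;
    Ok(true)
}

fn main() {
    // Stand-alone demo against the real process environment.
    let exe_dir = env::current_exe()
        .ok()
        .and_then(|p| p.parent().map(Path::to_path_buf))
        .unwrap_or_else(|| PathBuf::from("."));
    let dirs = candidate_dirs(&exe_dir, |k| env::var(k).ok());
    match pick_dir(&dirs) {
        Some(d) => println!("surrogate would be extracted to {}", d.display()),
        None => println!("no writable location among {} candidates", dirs.len()),
    }
}
```

The probe deliberately creates a real file rather than inspecting permission bits, because ACLs, read-only mounts and container overlays all lie to a metadata-only check. Signing (Problem 2) is orthogonal to this logic: a signed surrogate can be dropped into whichever directory wins the probe without the location alone driving an AV verdict.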