2

OSR published a Q&A session with someone from Microsoft on their blog. The topic were the changes in requirements of Windows 10 driver signing compared to earlier Windows versions.

In one statement Microsoft Program Manager James Murray said (bold part):

Peter: The new driver signing procedure indicates you have to build a CAB file to upload for signing, and you sign that CAB file with your EV Cert. Why a CAB file (and not something common like a ZIP archive)? How do you build the CAB file? Is there a particular process or tool to use?

James: CAB was chosen as CABs themselves are PE files. This simplifies the signing process somewhat, as signtool.exe has “native” support. If we had chosen a ZIP Archive (note, we’d still like to move that direction), we would have needed to provide a separate signing mechanism. Something akin to the HLK studio, a small tool with the capability to sign ZIP or OPCs.

That surprised me. I am aware of plenty of the PE/COFF details, but was never under the impression that CAB files fit in there. It doesn't seem to be about self-extracting executables containing a CAB either.

I had to open a CAB file in my hex editor to see it for myself, but somehow I was unable to see in what sense the statement would be true.

Can anyone provide details as to how/why CAB files are PE files?

0xC0000022L
  • 20,597
  • 9
  • 86
  • 152

1 Answers1

4

CAB files are not, in general, PE files - they have entirely different structures.

For instance, the CAB file structure starts with the characters 'M', 'S', 'C', 'F' to identifiy it as a Microsoft Cabinet File - while a PE file's structure typically starts with an executable MS-DOS stub.

It may be possible to create a file that is both: both formats allow a certain amount of flexibility, including reserved areas, that might allow the constraints of both formats to be satisfied at once. But in general a cabinet file will not be a valid PE file.

I expect Mr Murray knew that the signtool utility could cope with PE files and CAB files, and assumed that was because CAB files were a special case of PE files, but in fact the tool just has native support for both formats.

psmears
  • 26,070
  • 4
  • 40
  • 48