
I've been trying to check for digital signatures on .cab (Windows cabinet) files programmatically. This will likely be deployed on a linux box so I can't use WinVerifyTrust. I've been using Sigcheck to get the actual value (it will show you whether signed or not, and who signed the leaf cert) and I've also looked at Detect a digital signature without WinVerifyTrust which is pretty similar.

I've gotten Hex Editor Neo to scan for any relevant patterns, since my cab files are often too big for Offvis.

Edit: Further inspection with Neo shows the presence of certificates near the end of the file, but I'm not sure how to use this more generally.

How do you know if a cab file has been signed? What fields do you look for? Is there something similar to IMAGE_DIRECTORY_ENTRY_SECURITY in PE files? Whether you can write a class to describe its structure or just scan for particular fields using a hexdumper, I'm open to any suggestions. My plan is to eventually write a struct for it when I can get a hold on how to represent a signed cab file.

Edit: Getting back to it after a couple of days, it seems CAB file signatures begin at an arbitrary distance from the end of the actual cabinets. You can see the hex bytes of the cert from a Hex Editor, or use SigCheck to verify whether the file is signed or not. But no logic suggests itself to me as to how to account for this.
Any insights?

Vishwa
  • It might help to know that signing is usually (always?) done after building as a separate step. MS apps like SignTool append to the file, but are also smart enough to replace existing certs. I'd try looking at the source code for a signing tool (OSSLSignCode is one for linux) to see how they find existing certs. If that failed I'd try either working backwards from the end of file, or just scanning for "this is a signature" headers in the file (like how some archive tools can find the Zip archive embedded in a self-extracting file) – Dave S Jul 25 '17 at 20:23
  • @DaveS: That's exactly what I'm doing at the moment. Modifying osslsigncode (which has no support for cab files) and also looking for patterns at the end of a file. Do you have any ideas what might be worth looking out for? SigCheck does this, but I'm not sure how sigcheck works. – Vishwa Jul 25 '17 at 20:43
  • My only idea (besides looking at existing apps) is to scan for the 3 types I know have been used (MD5, SHA-1, SHA-256). If you know the maximum size of each type, I don't expect a CAB will ever have more than 2 of them (SHA-1 + -256 together) so you can start scanning near the end of the file at length - max(sizeof(MD5), (sizeof(SHA-1) + sizeof(SHA-256))) – Dave S Jul 25 '17 at 23:12
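As an added example (not the poster's code, and not taken from osslsigncode or Sigcheck), the following Python reads the CFHEADER instead of scanning backwards from the end of the file. The CAB field offsets (the `MSCF` magic at 0, `flags` at 30, `cbCFHeader` at 36) are from the cabinet format; the 20-byte reserve layout for signed cabinets (a `0x00100000` tag, then the signature offset and length) is an assumption about how Authenticode signing tools fill the reserve area, and the input is a constructed fixture, not a real signed cabinet.

```python
import struct

CAB_MAGIC = b"MSCF"
FLAG_RESERVE_PRESENT = 0x0004    # cfhdrRESERVE_PRESENT bit in CFHEADER.flags (offset 30)
SIGNED_RESERVE_LEN = 20          # assumed cbCFHeader value written by Authenticode signing tools
SIGNED_RESERVE_TAG = 0x00100000  # assumed marker in the first 4 bytes of the header reserve


def find_cab_signature(data: bytes):
    """Return (offset, length) of the appended PKCS#7 blob, or None if the cab is unsigned."""
    if len(data) < 36 or data[:4] != CAB_MAGIC:
        raise ValueError("not a cabinet file")
    flags = struct.unpack_from("<H", data, 30)[0]
    if not flags & FLAG_RESERVE_PRESENT:
        return None  # no reserve area, so there is nowhere to record a signature
    cb_cfheader, _cb_cffolder, _cb_cfdata = struct.unpack_from("<HBB", data, 36)
    if cb_cfheader != SIGNED_RESERVE_LEN:
        return None  # reserve present but not the signed-cabinet layout
    tag, sigpos, siglen = struct.unpack_from("<III", data, 40)
    if tag != SIGNED_RESERVE_TAG or siglen == 0:
        return None
    # Bounds-check against the real buffer length, never against the header's own size fields.
    if sigpos < 40 + SIGNED_RESERVE_LEN or sigpos + siglen > len(data):
        raise ValueError("signature pointer lies outside the file")
    if data[sigpos] != 0x30:  # DER SEQUENCE: a PKCS#7 ContentInfo always starts this way
        raise ValueError("reserve area points at non-DER bytes")
    return sigpos, siglen


def build_sample_cab(body: bytes, signature: bytes) -> bytes:
    """Constructed fixture: CFHEADER + 20-byte signed-style reserve + dummy body + signature."""
    header_len = 36 + 4 + SIGNED_RESERVE_LEN
    sigpos = header_len + len(body)
    total = sigpos + len(signature)
    hdr = struct.pack("<4sIIIIIBBHHHHH", CAB_MAGIC, 0, total, 0, header_len, 0,
                      3, 1, 0, 0, FLAG_RESERVE_PRESENT, 0x1234, 0)
    hdr += struct.pack("<HBB", SIGNED_RESERVE_LEN, 0, 0)  # cbCFHeader, cbCFFolder, cbCFData
    hdr += struct.pack("<III", SIGNED_RESERVE_TAG, sigpos, len(signature)) + bytes(8)
    return hdr + body + signature


# Constructed inputs: the "signature" is a DER-looking stand-in, not a real Authenticode blob.
FAKE_PKCS7 = b"\x30\x82\x01\x00" + b"\xaa" * 16
SIGNED_CAB = build_sample_cab(b"\x00" * 16, FAKE_PKCS7)
UNSIGNED_CAB = struct.pack("<4sIIIIIBBHHHHH", CAB_MAGIC, 0, 36, 0, 36, 0, 3, 1, 0, 0, 0, 0, 0)

if __name__ == "__main__":
    print(find_cab_signature(SIGNED_CAB))    # (76, 20)
    print(find_cab_signature(UNSIGNED_CAB))  # None
```

Locating the blob only tells you where the PKCS#7 structure is; the returned slice still has to be parsed and the chain and the cabinet hash verified before the file is treated as trusted.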

0 Answers