I need to parse a PE file to extract all signature details in it:

- Version
- Issuer
- Serial number
- Digest algorithm
- Digest encryption algorithm
- Authenticated attributes
    + Content Type
    + 1.3.6.1.4.1.311.2.1.11
    + Message Digest
    + 1.3.6.1.4.1.311.2.1.12
- Unauthenticated attributes
    + 1.3.6.1.4.1.311.3.3.1

But I didn't find any solution yet. I think all the solutions that I found can't extract the complete information that I need.

I used AnalyzePESig. I think it was the most complete tool that I found. But the output of this tool is as follows:

- Issuer
- Serial number
- Digest algorithm
- Digest encryption algorithm

and I can't find:

- Authenticated attributes
    + Content Type
    + 1.3.6.1.4.1.311.2.1.11
    + Message Digest
    + 1.3.6.1.4.1.311.2.1.12
- Unauthenticated attributes
    + 1.3.6.1.4.1.311.3.3.1

I also used osslsigncode, Disitool, signtool and Mark’s sigcheck.

Could you please help me find an appropriate solution?

  • Are you asking how to extract signing information from Authenticode-signed executables? PowerShell's [Get-AuthenticodeSignature](https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-authenticodesignature?view=powershell-6) returns the signature information. You can use that command programmatically, or you can copy the implementation from the [SignatureHelper](https://github.com/PowerShell/PowerShell/blob/master/src/System.Management.Automation/security/Authenticode.cs#L272) file – Panagiotis Kanavos Sep 04 '19 at 07:26
  • If you check similar SO questions [like this one](https://stackoverflow.com/questions/6596327/how-to-check-if-a-file-is-signed-in-c/6597017#6597017) you'll see that they use P/Invoke and the Catalog APIs or the WinVerifyTrust function. PowerShell's SignatureHelper file does the same. – Panagiotis Kanavos Sep 04 '19 at 07:28
  • @PanagiotisKanavos "Get-AuthenticodeSignature" just says whether it has a valid signature or not ... I need to extract all digital signature details – S. Ensiye Kiyamousavi Sep 04 '19 at 09:24
  • That's not what the docs or the source code shows. `Get-AuthenticodeSignature` returns signature information. It may not be all the information needed in your specific case. You can return more information by copying and modifying the source code. – Panagiotis Kanavos Sep 04 '19 at 09:34
  • If you check SignatureHelper's code you'll see it loads the certificate using the same method as [this possibly duplicate question](https://stackoverflow.com/questions/48525856/reading-digital-certificate-from-the-file). After that, it uses the X509Certificate2 class to extract more info. – Panagiotis Kanavos Sep 04 '19 at 09:40

0 Answers
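
An added example, not part of the original question or its comments: Python that reads the `WIN_CERTIFICATE` entries from a PE file's security data directory and lists the OIDs of the authenticated (`[0]`) and unauthenticated (`[1]`) attributes of each PKCS#7 SignerInfo, the fields the question reports as missing from tool output. The function names are hypothetical, and the DER walker assumes definite lengths and single-byte tags.

```python
import struct

def win_certificates(pe):
    """Return [(revision, cert_type, blob)] from the PE attribute certificate table."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = e_lfanew + 24                        # skip PE signature + COFF header
    dirs = opt + {0x10B: 96, 0x20B: 112}[struct.unpack_from("<H", pe, opt)[0]]
    off, size = struct.unpack_from("<II", pe, dirs + 8 * 4)  # entry 4; a file offset, not an RVA
    out, end = [], min(off + size, len(pe))
    while off + 8 <= end:
        length, rev, ctype = struct.unpack_from("<IHH", pe, off)
        if length < 8 or off + length > end:
            raise ValueError("corrupt WIN_CERTIFICATE entry")
        out.append((rev, ctype, pe[off + 8:off + length]))
        off += (length + 7) & ~7               # entries are 8-byte aligned
    return out

def der(buf):  # yield (tag, value) for each definite-length TLV in buf
    pos = 0
    while pos + 2 <= len(buf):
        tag, n, pos = buf[pos], buf[pos + 1], pos + 2
        if n & 0x80:                           # long form: low 7 bits = length-of-length
            k = n & 0x7F
            n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
        yield tag, buf[pos:pos + n]
        pos += n

def oid(b):
    arcs, v = [b[0] // 40, b[0] % 40], 0
    for c in b[1:]:
        v = (v << 7) | (c & 0x7F)
        if not c & 0x80:                       # high bit clear ends this arc
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))

def signer_attributes(pkcs7):
    """Yield, per SignerInfo, the attribute OIDs found under tags [0] and [1]."""
    _, content_info = next(der(pkcs7))         # ignores padding after the blob
    _, wrapped = list(der(content_info))[1]    # [0] EXPLICIT SignedData
    _, signed_data = next(der(wrapped))
    signer_infos = [v for t, v in der(signed_data) if t == 0x31][-1]  # last SET
    for _, si in der(signer_infos):
        found = {0xA0: [], 0xA1: []}
        for tag, val in der(si):
            if tag in found:                   # each Attribute is SEQUENCE { OID, SET }
                found[tag] = [oid(next(der(a))[1]) for _, a in der(val)]
        yield {"authenticated": found[0xA0], "unauthenticated": found[0xA1]}
```

Call `win_certificates(open(path, "rb").read())` and pass each blob whose type is `0x0002` (PKCS#7 SignedData) to `signer_attributes`; attribute values can be decoded by walking the SET that follows each OID with the same `der` helper.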