3

I have a large number of EXE files and need to figure out which ones have digital signatures. Does anyone know if there is a way to check without access to WinVerifyTrust (they're all on a Unix server).

I can't seem to find any information on where the digital signature actually is inside the EXE. If I could find out where it is I might be able to open the file and fseek to a location to test. I don't need to do "real" verification on the certificate, I just want to see if a digital signature is present (or, more importantly, NOT present) without having to use WinVerifyTrust.

poupou
  • 43,413
  • 6
  • 77
  • 174
Mitchell V
  • 837
  • 1
  • 7
  • 13
  • I havent tested this, but you might be able to do so with mono and the `chktrust` utility. – datasage Jun 25 '11 at 02:48
  • Thanks, I thought about that but I'd rather have some way of looking into the file directly rather than fully validating the certificate. It's something that will have to be run on a schedule for thousands of files at a time and I'm afraid chktrust (or even using WinVerifyTrust) would be too slow. If I could figure out where the digital signature should be inside the EXE, it seems like that would be fastest. Thanks! – Mitchell V Jun 25 '11 at 14:02

3 Answers3

1

As mentioned above, the solely presence of the IMAGE_DIRECTORY_ENTRY_SECURITY directory is a clear indicator to detect the presence of a signature inside a PE file. If you have a large amount of files to test and want to filter these, just testing the presence of this standard directory is valid. You don't need a library to do this.

mox
  • 6,084
  • 2
  • 23
  • 35
  • this is how PeStudio (http://www.winitor.com) detects this indicator when handling a PE image. – mox Dec 31 '12 at 18:39
1

I tried to solve the problem in the same situation. I recommend osslsigncode. This is an implementation of windows authenticode with openssl.
https://github.com/develar/osslsigncode

Below is a code block excerpt from osslsigncode.

siglen = GET_UINT32_LE(indata + peheader + 152 + pe32plus*16 + 4);

If siglen is 0 in osslsigncode, it determines that there is no signature.

If you just want to check the signature, you don't need a library.
However, see osslsigncode for help.

bemaru
  • 101
  • 1
  • 7
0

You can find this information using code from Mono.Security.dll AuthenticodeBase [1]

[1] https://github.com/mono/mono/blob/master/mcs/class/Mono.Security/Mono.Security.Authenticode/AuthenticodeBase.cs

Your best hint (if an authenticode signature is present) is:

 // 2.2. Locate IMAGE_DIRECTORY_ENTRY_SECURITY (offset and size)
 dirSecurityOffset = BitConverterLE.ToInt32 (fileblock, peOffset + 152);
 dirSecuritySize = BitConverterLE.ToInt32 (fileblock, peOffset + 156);

if dirSecuritySize is larger than 8 then there's an signature entry (valid or not).

poupou
  • 43,413
  • 6
  • 77
  • 174