导航

Digital signature

Posted on 2013-12-10 23:35  littledot  阅读(651)  评论(0编辑  收藏  举报

Executables (PE files) can have a digital signature, Microsoft calls this signature AuthentiCode. There are 2 different ways to sign a PE file: by adding a digital signature to the PE file (embedded digital signature) or by adding a hash of the PE file to a security catalog file (filetype .CAT).

The Properties dialog of a file hosts a Digital Signatures tab when the PE file has an embedded digital signature, like this Windows patch from Microsoft:

patch-properties.png

But when a file is signed via a security catalog file, the Digital Signatures tab is not displayed. Notepad is a good example:

notepad-properties.png

To check the digital signature of this category of files, one uses Microsoft’s signtool or Mark’s sigcheck utility:

notepad-signcheck.png

These tools will calculate the hash of the file, look it up in the appropriate security catalog file and check the signature of the security catalog file. One can find security catalog files in directory C:\windows\system32\catroot:

sp2-cat-tab1.png

sp2-cat-tab2.png

For an embedded digital signature, the location of the signature is at the end of the signed file. Look for DATA_DIR Security in IMAGE_DATA_DIRECTORIES of the optional PE header. It has a pointer (4 bytes) to the signature and the length (4 bytes) of the signature. The pointer is just the offset in the binary file. When these bytes are all zero (0×00), the PE file has no embedded digital signature.
Here is the PE header of another Windows patch:

pe_header.png

In this patch, the signature entry can be found at offset 0xF4E00 in the file and is 0×2428 bytes long:

der-signature.png

The first 4 bytes of the signature entry is the size, the following 4 bytes is a constant (0×00020200), and the rest is the PKCS7 signature. This signature can be extracted with a binary editor and parsed with openssl:

openssl.png

Finally, I wrote a small Python program to manipulate embedded digital signatures. Features of disitool:

      • delete a signature: disitool.py delete signed-file unsigned-file
      • copy a signature: disitool.py copy signed-source-file unsigned-file signed-file
      • extract a signature: disitool.py extract signed-file signature
      • add a signature: disitool.py add signature unsigned-file signed-file
        http://blog.didierstevens.com/2008/01/11/the-case-of-the-missing-digital-signatures-tab/