Detect a digital signature without WinVerifyTrust


I have a large number of EXE files and need to figure out which ones have digital signatures. Does anyone know if there is a way to check without access to WinVerifyTrust (they're all on a Unix server).

I can't seem to find any information on where the digital signature actually is inside the EXE. If I could find out where it is I might be able to open the file and fseek to a location to test. I don't need to do "real" verification on the certificate, I just want to see if a digital signature is present (or, more importantly, NOT present) without having to use WinVerifyTrust.


There are 3 best solutions below

0
On

You can find this information using code from Mono.Security.dll AuthenticodeBase [1]

[1] https://github.com/mono/mono/blob/master/mcs/class/Mono.Security/Mono.Security.Authenticode/AuthenticodeBase.cs

Your best hint (if an authenticode signature is present) is:

 // 2.2. Locate IMAGE_DIRECTORY_ENTRY_SECURITY (offset and size)
 dirSecurityOffset = BitConverterLE.ToInt32 (fileblock, peOffset + 152);
 dirSecuritySize = BitConverterLE.ToInt32 (fileblock, peOffset + 156);

If dirSecuritySize is larger than 8, then there's a signature entry (valid or not).

1
On

As mentioned above, the mere presence of the IMAGE_DIRECTORY_ENTRY_SECURITY directory is a clear indicator of a signature inside a PE file. If you have a large number of files to test and want to filter them, just testing for the presence of this standard directory is valid. You don't need a library to do this.

2
On

I tried to solve the problem in the same situation. I recommend osslsigncode. This is an implementation of Windows Authenticode with OpenSSL.
https://github.com/develar/osslsigncode

Below is a code block excerpt from osslsigncode.

siglen = GET_UINT32_LE(indata + peheader + 152 + pe32plus*16 + 4);

If siglen is 0 in osslsigncode, it determines that there is no signature.

If you just want to check the signature, you don't need a library.
However, see osslsigncode for help.
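The header check described in the answers above, as an added example (not code from this page, Mono or osslsigncode). It goes slightly beyond the quoted snippets by handling both PE32 and PE32+ and by bounds-checking the certificate table against the file length; the function names are hypothetical and `make_sample` builds a constructed header, not a real EXE.

```python
import struct
import sys

SECURITY_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY

def security_directory(data):
    """Return (file_offset, size) of the certificate table, or None if not a PE."""
    if len(data) < 64 or data[:2] != b"MZ":
        return None
    (pe,) = struct.unpack_from("<I", data, 0x3C)           # e_lfanew
    if pe + 26 > len(data) or data[pe:pe + 4] != b"PE\0\0":
        return None
    (opt_size,) = struct.unpack_from("<H", data, pe + 20)  # SizeOfOptionalHeader
    (magic,) = struct.unpack_from("<H", data, pe + 24)     # 0x10B PE32, 0x20B PE32+
    if magic not in (0x10B, 0x20B):
        return None
    dirs = 96 if magic == 0x10B else 112                   # data directories start
    entry = dirs + 8 * SECURITY_INDEX                      # pe+152 or pe+168 overall
    if entry + 8 > opt_size or pe + 24 + entry + 8 > len(data):
        return None
    (count,) = struct.unpack_from("<I", data, pe + 24 + dirs - 4)  # NumberOfRvaAndSizes
    if count <= SECURITY_INDEX:
        return (0, 0)
    return struct.unpack_from("<II", data, pe + 24 + entry)

def has_signature_entry(data):
    """True if a certificate table larger than its 8-byte header lies inside the file."""
    found = security_directory(data)
    if found is None:
        return False
    offset, size = found
    return offset != 0 and size > 8 and offset + size <= len(data)

def make_sample(pe32plus, sig_size):
    """Constructed minimal PE header for the demo (not a loadable EXE)."""
    opt_len, dirs = (240, 112) if pe32plus else (224, 96)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)       # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_len, 0x22)
    opt = bytearray(opt_len)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<I", opt, dirs - 4, 16)              # NumberOfRvaAndSizes
    if sig_size:
        struct.pack_into("<II", opt, dirs + 32, 88 + opt_len, sig_size)
    return dos + coff + bytes(opt) + b"\0" * sig_size

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, "signature entry" if has_signature_entry(fh.read()) else "no signature entry")
```

A positive result only means the certificate table is populated; it says nothing about whether the signature verifies.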