I have a large number of EXE files and need to figure out which ones have digital signatures. Does anyone know if there is a way to check without access to WinVerifyTrust (they're all on a Unix server)?
I can't seem to find any information on where the digital signature actually is inside the EXE. If I could find out where it is I might be able to open the file and fseek to a location to test. I don't need to do "real" verification on the certificate, I just want to see if a digital signature is present (or, more importantly, NOT present) without having to use WinVerifyTrust.
As mentioned above, the sole presence of the IMAGE_DIRECTORY_ENTRY_SECURITY directory is a clear indicator to detect the presence of a signature inside a PE file. If you have a large number of files to test and want to filter these, just testing the presence of this standard directory is valid. You don't need a library to do this.
You can find this information using code from Mono.Security.dll AuthenticodeBase [1]
Your best hint (if an authenticode signature is present) is:
// 2.2. Locate IMAGE_DIRECTORY_ENTRY_SECURITY (offset and size)
dirSecurityOffset = BitConverterLE.ToInt32 (fileblock, peOffset + 152);
dirSecuritySize = BitConverterLE.ToInt32 (fileblock, peOffset + 156);
If dirSecuritySize is larger than 8 then there's a signature entry (valid or not).
I tried to solve the problem in the same situation.
I recommend osslsigncode.
This is an implementation of Windows Authenticode with OpenSSL.
https://github.com/develar/osslsigncode
Below is a code block excerpt from osslsigncode.
siglen = GET_UINT32_LE(indata + peheader + 152 + pe32plus*16 + 4);
If siglen is 0 in osslsigncode, it determines that there is no signature.
If you just want to check the signature, you don't need a library.
However, see osslsigncode for help.
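Both answers above point at the same header field: the Certificate Table entry (index 4 of the optional header's data directories), which Mono reads at peOffset + 152 for PE32 and osslsigncode reads at peheader + 152 + pe32plus*16 for either format. The script below is an added example written for this page, not code from Mono, osslsigncode or any of the posters; it implements that check in Python so it can run on the Unix server from the question, handles both PE32 and PE32+ by reading the optional header magic, and applies Mono's "larger than 8" rule (8 bytes is exactly one WIN_CERTIFICATE header with no certificate data behind it). The function names and the header-only sample image built by build_sample_pe are constructed for the example; the byte offsets follow the published PE/COFF format.

```python
import struct
import sys

# Index of the Certificate Table among the optional header's data directories.
IMAGE_DIRECTORY_ENTRY_SECURITY = 4
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
# WIN_CERTIFICATE header = dwLength (4) + wRevision (2) + wCertificateType (2).
# A table no bigger than this cannot carry any certificate bytes.
WIN_CERTIFICATE_HEADER_SIZE = 8


def security_directory(data):
    """Return (file_offset, size) of IMAGE_DIRECTORY_ENTRY_SECURITY.

    Raises ValueError when the bytes are not a PE image; returns (0, 0) when the
    optional header has no usable Certificate Table entry.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_offset = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_offset:pe_offset + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # The COFF file header is 20 bytes; the optional header follows it directly.
    opt_offset = pe_offset + 24
    if len(data) < opt_offset + 2:
        raise ValueError("truncated PE header")
    opt_size = struct.unpack_from("<H", data, pe_offset + 20)[0]
    magic = struct.unpack_from("<H", data, opt_offset)[0]
    if magic == PE32_MAGIC:
        dir_base = opt_offset + 96    # data directories start at +96 in PE32 ...
    elif magic == PE32PLUS_MAGIC:
        dir_base = opt_offset + 112   # ... and at +112 in PE32+ (the "pe32plus*16")
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    entry = dir_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY  # == pe_offset + 152 (+16)
    if entry + 8 > len(data) or entry + 8 > opt_offset + opt_size:
        return (0, 0)
    # NumberOfRvaAndSizes sits immediately before the directory array.
    num_dirs = struct.unpack_from("<I", data, dir_base - 4)[0]
    if IMAGE_DIRECTORY_ENTRY_SECURITY >= num_dirs:
        return (0, 0)
    # Unlike the other directories this entry holds a raw file offset, not an RVA.
    return struct.unpack_from("<II", data, entry)


def has_authenticode(data):
    """True if a Certificate Table with real content exists. Nothing is validated."""
    offset, size = security_directory(data)
    return (size > WIN_CERTIFICATE_HEADER_SIZE
            and offset != 0
            and offset + size <= len(data))   # table must lie inside the file


def build_sample_pe(pe32plus, cert_size):
    """Construct a header-only PE image for testing (constructed sample, not a real binary).

    cert_size == 0 produces an unsigned image; otherwise a WIN_CERTIFICATE of that
    length is appended after the headers and referenced from the Certificate Table.
    """
    pe_offset = 0x80
    opt_size = 240 if pe32plus else 224          # standard optional header sizes
    dos = bytearray(pe_offset)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, pe_offset)  # e_lfanew
    machine = 0x8664 if pe32plus else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x0002)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    dir_base = 112 if pe32plus else 96
    struct.pack_into("<I", opt, dir_base - 4, 16)  # NumberOfRvaAndSizes
    cert = b""
    if cert_size:
        cert_offset = pe_offset + 24 + opt_size      # table appended right after the headers
        struct.pack_into("<II", opt, dir_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         cert_offset, cert_size)
        # dwLength, wRevision 0x0200, wCertificateType 0x0002 (PKCS#7), zero filler
        cert = struct.pack("<IHH", cert_size, 0x0200, 0x0002).ljust(cert_size, b"\0")
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + cert


if __name__ == "__main__":
    # Usage: python check_authenticode.py file1.exe file2.exe ...
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            blob = f.read()
        try:
            print(path, "signed" if has_authenticode(blob) else "unsigned")
        except ValueError as exc:
            print(path, "skipped:", exc)
```

As the answers say, this only detects that a Certificate Table is present; whether the PKCS#7 blob inside it is well-formed, chains to a trusted root, or matches the file's hash is a separate question that needs a real verifier such as osslsigncode. When triaging a very large tree, reading just the first few kilobytes of each file plus its size (for the in-file bounds check) is enough.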
Source: https://stackoverflow.com/questions/6475132/detect-a-digital-signature-without-winverifytrust