Didier Stevens

Friday 11 January 2008

The Case of the Missing Digital Signatures Tab

Filed under: Encryption — Didier Stevens @ 9:07

The title of this post is inspired by Mark Russinovich's posts. I explain why there is a category of executables with a digital signature that don't show a "Digital Signatures" tab in the properties dialog, and I release a tool to manipulate digital signatures.

Executables (PE files) can carry a digital signature; Microsoft calls this signature Authenticode. There are two ways to sign a PE file: by embedding a digital signature in the PE file itself (an embedded digital signature), or by adding a hash of the PE file to a signed security catalog file (file type .CAT).

The Properties dialog of a file hosts a Digital Signatures tab when the PE file has an embedded digital signature, like this Windows patch from Microsoft:

[image: patch-properties.png]

But when a file is signed via a security catalog file, the Digital Signatures tab is not displayed. Notepad is a good example:

[image: notepad-properties.png]

To check the digital signature of this category of files, one uses Microsoft’s signtool or Mark’s sigcheck utility:

[image: notepad-signcheck.png]

These tools compute the hash of the file, look it up in the matching security catalog file, and then verify the signature on the catalog file itself. Security catalog files live in the directory C:\windows\system32\catroot:

[image: sp2-cat-tab1.png]

[image: sp2-cat-tab2.png]

For an embedded digital signature, the signature is stored at the end of the signed file. Look for the Security entry (DATA_DIR Security) in the IMAGE_DATA_DIRECTORIES of the optional PE header. It holds a pointer (4 bytes) to the signature and the length (4 bytes) of the signature. Unlike the other data directories, the pointer is a plain file offset into the binary, not a relative virtual address. When these 8 bytes are all zero (0x00), the PE file has no embedded digital signature.
Here is the PE header of another Windows patch:

[image: pe_header.png]

In this patch, the signature entry is found at offset 0xF4E00 in the file and is 0x2428 bytes long:

[image: der-signature.png]

The first 4 bytes of the signature entry are its size, the following 4 bytes are a constant (0x00020200), and the rest is the PKCS#7 signature. This signature can be extracted with a binary editor and parsed with openssl:

[image: openssl.png]

Finally, I wrote a small Python program to manipulate embedded digital signatures. Features of disitool:

  • delete a signature: disitool.py delete signed-file unsigned-file
  • copy a signature: disitool.py copy signed-source-file unsigned-file signed-file
  • extract a signature: disitool.py extract signed-file signature
  • add a signature: disitool.py add signature unsigned-file signed-file
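As an added example (not disitool's own code), here is the signature-location walk described above and the tool's delete operation in Python: it follows e_lfanew to the optional header, reads the Security data directory entry, checks the WIN_CERTIFICATE header and extracts or strips the PKCS#7 blob. The function names are mine, and build_test_pe constructs a minimal, non-functional PE32 image so the code runs without a real signed binary.

```python
import struct

# Security data directory (index 4): its first field is a raw file offset (not an RVA) to a certificate table at the end of the file.
SECURITY_DIR_INDEX = 4
WIN_CERT_REVISION_2_0 = 0x0200           # wRevision
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # wCertificateType (PKCS#7 SignedData)

def security_directory(pe: bytes):
    """Return (entry_pos, file_offset, size) for the Security data directory entry."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = e_lfanew + 24                          # past 'PE\0\0' and the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dd_base = 96 if magic == 0x10B else 112      # data directories start: PE32 vs PE32+
    pos = opt + dd_base + SECURITY_DIR_INDEX * 8
    offset, size = struct.unpack_from("<II", pe, pos)
    return pos, offset, size                     # offset == size == 0: no embedded signature

def extract_pkcs7(pe: bytes):
    """Return the PKCS#7 blob of the embedded signature, or None if the file has none."""
    _, offset, size = security_directory(pe)
    if offset == 0 and size == 0:
        return None
    # WIN_CERTIFICATE header: dwLength, then wRevision/wCertificateType (bytes 00 02 02 00)
    length, revision, cert_type = struct.unpack_from("<IHH", pe, offset)
    if length != size or offset + length > len(pe):
        raise ValueError("certificate table length disagrees with data directory")
    if (revision, cert_type) != (WIN_CERT_REVISION_2_0, WIN_CERT_TYPE_PKCS_SIGNED_DATA):
        raise ValueError("unexpected WIN_CERTIFICATE revision/type")
    return pe[offset + 8:offset + length]

def delete_signature(pe: bytes) -> bytes:
    """Like disitool's 'delete': zero the directory entry and drop the trailing table."""
    pos, offset, size = security_directory(pe)
    if offset == 0 and size == 0:
        return pe
    return pe[:pos] + b"\0" * 8 + pe[pos + 8:offset] + pe[offset + size:]

def build_test_pe(signature: bytes = b"") -> bytes:
    """Constructed minimal PE32 image (not a real binary), optionally with a signature appended."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x102)
    body = dos + coff + struct.pack("<H", 0x10B) + b"\0" * 222         # PE32, 16 empty directories
    if signature:
        cert = struct.pack("<IHH", 8 + len(signature), WIN_CERT_REVISION_2_0,
                           WIN_CERT_TYPE_PKCS_SIGNED_DATA) + signature
        pos = security_directory(body)[0]
        body = body[:pos] + struct.pack("<II", len(body), len(cert)) + body[pos + 8:] + cert
    return body
```

On a real file, the bytes returned by extract_pkcs7 are what the post feeds to openssl; an all-zero directory entry (Notepad's case) yields None, which is why signtool and sigcheck must fall back to the catalog files.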

5 Comments »

  1. This was very interesting. I have one question and maybe it's because I didn't quite understand much about digital signatures. But could a hacker somehow use those hidden digital signatures to put something malicious on your system?

    BTW, I check your blog almost daily.

    There is one thing that I would really appreciate. Could you display an excerpt on the main page of your blog so I don’t have to go through an entire post just to find out if I missed something (skipped a day because I wasn’t at my computer or maybe you had two posts in a particular day).

    Also, it might be easier to read the text on your images if you’d reduce them to the width of your blog post. For me the images are overlapping the text on the right side.

    Thanks for such a good blog.

    Comment by Charlene — Friday 11 January 2008 @ 16:11

  2. The Wikipedia link about Code Signing at the beginning of the post gives an excellent intro about digital signing code:

    Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted since it was signed by use of a checksum.

    The only way I can see that a malware author could use digital signatures to execute code on your system, is when he finds a vulnerability in the code that deals with signatures, and finds an exploit to execute remotely. But then he would also have to social engineer you into checking the digital signature, because I don't think the signature is parsed automatically.
    There are only 2 vulnerabilities that I see related to Authenticode. There was one that allowed the bypass of the Authenticode check in IE, and there was one in the ASN1 parsing.

    I don't have much flexibility with the layout of my blog, as I don't host my own WordPress software on my own server. This blog is hosted by WordPress.com.

    Comment by Didier Stevens — Wednesday 16 January 2008 @ 20:39

  3. [...] and MD5 Collisions Filed under: Encryption, Hacking — Didier Stevens @ 15:11 Back when I researched Microsoft’s code signing mechanism (Authenticode), I noticed it still supported MD5, but that the signtool uses SHA1 by [...]

    Pingback by Playing With Authenticode and MD5 Collisions « Didier Stevens — Saturday 17 January 2009 @ 15:12

  4. Thank you very much, I’ve been trying to understand where the heck the signatures went!

    Comment by egilam — Thursday 22 January 2009 @ 13:11

  5. […] I found another file in this _restore folder: A0000615.cat. This is a catalog file that Microsoft uses to sign Windows executables. With Sysinternals’ sigcheck tool and this catalog file, I was able to confirm that this is a […]

    Pingback by Forensic Use of CAT Files | Didier Stevens — Monday 3 March 2014 @ 0:17



The Rubric Theme. Blog at WordPress.com.
