Didier Stevens

Friday 11 January 2008

The Case of the Missing Digital Signatures Tab

Filed under: Encryption — Didier Stevens @ 9:07

The title of this post is inspired by Mark Russinovich‘s posts. I explain why there is a category of executables with a digital signature that don’t show a “Digital Signatures” tab in the properties dialog, and I release a tool to manipulate digital signatures.

Executables (PE files) can have a digital signature, Microsoft calls this signature AuthentiCode. There are 2 different ways to sign a PE file: by adding a digital signature to the PE file (embedded digital signature) or by adding a hash of the PE file to a security catalog file (filetype .CAT).

The Properties dialog of a file hosts a Digital Signatures tab when the PE file has an embedded digital signature, like this Windows patch from Microsoft:


But when a file is signed via a security catalog file, the Digital Signatures tab is not displayed. Notepad is a good example:


To check the digital signature of this category of files, one uses Microsoft’s signtool or Mark’s sigcheck utility:


These tools will calculate the hash of the file, look it up in the appropriate security catalog file and check the signature of the security catalog file. One can find security catalog files in directory C:\windows\system32\catroot:



For an embedded digital signature, the location of the signature is at the end of the signed file. Look for DATA_DIR Security in IMAGE_DATA_DIRECTORIES of the optional PE header. It has a pointer (4 bytes) to the signature and the length (4 bytes) of the signature. The pointer is just the offset in the binary file. When these bytes are all zero (0x00), the PE file has no embedded digital signature.
Here is the PE header of another Windows patch:


In this patch, the signature entry can be found at offset 0xF4E00 in the file and is 0x2428 bytes long:


The first 4 bytes of the signature entry is the size, the following 4 bytes is a constant (0x00020200), and the rest is the PKCS7 signature. This signature can be extracted with a binary editor and parsed with openssl:


Finally, I wrote a small Python program to manipulate embedded digital signatures. Features of disitool:

  • delete a signature: disitool.py delete signed-file unsigned-file
  • copy a signature: disitool.py copy signed-source-file unsigned-file signed-file
  • extract a signature: disitool.py extract signed-file signature
  • add a signature: disitool.py add signature unsigned-file signed-file

Blog at WordPress.com.