Didier Stevens

Authenticode Tools

I wrote an article on my Authenticode tools for (IN)SECURE Magazine: Issue 39 page 60.

AnalyzePESig is a tool to check signatures in PE files, just like Sysinternals’ sigcheck, but with a couple of differences.

First, when a signature is not valid, AnalyzePESig will tell you why and still display information about the invalid signature and related certificates. Second, AnalyzePESig displays more information and third, it is open source.

Here is a short explanation of the fields in the output produced by AnalyzePESig:

Filename
Self-explanatory.

Extension
Self-explanatory.

MD5
Self-explanatory.

Entropy
The entropy of the bytes of the file.
Use this as an indicator for compressed or encrypted content (high entropy).
This value is between 0.0 and 8.0.
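The entropy field, as an added example that is not AnalyzePESig's own code: Shannon entropy over the byte histogram of a file, in bits per byte, which gives exactly the 0.0 to 8.0 range described above. The sample buffers at the bottom are constructed for this example.

```python
import math
from collections import Counter


def byte_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 when every byte has the same
    value, 8.0 when all 256 byte values occur equally often."""
    if not data:
        return 0.0
    total = len(data)
    counts = Counter(data)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def file_entropy(path: str) -> float:
    """Entropy of a whole file on disk, read as raw bytes."""
    with open(path, "rb") as f:
        return byte_entropy(f.read())


if __name__ == "__main__":
    # Constructed samples: a zero-filled buffer versus a uniform spread of all byte values
    print(byte_entropy(b"\0" * 4096))              # 0.0
    print(byte_entropy(bytes(range(256)) * 16))    # 8.0
```

Compressed or encrypted content approaches 8.0 because every byte value is about equally likely; plain machine code and text sit well below that.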

Filesize
Self-explanatory.

Creation time
Self-explanatory.

Last write time
Self-explanatory.

Last access time
Self-explanatory.

Owner name
The username of the owner of the file specified in the security descriptor.

File attributes
The raw file attributes value itself (a WORD).

File attributes
A text representation of some of the file attributes, like A for the Archive flag, …

Characteristics
The Characteristics of the PE file.

Characteristics
A text representation of some of the flags of the Characteristics: exec for the executable image flag, dll for the DLL flag.

Magic
The Magic value of the PE file.

Magic decode
The decoded Magic value of the PE file.

Subsystem
The Subsystem value of the PE file.

Size of code
The size of the PE file.

Address of entry point
The address of the entry point of the PE file.

Compile time
The compile time of the PE file.

RVA15
The relative virtual address stored in Data Directory 15. This value is different from zero for .NET assemblies.

CLR version
The version of the CLR.

Sections
The names of the sections found in the PE file.

Signature size 1
The size of the signature as specified in the Data Directory.

Signature size 2
The size of the signature as found in the PE file.

Signature Revision
The revision number of the signature (should be 200).

Signature Certificate Type
The certificate type of the signature (should be 2).

Bytes after signature
Extra bytes found after the signature in the Data Directory (should be 0).

Result PKCS7 parser
The result of the PKCS7 parser. 1 for success, 0 for failure.

PKCS7 size
The size of the PKCS7 data as returned by the PKCS7 parser.

Bytes after PKCS7 signature
The number of bytes found after the PKCS7 data. The PKCS7 data is padded to a size which is a multiple of 8, so the number of bytes after the PKCS7 signature should be between 0 and 7.

Bytes after PKCS7 signature not zero
Padding is done with 0x00 bytes. Finding bytes after the PKCS7 signature which are not 0x00 is not normal.

PKCS7 signingtime
The code signing time as found in the PKCS7 signature.

DEROIDHash
The DEROIDHash is a SHA-256 hash of the DER structure and OID numbers of a PKCS7 signature. Signatures with the same structure and OID numbers share the same DEROIDHash.
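The fields from Signature size 1 through DEROIDHash describe one walk through the PE signature directory. As an added example (not AnalyzePESig's own source), the code below reads data directory 4, parses the WIN_CERTIFICATE header, measures the PKCS7 blob and its padding, and computes a structure hash in the spirit of DEROIDHash. The DER walker, build_test_pe and SAMPLE_PKCS7 are constructed for this example; what exactly AnalyzePESig feeds into DEROIDHash is assumed from the description above (tag bytes plus OID values, other primitive values skipped).

```python
import hashlib
import struct

WIN_CERT_REVISION_2_0 = 0x0200           # expected wRevision
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # expected wCertificateType
IMAGE_DIRECTORY_ENTRY_SECURITY = 4       # data directory holding the signature


def der_header(buf, pos):
    """Parse a single-byte DER tag and its length at pos;
    return (tag, content_length, content_offset)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                     # short-form length
        return tag, first, pos + 2
    n = first & 0x7F                     # long form: n length bytes follow
    return tag, int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n


def der_structure(buf, pos, end, out):
    """Append each tag byte, plus the value of each OBJECT IDENTIFIER, found in
    buf[pos:end] to out, descending into constructed elements. Other primitive
    values (integers, digests, signature bytes) are skipped, so two signatures
    with the same layout and OIDs yield the same bytes (assumed DEROIDHash input)."""
    while pos < end:
        tag, length, vpos = der_header(buf, pos)
        out.append(bytes([tag]))
        if tag == 0x06:                  # OBJECT IDENTIFIER
            out.append(buf[vpos:vpos + length])
        elif tag & 0x20:                 # constructed element
            der_structure(buf, vpos, vpos + length, out)
        pos = vpos + length


def security_directory(pe):
    """Return (file_offset, size) of data directory entry 4; for this entry
    the 'virtual address' field is a raw file offset."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = e_lfanew + 4 + 20              # past the PE signature and COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)   # PE32 vs PE32+ layout
    return struct.unpack_from("<II", pe, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)


def check_signature(pe):
    """Compute the signature-related fields for one PE image given as bytes."""
    off, size1 = security_directory(pe)
    if off == 0 or size1 == 0:
        return {"signed": False}
    # WIN_CERTIFICATE: dwLength, wRevision, wCertificateType, then bCertificate
    size2, revision, cert_type = struct.unpack_from("<IHH", pe, off)
    blob = pe[off + 8:off + size2]
    _, length, vpos = der_header(blob, 0)
    pkcs7_size = vpos + length           # outer ContentInfo SEQUENCE, header included
    trailer = blob[pkcs7_size:]          # padding to a multiple of 8, expected 0x00
    structure = []
    der_structure(blob, 0, pkcs7_size, structure)
    fields = {
        "signed": True,
        "signature_size_1": size1,
        "signature_size_2": size2,
        "signature_revision": revision,
        "signature_certificate_type": cert_type,
        "bytes_after_signature": size1 - size2,
        "pkcs7_size": pkcs7_size,
        "bytes_after_pkcs7": len(trailer),
        "bytes_after_pkcs7_not_zero": any(trailer),
        "deroidhash": hashlib.sha256(b"".join(structure)).hexdigest(),
    }
    warnings = []
    if revision != WIN_CERT_REVISION_2_0:
        warnings.append("unexpected signature revision")
    if cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA:
        warnings.append("unexpected certificate type")
    if fields["bytes_after_signature"] != 0:
        warnings.append("extra bytes after signature in data directory")
    if len(trailer) > 7 or any(trailer):
        warnings.append("abnormal padding after PKCS7 data")
    fields["warnings"] = warnings
    return fields


def build_test_pe(pkcs7=None, padding=b"", trailer=b""):
    """Constructed sample: a minimal PE32 image, optionally with a
    WIN_CERTIFICATE appended, used only to exercise check_signature() offline."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 94   # PE32 fields up to the directories
    sig_off = e_lfanew + 4 + 20 + 0xE0
    dirs, cert = [(0, 0)] * 16, b""
    if pkcs7 is not None:
        body = pkcs7 + padding
        cert = struct.pack("<IHH", 8 + len(body), WIN_CERT_REVISION_2_0,
                           WIN_CERT_TYPE_PKCS_SIGNED_DATA) + body + trailer
        dirs[IMAGE_DIRECTORY_ENTRY_SECURITY] = (sig_off, len(cert))
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    return dos + coff + opt + cert


# Constructed PKCS7 stand-in: SEQUENCE { OID signedData, [0] { SEQUENCE { INTEGER 1 } } }
SAMPLE_PKCS7 = bytes.fromhex("3012" "06092a864886f70d010702" "a005" "3003" "020101")
```

Running check_signature(build_test_pe(SAMPLE_PKCS7, padding=b"\0" * 4)) gives both signature sizes as 32, revision 0x200, certificate type 2, a PKCS7 size of 20 and four zero padding bytes, so no warnings. Appending non-zero padding or extra bytes after the WIN_CERTIFICATE produces the warnings that correspond to the "should be" notes in the field descriptions, and two blobs that differ only in a primitive value share the same DEROIDHash while a changed OID does not.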

Valid signature
1 if the file has a valid signature, 0 if not.

Error code
If the signature is not valid, this error code will provide more details.

From catalog file
1 if the file is signed using a catalog file.

Catalogs
The number of catalog files for this file.

Catalog Filename
The name of the last catalog file listed for this file.

Issuer Name
The issuer of the certificate for the digital signature.

Subject Name
The subject of the certificate for the digital signature.

Subject thumbprint
Self-explanatory.

Signature Timestamp
The date and time the file was signed.

Countersignature Timestamp
If present, the date and time of the counter signature.

Extensions
The OID numbers of all extensions present in the certificate for the digital signature.

Root Subject Name
The subject of the root certificate.

Root Thumbprint
The thumbprint of the root certificate.

Signature Hash Algorithm
The hash algorithm used for the signature of the file.

Not before and not after
The validity period of the certificate for the digital signature.

Subject Name Chain
The subject of each certificate in the chain.

Signature Hash Algorithm Chain
The hash algorithm used for each certificate in the chain.

Serial Chain
The serial number of each certificate in the chain.

Thumbprint Chain
The thumbprint of each certificate in the chain.

Keylength Chain
The key length for each certificate in the chain.

Issuer Unique Id Chain
The number of bytes of the issuer unique id for each certificate in the chain.
This should be zero. It is not for the Flame certificate.

Subject Unique Id Chain
The number of bytes of the subject unique id for each certificate in the chain.
This should be zero. It is not for the Flame certificate.

Extensions Chain
The OID numbers of all extensions present in each certificate in the chain.

File Description
The file description found in the version info of the file.

Company Name
The company name found in the version info of the file.

File version
Self-explanatory.

Product version
Self-explanatory.

Icons
The number of icons in the PE file.


AnalyzePESig_V0_0_0_5.zip (https)
MD5: EC65D3F269445B7E876F232CE5C57A16
SHA256: 897EE65C741D2FEEF23C512FE43D9E477F9CAB0B338078703F8D860257D0C437

ListModules takes a snapshot of all processes and then analyses all loaded modules (.exe, .dll, …), producing output very similar to AnalyzePESig.

It is best to run the 64-bit ListModules on a 64-bit system, and to run it from the administrator account or elevated.

ListModules_V0_0_0_4.zip (https)
MD5: 36D05A56C06493A3EB1BAD6F9F5BB2E5
SHA256: FDB262E043F86EA4F147D50B2DD48707C63E0751B655AB3AF9577C1E54017CE6

26 Comments »

  1. […] added a new page to document my Authenticode Tools like […]

    Pingback by Authenticode Tools Page « Didier Stevens — Tuesday 4 December 2012 @ 13:53

  2. […] is a new tool to analyze PE files, like my AnalyzePESig tool. Instead of analyzing all files you point it to, it takes a snapshot of all processes, and […]

    Pingback by ListModules V0.0.0.1 « Didier Stevens — Thursday 20 December 2012 @ 0:00

  3. […] Soon I’ll release new versions of my Authenticode Tools. […]

    Pingback by A Bit More Than A Signature | Didier Stevens — Tuesday 13 August 2013 @ 19:07

  4. […] is the effect illustrated with my AnalyzePESig […]

    Pingback by MS13-098: Fixing Authenticode | Didier Stevens — Wednesday 11 December 2013 @ 23:17

  5. Trying to download AnalyzePESig_V0_0_0_3.zip gives me 404 Not Found…

    Comment by Sergey Vlasov — Friday 13 December 2013 @ 12:56

  6. @Sergey Sorry, forgot to upload, fixed now.

    Comment by Didier Stevens — Friday 13 December 2013 @ 12:59

  7. […] in the video, it gets a bit more technical by using tools (AnalyzePESig and sigcheck) to check […]

    Pingback by Video: Checking the Digital Signature of Windows Executables | Didier Stevens — Monday 6 January 2014 @ 4:09

  8. Wonder tools. Thank you!

    Comment by Anonymous — Tuesday 7 January 2014 @ 20:36

  9. Really appreciate the tool listmodules. Could you add in a flag/option to send the output to a specified destination/folder?

    Comment by Jacov — Sunday 30 March 2014 @ 3:50

  10. @Jacov Did you try output redirection (> result.txt) ?

    Comment by Didier Stevens — Sunday 30 March 2014 @ 10:02

  11. Yes, I can redirect but I do not want to create the CSV file as redirection then creates 2 files.

    Comment by Jacov — Sunday 30 March 2014 @ 16:15

  12. @Jacov I see, I’ll add it to my todo list.

    Comment by Didier Stevens — Friday 4 April 2014 @ 15:44

  13. Not sure yet why, but when running your tool under the context of the Local System account in a windows 7 64-bit environment, the tool hangs. When I run it under the context of my own credentials (I have local admin rights), it completes successfully. Note that I am running it under the System account by creating a scheduled task in Windows. Not sure if you have ever tested this, but any insight you may have as to why it is hanging would be appreciated. I have tried this with other tools like those from sysinternals and it seems to work ok.

    Comment by Jacov — Thursday 10 April 2014 @ 21:04

  14. Is it me or doesn’t v3 work with .msi files anymore?

    Comment by Anonymous — Sunday 11 May 2014 @ 10:15

  15. Actually, I didn’t design AnalyzePESig to work with .msi files. In versions 0.0.1 and 0.0.2, it was a side-effect. But in version 0.0.3, I added many PE file checks, and .msi is not a PE file.

    Comment by Didier Stevens — Monday 12 May 2014 @ 21:04

  16. Thanks for your reply (#15) Mr. Stevens, now I understand the messages about invalid signatures as well -> they’re simply not PE files 😉
    I’ll also keep 0.0.2 then, the “side-effect” is -and works- great!

    Comment by Anonymous — Thursday 15 May 2014 @ 15:56

  17. I’ll try to make analysis of .msi possible again.

    Comment by Didier Stevens — Friday 16 May 2014 @ 13:05

  18. When enumerating process modules, the flag TH32CS_SNAPMODULE32 should be set like so:

    hSnapshotModules = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32, sPE32.th32ProcessID);

    Otherwise, 32-bit modules loaded into 64-bit processes will be missing from the list.

    Comment by Jacob Gajek — Saturday 10 January 2015 @ 8:53

  19. @Jacob Thanks for pointing this out.
    I did some further testing, and the real issue is this: if you do not use flag TH32CS_SNAPMODULE32 in a 64-bit process when querying a 32-bit process, then you don’t get the 32-bit modules of the 32-bit process.
    I fixed this, and will try to release the code this weekend.

    Comment by Didier Stevens — Saturday 10 January 2015 @ 19:21

  20. You’re right, I misread the MSDN documentation. It’s the calling process that is 64-bit, and the TH32CS_SNAPMODULE32 flag pertains to 32-bit processes and their 32-bit modules.

    Comment by Jacob Gajek — Sunday 11 January 2015 @ 3:01

  21. This is excellent. I went looking for something like this because I was trying to see if using /td SHA256 with signtool.exe when timestamping had any actual effect. AnalyzePESig shows me the signature getting larger by 16 bytes, so at least something is happening.

    Comment by johndallman — Tuesday 3 November 2015 @ 17:24

  22. […] I released new versions of my AnalyzePESig and ListModules authenticode tools. […]

    Pingback by Update: Authenticode Tools | Didier Stevens — Monday 30 November 2015 @ 0:00

  23. Please excuse me, Didier Stevens.
    Due to newly added secondary SHA-2 signatures, i.e. to Google Chrome installer and many others, could you please add display and analysis of signatures beyond the 1st?
    Thank you.

    Comment by IL — Tuesday 26 January 2016 @ 8:08

  24. this is on my todo list

    Comment by Didier Stevens — Tuesday 26 January 2016 @ 10:29

  25. For: “The certificate type of the signature (should be 2).” is this class (IE Class 2 cert vice class 3?)

    Comment by Jack — Wednesday 4 January 2017 @ 1:17

  26. No, it’s not part of the certificate.

    Comment by Didier Stevens — Monday 9 January 2017 @ 20:04

