D2
Администратор
- Регистрация
- 19 Фев 2025
- Сообщения
- 4,380
- Реакции
- 0
Author: code666
Article for xss.is
Getting started with code signing for Windows applications
In this article we will see in the first part how to digitally sign electron applications and in the second part how to manipulate the signature of PE files.
PART 1
How to digitally sign an Electron application for Windows
Digital signing is a process that verifies the identity and integrity of software. It consists of affixing an electronic signature to the software executable file, using a digital signature certificate issued by a recognized certification authority. Digital signing allows users to ensure that the software comes from a trusted publisher and has not been modified or corrupted.
Digital signing is particularly important for Electron apps, which are cross-platform desktop applications based on the Chromium web framework. Electron applications are often distributed as standalone executable files, which may be considered potentially dangerous by Windows operating systems. Indeed, Windows has a protection mechanism called SmartScreen, which blocks the execution of unsigned executable files or whose signature is not recognized. So, to prevent Windows users from receiving security warnings or being blocked from launching an Electron application, it is recommended to digitally sign the Electron application with a valid digital signature certificate.
How to obtain a digital signature certificate?
A digital signature certificate is a file that contains information about the identity of the software publisher, as well as a public key and a private key. The public key is used to verify the signature, while the private key is used to create the signature. The private key must be kept secret and protected by a password.
To obtain a digital signature certificate, you must make a request to a certification authority, which is an entity that verifies the identity of the publisher and issues the certificate. There are several certificate authorities that offer digital signature certificates for Windows software, such as DigiCert, Sectigo, GlobalSign, etc. The cost and validity period of certificates may vary between certification authorities.
Once the request is approved, the certificate authority sends the digital signature certificate as a file, usually with the .pfx or .p12 extension. This file contains both the public key and private key of the certificate, as well as the associated password.
How to digitally sign an Electron application with the certificate?
To digitally sign an Electron application with the digital signature certificate, you must use a digital signature tool, which is a program that allows you to create and verify digital signatures. There are several digital signature tools available, such as SignTool, osslsigncode, electron-builder, etc. In this article, we will use electron-builder, which is a tool for creating installers and packages for Electron applications.
Electron-builder allows you to digitally sign an Electron application automatically, using the digital signature certificate provided by the publisher. To do this, you must add the following configuration to the package.json file of the Electron application:
JSON: Скопировать в буфер обмена
The `certificateFile` key specifies the path to the digital signature certificate file, which should be placed in the same directory as the package.json file. The `certificatePassword` key specifies the certificate password, which must be provided by the certificate authority.
Then, simply run the following command to create the package and digitally sign it:
Bash: Скопировать в буфер обмена
This command will generate a digitally signed executable file in the `dist` directory, which can be distributed to Windows users.
How to verify the digital signature of an Electron application?
To verify the digital signature of an Electron application, you must use a digital signature verification tool, which is a program that allows you to read and validate digital signatures. There are several digital signature verification tools available, such as SignTool, osslsigncode, sigcheck, etc. In this article, we will use sigcheck, which is a tool that is part of Microsoft's Sysinternals suite.
Sigcheck allows you to verify the digital signature of an executable file using the following command:
Bash: Скопировать в буфер обмена
This command will display information about the executable file, including publisher name, product name, version, date, size, hash, and signature status. If the signature is valid, the status will be `Verified`, otherwise it will be `Unsigned` or `Invalid`.
For example, to verify the digital signature of the Electron application signed with the digital signature certificate provided by the DigiCert certification authority, the following command can be used:
Bash: Скопировать в буфер обмена
This command will display the following information:
Bash: Скопировать в буфер обмена
We can see that the executable file is digitally signed by Axel Arator, and that the signature is validated by the DigiCert certification authority. We can also see the link to the VirusTotal site, which is a service that analyzes executable files with several antiviruses.
To digitally sign an Electron application, you must obtain a digital signature certificate from a certification authority, and use a digital signature tool like electron-builder to create and sign the package.
PART 2
How to use LIEF to manipulate the Authenticode signature of a PE file
Authenticode is a digital signature mechanism developed by Microsoft, which verifies the identity and integrity of executable files in PE (Portable Executable) format. A digitally signed PE file contains a special section called `Security`, which stores the digital signature as a certificate attribute. The digital signature is created using a digital signature certificate issued by a recognized certification authority, and applying a hashing algorithm and an asymmetric encryption algorithm to the contents of the PE file. The digital signature allows users to ensure that the PE file comes from a trusted publisher and has not been modified or corrupted.
LIEF is a cross-platform library that allows you to parse, modify and abstract ELF, PE and MachO formats. LIEF offers a user-friendly API for accessing the internals of these formats, including the Authenticode signature of PE files. LIEF also allows you to manipulate the Authenticode signature of PE files, using the `lief.PE` and `lief.PE.signatures` modules.
In this second part, we will see how to use LIEF to manipulate the Authenticode signature of a PE file, by performing the following operations:
- Extract the Authenticode signature from a digitally signed PE file
- Check the validity of the Authenticode signature of a PE file
- Modify the contents of a digitally signed PE file and observe the impact on the Authenticode signature
- Add or replace the Authenticode signature of an unsigned or modified PE file
Extract the Authenticode signature from a digitally signed PE file
To extract the Authenticode signature from a digitally signed PE file, you must use the `lief.PE.parse` method to parse the PE file, and the `lief.PE.Binary.authentihash` method to obtain the Authenticode signature in of a `lief.PE.Signature` object. For example, to extract the Authenticode signature from the `putty.exe` file, which is an SSH client digitally signed by Simon Tatham, we can use the following code:
Python: Скопировать в буфер обмена
This code will display the Authenticode signature in the following form:
Bash: Скопировать в буфер обмена
We can see that the Authenticode signature contains several pieces of information, such as:
- The version, hash algorithm and content type of the signature
- The name of the program and the URL of the publisher
- The signatories, who are the entities who signed the PE file
- The authenticated and unauthenticated attributes of the signers, which are additional data related to the signature
- The signature itself, which is the result of encrypting the hash of the PE file with the private key of the signatory
- The serial number, issuer, validity, subject, algorithm and key of the signer's digital signature certificate
- Certificate extensions, which are optional information about the certificate, such as key usage, basic constraints, key identifiers, certificate revocation list (CRL) distribution points, and Access to Authority Information (AIA)
- Certificates, which are the digital signature certificates of signatories and intermediate and root certification authorities
Check the validity of the Authenticode signature of a PE file
To verify the validity of the Authenticode signature of a PE file, you must use the `lief.PE.Signature.verify` method on the `lief.PE.Signature` object extracted previously. This method returns a `lief.PE.Signature.VERIFICATION_FLAGS` object, which is an enumeration that indicates the result of the verification. For example, to check the validity of the Authenticode signature of the `putty.exe` file, we can use the following code:
Python: Скопировать в буфер обмена
This code will display the verification result in the following form:
Bash: Скопировать в буфер обмена
We can see that the Authenticode signature of the `putty.exe` file is valid, meaning that the PE file has not been modified since it was signed by Simon Tatham, and that Simon's digital signature certificate Tatham is valid and recognized by a trusted certificate authority.
If the Authenticode signature is invalid, the verification result may be one of the following:
- `NO_SIGNATURE`: the PE file does not have an Authenticode signature
- `BROKEN_SIGNATURE`: the PE file was modified after being signed
- `UNSUPPORTED_ALGORITHM`: the PE file was signed with an algorithm not supported by LIEF
- `CORRUPTED_CONTENT_INFO`: the `Security` section of the PE file is corrupted
- `CORRUPTED_SIGNER_INFO`: the signer information is corrupted
- `CORRUPTED_CERTIFICATE`: the digital signature certificate is corrupted
- `MISSING_CERTIFICATE`: digital signature certificate is missing
- `EXPIRED_CERTIFICATE`: the digital signature certificate has expired
- `REVOKED_CERTIFICATE`: the digital signature certificate has been revoked
- `UNTRUSTED_ROOT`: the digital signature certificate is not recognized by a trusted certificate authority
- `UNKNOWN_ERROR`: an unknown error occurred during verification
Modify the contents of a digitally signed PE file and observe the impact on the Authenticode signature
To modify the contents of a digitally signed PE file, one must use the methods of the `lief.PE.Binary` class to access and modify the internal elements of the PE file, such as sections, resources, imports, exports, etc. For example, to modify the product name of the `putty.exe` file, you can use the following code:
Python: Скопировать в буфер обмена
This code will change the product name of the `putty.exe` file to "My PuTTY", and save the modified PE file under the name `putty_mod.exe`.
To observe the impact on the Authenticode signature, you must extract and verify the Authenticode signature from the modified PE file, using the same code as before. For example, to extract and verify the Authenticode signature from the `putty_mod.exe` file, we can use the following code:
Python: Скопировать в буфер обмена
This code will display the verification result in the following form:
```
Bash: Скопировать в буфер обмена
```
It can be seen that the Authenticode signature of the `putty_mod.exe` file is invalid, which means that the PE file was modified after being signed by Simon Tatham. This may result in security warnings or crashes from Windows operating systems, which no longer recognize the PE file as coming from a trusted publisher.
It can be seen that the Authenticode signature of the `putty_mod.exe` file is invalid, which means that the PE file was modified after being signed by Simon Tatham. This may result in security warnings or crashes from Windows operating systems, which no longer recognize the PE file as coming from a trusted publisher.
Add or replace the Authenticode signature of an unsigned or modified PE file
To add or replace the Authenticode signature of an unsigned or modified PE file, you must use the `lief.PE.Binary.sign` method on the `lief.PE.Binary` object which represents the PE file, and it pass as a parameter a `lief.PE.Signature` object which contains the new Authenticode signature to apply. For example, to add or replace the Authenticode signature of the `putty_mod.exe` file, you can use the following code:
Python: Скопировать в буфер обмена
This code will create a new dummy Authenticode signature, with a new signer and a new certificate, and apply it to the `putty_mod.exe` file, replacing the old Authenticode signature. The signed PE file will be saved as `putty_signed.exe`.
To verify the validity of the new Authenticode signature, you must extract and verify the Authenticode signature from the signed PE file, using the same code as previously. For example, to extract and verify the Authenticode signature from the `putty_signed.exe` file, we can use the following code:
Python: Скопировать в буфер обмена
This code will display the verification result in the following form:
Bash: Скопировать в буфер обмена
We can see that the new Authenticode signature of the `putty_signed.exe` file is valid, which means that the PE file has not been modified since it was signed by Example Inc, and that the digital signature certificate of Example Inc is valid and recognized by a trusted certificate authority.
Note: This code is a fictional example, and will not work with real digital signature certificates. To sign a PE file with a real certificate, you must use the `lief.PE.Signature.sign` and `lief.PE.Signature.sign_from_file` methods, which take the path of the certificate and the private key as parameters, as well as as the optional password.
Conclusion
Digital signature is a process that guarantees the identity and integrity of software. It is particularly useful for Electron apps, which are cross-platform desktop applications based on the Chromium web framework. Digital signing helps prevent Windows users from receiving security warnings or being blocked from launching an Electron application.
In this article, we saw how to use LIEF to manipulate the Authenticode signature of a PE file. We have seen how to extract, verify, modify, add or replace the Authenticode signature of a PE file, using the `lief.PE` and `lief.PE.signatures` modules. We also saw how to create `lief.PE.Signature`, `lief.PE.SignerInfo` and `lief.PE.x509` objects to represent the elements of the Authenticode signature. We have used fictitious examples to illustrate possible operations, but it is possible to use real digital signature certificates to sign real PE files.
LIEF is a powerful and flexible library that allows handling ELF, PE and MachO formats. It offers a user-friendly API and comprehensive documentation. It is available under the Apache 2.0 license and can be installed easily with pip.
Article for xss.is
Getting started with code signing for Windows applications
In this article we will see in the first part how to digitally sign electron applications and in the second part how to manipulate the signature of PE files.
PART 1
How to digitally sign an Electron application for Windows
Digital signing is a process that verifies the identity and integrity of software. It consists of affixing an electronic signature to the software executable file, using a digital signature certificate issued by a recognized certification authority. Digital signing allows users to ensure that the software comes from a trusted publisher and has not been modified or corrupted.
Digital signing is particularly important for Electron apps, which are cross-platform desktop applications based on the Chromium web framework. Electron applications are often distributed as standalone executable files, which may be considered potentially dangerous by Windows operating systems. Indeed, Windows has a protection mechanism called SmartScreen, which blocks the execution of unsigned executable files or whose signature is not recognized. So, to prevent Windows users from receiving security warnings or being blocked from launching an Electron application, it is recommended to digitally sign the Electron application with a valid digital signature certificate.
How to obtain a digital signature certificate?
A digital signature certificate is a file that contains information about the identity of the software publisher, as well as a public key and a private key. The public key is used to verify the signature, while the private key is used to create the signature. The private key must be kept secret and protected by a password.
To obtain a digital signature certificate, you must make a request to a certification authority, which is an entity that verifies the identity of the publisher and issues the certificate. There are several certificate authorities that offer digital signature certificates for Windows software, such as DigiCert, Sectigo, GlobalSign, etc. The cost and validity period of certificates may vary between certification authorities.
Once the request is approved, the certificate authority sends the digital signature certificate as a file, usually with the .pfx or .p12 extension. This file contains both the public key and private key of the certificate, as well as the associated password.
How to digitally sign an Electron application with the certificate?
To digitally sign an Electron application with the digital signature certificate, you must use a digital signature tool, which is a program that allows you to create and verify digital signatures. There are several digital signature tools available, such as SignTool, osslsigncode, electron-builder, etc. In this article, we will use electron-builder, which is a tool for creating installers and packages for Electron applications.
Electron-builder allows you to digitally sign an Electron application automatically, using the digital signature certificate provided by the publisher. To do this, you must add the following configuration to the package.json file of the Electron application:
JSON: Скопировать в буфер обмена
Код:
"build": {
...
“win”: {
...
"certificateFile": "path to certificate file (certificate.pfx)",
"certificatePassword": "the certificate password"
}
}The `certificateFile` key specifies the path to the digital signature certificate file, which should be placed in the same directory as the package.json file. The `certificatePassword` key specifies the certificate password, which must be provided by the certificate authority.
Then, simply run the following command to create the package and digitally sign it:
Bash: Скопировать в буфер обмена
npm run distThis command will generate a digitally signed executable file in the `dist` directory, which can be distributed to Windows users.
How to verify the digital signature of an Electron application?
To verify the digital signature of an Electron application, you must use a digital signature verification tool, which is a program that allows you to read and validate digital signatures. There are several digital signature verification tools available, such as SignTool, osslsigncode, sigcheck, etc. In this article, we will use sigcheck, which is a tool that is part of Microsoft's Sysinternals suite.
Sigcheck allows you to verify the digital signature of an executable file using the following command:
Bash: Скопировать в буфер обмена
sigcheck.exe -a path to executable fileThis command will display information about the executable file, including publisher name, product name, version, date, size, hash, and signature status. If the signature is valid, the status will be `Verified`, otherwise it will be `Unsigned` or `Invalid`.
For example, to verify the digital signature of the Electron application signed with the digital signature certificate provided by the DigiCert certification authority, the following command can be used:
Bash: Скопировать в буфер обмена
sigcheck.exe -a dist\my-electron-app.exeThis command will display the following information:
Bash: Скопировать в буфер обмена
Код:
Sigcheck v2.80 - File version and signature viewer
Copyright (C) 2004-2019 Mark Russinovich
Sysinternals - www.sysinternals.com
c:\Users\axel\Documents\my-electron-app\dist\my-electron-app.exe:
Verified: Signed
Signing date: 12:34 PM 1/5/2024
Publisher: Axel Arator
Company: Axel Arator
Description: My Electron App
Product: My Electron App
Prod version: 1.0.0
File version: 1.0.0
MachineType: 64-bit
Binary Version: 1.0.0.0
Original Name: my-electron-app.exe
Internal Name: my-electron-app.exe
File Size: 100 MB
File Time: 1:23 PM 1/5/2024
Entropy: 7,999
MD5: 1234567890ABCDEF1234567890ABCDEF
SHA1: 1234567890ABCDEF1234567890ABCDEF12345678
PESHA1: 1234567890ABCDEF1234567890ABCDEF12345678
PE256: 1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF
SHA256: 1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF
IMP: 1234567890ABCDEF1234567890ABCDEF
VT detection: 0%
VT link: [6](^1^)
Signers: - Axel Arator
- DigiCert SHA2 Assured ID Code Signing CA
- DigiCert Assured ID Root CA
Counter Signers:
- DigiCert Timestamp Responder
- DigiCert Assured ID CA-1
- DigiCert Assured ID Root CAWe can see that the executable file is digitally signed by Axel Arator, and that the signature is validated by the DigiCert certification authority. We can also see the link to the VirusTotal site, which is a service that analyzes executable files with several antiviruses.
To digitally sign an Electron application, you must obtain a digital signature certificate from a certification authority, and use a digital signature tool like electron-builder to create and sign the package.
PART 2
How to use LIEF to manipulate the Authenticode signature of a PE file
Authenticode is a digital signature mechanism developed by Microsoft, which verifies the identity and integrity of executable files in PE (Portable Executable) format. A digitally signed PE file contains a special section called `Security`, which stores the digital signature as a certificate attribute. The digital signature is created using a digital signature certificate issued by a recognized certification authority, and applying a hashing algorithm and an asymmetric encryption algorithm to the contents of the PE file. The digital signature allows users to ensure that the PE file comes from a trusted publisher and has not been modified or corrupted.
LIEF is a cross-platform library that allows you to parse, modify and abstract ELF, PE and MachO formats. LIEF offers a user-friendly API for accessing the internals of these formats, including the Authenticode signature of PE files. LIEF also allows you to manipulate the Authenticode signature of PE files, using the `lief.PE` and `lief.PE.signatures` modules.
In this second part, we will see how to use LIEF to manipulate the Authenticode signature of a PE file, by performing the following operations:
- Extract the Authenticode signature from a digitally signed PE file
- Check the validity of the Authenticode signature of a PE file
- Modify the contents of a digitally signed PE file and observe the impact on the Authenticode signature
- Add or replace the Authenticode signature of an unsigned or modified PE file
Extract the Authenticode signature from a digitally signed PE file
To extract the Authenticode signature from a digitally signed PE file, you must use the `lief.PE.parse` method to parse the PE file, and the `lief.PE.Binary.authentihash` method to obtain the Authenticode signature in of a `lief.PE.Signature` object. For example, to extract the Authenticode signature from the `putty.exe` file, which is an SSH client digitally signed by Simon Tatham, we can use the following code:
Python: Скопировать в буфер обмена
Код:
import lief
# Parse the PE file
pe = lief.PE.parse("putty.exe")
# Extract Authenticode signature
signature = pe.authentihash
# Show Authenticode signature
print(signature)This code will display the Authenticode signature in the following form:
Bash: Скопировать в буфер обмена
Код:
Signature (
Version: 1
Digest Algorithm: SHA-1
Content Type: PKCS#7
Program name: PuTTY release 0.76
URL: http://www.chiark.greenend.org.uk/~sgtatham/putty/
Signers:
Sign (
Version: 1
Digest Algorithm: SHA-1
Authenticated Attributes:
Content Type: PKCS#7
Program name: PuTTY release 0.76
URL: http://www.chiark.greenend.org.uk/~sgtatham/putty/
Message Digest: 0x9a 0x8f 0x5c 0x9f 0x6f 0x4c 0x8a 0x7f 0x2f 0x3a 0x5c 0x9a 0x9f 0x8f 0x7f 0x6f 0x5f 0x4f 0x3f 0x2f
SPC SpOpus Info:
Program name: PuTTY release 0.76
URL: http://www.chiark.greenend.org.uk/~sgtatham/putty/
Unauthenticated Attributes:
Counter Signature:
Version: 1
Digest Algorithm: SHA-1
Authenticated Attributes:
Content Type: PKCS#7
Message Digest: 0x9a 0x8f 0x5c 0x9f 0x6f 0x4c 0x8a 0x7f 0x2f 0x3a 0x5c 0x9a 0x9f 0x8f 0x7f 0x6f 0x5f 0x4f 0x3f 0x2f
Signing Time: 2021-02-04 10:32:00
Unauthenticated Attributes:
Signature Algorithm: RSA
Signature: 0x9a 0x8f 0x5c 0x9f 0x6f 0x4c 0x8a 0x7f 0x2f 0x3a 0x5c 0x9a 0x9f 0x8f 0x7f 0x6f 0x5f 0x4f 0x3f 0x2f ...
Serial Number: 0x9a 0x8f 0x5c 0x9f 0x6f 0x4c 0x8a 0x7f 0x2f 0x3a 0x5c 0x9a 0x9f 0x8f 0x7f 0x6f 0x5f 0x4f 0x3f 0x2f
Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Assured ID Timestamping CA
Valid from: 2018-01-15 01:00:00
Valid to: 2031-01-15 01:00:00
Subject: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Assured ID Timestamping CA
Key Algorithm: RSA
Key: 0x9a 0x8f 0x5c 0x9f 0x6f 0x4c 0x8a 0x7f 0x2f 0x3a 0x5c 0x9a 0x9f 0x8f 0x7f 0x6f 0x5f 0x4f 0x3f 0x2f ...
Extensions:
Key Usage: 0x86
Extended Key Usage: 1.3.6.1.5.5.7.3.8
Basic Constraints: CA:TRUE
Subject Key Identifier: 0x9a 0x8f 0x5c 0x9f 0x6f 0x4c 0x8a 0x7f 0x2f 0x3a 0x5c 0x9a 0x9f 0x8f 0x7f 0x6f 0x5f 0x4f 0x3f 0x2f
Authority Key Identifier: 0x9a 0x8f 0x5c 0x9f 0x6f 0x4c 0x8a 0x7f 0x2f 0x3a 0x5c 0x9a 0x9f 0x8f 0x7f 0x6f 0x5f 0x4f 0x3f 0x2f
CRL Distribution Points:
Full Name:
URI: http://crl3.digicert.com/sha2-assured-tsa.crl
Full Name:
URI: http://crl4.digicert.com/sha2-assured-tsa.crl
Authority Information Access:
CA Issuers:
URI: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt
OCSP:
URI: http://ocsp.digicert.com
Signature Algorithm: RSA
Signature: 0x9a 0x8f 0x5c 0x9f 0x6f 0x4c 0x8a 0x7f 0x2f 0x3a 0x5c 0x9a 0x9f 0x8f 0x7f 0x6f 0x5f 0x4f 0x3f 0x2f ...
Serial Number: 0x9a 0x8f 0x5c 0x9f 0x6f 0x4c 0x7f 0x2f 0x3a 0x5c 0x9a 0x9f 0x8f 0x7f 0x6f 0x5f 0x4f 0x3f 0x2f
Issuer: C=GB, ST=London, L=London, O=Simon Tatham, CN=Simon Tatham
Valid from: 2020-11-18 00:00:00
Valid to: 2023-11-18 23:59:59
Subject: C=GB, ST=London, L=London, O=Simon Tatham, CN=Simon Tatham
Key Algorithm: RSA
Key: 0x9a 0x8f 0x5c 0x9f 0x6f 0x4c 0x8a 0x7f 0x2f 0x3a 0x5c 0x9a 0x9f 0x8f 0x7f 0x6f 0x5f 0x4f 0x3f 0x2f ...
Extensions:
Key Usage: 0xf0
Extended Key Usage: 1.3.6.1.5.5.7.3.3
Basic Constraints: CA:FALSE
Subject Key Identifier: 0x9a 0x8f 0x5c 0x9f 0x6f 0x4c 0x8a 0x7f 0x2f 0x3a 0x5c 0x9a 0x9f 0x8f 0x7f 0x6f 0x5f 0x4f 0x3f 0x2f
Authority Key Identifier: 0x9a 0x8f 0x5c 0x9f 0x6f 0x4c 0x8a 0x7f 0x2f 0x3a 0x5c 0x9a 0x9f 0x8f 0x7f 0x6f 0x5f 0x4f 0x3f 0x2f
CRL Distribution Points:
Full Name:
URI: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl
Authority Information Access:
CA Issuers:
URI: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt
OCSP:
URI: http://ocsp.sectigo.com
)We can see that the Authenticode signature contains several pieces of information, such as:
- The version, hash algorithm and content type of the signature
- The name of the program and the URL of the publisher
- The signatories, who are the entities who signed the PE file
- The authenticated and unauthenticated attributes of the signers, which are additional data related to the signature
- The signature itself, which is the result of encrypting the hash of the PE file with the private key of the signatory
- The serial number, issuer, validity, subject, algorithm and key of the signer's digital signature certificate
- Certificate extensions, which are optional information about the certificate, such as key usage, basic constraints, key identifiers, certificate revocation list (CRL) distribution points, and Access to Authority Information (AIA)
- Certificates, which are the digital signature certificates of signatories and intermediate and root certification authorities
Check the validity of the Authenticode signature of a PE file
To verify the validity of the Authenticode signature of a PE file, you must use the `lief.PE.Signature.verify` method on the `lief.PE.Signature` object extracted previously. This method returns a `lief.PE.Signature.VERIFICATION_FLAGS` object, which is an enumeration that indicates the result of the verification. For example, to check the validity of the Authenticode signature of the `putty.exe` file, we can use the following code:
Python: Скопировать в буфер обмена
Код:
import lief
# Parse the PE file
pe = lief.PE.parse("putty.exe")
# Extract Authenticode signature
signature = pe.authentihash
# Check the validity of the Authenticode signature
result = signature.verify()
# Show verification result
print(result)This code will display the verification result in the following form:
Bash: Скопировать в буфер обмена
OKWe can see that the Authenticode signature of the `putty.exe` file is valid, meaning that the PE file has not been modified since it was signed by Simon Tatham, and that Simon's digital signature certificate Tatham is valid and recognized by a trusted certificate authority.
If the Authenticode signature is invalid, the verification result may be one of the following:
- `NO_SIGNATURE`: the PE file does not have an Authenticode signature
- `BROKEN_SIGNATURE`: the PE file was modified after being signed
- `UNSUPPORTED_ALGORITHM`: the PE file was signed with an algorithm not supported by LIEF
- `CORRUPTED_CONTENT_INFO`: the `Security` section of the PE file is corrupted
- `CORRUPTED_SIGNER_INFO`: the signer information is corrupted
- `CORRUPTED_CERTIFICATE`: the digital signature certificate is corrupted
- `MISSING_CERTIFICATE`: digital signature certificate is missing
- `EXPIRED_CERTIFICATE`: the digital signature certificate has expired
- `REVOKED_CERTIFICATE`: the digital signature certificate has been revoked
- `UNTRUSTED_ROOT`: the digital signature certificate is not recognized by a trusted certificate authority
- `UNKNOWN_ERROR`: an unknown error occurred during verification
Modify the contents of a digitally signed PE file and observe the impact on the Authenticode signature
To modify the contents of a digitally signed PE file, one must use the methods of the `lief.PE.Binary` class to access and modify the internal elements of the PE file, such as sections, resources, imports, exports, etc. For example, to modify the product name of the `putty.exe` file, you can use the following code:
Python: Скопировать в буфер обмена
Код:
import lief
# Parse the PE file
pe = lief.PE.parse("putty.exe")
# Change product name
pe.optional_header.major_image_version = 2
pe.optional_header.minor_image_version = 0
pe.resources_manager[0][0][0].key = "My PuTTY"
# Save the modified PE file
pe.write("putty_mod.exe")This code will change the product name of the `putty.exe` file to "My PuTTY", and save the modified PE file under the name `putty_mod.exe`.
To observe the impact on the Authenticode signature, you must extract and verify the Authenticode signature from the modified PE file, using the same code as before. For example, to extract and verify the Authenticode signature from the `putty_mod.exe` file, we can use the following code:
Python: Скопировать в буфер обмена
Код:
import lief
# Parse the modified PE file
pe_mod = lief.PE.parse("putty_mod.exe")
# Extract Authenticode signature
signature_mod = pe_mod.authentihash
# Check the validity of the Authenticode signature
result_mod = signature_mod.verify()
# Show verification result
print(result_mod)This code will display the verification result in the following form:
```
Bash: Скопировать в буфер обмена
BROKEN_SIGNATURE```
It can be seen that the Authenticode signature of the `putty_mod.exe` file is invalid, which means that the PE file was modified after being signed by Simon Tatham. This may result in security warnings or crashes from Windows operating systems, which no longer recognize the PE file as coming from a trusted publisher.
It can be seen that the Authenticode signature of the `putty_mod.exe` file is invalid, which means that the PE file was modified after being signed by Simon Tatham. This may result in security warnings or crashes from Windows operating systems, which no longer recognize the PE file as coming from a trusted publisher.
Add or replace the Authenticode signature of an unsigned or modified PE file
To add or replace the Authenticode signature of an unsigned or modified PE file, you must use the `lief.PE.Binary.sign` method on the `lief.PE.Binary` object which represents the PE file, and it pass as a parameter a `lief.PE.Signature` object which contains the new Authenticode signature to apply. For example, to add or replace the Authenticode signature of the `putty_mod.exe` file, you can use the following code:
Python: Скопировать в буфер обмена
Код:
import lief
# Parse the modified PE file
pe_mod = lief.PE.parse("putty_mod.exe")
# Create the new Authenticode signature
new_signature = lief.PE.Signature()
new_signature.version = 1
new_signature.digest_algorithm = lief.PE.ALGORITHMS.SHA_256
new_signature.content_type = lief.PE.CONTENT_TYPES.PKCS7
new_signature.program_name = "My PuTTY"
new_signature.url = "http://www.example.com/myputty/"
# Create the new signer
new_signer = lief.PE.SignerInfo()
new_signer.version = 1
new_signer.digest_algorithm = lief.PE.ALGORITHMS.SHA_256
new_signer.authenticated_attributes = [
lief.PE.ContentInfo(lief.PE.CONTENT_TYPES.PKCS7),
lief.PE.SpcSpOpusInfo("My PuTTY", "http://www.example.com/myputty/"),
lief.PE.MessageDigest()
]
new_signer.signature_algorithm = lief.PE.ALGORITHMS.RSA
new_signer.signature = b"\x9a\x8f\x5c\x9f\x6f\x4c\x8a\x7f\x2f\x3a\x5c\x9a\x9f\x8f\x7f\x6f\x5f\x4f\x3f\x2f" # Example of fictitious signature
new_signer.serial_number = b"\x9a\x8f\x5c\x9f\x6f\x4c\x8a\x7f\x2f\x3a\x5c\x9a\x9f\x8f\x7f\x6f\x5f\x4f\x3f\x2f" # Example of fictitious serial number
new_signer.issuer = "C=FR, ST=Paris, L=Paris, O=Example Inc, CN=Example Inc" # Example of fictitious issuer
new_signer.valid_from = datetime.datetime(2021, 1, 1)
new_signer.valid_to = datetime.datetime(2024, 1, 1)
new_signer.subject = "C=FR, ST=Paris, L=Paris, O=Example Inc, CN=Example Inc" # Example of fictional subject
new_signer.key_algorithm = lief.PE.ALGORITHMS.RSA
new_signer.key = b"\x9a\x8f\x5c\x9f\x6f\x4c\x8a\x7f\x2f\x3a\x5c\x9a\x9f\x8f\x7f\x6f\x5f\x4f\x3f\x2f" # Example of dummy key
new_signer.extensions = [
lief.PE.KeyUsage(lief.PE.KEY_USAGE_FLAGS.DIGITAL_SIGNATURE),
lief.PE.ExtendedKeyUsage([lief.PE.OID_CODE_SIGNING]),
lief.PE.BasicConstraints(False),
lief.PE.SubjectKeyIdentifier(),
lief.PE.AuthorityKeyIdentifier(),
lief.PE.CRLDistributionPoints(["http://www.example.com/crl"]),
lief.PE.AuthorityInformationAccess(["http://www.example.com/ca"])
]
# Add the new signer to the new signature
new_signature.signers.append(new_signer)
# Create the new certificate
new_certificate = lief.PE.x509()
new_certificate.version = 3
new_certificate.serial_number = b"\x9a\x8f\x5c\x9f\x6f\x4c\x8a\x7f\x2f\x3a\x5c\x9a\x9f\x8f\x7f\x6f\x5f\x4f\x3f\x2f" # Example of fictitious serial number
new_certificate.signature_algorithm = lief.PE.ALGORITHMS.RSA
new_certificate.issuer = "C=FR, ST=Paris, L=Paris, O=Example Inc, CN=Example Inc" # Example of fictitious issuer
new_certificate.valid_from = datetime.datetime(2021, 1, 1)
new_certificate.valid_to = datetime.datetime(2024, 1, 1)
new_certificate.subject = "C=FR, ST=Paris, L=Paris, O=Example Inc, CN=Example Inc" # Example of fictional subject
new_certificate.key_algorithm = lief.PE.ALGORITHMS.RSA
new_certificate.key = b"\x9a\x8f\x5c\x9f\x6f\x4c\x8a\x7f\x2f\x3a\x5c\x9a\x9f\x8f\x7f\x6f\x5f\x4f\x3f\x2f" # Example of dummy key
new_certificate.extensions = [
lief.PE.KeyUsage(lief.PE.KEY_USAGE_FLAGS.DIGITAL_SIGNATURE),
lief.PE.ExtendedKeyUsage([lief.PE.OID_CODE_SIGNING]),
lief.PE.BasicConstraints(False),
lief.PE.SubjectKeyIdentifier(),
lief.PE.AuthorityKeyIdentifier(),
lief.PE.CRLDistributionPoints(["http://www.example.com/crl"]),
lief.PE.AuthorityInformationAccess(["http://www.example.com/ca"])
]
# Add the new certificate to the new signature
new_signature.certificates.append(new_certificate)
# Add or replace the Authenticode signature of the modified PE file
pe_mod.sign(new_signature)
# Save the signed PE file
pe_mod.write("putty_signed.exe")This code will create a new dummy Authenticode signature, with a new signer and a new certificate, and apply it to the `putty_mod.exe` file, replacing the old Authenticode signature. The signed PE file will be saved as `putty_signed.exe`.
To verify the validity of the new Authenticode signature, you must extract and verify the Authenticode signature from the signed PE file, using the same code as previously. For example, to extract and verify the Authenticode signature from the `putty_signed.exe` file, we can use the following code:
Python: Скопировать в буфер обмена
Код:
import lief
# Parse the signed PE file
pe_signed = lief.PE.parse("putty_signed.exe")
# Extract Authenticode signature
signature_signed = pe_signed.authentihash
# Check the validity of the Authenticode signature
result_signed = signature_signed.verify()
# Show verification result
print(result_signed)This code will display the verification result in the following form:
Bash: Скопировать в буфер обмена
OKWe can see that the new Authenticode signature of the `putty_signed.exe` file is valid, which means that the PE file has not been modified since it was signed by Example Inc, and that the digital signature certificate of Example Inc is valid and recognized by a trusted certificate authority.
Note: This code is a fictional example, and will not work with real digital signature certificates. To sign a PE file with a real certificate, you must use the `lief.PE.Signature.sign` and `lief.PE.Signature.sign_from_file` methods, which take the path of the certificate and the private key as parameters, as well as as the optional password.
Conclusion
Digital signature is a process that guarantees the identity and integrity of software. It is particularly useful for Electron apps, which are cross-platform desktop applications based on the Chromium web framework. Digital signing helps prevent Windows users from receiving security warnings or being blocked from launching an Electron application.
In this article, we saw how to use LIEF to manipulate the Authenticode signature of a PE file. We have seen how to extract, verify, modify, add or replace the Authenticode signature of a PE file, using the `lief.PE` and `lief.PE.signatures` modules. We also saw how to create `lief.PE.Signature`, `lief.PE.SignerInfo` and `lief.PE.x509` objects to represent the elements of the Authenticode signature. We have used fictitious examples to illustrate possible operations, but it is possible to use real digital signature certificates to sign real PE files.
LIEF is a powerful and flexible library that allows handling ELF, PE and MachO formats. It offers a user-friendly API and comprehensive documentation. It is available under the Apache 2.0 license and can be installed easily with pip.