I have a large number of EXE files and need to figure out which ones have digital signatures. Does anyone know if there is a way to check without access to WinVerifyTrust (they're all on a Unix server).
I can't seem to find any information on where the digital signature actually is inside the EXE. If I could find out where it is I might be able to open the file and fseek to a location to test. I don't need to do "real" verification on the certificate, I just want to see if a digital signature is present (or, more importantly, NOT present) without having to use WinVerifyTrust.
Comments (3)
As mentioned above, the sole presence of the IMAGE_DIRECTORY_ENTRY_SECURITY directory is a clear indicator to detect the presence of a signature inside a PE file. If you have a large number of files to test and want to filter these, just testing the presence of this standard directory is valid. You don't need a library to do this.
I tried to solve the problem in the same situation.
I recommend osslsigncode.
This is an implementation of Windows Authenticode with OpenSSL.
https://github.com/develar/osslsigncode
Below is a code block excerpt from osslsigncode.
If siglen is 0 in osslsigncode, it determines that there is no signature.
If you just want to check the signature, you don't need a library.
However, see osslsigncode for help.
You can find this information using code from Mono.Security.dll AuthenticodeBase [1]
[1] https://github.com/mono/mono/blob/master/mcs/class/Mono.Security/Mono.Security.Authenticode/AuthenticodeBase.cs
Your best hint (if an authenticode signature is present) is:
if dirSecuritySize is larger than 8 then there's a signature entry (valid or not).
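
The check the answers describe, as an added example that is not part of any answer above and is not code from osslsigncode or Mono: it reads the IMAGE_DIRECTORY_ENTRY_SECURITY entry (data directory index 4) from the PE optional header and applies the "size larger than 8" test. The function names, the status strings, the bounds check against the file length, and the `sample_pe` header builder are assumptions made for this illustration.

```python
import struct
import sys

SECURITY_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY

def security_directory(data):
    """Return (file_offset, size) of the security directory, or None if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if pe + 24 > len(data) or data[pe:pe + 4] != b"PE\0\0":
        return None
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]   # SizeOfOptionalHeader
    opt = pe + 24
    if opt_size < 2 or opt + opt_size > len(data):
        return None
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = opt + {0x10B: 96, 0x20B: 112}.get(magic, 0)      # PE32 / PE32+
    if dirs == opt or dirs > opt + opt_size:
        return None
    count = struct.unpack_from("<I", data, dirs - 4)[0]     # NumberOfRvaAndSizes
    entry = dirs + 8 * SECURITY_INDEX
    if count <= SECURITY_INDEX or entry + 8 > opt + opt_size:
        return (0, 0)                                       # table too short: no entry
    return struct.unpack_from("<II", data, entry)           # file offset, not an RVA

def signature_status(data):
    sec = security_directory(data)
    if sec is None:
        return "not-pe"
    offset, size = sec
    if offset == 0 or size <= 8:       # threshold from the answer: size > 8
        return "unsigned"
    if offset + size > len(data):      # added sanity check: table must fit in file
        return "malformed"
    return "signed"

def sample_pe(sec_off, sec_size, trailer=b""):
    """Constructed PE32 headers only, for the demo; not a runnable EXE."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)
    dirs = bytearray(128)
    struct.pack_into("<II", dirs, 8 * SECURITY_INDEX, sec_off, sec_size)
    return dos + coff + opt + bytes(dirs) + trailer

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, signature_status(f.read()))
```

A "signed" result only means a certificate table entry is present; it says nothing about whether the signature verifies.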