10 releases
| new 0.1.9 | Oct 31, 2024 |
|---|---|
| 0.1.8 | Oct 10, 2024 |
| 0.1.5 | Sep 13, 2024 |
#125 in Authentication
612 downloads per month
180KB
4K
SLoC
pe-sign
pe-sign is a cross-platform tool developed in Rust, designed for parsing and verifying digital signatures in PE files. It provides a simple command-line interface that supports extracting certificates, verifying digital signatures, calculating Authenticode digests, and printing certificate information. It can be used as a standalone command-line tool or integrated into your Rust project as a dependency.
This project is based on the pe-sign command-line tool from repository windows_pe_signature_research, with the OpenSSL dependency removed.
Features
- Extract Certificates: Extract certificates from PE files.
- Verify Signatures: Check the validity of a PE file's digital signature.
- Calculate Authenticode Digest: Compute the Authenticode digest of a PE file.
- Print Certificate Information: Display detailed information about certificates in PE files.
- Print Signer Information: Show detailed signer information from PE files.
CLI Tool
Installation
Download the binary for your platform from the Releases page. On Linux and macOS, you can place it in the /bin directory or add it to the PATH environment variable. On Windows, you can place it in C:\Windows\System32 or add it to the PATH environment variable.
Alternatively, if you have Cargo installed, you can easily install it by running cargo install pe-sign -F build-binary.
Usage
pe-sign (0.1.9) - REinject
A tool for parsing and verifing PE file signatures
Repository: https://github.com/0xlane/pe-sign
Commands:
extract Extract the certificate of a PE file
verify Check the digital signature of a PE file for validity
calc Calculate the authticode digest of a PE file
print Print the certificate information of a PE file.
help Print this message or the help of the given subcommand(s)
Options:
-h, --help Print help
-V, --version Print version
Extracting the Signature Certificate
Extract the certificate of a PE file
Usage: pesign.exe extract [OPTIONS] <FILE>
Arguments:
<FILE>
Options:
-o, --output <FILE> Write to file instead of stdout
--pem Extract and convert certificate to pem format
--embed Extract embedded certificate
-h, --help Print help
You can also output the results using pipes and redirection in addition to the -o option. Example:
pesign.exe extract test.exe --pem > pkcs7.cer
pesign.exe extract test.exe --pem | openssl pkcs7 -inform PEM --print_certs -noout -text
Note: When using pipes or redirection in PowerShell, must include the --pem flag. Otherwise, the output DER binary data will be interpreted as a string by PowerShell.
Printing Certificate Information
The command-line tool provides an OpenSSL-like --print_certs feature, which outputs a similar format to OpenSSL:
Print the certificate information of a PE file.
Usage: pesign.exe print [OPTIONS] <FILE>
Arguments:
<FILE>
Options:
--signer-info Print the signer info of a PE file.
-a, --all Include nested signature.
-h, --help Print help
Example:
PS C:\dev\pe-sign> pesign.exe print .\ProcessHacker.exe
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
0f:f1:ef:66:bd:62:1c:65:b7:4b:4d:e4:14:25:71:7f
Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA-1
Not Before: 2013-10-30 08:00:00 +08:00
Not After : 2017-01-04 20:00:00 +08:00
Subject: C=AU, ST=New South Wales, L=Sydney, O=Wen Jia Liu, CN=Wen Jia Liu
Subject Public Key Info:
Algorithm: RSA
Public-Key: (2048 bit)
Modulus:
00:cc:2e:a1:52:49:09:cc:22:ef:34:43:dc:41:a6:98:a0:1f:0f:69:
1a:33:b2:92:a5:73:26:4e:1d:b9:e2:ab:c4:46:e1:3e:f9:24:c2:f6:
...
...
Exponent: 65537 (0x10001)
Extensions:
Authority Key Identifier:
97:48:03:eb:15:08:6b:b9:b2:58:23:cc:94:2e:f1:c6:65:d2:64:8e
Subject Key Identifier:
2c:b8:9a:96:b2:c1:b1:a0:7d:a4:90:20:19:b8:be:05:58:df:2c:78
Key Usage:
Digital Signature
Extended Key Usage:
Code Signing
CRL Distribution Points:
Full Name:
URI:http://crl3.digicert.com/ha-cs-2011a.crl
Full Name:
URI:http://crl4.digicert.com/ha-cs-2011a.crl
Certificate Policies: <Unsupported>
Authority Information Access:
OCSP - URI:http://ocsp.digicert.com
CA Issuers - URI:http://cacerts.digicert.com/DigiCertHighAssuranceCodeSigningCA-1.crt
Basic Constraints:
ca:FALSE
Signature Algorithm: Sha1WithRSA
Signature Value:
88:f1:59:8a:6a:8a:6c:49:04:64:67:70:02:14:76:57:3d:57:c2:f9:
cb:88:78:6e:82:3a:63:12:f7:c9:0b:57:8b:13:16:b0:69:d7:67:0f:
...
...
...
...
Additionally, use the --signer-info option to print signer information. Example:
PS C:\dev\pe-sign> pesign.exe print .\ProcessHacker.exe --signer-info
Signer Info:
Signer Identifier:
Issuer And Serial Number:
Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA-1
Serial Number:
0f:f1:ef:66:bd:62:1c:65:b7:4b:4d:e4:14:25:71:7f
Authenticated Attributes:
1.3.6.1.4.1.311.2.1.12:
30:00
1.2.840.113549.1.9.3:
06:0a:2b:06:01:04:01:82:37:02:01:04
1.3.6.1.4.1.311.2.1.11:
30:0c:06:0a:2b:06:01:04:01:82:37:02:01:15
1.2.840.113549.1.9.4:
04:14:f4:23:ed:d4:63:5b:6b:ea:f3:c8:ca:9c:de:5d:db:5f:8b:1a:
ba:20
Unauthenticated Attributes:
Counter Signature (1.2.840.113549.1.9.6):
30:82:01:f8:02:01:01:30:76:30:62:31:0b:30:09:06:03:55:04:06:
13:02:55:53:31:15:30:13:06:03:55:04:0a:13:0c:44:69:67:69:43:
...
...
1.3.6.1.4.1.311.2.4.1:
30:82:1c:23:06:09:2a:86:48:86:f7:0d:01:07:02:a0:82:1c:14:30:
82:1c:10:02:01:01:31:0f:30:0d:06:09:60:86:48:01:65:03:04:02:
...
...
Countersigner Info:
Signer Info:
Signer Identifier:
Issuer And Serial Number:
Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA-1
Serial Number:
03:01:9a:02:3a:ff:58:b1:6b:d6:d5:ea:e6:17:f0:66
Authenticated Attributes:
1.2.840.113549.1.9.3:
06:09:2a:86:48:86:f7:0d:01:07:01
Signing Time (1.2.840.113549.1.9.5):
2016-03-29 09:35:02 +08:00
1.2.840.113549.1.9.4:
04:14:d4:11:7e:ce:3a:3f:29:91:7d:e3:f0:55:fe:32:a2:11:b0:c9:
c5:ac
Digest Algorithm: Sha1
Encrypted Digest:
02:d1:d6:d2:ec:f6:cb:7a:4b:a4:29:01:ab:77:48:e9:d5:bf:0f:6c:
bd:b7:d6:86:11:24:e8:cf:ba:32:ab:12:40:be:31:e7:d6:16:c5:52:
...
...
Digest Algorithm: Sha1
Encrypted Digest:
46:3d:97:37:67:9d:12:4e:80:cf:a1:df:98:10:8d:a8:39:3e:5e:db:
28:c3:28:c9:d7:a7:48:22:2d:a8:4c:1e:40:e9:72:63:fd:04:7a:e9:
...
...
Verifying the Signature
The tool also verifies the validity of PE file signatures:
Check the digital signature of a PE file for validity
Usage: pesign.exe verify [OPTIONS] <FILE>
Arguments:
<FILE>
Options:
--no-check-time Ignore certificate validity time
--ca-file <FILE> Trusted certificates file
--embed Verify embedded certificate
-h, --help Print help
Use the --no-check-time option to skip the time validity check. And use the --ca-file option to specify a PEM-formatted trusted CA certificate file. If not specified, it will use the default built-in ca certificates for verification.
Library Integration
You can also integrate pe-sign into your project as a dependency. Add it using the following command:
cargo add pe-sign
Then use pesign and parse PE file sigature to PeSign struct in main.rs:
use pesign::PeSign;
fn main() {
if let Some(pesign) = PeSign::from_pe_path("test.exe").unwrap() {
// Add your program logic.
} else {
println!("The file is no signed!!");
}
}
For more details, please refer to the crate documentation.
Contribution
If you find any issues or have suggestions for new features, feel free to submit an Issue or create a Pull Request.
Repository
You can view the project's source code here: pe-sign GitHub Repository.
License
This project is open-source under the MIT License. For more details, see the LICENSE file.
Dependencies
~8–20MB
~295K SLoC