#signature #certificate #openssl #command-line-tool #portable-executable #blue-team

no-std bin+lib pe-sign

pe-sign is a cross-platform tool developed in Rust, designed for parsing and verifying digital signatures in PE files. It provides a simple command-line interface that supports extracting certificates, verifying digital signatures, calculating Authenticode digests, and printing certificate information.

10 releases

0.1.9 Oct 31, 2024
0.1.8 Oct 10, 2024
0.1.5 Sep 13, 2024

#114 in Authentication

Download history 437/week @ 2024-09-09 75/week @ 2024-09-16 30/week @ 2024-09-23 6/week @ 2024-09-30 545/week @ 2024-10-07 44/week @ 2024-10-14 122/week @ 2024-10-28 9/week @ 2024-11-04

189 downloads per month

Custom license

180KB
4K SLoC

pe-sign

language Crates.io Version License dependency status docs.rs Crates.io Size Crates.io Total Downloads

README | 中文文档

pe-sign is a cross-platform tool developed in Rust, designed for parsing and verifying digital signatures in PE files. It provides a simple command-line interface that supports extracting certificates, verifying digital signatures, calculating Authenticode digests, and printing certificate information. It can be used as a standalone command-line tool or integrated into your Rust project as a dependency.

This project is based on the pe-sign command-line tool from repository windows_pe_signature_research, with the OpenSSL dependency removed.

Features

  • Extract Certificates: Extract certificates from PE files.
  • Verify Signatures: Check the validity of a PE file's digital signature.
  • Calculate Authenticode Digest: Compute the Authenticode digest of a PE file.
  • Print Certificate Information: Display detailed information about certificates in PE files.
  • Print Signer Information: Show detailed signer information from PE files.

CLI Tool

Installation

Download the binary for your platform from the Releases page. On Linux and macOS, you can place it in the /bin directory or add it to the PATH environment variable. On Windows, you can place it in C:\Windows\System32 or add it to the PATH environment variable.

Alternatively, if you have Cargo installed, you can easily install it by running cargo install pe-sign -F build-binary.

Usage

pe-sign (0.1.9) - REinject
A tool for parsing and verifing PE file signatures

Repository: https://github.com/0xlane/pe-sign

Commands:
  extract  Extract the certificate of a PE file
  verify   Check the digital signature of a PE file for validity
  calc     Calculate the authticode digest of a PE file
  print    Print the certificate information of a PE file.
  help     Print this message or the help of the given subcommand(s)

Options:
  -h, --help     Print help
  -V, --version  Print version

Extracting the Signature Certificate

Extract the certificate of a PE file

Usage: pesign.exe extract [OPTIONS] <FILE>

Arguments:
  <FILE>

Options:
  -o, --output <FILE>  Write to file instead of stdout
      --pem            Extract and convert certificate to pem format
      --embed          Extract embedded certificate
  -h, --help           Print help

You can also output the results using pipes and redirection in addition to the -o option. Example:

pesign.exe extract test.exe --pem > pkcs7.cer
pesign.exe extract test.exe --pem | openssl pkcs7 -inform PEM --print_certs -noout -text

Note: When using pipes or redirection in PowerShell, must include the --pem flag. Otherwise, the output DER binary data will be interpreted as a string by PowerShell.

Printing Certificate Information

The command-line tool provides an OpenSSL-like --print_certs feature, which outputs a similar format to OpenSSL:

Print the certificate information of a PE file.

Usage: pesign.exe print [OPTIONS] <FILE>

Arguments:
  <FILE>

Options:
      --signer-info  Print the signer info of a PE file.
  -a, --all          Include nested signature.
  -h, --help         Print help

Example:

PS C:\dev\pe-sign> pesign.exe print .\ProcessHacker.exe
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            0f:f1:ef:66:bd:62:1c:65:b7:4b:4d:e4:14:25:71:7f
        Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA-1
        Not Before: 2013-10-30 08:00:00 +08:00
        Not After : 2017-01-04 20:00:00 +08:00
        Subject: C=AU, ST=New South Wales, L=Sydney, O=Wen Jia Liu, CN=Wen Jia Liu
        Subject Public Key Info:
            Algorithm: RSA
            Public-Key: (2048 bit)
            Modulus:
                00:cc:2e:a1:52:49:09:cc:22:ef:34:43:dc:41:a6:98:a0:1f:0f:69:
                1a:33:b2:92:a5:73:26:4e:1d:b9:e2:ab:c4:46:e1:3e:f9:24:c2:f6:
                ...
                ...
            Exponent: 65537 (0x10001)
        Extensions:
            Authority Key Identifier:
                97:48:03:eb:15:08:6b:b9:b2:58:23:cc:94:2e:f1:c6:65:d2:64:8e
            Subject Key Identifier:
                2c:b8:9a:96:b2:c1:b1:a0:7d:a4:90:20:19:b8:be:05:58:df:2c:78
            Key Usage:
                Digital Signature
            Extended Key Usage:
                Code Signing
            CRL Distribution Points:
                Full Name:
                    URI:http://crl3.digicert.com/ha-cs-2011a.crl
                Full Name:
                    URI:http://crl4.digicert.com/ha-cs-2011a.crl
            Certificate Policies: <Unsupported>
            Authority Information Access:
                OCSP - URI:http://ocsp.digicert.com
                CA Issuers - URI:http://cacerts.digicert.com/DigiCertHighAssuranceCodeSigningCA-1.crt
            Basic Constraints:
                ca:FALSE
    Signature Algorithm: Sha1WithRSA
    Signature Value:
            88:f1:59:8a:6a:8a:6c:49:04:64:67:70:02:14:76:57:3d:57:c2:f9:
            cb:88:78:6e:82:3a:63:12:f7:c9:0b:57:8b:13:16:b0:69:d7:67:0f:
            ...
            ...

...
...

Additionally, use the --signer-info option to print signer information. Example:

PS C:\dev\pe-sign> pesign.exe print .\ProcessHacker.exe --signer-info
Signer Info:
    Signer Identifier:
        Issuer And Serial Number:
            Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA-1
            Serial Number:
                0f:f1:ef:66:bd:62:1c:65:b7:4b:4d:e4:14:25:71:7f
    Authenticated Attributes:
        1.3.6.1.4.1.311.2.1.12:
            30:00
        1.2.840.113549.1.9.3:
            06:0a:2b:06:01:04:01:82:37:02:01:04
        1.3.6.1.4.1.311.2.1.11:
            30:0c:06:0a:2b:06:01:04:01:82:37:02:01:15
        1.2.840.113549.1.9.4:
            04:14:f4:23:ed:d4:63:5b:6b:ea:f3:c8:ca:9c:de:5d:db:5f:8b:1a:
            ba:20
    Unauthenticated Attributes:
        Counter Signature (1.2.840.113549.1.9.6):
            30:82:01:f8:02:01:01:30:76:30:62:31:0b:30:09:06:03:55:04:06:
            13:02:55:53:31:15:30:13:06:03:55:04:0a:13:0c:44:69:67:69:43:
            ...
            ...
        1.3.6.1.4.1.311.2.4.1:
            30:82:1c:23:06:09:2a:86:48:86:f7:0d:01:07:02:a0:82:1c:14:30:
            82:1c:10:02:01:01:31:0f:30:0d:06:09:60:86:48:01:65:03:04:02:
            ...
            ...
    Countersigner Info:
        Signer Info:
            Signer Identifier:
                Issuer And Serial Number:
                    Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA-1
                    Serial Number:
                        03:01:9a:02:3a:ff:58:b1:6b:d6:d5:ea:e6:17:f0:66
            Authenticated Attributes:
                1.2.840.113549.1.9.3:
                    06:09:2a:86:48:86:f7:0d:01:07:01
                Signing Time (1.2.840.113549.1.9.5):
                    2016-03-29 09:35:02 +08:00
                1.2.840.113549.1.9.4:
                    04:14:d4:11:7e:ce:3a:3f:29:91:7d:e3:f0:55:fe:32:a2:11:b0:c9:
                    c5:ac
            Digest Algorithm: Sha1
            Encrypted Digest:
                02:d1:d6:d2:ec:f6:cb:7a:4b:a4:29:01:ab:77:48:e9:d5:bf:0f:6c:
                bd:b7:d6:86:11:24:e8:cf:ba:32:ab:12:40:be:31:e7:d6:16:c5:52:
                ...
                ...
    Digest Algorithm: Sha1
    Encrypted Digest:
        46:3d:97:37:67:9d:12:4e:80:cf:a1:df:98:10:8d:a8:39:3e:5e:db:
        28:c3:28:c9:d7:a7:48:22:2d:a8:4c:1e:40:e9:72:63:fd:04:7a:e9:
        ...
        ...

Verifying the Signature

The tool also verifies the validity of PE file signatures:

Check the digital signature of a PE file for validity

Usage: pesign.exe verify [OPTIONS] <FILE>

Arguments:
  <FILE>

Options:
      --no-check-time   Ignore certificate validity time
      --ca-file <FILE>  Trusted certificates file
      --embed           Verify embedded certificate
  -h, --help            Print help

Use the --no-check-time option to skip the time validity check. And use the --ca-file option to specify a PEM-formatted trusted CA certificate file. If not specified, it will use the default built-in ca certificates for verification.

Library Integration

You can also integrate pe-sign into your project as a dependency. Add it using the following command:

cargo add pe-sign

Then use pesign and parse PE file sigature to PeSign struct in main.rs:

use pesign::PeSign;

fn main() {
    if let Some(pesign) = PeSign::from_pe_path("test.exe").unwrap() {
        // Add your program logic.
    } else {
        println!("The file is no signed!!");
    }
}

For more details, please refer to the crate documentation.

Contribution

If you find any issues or have suggestions for new features, feel free to submit an Issue or create a Pull Request.

Repository

You can view the project's source code here: pe-sign GitHub Repository.

License

This project is open-source under the MIT License. For more details, see the LICENSE file.

Dependencies

~9–21MB
~290K SLoC