TransWikia.com

Programmatically getting an executable's Certificate Details

Super User Asked by Claudiu Dragan on November 27, 2020

It is possible to somehow programmatically export a file’s digital certificate’s subject if the certificate itself is not installed on the workstation but is only used to sign that specific file?

I need to somehow extract that information from a file and check if it’s correct. Preferably using Python/CMD/PowerShell

What I need

EDIT:

Sorry for the lack of details.

I’m currently using this python script (which I modified to run on Python 3.6): http://www.zedwood.com/article/python-openssl-x509-parse-certificate to parse a .cer file that I extracted from the original executable file with this little tool I’ve found (which I also modified to work with Python 3): https://blog.didierstevens.com/programs/disitool/ but only after I convert it from a DER-encoded binary to a base-64 with the Windows certutil.

The problem with the disitool script, though, is that it literally CUTS a ‘signature’ bytearray from the executable itself using the pefile python module, which makes the extracted .cer file invalid, as per the python error that I keep getting when trying to load the certificate with the OpenSSL.crypto module:

 [('asn1 encoding routines', 'asn1_check_tlen', 'wrong tag'), ('asn1 encoding routines', 'asn1_item_embed_d2i', 'nested asn1 error'), ('asn1 encoding routines', 'asn1_template_noexp_d2i', 'nested asn1 error'), ('PEM routines', 'PEM_ASN1_read_bio', 'ASN1 lib')] 

But parsing a good extracted certificate (with the first script I posted above) works, as you can see here:

Parsing works just fine]

So, I just need a way to extract the certificate from an executable, I guess. Or, if you’ve found my solution too complicated, If you have any idea how I could get that “Redmond” text from the certificate’s Subject field, I’m very open to ideas 🙂

2 Answers

In Powershell:

Get-AuthenticodeSignature C:PathTOFile.exe

So, using your example of explorer.exe this would get Redmond:

(Get-AuthenticodeSignature C:Windowsexplorer.exe).SignerCertificate.subject.split(',')[2].split('=')[1]

Since you asked for elaboration, Get-AuthenticodeSignature returns a System.Management.Automation.Signature object. You can find this out a few ways. Personally I prefer to assign it to a variable so I can play around with the returned object further. Once you have it assigned to a variable you can learn things about it. Get-Member should be one of your go to cmdlets in Powershell. In this case:

$foo = Get-AuthenticodeSignature C:Windowsexplorer.exe
Get-Member -InputObject $foo
   TypeName: System.Management.Automation.Signature

Name                   MemberType Definition
----                   ---------- ----------
Equals                 Method     bool Equals(System.Object obj)
GetHashCode            Method     int GetHashCode()
GetType                Method     type GetType()
ToString               Method     string ToString()
IsOSBinary             Property   bool IsOSBinary {get;}
Path                   Property   string Path {get;}
SignatureType          Property   System.Management.Automation.SignatureType SignatureType {get;}
SignerCertificate      Property   System.Security.Cryptography.X509Certificates.X509Certificate2 SignerCertificate {...
Status                 Property   System.Management.Automation.SignatureStatus Status {get;}
StatusMessage          Property   string StatusMessage {get;}
TimeStamperCertificate Property   System.Security.Cryptography.X509Certificates.X509Certificate2 TimeStamperCertific...

So you can see that the object has some methods and some properties (I know, all objects do). In this case the methods are all the standard ones that are inherited from System.Object. The properties though are interesting. The SignerCertificate looks like what you wanted so let's see what that looks like:

$foo.SignerCertificate


Thumbprint                                Subject
----------                                -------
419E77AED546A1A6CF4DC23C1F977542FE289CF7  CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

The thumbrint is obviously important because it is what identifies the cert but you had asked about the Redmond that is in the subject. So now we know how to get to that as a string:

$foo.SignerCertificate.Subject

So it is just straight string parsing from here.

One more tidbit that I will throw in since it seems you may be learning Powershell. Another cmdlet that you should try regularly is Get-Command. In this case I did not even know that the Get-AuthenticodeSignature cmdlet existed before you asked the question. So I did this:

Get-Command *signature*

CommandType     Name                                               Version    Source
-----------     ----                                               -------    ------
Function        Update-MpSignature                                 1.0        Defender
Cmdlet          Get-AuthenticodeSignature                          3.0.0.0    Microsoft.PowerShell.Security
Cmdlet          Save-VolumeSignatureCatalog                        1.0.0.0    ShieldedVMDataFile
Cmdlet          Set-AuthenticodeSignature                          3.0.0.0    Microsoft.PowerShell.Security

Correct answer by EBGreen on November 27, 2020

in powershell: you can have comma in CN, then whis worked for me:

(Get-AuthenticodeSignature C:Windowsexplorer.exe).SignerCertificate.subject.split('=')[1].split('"=')[1]

Answered by Jan on November 27, 2020

Add your own answers!

Ask a Question

Get help from others!

© 2024 TransWikia.com. All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP