13 - PE Authenticode

This tutorial explains how to process and verify PE authenticode with LIEF

By Romain Thomas - @rh0main


Introduction

PE authenticode is the signature scheme used by Windows to sign and verify the integrity of PE executables. The signature is associated with the data directory CERTIFICATE_TABLE that is not always tied to a section (it implies that the signature is not necessarily mapped in memory). This signature is wrapped in a PKCS #7 container with custom object types as defined in the official documentation [1].

This signature is not new in PE files and since the beginning of LIEF, we aimed to parse it. Before the version v0.11.0, the implementation was somehow incomplete and inaccurate but since the version v0.11.0 and thanks to the sponsoring of the CERT Gouvernemental of Luxembourg, we refactored the design of the authenticode parser [2] and we implemented functions to verify the signature.

Exploring PKCS #7 Signature

LIEF API tries to expose most of the internal components of the PKCS #7 container associated with the Aunthenticode. First, we can access the PE’s signature through the lief.PE.Binary.signatures attribute [3]:

import lief
pe = lief.parse("avast_free_antivirus_setup_online.exe")
print(len(pe.signatures))

signature = pe.signatures[0]

Although we usually find only one signature, PE executables can embed multiple signatures thanks to the /as command of signtool.exe. This is why the signatures attribute returns an iterator over the signatures parsed by LIEF.

The signature variable is actually a lief.PE.Signature object which basically mirrors the PKCS #7 container plus some method to verify its integrity.

Within this object, we can access the following attributes:

The __str__() functions of these objects are overloaded so that we can pretty-print the content of these objects easily:

# Print certificates information
for crt in signature.certificates:
  print(crt)

# Print the authentihash value embedded in the signature
print(signature.content_info.digest.hex())

# Print signer information
print(signature.signers[0])
cert. version     : 3
serial number     : 04:09:18:1B:5F:D5:BB:66:75:53:43:B5:6F:95:50:08
issuer name       : C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root CA
subject name      : C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Assured ID Code Signing CA
issued  on        : 2013-10-22 12:00:00
expires on        : 2028-10-22 12:00:00
signed using      : RSA with SHA-256
RSA key size      : 2048 bits
basic constraints : CA=true, max_pathlen=0
key usage         : Digital Signature, Key Cert Sign, CRL Sign
ext key usage     : Code Signing

cert. version     : 3
serial number     : 09:70:EF:4B:AD:5C:C4:4A:1C:2B:C3:D9:64:01:67:4C
issuer name       : C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Assured ID Code Signing CA
subject name      : C=CZ, L=Praha, O=Avast Software s.r.o., OU=RE stapler cistodc, CN=Avast Software s.r.o.
issued  on        : 2020-04-02 00:00:00
expires on        : 2023-03-09 12:00:00
signed using      : RSA with SHA-256
RSA key size      : 2048 bits
basic constraints : CA=false
key usage         : Digital Signature
ext key usage     : Code Signing

a738da4446a4e78ab647db7e53427eb07961c994317f4c59d7edbea5cc786d80
SHA_256/RSA - C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Assured ID Code Signing CA - 4 auth attr - 1 unauth attr

Regarding the PE files, the authentihash is computed through the function lief.PE.Binary.authentihash() which takes a lief.PE.ALGORITHMS enum as parameter to define which hash algorithm must be used to compute the digest.

For instance, to compute the SHA-256 value of the authenticode, we just have to pass lief.PE.ALGORITHMS.SHA_256:

print(pe.authentihash(lief.PE.ALGORITHMS.SHA_256).hex())
a738da4446a4e78ab647db7e53427eb07961c994317f4c59d7edbea5cc786d80

Note

To compare the lief.PE.Binary.authentihash() value with the signed one (i.e. lief.PE.ContentInfo.digest) we must use the same hash algorithm as defined by lief.PE.Signature.digest_algorithm

We also expose in the Python API, shortcut attributes to compute the authentihash values for:

Hash Algorithm

Binary’s Attribute

MD5

authentihash_md5

SHA1

authentihash_sha1

SHA-256

authentihash_sha256

SHA-512

authentihash_sha512

LIEF also exposes the original raw signature blob through the property lief.PE.Signature.raw_der which enables to export the signature:

from pathlib import Path

Path("/tmp/extracted.p7b").write_bytes(signature.raw_der)

Then, we can use openssl to process its content:

$ openssl pkcs7 -inform der -print -in /tmp/extracted.p7b -noout -text
...
     sig_alg:
       algorithm: sha256WithRSAEncryption (1.2.840.113549.1.1.11)
       parameter: NULL
     signature:  (0 unused bits)
       0000 - 31 c3 a7 f3 70 e3 2c 49-15 bd f4 09 6c 27 4e   1...p.,I....l'N
       000f - 00 a9 23 df cb ea 7f 99-55 cb 24 88 75 e8 c4   ..#.....U.$.u..
       001e - de 48 4f 70 dd 2a 27 5c-df be 36 f6 84 0d ad   .HOp.*'\..6....
       002d - 35 5e 65 f7 af 55 01 7a-2d 01 18 a0 d6 98 a4   5^e..U.z-......
       003c - d1 bd 19 e9 a4 03 f4 a3-4d 12 6e 72 5f 6b 3a   ........M.nr_k:
       004b - b8 de 45 f1 63 80 b0 47-42 f6 38 b8 e7 5b dd   ..E.c..GB.8..[.
       005a - cf f2 f8 c2 61 4b 2c 19-b7 7d 78 8f 2e 0c b0   ....aK,..}x....
       0069 - 7c f2 d9 8e 9f 65 4e 21-63 19 6a 5b 0c 91 12   |....eN!c.j[...
       0078 - 44 29 fe 91 d5 6f 5d 9c-4d 7b a1 74 c6 69 d9   D)...o].M{.t.i.
       0087 - e7 23 26 54 35 5c 38 33-c5 a7 92 0d 70 a5 2a   .#&T5\83....p.*
       0096 - 33 77 4a fc 86 b0 fa 59-2f 24 f6 a1 45 b2 09   3wJ....Y/$..E..
       00a5 - 75 2d a1 81 68 e4 67 11-46 e3 fb bf 0c c5 d5   u-..h.g.F......
       00b4 - d7 7b 7b 35 fb d6 e8 4a-c9 13 82 82 a7 0c 3e   .{{5...J......>
       00c3 - 6f 61 e0 37 15 e0 37 5d-b8 22 14 ad 54 58 0e   oa.7..7]."..TX.
       00d2 - 95 6c 2b b1 d2 c7 6c 86-a1 9f fa d8 37 ca f7   .l+...l.....7..
       00e1 - 56 75 b0 9d df 7c 46 43-20 87 8a a3 81 47 82   Vu...|FC ....G.
       00f0 - 99 57 87 12 46 96 02 7c-a7 77 b9 42 4d c8 05   .W..F..|.w.BM..
       00ff - 0a                                             .
 crl:
   <ABSENT>
 signer_info:
     version: 1
     issuer_and_serial:
       issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Assured ID Code Signing CA
       serial: 12549442701880659695003200114191853388
     digest_alg:
       algorithm: sha256 (2.16.840.1.101.3.4.2.1)
       parameter: NULL
     auth_attr:
         object: contentType (1.2.840.113549.1.9.3)
         set:
           OBJECT:undefined (1.3.6.1.4.1.311.2.1.4)

         object: undefined (1.3.6.1.4.1.311.2.1.11)

The authenticode_reader.py script located in the examples/ directory can also be used to inspect the signature:

$ python authenticode_reader.py --all avast_free_antivirus_setup_online.exe
Signature version : 1
Digest Algorithm  : ALGORITHMS.SHA_256
Content Info:
  Content Type    : 1.3.6.1.4.1.311.2.1.4 (SPC_INDIRECT_DATA_CONTENT)
  Digest Algorithm: ALGORITHMS.SHA_256
  Digest          : a738da4446a4e78ab647db7e53427eb07961c994317f4c59d7edbea5cc786d80
Certificates
  Version            : 3
  Issuer             : C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root CA
  Subject            : C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Assured ID Code Signing CA
  Serial Number      : 0409181b5fd5bb66755343b56f955008
  Signature Algorithm: SHA256_WITH_RSA_ENCRYPTION
  Valid from         : 2013/10/22 - 12:00:00
  Valid to           : 2028/10/22 - 12:00:00
  Key usage          : CRL_SIGN - KEY_CERT_SIGN - DIGITAL_SIGNATURE
  Ext key usage      : CODE_SIGNING
  RSA key size       : 2048
  ===========================================
  Version            : 3
  Issuer             : C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Assured ID Code Signing CA
  Subject            : C=CZ, L=Praha, O=Avast Software s.r.o., OU=RE stapler cistodc, CN=Avast Software s.r.o.
  Serial Number      : 0970ef4bad5cc44a1c2bc3d96401674c
  Signature Algorithm: SHA256_WITH_RSA_ENCRYPTION
  Valid from         : 2020/04/02 - 00:00:00
  Valid to           : 2023/03/09 - 12:00:00
  Key usage          : DIGITAL_SIGNATURE
  Ext key usage      : CODE_SIGNING
  RSA key size       : 2048
  ===========================================
Signer(s)
  Version             : 1
  Serial Number       : 0970ef4bad5cc44a1c2bc3d96401674c
  Issuer              : C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Assured ID Code Signing CA
  Digest Algorithm    : ALGORITHMS.SHA_256
  Encryption Algorithm: ALGORITHMS.RSA
  Encrypted Digest    : 758db1f480eb25bada6c ...
  Authenticated attributes:
     Content Type OID: 1.3.6.1.4.1.311.2.1.4 (SPC_INDIRECT_DATA_CONTENT)
     MS Statement type OID: 1.3.6.1.4.1.311.2.1.21 (INDIVIDUAL_CODE_SIGNING)
     Info: http://www.avast.com
     PKCS9 Message Digest: 3983816a7d1c62962540ec66fa8790fa45d1063cb23e933677de459f0b73c577
  Un-authenticated attributes:
     Generic Type 1.3.6.1.4.1.311.3.3.1 (MS_COUNTER_SIGN)

Verifying the Signature

Besides the fact that LIEF can parse PE’s authenticode signature, LIEF can also verify the integrity of the authentihash thanks to the method: lief.PE.Binary.verify_signature() which outputs lief.PE.Signature.VERIFICATION_FLAGS.OK if the signature is valid or another enum (see: lief.PE.Signature.VERIFICATION_FLAGS) when it is invalid:

pe = lief.parse("avast_free_antivirus_setup_online.exe")
print(pe.verify_signature()) # lief.PE.Signature.VERIFICATION_FLAGS.OK

We can also verify a PE binary with a detached signature by providing a signature object to verify_signature():

pe = lief.parse("avast_free_antivirus_setup_online.exe")

detached_sig = lief.PE.Signature.parse("/tmp/detached.p7b")
print(pe.verify_signature(detached_sig))

The verification process does not rely on an external component (i.e. neither openssl or WinTrust API) but we try to reproduce the same checks as described in the RFC(s) and the official documentation of the Authenticode [4].

These checks include:

  1. Check the integrity of the signature (lief.PE.Signature.check()):

    1. There is ONE and only ONE SignerInfo

    2. Digest algorithms are consistent (Signature.digest_algorithm == ContentInfo.digest_algorithm == SignerInfo.digest_algorithm)

    3. If the SignerInfo has authenticated attributes, check their integrity. Otherwise, check the integrity of the ContentInfo against the Signer’s certificate.

    4. If they are authenticated attributes, check that there is a lief.PE.PKCS9MessageDigest attribute for which the digest matches the hash of the ContentInfo

    5. If there is a counter signature in the un-authenticated attributes, verify its integrity and check that it wraps a valid timestamping.

    6. Check the expiration of the certificates according to the potential timestamping

  2. If the signature is valid, check that lief.PE.ContentInfo.digest matches the computed authentihash()

These checks are the default behavior of the verify_signature(). Nevertheless, you could pass lief.PE.Signature.VERIFICATION_CHECKS flags to customize its behavior:

Hash Only:

By using VERIFICATION_CHECKS.HASH_ONLY, it only performs step B) (i.e. check the authentihash values regardless of the signature integrity)

pe.verify_signature(lief.PE.Signature.VERIFICATION_CHECKS.HASH_ONLY)
Lifetime Signing:

By using VERIFICATION_CHECKS.LIFETIME_SIGNING, timestamped signatures can expire if their certificate expired. It has the same meaning as WTD_LIFETIME_SIGNING_FLAG

pe.verify_signature(lief.PE.Signature.VERIFICATION_CHECKS.LIFETIME_SIGNING)
signature.check(lief.PE.Signature.VERIFICATION_CHECKS.LIFETIME_SIGNING)
Skip Cerificate Check Time:

By using VERIFICATION_CHECKS.SKIP_CERT_TIME, LIEF doesn’t raise an error if the certificate(s) expired.

# Returns lief.PE.Signature.VERIFICATION_FLAGS.OK even though
# the certificates expired
pe.verify_signature(lief.PE.Signature.VERIFICATION_CHECKS.SKIP_CERT_TIME)
signature.check(lief.PE.Signature.VERIFICATION_CHECKS.SKIP_CERT_TIME)

Note

To verify the integrity of a Signature object, you can use lief.PE.Signature.check()

Certificate Chain of Trust

Last but not least, we can also verify the certificates chain thanks to:

  1. lief.PE.x509.verify()

  2. lief.PE.x509.is_trusted_by()

verify() aims to verify a signed certificate from its CA. Given a CA x509 certificate, CA.verify(signed) verifies that the signed parameter has been signed by CA.

On the other hand, is_trusted_by() can be used to check that a given x509 certificate is verified against a list of certificates:

CA_BUNDLE = lief.PE.x509.parse("ms_bundle.pem")
signer = signature.signers[0]
print(signer.cert.is_trusted_by(CA_BUNDLE))
cert1 = lief.PE.x509.parse("ca1.crt")
cert2 = lief.PE.x509.parse("ca2.crt")

print(signer.cert.is_trusted_by([cert1, cert2]))

Limitations

Regarding the PKCS #7 structure itself, LIEF is able to parse and process most of its elements. Nevertheless, the lief.PE.SignerInfo structure can embed attributes (authenticated or not) for which the ASN.1 structure can be public or not. As of LIEF v0.11.0 we do not support yet the following OIDs:

OID

Description

1.3.6.1.4.1.311.3.3.1

Ms-CounterSign (undocumented)

1.2.840.113549.1.9.16.2.12

S/MIME Signing certificate (id-aa-signingCertificate)

1.3.6.1.4.1.311.2.6.1

SPC_COMMERCIAL_SP_KEY_PURPOSE_OBJID

1.3.6.1.4.1.311.10.3.28

szOID_PLATFORM_MANIFEST_BINARY_ID

These not-supported attributes are wrapped within the lief.PE.GenericType that exposes the raw ASN.1 blob with the property raw_content.

Conclusion

Under the hood, most of the work is done by mbedtls which provides the following primitive used by LIEF:

  • ASN.1 decoder

  • x509 certificate processing (parsing AND verification)

  • Hash algorithms

  • Public key algorithms

For the fun, we can also cross-compile a small C++ snippet for iOS:

#include <LIEF/PE.hpp>

int main(int argc, char** argv) {
  std::unique_ptr<LIEF::PE::Binary> pe = LIEF::PE::Parser::parse(argv[1])
  if (pe->verify_signature() == LIEF::PE::Signature::VERIFICATION_FLAGS.OK) {
    std::cout << "Signature ok!" << "\n";
    return 0;
  }
  std::cout << "Error!" << "\n";
  return 1;
}

So that we can verify the integrity of a PE executable on an iPhone:

iPhone:~ root# file PE32_x86-64_binary_avast-free-antivirus-setup-online.exe
PE32_x86-64_binary_avast-free-antivirus-setup-online.exe: PE32 executable (GUI) Intel 80386, for MS Windows
iPhone:~ root# file ./pe_authenticode_check
./pe_authenticode_check: Mach-O 64-bit arm64 executable, flags:<NOUNDEFS|DYLDLINK|TWOLEVEL|WEAK_DEFINES|BINDS_TO_WEAK|PIE|HAS_TLV_DESCRIPTORS>
iPhone:~ root# ./pe_authenticode_check PE32_x86-64_binary_avast-free-antivirus-setup-online.exe
Signature ok!
iPhone:~ root#

Whilst this example is quite useless, it emphasizes the purpose of this project:

  • Provide a cross-platform and cross-format library

  • Expose a high-level API (Python) as well as a (more or less) low-level API (C++)

  • Few dependencies so that the static version of LIEF does not need external libraries [5].

$ otool -L pe_authenticode_check

/System/Library/Frameworks/Foundation.framework/Foundation (compatibility version 300.0.0, current version 1770.255.0)
/usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current version 228.0.0)
/usr/lib/libc++.1.dylib (compatibility version 1.0.0, current version 904.4.0)
/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1292.60.1)

To complete these functionalities of LIEF, you might also be interested in the following projects that deal with Authenticode:

Project

URL

signify

https://github.com/ralphje/signify

winsign

https://github.com/mozilla-releng/winsign

uthenticode

https://github.com/trailofbits/uthenticode

AuthenticodeLint

https://github.com/vcsjones/AuthenticodeLint

osslsigncode

https://github.com/mtrojnar/osslsigncode

Finally, you can find additional information about the Authenticode in Trail of Bits blog post [6]. If you are interested in Authenticode tricks used by Dropbox, you can take a look at Microsoft website [7] and if you are interested in understanding how the integrity of the PKCS #7 works, you can look at Manual verify PKCS#7 signed data with OpenSSL [8]

References

API