Posted (edited)

This script makes use of WinTrust.dll and Crypt32.dll to:

- verify the integrity of a file with its embedded signature or a given catalog (based on the work of progandy http://www.autoit.de/index.php?page=Thread&postID=68477#post68477)

- determine the serial number, owner and issuer of the certificate used by the signature (developed by Kasty, based on C++ examples from MSDN)

It allows paths to be specified in any codepage (inspect the .au3 file for more information).

Example 1:

$filePath = ".signed.exe"$
signed = False
If _WinVerifyTrust($filePath) = $ERROR_SUCCESS Then $signed = True
ConsoleWrite($filepath & " is correctly signed = " & $signed & @LF)
$certInfo = _GetSignatureInfo($filepath)
ConsoleWrite("Serial Number: " & $certInfo[0] & @LF)
ConsoleWrite("Owner: " & $certInfo[1] & @LF)
ConsoleWrite("Issuer: " & $certInfo[2] & @LF)

Example 2:

If _WinVerifyTrust("test.zip", "test.cat", "File1") = $ERROR_SUCCESS Then $signed = True

See other post below for more information on how to make catalogs to sign non-PE files.

Regards.

_WinTrust.au3

Edited by kasty
Posted (edited)

kasty,

Please, can you explain your modifications in detail? I can see some changes, but what are they for?

Greets,

-supersonic.

Edited by supersonic
Posted (edited)

In the first version that I posted, I added support for file paths given in arbitrary codepages (i.e. UTF-8). I also cleaned up a little, removing some redundant functions. Now I'm posting a new version that adds support for files indirectly signed via catalogs (this was not in the original code). I use it to sign ZIP files, because they are not accepted directly by SignTool. If you want to sign such a file, you would do:

1) Create a test.cdf file with the following contents:

[CatalogHeader]
Name=test.cat
PublicVersion=0x0000001
EncodingType=0x00010001
CATATTR1=0x10010001:OSAttr:2:6.0
[CatalogFiles]
File1=test.zip

2) Build a catalog with Makecat:

makecat -v test.cdf

3) Sign the catalog:

SignTool sign /n "your_certificate_name" /i "issuer_name" test.cat

4) Check the signature with AutoIt:

If _WinVerifyTrust("test.zip", "test.cat", "File1") = $ERROR_SUCCESS Then $signed = True

In addition to that, I changed the original code to return the value from the WinVerifyTrust function. This allows you to check the reason why a given file is not correctly signed.

Please find the new version in the attachment, and tell me if it works for you. I tested it in Windows 7.

_WinTrust.au3

Edited by kasty
Posted

This new version allows retrieval of information about the certificate used to sign a file (serial number, owner and issuer). Tested in Windows 7 and Windows XP SP3.

$filePath = ".\signed.exe"
$signed = False
If _WinVerifyTrust($filePath) = $ERROR_SUCCESS Then $signed = True
ConsoleWrite($filepath & " is correctly signed = " & $signed & @LF)
$certInfo = _GetSignatureInfo($filepath)
ConsoleWrite("Serial Number: " & $certInfo[0] & @LF)
ConsoleWrite("Owner: " & $certInfo[1] & @LF)
ConsoleWrite("Issuer: " & $certInfo[2] & @LF)

_WinTrust.au3

Posted (edited)

kasty,

Please, can you explain the benefit of using '_WinAPI_MultiByteToWideChar()' instead of '$wszSourceFile = DllStructCreate("wchar[" & StringLen($SourceFile)+1 & "]")' as in progandy's version?

Can you give a practical example?

Greets,

-supersonic.

Edited by supersonic
Posted (edited)

Supersonic,

As far as I know, _WinAPI_MultiByteToWideChar() performs a codepage conversion (i.e. UTF-8 to MS Unicode representation, 2 bytes per character). DllStructCreate just allocates memory for your string.

Anyway, if you feel more comfortable, use progandy's original version, or modify mine. I don't think I'll update this code for some time, as it already suits my needs.

Regards.

Edited by kasty
  • 2 years later...
Posted (edited)

So when I compile as x86, this works with no issues.

If I compile as x64, it does not work.

Adding WinAPI GetLastError, I found out that calling CertFindCertificateInStore returns error c0000005, which is the code for an access violation.

I highly suspect that it has to do with the cert_info structure, but I cannot figure out why it does not work compiled as x64.

Any ideas?

_WinTrust (3).au3

Edited by step887
Posted (edited)

I did a bit of investigation, but I am not sure where to go from here.

On 32 bit:

Code line 306: Local $iSize = 1408

Code lines 321-324:

DllStructGetData($CMSG_SIGNER_INFO, "Issuer_cbData") = 183
DllStructGetData($CMSG_SIGNER_INFO, "Issuer_pbData") = 0x02DFEFA8
DllStructGetData($CMSG_SIGNER_INFO, "SerialNumber_cbData") = 16
DllStructGetData($CMSG_SIGNER_INFO, "SerialNumber_pbData") = 0x06543FA8

On 64 bit:

Local $iSize = 1568
DllStructGetData($CMSG_SIGNER_INFO, "Issuer_cbData") = 0
DllStructGetData($CMSG_SIGNER_INFO, "Issuer_pbData") = 00000000000000B7
DllStructGetData($CMSG_SIGNER_INFO, "SerialNumber_cbData") = 64509688
DllStructGetData($CMSG_SIGNER_INFO, "SerialNumber_pbData") = 0x0000000000000010

Edit

So I figured it out.

It had to do with $tagCERT_INFO and $tagCMSG_SIGNER_INFO: if running under x64, it needed UINT64 instead of DWORD.

So I had to remove the const and replace DWORD with UINT64 if running under x64.

Attached is the change.

_WinTrust (3).au3

Edited by step887
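The x64 values step887 reports follow from struct alignment rather than from the field types themselves: CMSG_SIGNER_INFO nests CERT_NAME_BLOB and CRYPT_INTEGER_BLOB, each a DWORD followed by a pointer, so on x64 the first blob starts at offset 8, not 4. The following C example is added here and is not part of the UDF or the post; it rebuilds the leading fields of the real struct beside a flat x86-style declaration, fills it with constructed values (a 183-byte issuer name and a 16-byte serial, the numbers from the 32-bit output above) and reads the same bytes back through the flat layout. The names Blob, SignerInfo, FlatSignerInfo and read_through_flat_layout are mine.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Leading fields of the real CMSG_SIGNER_INFO (wincrypt.h): DWORD dwVersion;
   CERT_NAME_BLOB Issuer; CRYPT_INTEGER_BLOB SerialNumber; ... A blob holds a
   DWORD and a pointer, so on x64 it is 8-byte aligned and 16 bytes long. */
typedef struct { uint32_t cbData; uint8_t *pbData; } Blob;
typedef struct {
    uint32_t dwVersion;    /* offset 0, followed by 4 padding bytes on x64 */
    Blob     Issuer;       /* offset 8 on x64, 4 on x86 */
    Blob     SerialNumber; /* offset 24 on x64, 12 on x86 */
} SignerInfo;
/* Flat declaration in the style of a "dword;dword;ptr;dword;ptr" tag string.
   It matches the real layout on x86 but has no padding after dwVersion on x64. */
typedef struct {
    uint32_t dwVersion;           /* 0  */
    uint32_t Issuer_cbData;       /* 4  : reads the padding bytes on x64 */
    uint8_t *Issuer_pbData;       /* 8  : reads the real Issuer.cbData */
    uint32_t SerialNumber_cbData; /* 16 : reads the low half of Issuer.pbData */
    uint8_t *SerialNumber_pbData; /* 24 : reads the real SerialNumber.cbData */
} FlatSignerInfo;
typedef struct { uint64_t issuer_cb, issuer_pb, serial_pb; } FlatView;

/* Build a constructed signer info (183-byte issuer name, 16-byte serial, as in
   the poster's x86 output) and read it back through the flat declaration. */
FlatView read_through_flat_layout(void) {
    static uint8_t issuer[183], serial[16];
    SignerInfo real;
    memset(&real, 0, sizeof real);          /* zero the padding so the result is deterministic */
    real.dwVersion = 1;
    real.Issuer.cbData = 183;        real.Issuer.pbData = issuer;
    real.SerialNumber.cbData = 16;   real.SerialNumber.pbData = serial;
    FlatSignerInfo flat;
    memcpy(&flat, &real, sizeof flat);      /* same bytes, x86-style interpretation */
    FlatView v = { flat.Issuer_cbData, (uintptr_t)flat.Issuer_pbData,
                   (uintptr_t)flat.SerialNumber_pbData };
    return v;
}
size_t real_issuer_offset(void) { return offsetof(SignerInfo, Issuer); }
size_t flat_issuer_offset(void) { return offsetof(FlatSignerInfo, Issuer_cbData); }

int main(void) {
    FlatView v = read_through_flat_layout();
    printf("Issuer offset real=%zu flat=%zu; flat view: cb=%llu pb=0x%llX serial_pb=0x%llX\n",
           real_issuer_offset(), flat_issuer_offset(), (unsigned long long)v.issuer_cb,
           (unsigned long long)v.issuer_pb, (unsigned long long)v.serial_pb);
    return 0;
}
```

On a 64-bit build the flat view yields Issuer_cbData = 0, Issuer_pbData = 0xB7 and SerialNumber_pbData = 0x10, the values in the post; declaring dwVersion and the cbData fields as UINT64 lands the later fields on the real offsets because each 8-byte field absorbs the padding, which only reads back cleanly while those padding bytes happen to be zero.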
  • 1 year later...
Posted

Added to AutoIt Wiki UDF List :
https://www.autoitscript.com/wiki/User_Defined_Functions

Posted (edited)
On 11/23/2017 at 8:37 PM, mLipok said:

> Added to AutoIt Wiki UDF List

This UDF called my attention, tried it. Could not run it. Found a better version at https://www.autoitscript.com/forum/topic/161553-help-with-converting-c-to-autoit-a-dllcall-failes/?do=findComment&comment=1186579

PS: The OP's code worked for me; the later expanded work is the one I found to be better, at the above link.

Edited by argumentum
  • 2 years later...
Posted

Hello, everybody.

In the course of determining the certificate information of a signed file I came across this article. The _WinTrust.au3 mentioned here works very well, but only the less meaningful parameters, like serial number and CN, are determined.

I have already done some tests, but so far I have not been able to determine the fingerprint of a certificate using the UDF. Is this theoretically possible via the UDF?

Thanks in advance & greetings,
Tupac