2.15 Verifying a PE signature with signtool
https://scz.617.cn/windows/202111171326.txt
A: scz@nsfocus 2021-11-17 13:26
Using SignTool to Verify a File Signature https://docs.microsoft.com/en-us/windows/win32/seccrypto/using-signtool-to-verify-a-file-signature
Use the signtool that ships with VS 2019 / the Win10 SDK.
/pa  Use the "Default Authenticode" Verification Policy.
/kp  Perform the verification with the kernel-mode driver signing policy.
/v   Print verbose success and status messages. This may also provide slightly more information on error. If you want to see information about the signer, you should use this option.
$ Z:\Green\CLI\signtool.exe verify /v /pa "Z:\Green\Windows Kits\10\x64\Debuggers\x64\livekd.exe"
Verifying: Z:\Green\Windows Kits\10\x64\Debuggers\x64\livekd.exe
Signature Index: 0 (Primary Signature)
Hash of file (sha256): B8D8C888FA6F87ED50790955D1CD591D4048A1060EFD25A3891E5A9F038CF2BA
Signing Certificate Chain:
Issued to: Microsoft Root Certificate Authority 2011
Issued by: Microsoft Root Certificate Authority 2011
Expires: Sun Mar 23 06:13:04 2036
SHA1 hash: 8F43288AD272F3103B6FB1428485EA3014C0BCFE
Issued to: Microsoft Code Signing PCA 2011
Issued by: Microsoft Root Certificate Authority 2011
Expires: Thu Jul 09 05:09:09 2026
SHA1 hash: F252E794FE438E35ACE6E53762C0A234A2C52135
Issued to: Microsoft Corporation
Issued by: Microsoft Code Signing PCA 2011
Expires: Thu Mar 04 02:39:47 2021
SHA1 hash: 2485A7AFA98E178CB8F30C9838346B514AEA4769
The signature is timestamped: Tue Apr 28 00:03:45 2020
Timestamp Verified by:
Issued to: Microsoft Root Certificate Authority 2010
Issued by: Microsoft Root Certificate Authority 2010
Expires: Sun Jun 24 06:04:01 2035
SHA1 hash: 3B1EFD3A66EA28B16697394703A72CA340A05BD5
Issued to: Microsoft Time-Stamp PCA 2010
Issued by: Microsoft Root Certificate Authority 2010
Expires: Wed Jul 02 05:46:55 2025
SHA1 hash: 2AA752FE64C49ABE82913C463529CF10FF2F04EE
Issued to: Microsoft Time-Stamp Service
Issued by: Microsoft Time-Stamp PCA 2010
Expires: Fri Feb 12 05:40:35 2021
SHA1 hash: CDD79BD7202F6B69092769857C375E49F14931DC
Successfully verified: Z:\Green\Windows Kits\10\x64\Debuggers\x64\livekd.exe
Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0
$ Z:\Green\CLI\signtool.exe verify /v /kp C:\Windows\System32\drivers\LiveKdD.SYS
Verifying: C:\Windows\System32\drivers\LiveKdD.SYS
Signature Index: 0 (Primary Signature)
Hash of file (sha256): D19B9EF73FC8F99E4AD4415947395B7B6BDBD1E06D0A6ED9385ED1AA2AA34265
Signing Certificate Chain:
Issued to: Microsoft Root Certificate Authority 2010
Issued by: Microsoft Root Certificate Authority 2010
Expires: Sun Jun 24 06:04:01 2035
SHA1 hash: 3B1EFD3A66EA28B16697394703A72CA340A05BD5
Issued to: Microsoft Windows Third Party Component CA 2012
Issued by: Microsoft Root Certificate Authority 2010
Expires: Mon Apr 19 07:58:38 2027
SHA1 hash: 77A10EBF07542725218CD83A01B521C57BC67F73
Issued to: Microsoft Windows Hardware Compatibility Publisher
Issued by: Microsoft Windows Third Party Component CA 2012
Expires: Thu Mar 04 03:12:18 2021
SHA1 hash: 710405DC192AA15007C8912D33394A706478ED92
The signature is timestamped: Mon Apr 27 23:58:40 2020
Timestamp Verified by:
Issued to: Microsoft Root Certificate Authority 2010
Issued by: Microsoft Root Certificate Authority 2010
Expires: Sun Jun 24 06:04:01 2035
SHA1 hash: 3B1EFD3A66EA28B16697394703A72CA340A05BD5
Issued to: Microsoft Time-Stamp PCA 2010
Issued by: Microsoft Root Certificate Authority 2010
Expires: Wed Jul 02 05:46:55 2025
SHA1 hash: 2AA752FE64C49ABE82913C463529CF10FF2F04EE
Issued to: Microsoft Time-Stamp Service
Issued by: Microsoft Time-Stamp PCA 2010
Expires: Wed Mar 17 09:14:57 2021
SHA1 hash: 9703E5342ABE527E7851FC4B7BFC0A4B55DCE27A
Cross Certificate Chain:
Issued to: Microsoft Root Certificate Authority 2010
Issued by: Microsoft Root Certificate Authority 2010
Expires: Sun Jun 24 06:04:01 2035
SHA1 hash: 3B1EFD3A66EA28B16697394703A72CA340A05BD5
Issued to: Microsoft Windows Third Party Component CA 2012
Issued by: Microsoft Root Certificate Authority 2010
Expires: Mon Apr 19 07:58:38 2027
SHA1 hash: 77A10EBF07542725218CD83A01B521C57BC67F73
Issued to: Microsoft Windows Hardware Compatibility Publisher
Issued by: Microsoft Windows Third Party Component CA 2012
Expires: Thu Mar 04 03:12:18 2021
SHA1 hash: 710405DC192AA15007C8912D33394A706478ED92
Successfully verified: C:\Windows\System32\drivers\LiveKdD.SYS
Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0
D: 张云海
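A PE has a "signing time" and also a "certificate validity period".
The "certificate validity period" has a start and an end time; certificates expire, and the certificate itself is subject to various checks.
The "signing time" is the time at which the certificate was used to sign the PE. It only has to fall within the "certificate validity period"; a "signing time" never expires.
Once a certificate has expired it can no longer be used to sign PEs, but PE signatures produced within the certificate's validity period remain valid. It is easy to end up with this situation: the certificate has expired, but the signature remains valid. For example:

             Certificate validity period   Signing time
livekd.exe   2020.3.5-2021.3.4             2020.4.28
LiveKdD.SYS  2020.3.5-2021.3.4             2020.4.27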
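
The comparison described above can be run directly against `signtool verify /v` output. The following Python sketch is an added example, not part of the original notes: it reads the signer chain and the timestamp, then reports whether the signing time precedes the leaf certificate's expiry and whether that certificate has expired at a given moment. The function names are hypothetical, the sample is trimmed from the livekd.exe output above, and it assumes the leaf certificate is printed last in the chain, as it is there. The output shows only the expiry date, so only the upper bound of the validity period is checked.

```python
import re
from datetime import datetime

FMT = "%a %b %d %H:%M:%S %Y"  # date layout in the signtool output above

# Constructed sample: signer chain and timestamp lines of the livekd.exe run,
# one field per line ("Issued by" and "SHA1 hash" lines trimmed).
SAMPLE = """\
Signing Certificate Chain:
    Issued to: Microsoft Root Certificate Authority 2011
    Expires:   Sun Mar 23 06:13:04 2036
    Issued to: Microsoft Code Signing PCA 2011
    Expires:   Thu Jul 09 05:09:09 2026
    Issued to: Microsoft Corporation
    Expires:   Thu Mar 04 02:39:47 2021
The signature is timestamped: Tue Apr 28 00:03:45 2020
Timestamp Verified by:
    Issued to: Microsoft Root Certificate Authority 2010
    Expires:   Sun Jun 24 06:04:01 2035
"""

def parse(text):
    """Return (signer_chain, signed_at); chain entries are [subject, expires]."""
    chains, section, signed_at = {}, None, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"The signature is timestamped:\s*(.+)", line)
        if m:
            signed_at = datetime.strptime(m.group(1), FMT)
        elif line.endswith(":"):
            section = line[:-1]          # e.g. "Signing Certificate Chain"
            chains[section] = []
        elif line.startswith("Issued to:") and section:
            chains[section].append([line.split(":", 1)[1].strip(), None])
        elif line.startswith("Expires:") and section and chains[section]:
            value = line.split(":", 1)[1].strip()
            chains[section][-1][1] = datetime.strptime(value, FMT)
    return chains.get("Signing Certificate Chain", []), signed_at

def check(text, now):
    """Compare the signing time and 'now' with the leaf certificate's expiry."""
    chain, signed_at = parse(text)
    subject, expires = chain[-1]  # assumption: leaf is printed last in the chain
    return {"subject": subject, "expires": expires, "signed_at": signed_at,
            # Without a timestamp there is no signing time to compare.
            "signed_before_expiry": signed_at is not None and signed_at <= expires,
            "cert_expired_now": now > expires}

if __name__ == "__main__":
    print(check(SAMPLE, datetime(2021, 11, 17, 13, 26)))
```
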