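Running signtool.exe verify /a /v C:\Windows\notepad.exe
I can see that notepad.exe's signature is in C:\Windows\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\ntexe.cat.
How does signtool know where the signature for this PE file is located?
I am trying to replicate this signtool behavior in Python. Once I have the catalog file, I can get the certificate information with the code below, but I can't see how Windows links the file to the catalog.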
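import win32com.client

# Path to the catalog file (GUID elided as in the original post)
catpath = "C:\\Windows\\system32\\CatRoot\\{F----E}\\nt5.cat"

# CAPICOM SignedCode object: verifies the signature on the catalog itself
signedCode = win32com.client.Dispatch('capicom.signedcode')
signedCode.FileName = catpath
signedCode.Verify()

# Print the details of every certificate attached to the catalog signature
certs = signedCode.Certificates
for cert in certs:
    print(cert.Archived)
    print(cert.IssuerName)
    print(cert.SerialNumber)
    print(cert.SubjectName)
    print(cert.Thumbprint)
    print(cert.ValidFromDate)
    print(cert.ValidToDate)
    print(cert.Version)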
But how do I get the security catalog file that contains the executable?
Best answer
Disclaimer: the following is a rough guess based on testing as the exact process is undocumented.
Windows scans through every cat file in System32\CatRoot\{F7--EE}, adds them to the system catalog database and roughly sorts them by each entry's file hash/tag value.
(revealed by CatRoot2\dberr.txt which contains the log for the database process)
The database is the file System32\CatRoot2\{F7--EE}\catdb.
Inside catdb, a file hash is followed by its cat file name in CatRoot\{F7--EE}.
Note the hash excludes PE checksum & Certificate Table Entry.
The hash can be obtained from SignTool verify /v or this.
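The note in the answer that the hash excludes the PE checksum and the Certificate Table entry can be reproduced in Python. The following is an added example, not code from the question or the answer: `authenticode_hash` and `build_sample_pe` are hypothetical names, the digest algorithm is a parameter because the page does not say which one the catalog uses, and the code assumes a conventionally laid-out image in which the certificate table, if present, is the last thing in the file.

```python
import hashlib
import struct

def authenticode_hash(pe: bytes, algorithm: str = "sha1") -> str:
    """Hash a PE image, skipping the CheckSum field, the Certificate Table
    directory entry and the certificate table data itself."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 24                      # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic not in (0x10B, 0x20B):          # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)   # start of the data directories
    checksum = opt + 64                      # same offset in PE32 and PE32+
    h = hashlib.new(algorithm)
    h.update(pe[:checksum])                  # everything before CheckSum
    if struct.unpack_from("<I", pe, dirs - 4)[0] <= 4:   # no security directory slot
        h.update(pe[checksum + 4:])
        return h.hexdigest().upper()
    entry = dirs + 4 * 8                     # index 4 = IMAGE_DIRECTORY_ENTRY_SECURITY
    cert_off, cert_size = struct.unpack_from("<II", pe, entry)
    end = cert_off if cert_off and cert_size else len(pe)
    h.update(pe[checksum + 4:entry])         # skip the 4-byte CheckSum
    h.update(pe[entry + 8:end])              # skip the 8-byte entry, stop at the cert table
    return h.hexdigest().upper()

def build_sample_pe(body: bytes, checksum: int = 0, cert: bytes = b"") -> bytes:
    """Constructed PE32 headers plus body: sample input only, not a loadable binary."""
    hdr = bytearray(312)                     # DOS(64) + sig(4) + COFF(20) + optional(224)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 64)    # e_lfanew
    hdr[64:68] = b"PE\0\0"
    struct.pack_into("<H", hdr, 88, 0x10B)   # PE32 magic
    struct.pack_into("<I", hdr, 152, checksum)
    struct.pack_into("<I", hdr, 180, 16)     # NumberOfRvaAndSizes
    if cert:                                 # file offset and size of the certificate table
        struct.pack_into("<II", hdr, 216, 312 + len(body), len(cert))
    return bytes(hdr) + body + cert

if __name__ == "__main__":
    body = b"\x90" * 64                      # constructed stand-in for section data
    unsigned = build_sample_pe(body)
    signed = build_sample_pe(body, checksum=0x1234, cert=b"\x00" * 16)
    print(authenticode_hash(unsigned))       # same digest for both images:
    print(authenticode_hash(signed))         # embedding a signature does not change it
```

Because the skipped fields are exactly the ones that change when a signature is embedded, the same digest identifies a file whether or not it carries its own signature, which is what makes a hash-keyed catalog lookup workable.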
Regarding "python - How does Windows link a PE file to its signature in a catalog file?", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/16818281/