pe-sign 是一个用 Rust 语言开发的跨平台工具,专为解析和验证 PE 文件中的数字签名而设计。它既可以作为独立的命令行工具使用,也可以作为依赖库集成到任何 Rust 项目中。支持提取证书、验证签名、计算 Authenticode 签名摘要以及打印证书详细信息。
该项目基于对仓库 windows_pe_signature_research 中的 pe-sign 命令行工具改造所得,去除了 openssl 依赖。
- 提取证书: 从 PE 文件中提取证书。
- 验证签名: 检查 PE 文件的数字签名是否有效。
- 计算 Authenticode 摘要: 计算 PE 文件的 Authenticode 摘要。
- 打印证书信息: 显示 PE 文件中证书的详细信息。
- 打印签名者信息: 显示 PE 文件签名都的详细信息。
直接下载 Release 中对应平台的二进制文件使用,Linux、Mac 系统可直接放入 /bin 目录下或 PATH 全局变量中,Windows 可放入 C:\Windows\System32 目录下或 PATH 全局变量中。
另外,如果你已经安装 Cargo,则通过 cargo install pe-sign -F build-binary 命令安装更为方便。
pe-sign (0.1.10) - REinject
A tool for parsing and verifing PE file signatures
Repository: https://github.com/0xlane/pe-sign
Commands:
extract Extract the certificate of a PE file
verify Check the digital signature of a PE file for validity
calc Calculate the authticode digest of a PE file
print Print the certificate information of a PE file.
help Print this message or the help of the given subcommand(s)
Options:
-h, --help Print help
-V, --version Print versionExtract the certificate of a PE file
Usage: pesign.exe extract [OPTIONS] <FILE>
Arguments:
<FILE>
Options:
-o, --output <FILE> Write to file instead of stdout
--pem Extract and convert certificate to pem format
--embed Extract embedded certificate
-h, --help Print help除了使用 -o 选项,还支持管道、重定向方式输出,示例:
pesign.exe extract test.exe --pem > pkcs7.cer
pesign.exe extract test.exe --pem | openssl pkcs7 -inform PEM --print_certs -noout -text需要注意的是,在 powrershell 中使用管道、重定向时请添加 --pem 参数,否则输出的 DER 二进制数据会被 powershell 看作字符串转义。
命令行工具提供了类似 openssl 的 --print_certs 功能,与 openssl 输出格式基本一致:
Print the certificate information of a PE file.
Usage: pesign.exe print [OPTIONS] <FILE>
Arguments:
<FILE>
Options:
--signer-info Print the signer info of a PE file.
-a, --all Include nested signature.
-h, --help Print help示例:
PS C:\dev\pe-sign> pesign.exe print .\ProcessHacker.exe
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
0f:f1:ef:66:bd:62:1c:65:b7:4b:4d:e4:14:25:71:7f
Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA-1
Not Before: 2013-10-30 08:00:00 +08:00
Not After : 2017-01-04 20:00:00 +08:00
Subject: C=AU, ST=New South Wales, L=Sydney, O=Wen Jia Liu, CN=Wen Jia Liu
Subject Public Key Info:
Algorithm: RSA
Public-Key: (2048 bit)
Modulus:
00:cc:2e:a1:52:49:09:cc:22:ef:34:43:dc:41:a6:98:a0:1f:0f:69:
1a:33:b2:92:a5:73:26:4e:1d:b9:e2:ab:c4:46:e1:3e:f9:24:c2:f6:
...
...
Exponent: 65537 (0x10001)
Extensions:
Authority Key Identifier:
97:48:03:eb:15:08:6b:b9:b2:58:23:cc:94:2e:f1:c6:65:d2:64:8e
Subject Key Identifier:
2c:b8:9a:96:b2:c1:b1:a0:7d:a4:90:20:19:b8:be:05:58:df:2c:78
Key Usage:
Digital Signature
Extended Key Usage:
Code Signing
CRL Distribution Points:
Full Name:
URI:http://crl3.digicert.com/ha-cs-2011a.crl
Full Name:
URI:http://crl4.digicert.com/ha-cs-2011a.crl
Certificate Policies: <Unsupported>
Authority Information Access:
OCSP - URI:http://ocsp.digicert.com
CA Issuers - URI:http://cacerts.digicert.com/DigiCertHighAssuranceCodeSigningCA-1.crt
Basic Constraints:
ca:FALSE
Signature Algorithm: Sha1WithRSA
Signature Value:
88:f1:59:8a:6a:8a:6c:49:04:64:67:70:02:14:76:57:3d:57:c2:f9:
cb:88:78:6e:82:3a:63:12:f7:c9:0b:57:8b:13:16:b0:69:d7:67:0f:
...
...
...
...另外,还可以使用 --signer-info 选项打印签名者信息,示例:
PS C:\dev\pe-sign> pesign.exe print .\ProcessHacker.exe --signer-info
Signer Info:
Signer Identifier:
Issuer And Serial Number:
Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA-1
Serial Number:
0f:f1:ef:66:bd:62:1c:65:b7:4b:4d:e4:14:25:71:7f
Authenticated Attributes:
1.3.6.1.4.1.311.2.1.12:
30:00
1.2.840.113549.1.9.3:
06:0a:2b:06:01:04:01:82:37:02:01:04
1.3.6.1.4.1.311.2.1.11:
30:0c:06:0a:2b:06:01:04:01:82:37:02:01:15
1.2.840.113549.1.9.4:
04:14:f4:23:ed:d4:63:5b:6b:ea:f3:c8:ca:9c:de:5d:db:5f:8b:1a:
ba:20
Unauthenticated Attributes:
Counter Signature (1.2.840.113549.1.9.6):
30:82:01:f8:02:01:01:30:76:30:62:31:0b:30:09:06:03:55:04:06:
13:02:55:53:31:15:30:13:06:03:55:04:0a:13:0c:44:69:67:69:43:
...
...
1.3.6.1.4.1.311.2.4.1:
30:82:1c:23:06:09:2a:86:48:86:f7:0d:01:07:02:a0:82:1c:14:30:
82:1c:10:02:01:01:31:0f:30:0d:06:09:60:86:48:01:65:03:04:02:
...
...
Countersigner Info:
Signer Info:
Signer Identifier:
Issuer And Serial Number:
Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA-1
Serial Number:
03:01:9a:02:3a:ff:58:b1:6b:d6:d5:ea:e6:17:f0:66
Authenticated Attributes:
1.2.840.113549.1.9.3:
06:09:2a:86:48:86:f7:0d:01:07:01
Signing Time (1.2.840.113549.1.9.5):
2016-03-29 09:35:02 +08:00
1.2.840.113549.1.9.4:
04:14:d4:11:7e:ce:3a:3f:29:91:7d:e3:f0:55:fe:32:a2:11:b0:c9:
c5:ac
Digest Algorithm: Sha1
Encrypted Digest:
02:d1:d6:d2:ec:f6:cb:7a:4b:a4:29:01:ab:77:48:e9:d5:bf:0f:6c:
bd:b7:d6:86:11:24:e8:cf:ba:32:ab:12:40:be:31:e7:d6:16:c5:52:
...
...
Digest Algorithm: Sha1
Encrypted Digest:
46:3d:97:37:67:9d:12:4e:80:cf:a1:df:98:10:8d:a8:39:3e:5e:db:
28:c3:28:c9:d7:a7:48:22:2d:a8:4c:1e:40:e9:72:63:fd:04:7a:e9:
...
...命令行工具也可用于验证签名有效性:
Check the digital signature of a PE file for validity
Usage: pesign.exe verify [OPTIONS] <FILE>
Arguments:
<FILE>
Options:
--no-check-time Ignore certificate validity time
--ca-file <FILE> Trusted certificates file
--embed Verify embedded certificate
-h, --help Print help使用 --no-check-time 选项可跳过签名时间有效性检查,--ca-file 选项用于指定 PEM 格式的可信 CA 证书,若不指定则使用内置的默认证书进行有效性验证。
你也可以将 pe-sign 添加为依赖,集成到自己的项目中。使用以下命令添加依赖:
cargo add pe-sign然后在 main.rs 导入 pesign 并且解析为 PeSign 结构:
use pesign::PeSign;
fn main() {
if let Some(pesign) = PeSign::from_pe_path("test.exe").unwrap() {
// Add your program logic.
} else {
println!("The file is no signed!!");
}
}更多详细信息,请参阅 crate 文档。
如果你发现问题或者有新的功能建议,欢迎提交 Issue 或发起 Pull Request。
你可以在此处查看项目的源码:pe-sign GitHub 仓库
该项目基于 MIT 许可证开源。详情请查看 LICENSE 文件。