Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Feature request: Run authenticode check on byte array or stream #14

Open
Mgamerz opened this issue Nov 7, 2020 · 2 comments
Open

Feature request: Run authenticode check on byte array or stream #14

Mgamerz opened this issue Nov 7, 2020 · 2 comments

Comments

@Mgamerz
Copy link

Mgamerz commented Nov 7, 2020
edited
Loading

Hi,

Thanks for this library, I use it in my modding software I write to validate the source of a game. I'm wondering if it would be possible to extend this to support reading files from memory/byte arrays, which is apparently something that can be done in powershell (https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-authenticodesignature?view=powershell-7).

I ask for this feature because for one of the games my software mods, the executable has to be modified to support Large Address Aware (LAA - it's a really old game from mid 2000s), as well as patched in a few other areas to prevent things like running as admin (it's a long story) and other stuff. I want to be able to determine the source of it still, so I'm planning to write a 'executable reverser', which will read in the executable, reverse the changes we've made, and then I would feed that data to AuthenticodeExaminer. The game will not work if we don't make these changes so we will always have a game executable with a broken signature.

This is easily possible by doing a disk write but I'm trying to avoid writing a 20MB file to disk just to determine the signature.

I see you are using native windows API to perform this, and I haven't looked at powershell to see how it does it. Another use case for this is that I perform updates through patches, so I update my program's executable by applying a patch to it in memory and validating the hash. If I could validate the signature in memory instead, it would drop the need for me to validate the hash (I don't write to disk until I validate the result), which is extra manual work I have to do on every build of my software.
@srivas-ksh
Copy link

+1 for the feature to have this library work byte array or file stream such that the dependency on physical file path can be avoided. In cloud environment, it is hard to store file, instead file stream or byte array can help this library to work in cloud environment also.

@kapsiR
Copy link

kapsiR commented Jan 30, 2023

You can use the same package, that PowerShell uses under the hood 😉

Microsoft.Security.Extensions is available for that:

using Microsoft.Security.Extensions;

...

using (FileStream fs = File.OpenRead(@"c:\test.exe"))
{
    FileSignatureInfo sigInfo = FileSignatureInfo.GetFromFileStream(fs);

    Console.WriteLine(sigInfo.State); // SignatureState.SignedAndTrusted
}

Example from Stack Overflow

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@Mgamerz @kapsiR @srivas-ksh