Topic: DONE: Tool that lists digitally signed files from a folder/disk

skwire

Re: DONE: Tool that lists digitally signed files from a folder/disk
« Reply #50 on: June 22, 2015, 07:59:23 PM »
Hi, telealex, and welcome to the DonationCoder site.  I'm on holiday this week but I'll try to take a closer look at your post when I get back.

telealex

Re: DONE: Tool that lists digitally signed files from a folder/disk
« Reply #51 on: June 27, 2015, 09:10:26 AM »
> Hi, telealex, and welcome to the DonationCoder site.  I'm on holiday this week but I'll try to take a closer look at your post when I get back.

many thanks

neverlight

Re: DONE: Tool that lists digitally signed files from a folder/disk
« Reply #52 on: July 06, 2015, 03:42:19 AM »
@skwire, There's also a new version of Sigcheck as of March 10, 2015.  ;)

This release of Sigcheck, a command-line tool that reports file version, code signing, and hash information, introduces import-hash reporting and support for files larger than 4 GB.



Kind regards,
Marius

pstein

Re: DONE: Tool that lists digitally signed files from a folder/disk
« Reply #53 on: August 10, 2015, 11:50:44 PM »
I started newest SigCheck GUI for all running processes and found some with a blue question mark.
Among them some important processes like lsass.exe, csrss.exe and spoolsv.exe

What does a blue question mark mean?

They are not checked in Virustotal. Why not?

I cannot open the file location: Why not?

How can I verify otherwise that they are the correct/correctly signed original binaries from Microsoft?

Peter

skwire

Re: DONE: Tool that lists digitally signed files from a folder/disk
« Reply #54 on: August 11, 2015, 02:28:18 AM »
> What does a blue question mark mean?

In the Verified column, you should see some text.  "Signed" gets a green check mark; "Unsigned" gets a red exclamation point; "A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file." gets a yellow exclamation point.  Any other text in there gets a blue question mark.  One example I've seen is, "The timestamp signature and/or certificate could not be verified or is malformed."

> They are not checked in Virustotal. Why not?

Are you saying that none of your files have VirusTotal URLs listed?  If so, do you have the appropriate option checked in the Options tab?  FWIW, the VirusTotal URLs appear to be working fine for me under W7/64.  Which OS are you using? 

> I cannot open the file location: Why not?

This took some research but should be fixed in the latest version.  In a nutshell, on 64-bit versions of Windows, 32-bit applications such as AutoHotkey run inside WOW64 so calls to certain 64-bit files were getting automatically redirected to the c:\Windows\SysWOW64 folder.   :-\ :-\ :-\

> How can I verify otherwise that they are the correct/correctly signed original binaries from Microsoft?

Again, things appear to be working fine for me.  Which OS are you using?  Please note that I develop and test on Win7/64.  I sometimes test on XP if necessary.  I do not have W8 or W10.

v1.1.0 - 2015-08-11
    ! "Open file location" did not work properly for certain 64-bit files.
      (Thanks, pstein)


pstein

Re: DONE: Tool that lists digitally signed files from a folder/disk
« Reply #55 on: August 11, 2015, 02:46:27 AM »
I am using 64 bit Win 7 pro.

I am using GUI version 1.0.9 and SigCheck v2.2. Are there any newer versions?
VirusChecks are performed for all but the blue items.

There is no comment, absolutely nothing in the line except the process name.

Have a look at the following snapshot:

[Screenshot: SigcheckGUI Problem.png]

So again: Why do I get no further information?


skwire

Re: DONE: Tool that lists digitally signed files from a folder/disk
« Reply #56 on: August 11, 2015, 02:56:01 AM »
> I am using GUI version 1.0.9 and SigCheck v2.2. Are there any newer versions?

Yes.  If you look at the bottom of my previous post, you'll see version 1.1.0.

> So again: Why do I get no further information?

*shrug* I don't know.  Are you running the application with administrator rights?  Please note that SigcheckGUI is just a front-end for the sigcheck.exe commandline program that you'll find in your SigcheckGUI folder.  You could try running sigcheck.exe directly on one of those files in question and see what it reports back.  I'd be interested to know.



pstein

Re: DONE: Tool that lists digitally signed files from a folder/disk
« Reply #57 on: August 11, 2015, 05:44:01 AM »
Ok, with your new version v1.1 it works BUT

On page http://skwire.dcmemb...fp/?page=sigcheckgui
still only v1.0.9 is available and
on page

https://technet.micr...ernals/bb897441.aspx

Sigcheck (cmdline version from sysinternals) v2.2 is already available!

Your package contains only v2.1

Maybe there are problems with a changed API.

Can you check your GUI with the newest v2.2?
Peter

skwire

Re: DONE: Tool that lists digitally signed files from a folder/disk
« Reply #58 on: August 11, 2015, 09:59:55 AM »
> On page http://skwire.dcmemb...fp/?page=sigcheckgui
> still only v1.0.9 is available and

Updated, thank you.

> Sigcheck (cmdline version from sysinternals) v2.2 is already available!
> Your package contains only v2.1

The EULA of the 2.2 version changed and I'm no longer allowed to distribute sigcheck.exe in the SigcheckGUI download zip.  However, you're free to download the new 2.2 version yourself and copy it into your SigcheckGUI folder.  FWIW, I can't seem to find a changelog for Sigcheck so I'm unsure as to what has changed in the 2.2 version.

pstein

Re: DONE: Tool that lists digitally signed files from a folder/disk
« Reply #59 on: August 11, 2015, 01:20:46 PM »
> However, you're free to download the new 2.2 version yourself and copy it into your SigcheckGUI folder.

That's exactly what I did: But GUI v1.1 works only with SigCheck v2.1 and not v2.2

So something important must be changed. You should be able to find out what

skwire

Re: DONE: Tool that lists digitally signed files from a folder/disk
« Reply #60 on: August 11, 2015, 01:35:14 PM »
> That's exactly what I did: But GUI v1.1 works only with SigCheck v2.1 and not v2.2

SigcheckGUI v1.1.0 works fine for me with sigcheck.exe v2.20 in the folder.   :huh:

pstein

Re: DONE: Tool that lists digitally signed files from a folder/disk
« Reply #61 on: August 11, 2015, 01:46:29 PM »
.....except the blue icon lines which appear with v2.2 but not with v2.1

neverlight

Re: DONE: Tool that lists digitally signed files from a folder/disk
« Reply #62 on: August 18, 2015, 04:10:52 PM »
I found one small issue. On the other hand, it might be intended (but limited) behavior.
To better illustrate this issue, please consider the following example: if I tick under "View" tab to display only "Signed" files then some cases are ignored. You will get the blue icon and this message under "Verified" : "A certificate was explicitly revoked by its issuer."
Thus, we have another category of files which are signed : "Revoked". This should be displayed under "View" tab. What do you think, @skwire ?  :-[

Additionally, please check my screenshot.


Kind regards,
Marius

skwire

Re: DONE: Tool that lists digitally signed files from a folder/disk
« Reply #63 on: August 18, 2015, 04:25:28 PM »
> Thus, we have another category of files which are signed : "Revoked". This should be displayed under "View" tab. What do you think, @skwire ?

Well, I don't know.  I mean, I'm no expert regarding any of this but, without knowing the reason a signature was revoked, I'm not sure I'd put 'Revoked' on the same level as 'Signed'.  Maybe I'm wrong?

neverlight

Re: DONE: Tool that lists digitally signed files from a folder/disk
« Reply #64 on: August 18, 2015, 04:30:34 PM »
Digital signatures get revoked for example when these are found to be malicious (but present a signature in order to be blacklisted, not by hash but by digital signature ; malicious/blacklisted vendor).

Kind regards,
Marius
« Last Edit: August 18, 2015, 04:57:03 PM by neverlight »

neverlight

Re: DONE: Tool that lists digitally signed files from a folder/disk
« Reply #65 on: August 18, 2015, 04:48:45 PM »
Another ignored case is related to altered (signed) files (files that are digitally signed but altered by malicious applications, hex editors etc). These are files where the digital signature does not verify.
These are listed under "Unsigned" -- not correct.  Perhaps this is another category of signed files : "Invalid".

Please check my screenshots.

Kind regards,
Marius
« Last Edit: August 18, 2015, 04:55:29 PM by neverlight »
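
The status categories debated in this thread, as an added example (not SigcheckGUI's code and not written by any poster): it buckets Verified-column text so that "Revoked" and "Invalid" results are counted neither as "Signed" nor as "Unsigned", and blank rows are flagged separately. The two-column CSV layout, the sample paths under C:\Temp and C:\Tools, and the "did not verify" wording (Windows' TRUST_E_BAD_DIGEST message text) are assumptions; the other status strings are the ones quoted above.

```python
import csv
import io

# Verified-column texts quoted in the thread, plus one assumed text for a
# tampered file (Windows' TRUST_E_BAD_DIGEST message).
PATTERNS = [
    ("Revoked", "explicitly revoked by its issuer"),
    ("Invalid", "did not verify"),  # assumed wording, not quoted in the thread
    ("Expired", "not within its validity period"),
]
# Review order: categories that most need attention come first.
PRIORITY = ["Revoked", "Invalid", "Other", "NoData", "Expired", "Unsigned", "Signed"]

def classify(verified):
    """Map one Verified string to a category; only exact 'Signed' is trusted."""
    text = (verified or "").strip().lower()
    if not text:
        return "NoData"  # blank row: the tool reported nothing for this file
    if text == "signed":
        return "Signed"
    if text == "unsigned":
        return "Unsigned"
    for category, needle in PATTERNS:
        if needle in text:
            return category
    return "Other"  # any other text: the blue question mark case

def triage(csv_text):
    """Return [(category, path)] for every non-Signed row, worst first."""
    rows = csv.DictReader(io.StringIO(csv_text))
    findings = [(classify(r["Verified"]), r["Path"]) for r in rows]
    findings = [f for f in findings if f[0] != "Signed"]
    return sorted(findings, key=lambda f: PRIORITY.index(f[0]))

# Constructed sample rows (hypothetical layout, not real sigcheck output).
SAMPLE = r"""Path,Verified
C:\Windows\System32\lsass.exe,Signed
C:\Tools\old_util.exe,A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
C:\Temp\setup.exe,A certificate was explicitly revoked by its issuer.
C:\Temp\patched.exe,The digital signature of the object did not verify.
C:\Temp\script_host.exe,Unsigned
C:\Windows\System32\spoolsv.exe,
C:\Temp\odd.exe,The timestamp signature and/or certificate could not be verified or is malformed.
"""

if __name__ == "__main__":
    for category, path in triage(SAMPLE):
        print(f"{category:8} {path}")
```
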