Author Topic: DONE: Tool that lists digitally signed files from a folder/disk (Read 105352 times)

neverlight · « **on:** August 04, 2014, 09:32 AM »

At the moment, I can not find such a tool.

This kind of tool could be quite handy since malware analysts/researchers look into digitally signed files for whitelisting/blacklisting purposes.
Possible (important) features (to be considered):
- display digitally signed files from a specific folder as a list;
- ability to view the specific folder using a right-click menu (or something similar) on the digitally signed file;
- ability to filter files using digital signature details such as "Issued by", "Issued to", "Valid from" - "to", etc;

Kind Regards,
Marius

mouser · « **Reply #1 on:** August 04, 2014, 07:42 PM »

That's really not a bad idea at all -- especially if it showed a grid with the signing details.

4wd · « **Reply #2 on:** August 05, 2014, 04:39 AM »

Maybe skwire can add another column to SFV Ninja ?

Turn it into CFV Ninja, (Complicated File Verification).

neverlight · « **Reply #3 on:** August 05, 2014, 07:25 AM »

I didn't expect such positive replies.

Please note,that it's (very) important to know which files have a valid digital signature in terms of #date. In other words, to less or equal to current date. That could be a method.
Now, extending the idea of complex verification, It could also use an 'offline database', perhaps a text file (list) that contains default/custom trusted vendors. The vendors that are listed in the respective text file will show in a color, let's say green while the others that are not in the list will be marked red. Of course, colors could be customizable/user-choice -- whatever seems appropriate to DonationCoder.

Thanks again for the great feedback.

Kind regards,
Marius

Curt · « **Reply #4 on:** August 05, 2014, 03:02 PM »

is this the same as sigverif?

Verify Unsigned Device Drivers

   Click Start, click Run, type sigverif, and then click OK.
   Click Advanced.
   Click Look for other files that are not digitally signed.

   In the Look in this folder box, type x:\Windows\system32\drivers, where x is the letter of the drive where Windows is installed.
   On the Logging tab, make sure the Save the file signature verification results to a log file check box is selected, and then click OK.
   Click Start.

   NOTE: The log file is named Sigverif.txt, and it is saved in the Windows folder. Third-party drivers that are unsigned are displayed as "Not signed." Use the drivers in this list as your troubleshooting starting point.

http://support.microsoft.com/kb/308514
-support.microsoft.com/kb/308514

The article was about XP, but I can confirm that I have sigverif on Win 7 as well.

Shades · « **Reply #5 on:** August 05, 2014, 08:59 PM »

I tried it, but it only shows an overview of driver files that are not signed. The application sigverif is too limited to be of almost any use, if you would have asked me (and I know you didn't).

neverlight · « **Reply #6 on:** August 25, 2014, 08:56 AM »

In the meantime, I've found a (temporary) solution-- Sigcheck.

More information

Sigcheck is a command-line utility that shows file version number, timestamp information, and digital signature details, including certificate chains.

Interesting tool that does the job and it could be used in the "process". I'm guessing a GUI could be made based on this tool.
Hope it helps.

Kind Regards,
Marius Il.

mouser · « **Reply #7 on:** August 25, 2014, 10:40 AM »

Thanks for posting about that.. it does seem like it would be a natural next step for someone to make a gui tool that uses this commandline utility.

skwire · « **Reply #8 on:** August 27, 2014, 09:16 AM »

Interesting tool that does the job and it could be used in the "process". I'm guessing a GUI could be made based on this tool.
-neverlight (August 25, 2014, 08:56 AM)

Yep, quite easily. I assume you would like all bits of information listed in columns? Example output from the CLI tool:

Verified: Signed Signing date: 4:45 PM 4/28/2014 Publisher: Microsoft Corporation Description: File version and signature viewer Product: Sysinternals Sigcheck Prod version: 2.1 File version: 2.1 MachineType: 32-bit

Here's an extended output from the CLI tool:

Verified: Signed Signing date: 4:45 PM 4/28/2014 Publisher: Microsoft Corporation Description: File version and signature viewer Product: Sysinternals Sigcheck Prod version: 2.1 File version: 2.1 MachineType: 32-bit Binary Version: 2.10.0.0 Original Name: sigcheck.exe Internal Name: Sigcheck Copyright: Copyright (C) 2004-2014 Mark Russinovich Comments: n/a Entropy: 6.447

mouser · « **Reply #9 on:** August 27, 2014, 09:20 AM »

columns would be nice.

skwire · « **Reply #10 on:** August 27, 2014, 09:24 AM »

columns would be nice.
-mouser (August 27, 2014, 09:20 AM)

For sure. I foresee something very similar to my PDFInfoGUI tool.

mouser · « **Reply #11 on:** August 27, 2014, 09:51 AM »

perfect.

neverlight · « **Reply #12 on:** August 28, 2014, 05:13 AM »

[...] I assume you would like all bits of information listed in columns? [...]
-skwire (August 27, 2014, 09:16 AM)

Yes. It's a good start (for the first version) but this (suggested) application should not be limited (only) to the output though.

columns would be nice.
-mouser (August 27, 2014, 09:20 AM)
For sure. I foresee something very similar to my PDFInfoGUI tool.
-skwire (August 27, 2014, 09:24 AM)

However, maybe columns should be opt-in. End-users should select which columns to be displayed.

Kind Regards,
Marius

skwire · « **Reply #13 on:** August 28, 2014, 03:48 PM »

Yes. It's a good start (for the first version) but this (suggested) application should not be limited (only) to the output though.
-neverlight (August 28, 2014, 05:13 AM)

Hmmm...not sure what else you'd want out of this tool.

However, maybe columns should be opt-in. End-users should select which columns to be displayed.
-neverlight (August 28, 2014, 05:13 AM)

Column order and widths are saved so, if you don't want to see a column, you would simply set it to zero-width. Here's a teaser screenshot so far:

DONE: Tool that lists digitally signed files from a folder/disk

mouser · « **Reply #14 on:** August 28, 2014, 03:50 PM »

nice!!!
love it.

neverlight · « **Reply #15 on:** August 28, 2014, 05:13 PM »

Awesome.

Hmmm...not sure what else you'd want out of this tool.
-skwire (August 28, 2014, 03:48 PM)

Well, imagine tons & tons of files- you have to sort/filter these by columns, copy/move files to other folders, filter/hide files from signers that are loaded from a list, copy and paste displayed information such as hashes of files. These are most used operations.

Kind Regards,
Marius

skwire · « **Reply #16 on:** September 08, 2014, 11:36 PM »

Apologies for the delay. Here's the first release:

Website | Download v1.0.0 - 2014-09-08 + Initial forum build.

Screenshots:

DONE: Tool that lists digitally signed files from a folder/disk

skwire · « **Reply #17 on:** September 09, 2014, 08:49 PM »

Website | Download v1.0.2 - 2014-09-09 + Added option to include file hashes (MD5, SHA1, PESHA1, PE256, and SHA256). + Added "Is Running" column. (Thanks, mouser) + Added a toolbar button to dump all running exes to the list. (Thanks, mouser)

New screens:

DONE: Tool that lists digitally signed files from a folder/disk

mouser · « **Reply #18 on:** September 09, 2014, 09:02 PM »

LOVE it.

skwire · « **Reply #19 on:** September 10, 2014, 11:15 AM »

Website | Download v1.0.3 - 2014-09-10 + Double-clicking a row display the information box for that process. * Improved performance when clearing list items.

skwire · « **Reply #20 on:** September 10, 2014, 10:44 PM »

Website | Download v1.0.4 - 2014-09-10 + Added option to query VirusTotal (www.virustotal.com) for malware based on file hash. Note that this slows down scanning considerably. You can see the results in two new columns: Virus Total Detection and Virus Total URL. + Added context menu entry to go to the Virus Total URLs. + Added context menu entries to perform web searches based on the process name. Choose from Google, Bing, and Duck Duck Go. + Added "Export file list" feature to dump the full paths to a text file for later import using the "Import file list" feature.

mouser · « **Reply #21 on:** September 11, 2014, 01:48 PM »

Written up by Martin at ghacks today!
http://www.ghacks.ne...es-with-sigcheckgui/

He seems to really like it, though he pointed out a few issues with the virustotal integration.

skwire · « **Reply #22 on:** September 11, 2014, 01:53 PM »

Yeah, disabled that in a new build until I work out those kinks. I know WHAT the issue is...just need to come up with a way to handle it elegantly.

skwire · « **Reply #23 on:** September 11, 2014, 02:58 PM »

Apologies for that.

Website | Download v1.0.6 - 2014-09-11 ! Re-enabled VirusTotal functionality. SigcheckGUI now checks for the acceptance of the Sigcheck EULA and the VirusTotal ToS and will prompt the user for acceptance if necessary. v1.0.5 - 2014-09-11 ! Disabled the VirusTotal functionality until some kinks are worked out.

Mattes57 · « **Reply #24 on:** September 12, 2014, 04:01 AM »

Nice tool. Thank you!