Look before you leap: PE File Digital Signature

Trust, but verify. PE File Digital Signature


I. Introduction

When using a computer with the Windows operating system, downloading and running executable files occurs frequently.

But how can you be sure that the Portable Executable (PE) files you download and run are from reputable providers and have not been altered during the download process or supplied through a third party?

In this article, I will address the following key points:

  • How to rely on the PE file digital signature to assess the trustworthiness of a file before execution.
  • PE file integrity check through digital signature verification.
  • Methods by which malware compromises PE file integrity or bypasses PE file integrity verification.

This is one of the articles on the topic of OPSEC. The purpose is to ensure that your computer is a safe place to store personal files like photos and documents. It provides basic security measures to help you avoid data breaches.

II. Key points to know and consider about PE digital signature.

1. PE File Integrity Verification

Windows checks the integrity of PE files by verifying their digital signatures.

A. What is a PE file digital signature?

A PE file digital signature is a cryptographic signature used to verify the authenticity and integrity of Portable Executable (PE) files. When a developer creates a PE file, they can use a code signing certificate to sign the file. This involves generating a hash (a unique digital fingerprint) of the file and then encrypting this hash with the developer's private key.

When the PE file is executed, the operating system can verify the signature by decrypting the hash with the developer's public key and comparing it to a newly computed hash of the file. If the hashes match, the file is verified as authentic and unaltered.

Only when a file passes the PE file integrity check can it be considered intact and created by the correct registered publisher.

Digital signatures for PE files primarily fall into two types: Embedded Signatures and Catalog File Signatures. I will not delve deeply into this topic; if you want to learn more, you can check Additional details.

The software you download after installing Windows often uses embedded signatures.

B. How to check if a PE digital signature is valid

Windows Explorer provides a built-in feature that allows you to check whether a file has a digital signature and its validity.

  1. Navigate to the File: Go to the location of the PE file you want to verify.
  2. Right-Click the File: Right-click on the file to open the context menu.
  3. Select "Properties": Click on "Properties" at the bottom of the context menu.
  4. Go to the "Digital Signatures" Tab: In the Properties window, click on the "Digital Signatures" tab.

View Signature Details:

  1. In the "Digital Signatures" tab, you will see a list of signatures associated with the file.
  2. Select the signature you want to verify and click on "Details".

Verify Signature:

In the Signature Details window, you can see information about the signer, the timestamp, and the status of the digital signature.

If the signature is valid, you will see a message indicating that the signature is OK.

If there are any issues with the signature, such as it being invalid or untrusted, you will see an appropriate error message.

Below is an example of how I check the digital signature of the file "msedge.exe". This file is not infected with malware, so the result will be successful.

[Figure: Digital signature of clean file]

The same check on the file "msedge - infected.exe" fails. This file has been infected by malware, and in the process its digital signature was broken and is no longer valid.

[Figure: Digital signature of infected file]

When downloading or copying files from another source to your machine and running a PE file (exe, msi, msp, etc.), always remember to check whether their digital signatures are valid first.

You should never run files with invalid digital signatures. If you must run such files, use a virtual machine and create a snapshot before executing them.

The level of safety decreases in the following order: files with valid digital signatures; files without digital signatures; files with invalid digital signatures.

A file with an invalid digital signature clearly indicates two possibilities. The first, which is rare, is that there is an issue with your Windows system, preventing it from verifying the signature. The second, which is more common, is that your file has become corrupted for some reason, resulting in the loss of its digital signature.

An even rarer case is that the developer made an error in applying the signature when releasing the software. A real-world example is KB5006980, which involves a bad signature error when using PerfView in Exchange Server 2019 and 2016. This issue arises because modifications were made to the PerfView executable after it was signed, using the CorFlags tool, which invalidated the digital signature. More information

Therefore, a file without a digital signature is safer than a file with an invalid signature.
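A scripted counterpart to the Explorer check, sorting every PE-type file in a folder into the three tiers above. This is an added example, not part of the original article; it uses the built-in Get-AuthenticodeSignature cmdlet and assumes Windows PowerShell 5.1 or later, and $Folder and $Extensions are placeholder values.

```powershell
# Added example: triage PE-type files in a folder by signature status.
# $Folder and $Extensions are assumptions; adjust them to your environment.
$Folder     = Join-Path $env:USERPROFILE 'Downloads'
$Extensions = '.exe', '.dll', '.sys', '.msi', '.msp'

Get-ChildItem -LiteralPath $Folder -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $Extensions -contains $_.Extension.ToLowerInvariant() } |
    ForEach-Object {
        $file = $_   # keep the pipeline item; switch rebinds $_ inside its blocks
        $sig  = Get-AuthenticodeSignature -LiteralPath $file.FullName

        # Map the cmdlet's Status onto the three safety tiers described above.
        $tier = switch ($sig.Status) {
            'Valid'     { '1 valid signature' }
            'NotSigned' { '2 no signature' }
            default     { '3 invalid or untrusted signature' }   # HashMismatch, NotTrusted, ...
        }

        [pscustomobject]@{
            Tier        = $tier
            Status      = $sig.Status
            Type        = $sig.SignatureType     # Authenticode (embedded) or Catalog
            Signer      = $sig.SignerCertificate.Subject
            Timestamped = [bool]$sig.TimeStamperCertificate
            # Hash for looking up files in tier 2 or 3, as described in the next paragraphs.
            SHA256      = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
            File        = $file.FullName
        }
    } |
    Sort-Object Tier, File |
    Format-List
```

A Status of HashMismatch means the file content no longer matches the signed hash, which is the case shown for the infected file above.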

One way to quickly check the credibility of a file without a signature is to obtain its hash (MD5, SHA1, SHA256, etc.) and then paste it into the search engine you are using. If this hash appears on reputable websites, the safety of the file is likely high.

The PowerShell command to calculate the hash of a file, where you can change the algorithm as desired, is as follows:

Get-FileHash -Path "C:\path\to\your\file.ext" -Algorithm SHA256

You can replace "SHA256" with other algorithms such as "MD5" or "SHA1" as needed.

C. How to use Process Explorer to check the digital signatures of running processes

Process Explorer (Procexp) is a powerful system monitoring and management utility from Microsoft Sysinternals. It provides detailed information about the processes running on your Windows system and allows you to perform various actions to manage and analyze them.

Key Features:

  • Detailed Process Information: View detailed information about running processes, including their CPU, memory usage, and parent-child relationships.
  • DLL and Handle Viewing: See which DLLs and handles are opened or loaded by a process.
  • Graphical Representation: Real-time graphical representation of CPU, I/O, and memory usage.
  • Verify Image Signatures: Verify the digital signatures of running processes to ensure they are from trusted sources.
  • Search Capabilities: Search for specific processes, DLLs, or handles.
  • Terminate, Suspend, or Restart Processes: Manage processes by terminating, suspending, or restarting them.

Process Explorer is an essential tool for using and managing your computer.

Process Explorer Download

To check the digital signatures of running processes using Process Explorer, follow these steps:

  1. Open Process Explorer: Download and run Process Explorer from the Microsoft Sysinternals website. Remember to check its digital signature before running it.
  2. Go to Options: Click on the "Options" menu at the top.
  3. Select "Verify Image Signatures": Check the box for "Verify Image Signatures" in the menu.

This option ensures that Process Explorer checks the digital signatures of all running EXE and DLL files. If a file is signed by a trusted certificate authority, it will be marked as "Trusted"; if it's unsigned, it will be marked as "Unsigned"; and if the signature hasn't been checked, it will be marked as "Not Verified".

Running Sysinternals Process Explorer with elevated privileges allows you to access more detailed information about system processes and perform administrative tasks.

[Figure: Verify image signatures with Procexp]
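A command-line counterpart to the "Verify Image Signatures" option, as an added example that is not part of the original article or of Process Explorer. The function name Get-RunningImageSignature and its -IncludeModules switch are hypothetical names chosen here; the script relies only on the built-in Get-Process and Get-AuthenticodeSignature cmdlets.

```powershell
# Added example: signature check for the images of all running processes.
# Run from an elevated prompt; without it, Path is empty for many system processes.
function Get-RunningImageSignature {
    param([switch]$IncludeModules)   # also check DLLs loaded into each process

    $owners = @{}   # file path -> list of "name(pid)" entries that use the file
    foreach ($proc in Get-Process) {
        $files = @($proc.Path)
        if ($IncludeModules) {
            # Modules throws for protected processes; skip those.
            try { $files += $proc.Modules.FileName } catch { }
        }
        foreach ($file in $files | Where-Object { $_ } | Sort-Object -Unique) {
            if (-not $owners.ContainsKey($file)) { $owners[$file] = @() }
            $owners[$file] += '{0}({1})' -f $proc.ProcessName, $proc.Id
        }
    }

    # Verify each distinct file once, however many processes have it loaded.
    foreach ($file in $owners.Keys) {
        $sig = Get-AuthenticodeSignature -LiteralPath $file
        [pscustomobject]@{
            Status   = $sig.Status
            Signer   = $sig.SignerCertificate.Subject
            File     = $file
            LoadedBy = $owners[$file] -join ', '
        }
    }
}

# Show only images that did not verify as Valid.
Get-RunningImageSignature |
    Where-Object { $_.Status -ne 'Valid' } |
    Sort-Object Status, File |
    Format-Table -AutoSize -Wrap
```

Add -IncludeModules to cover loaded DLLs as well as EXE images; expect it to take noticeably longer.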

2. Methods by which malware counteracts and exploits digital signatures of PE files

At this point, many may wonder: why doesn't malware use digital signatures? Wouldn't this make it appear more legitimate?

There are several reasons why many Windows malware samples do not have digital signatures:

  • Digital signatures can make it easier for antivirus and security software to detect malware. Instead of analyzing each file individually, antivirus software can simply check for files with the same PE file digital signature as the malware and block those files. Unsigned files are less likely to raise immediate red flags.
  • Cost and Complexity: obtaining a legitimate digital certificate for signing malware is both costly and complex. Malware authors often prefer to avoid this hassle.
  • Self-Signed Certificates: malware can use self-signed certificates, but these are often quickly flagged by security software as suspicious.
  • Packers and Obfuscation: malware authors use packers and obfuscation techniques to hide their code. This leads to all files being unique, which complicates the use of PE file digital signatures. Even if digital signatures are implemented, this would undermine the polymorphism of malware (as they would be blocked by antivirus software due to sharing the same digital signature).

Note that the above considerations only apply to common types of malware. For malware used by well-resourced groups with strong financial backing, such as APT groups, these limitations do not pose a challenge.

Advanced Persistent Threat (APT) groups are highly sophisticated and often state-sponsored threat actors. They are known for their stealthy and prolonged cyber-espionage campaigns. Examples of APT Groups: APT28 (Fancy Bear), APT29 (Cozy Bear), APT41 (Double Dragon), Lazarus Group.

Of course, nothing is absolute; the authors of malware will also have various methods to counter PE file integrity verification.

Signature Spoofing: malware may use stolen or forged digital signatures to appear legitimate, tricking users and security software into executing the malicious file.

Exploiting vulnerabilities related to PE file integrity verification.

  • Flame malware used a collision attack to obtain a valid digital signature. Further data
  • Malware groups exploit vulnerabilities in how Windows validates signature files. Additional details
  • CatB Ransomware exploits DLL hijacking vulnerabilities to achieve greater concealment. Detailed explanation

III. Conclusion

The digital signature is one of the factors that PE file integrity verification relies on.

PE file digital signature is an extremely effective mechanism to tackle malware.

You should always check the digital signature of a file after downloading or copying it from another source to your machine.

For files without a signature or with an invalid signature, it is best to run them in a virtual machine.

Using the "Verify Image Signatures" feature of Process Explorer will help you check whether all running programs have valid signatures. And running Procexp as an admin ensures that you can fully utilize its powerful features and get a comprehensive view of your system's operations.

Better safe than sorry: do not rely solely on the PE file digital signature to determine whether a file is safe. It is also important to consider the software publisher's information, the download source, and the details contained within the digital signature.

Malware groups may use stolen signatures to sign their own malware or exploit vulnerabilities within the PE file integrity system. Therefore, always keep your system updated to the latest version.

Understanding how to use PE digital signatures will provide you with basic security measures to mitigate sensitive data exposure and help you stay safe on the Internet.
