I. Introduction
When using a computer with the Windows operating system, downloading and
running executable files occurs frequently.
But how can you be sure that the Portable Executable (PE) files you download
and run are from reputable providers and have not been altered during the
download process or supplied through a third party?
In this article, I will address the following key points:
- How to rely on the PE file digital signature to assess the trustworthiness of a file before execution.
- PE file integrity check through digital signature verification.
- Methods by which malware compromises PE file integrity or bypasses PE file integrity verification.
This is one of the articles on the topic of OPSEC. The purpose is to ensure
that your computer is a safe place to store personal files like photos and
documents. It provides basic security measures to help you avoid data
breaches.
You can follow my Twitter (X) to be notified when there are new posts: Two Seven One Three (@TwoSevenOneT)
II. Key points to know and consider about PE digital signature.
1. PE File Integrity Verification
Windows will perform a PE file integrity check based on the verification of
their digital signatures.
A. What is a PE file digital signature?
A PE file digital signature is a cryptographic signature used to verify the
authenticity and integrity of Portable Executable (PE) files. When a developer
creates a PE file, they can use a code signing certificate to sign the file.
This involves generating a hash (a unique digital fingerprint) of the file and
then encrypting this hash with the developer’s private key.
When the PE file is executed, the operating system can verify the signature by
decrypting the hash with the developer’s public key and comparing it to a
newly computed hash of the file. If the hashes match, the file is verified as
authentic and unaltered.
Only when a file passes the PE file integrity check can it be considered
intact and created by the correct registered publisher.
Digital signatures for PE files primarily fall into two types: embedded
signatures and catalog file signatures. I will not delve deeply into this
topic; if you want to learn more, you can check the linked additional details:
Additional details
The software you download after installing Windows often uses embedded
signatures.
B. How to check if a PE digital signature is valid
Windows Explorer provides a built-in feature that allows you to check whether
a file has a digital signature and its validity.
- Navigate to the file: go to the location of the PE file you want to verify.
- Right-click the file: right-click on the file to open the context menu.
- Select “Properties”: click on “Properties” at the bottom of the context menu.
- Go to the “Digital Signatures” tab: in the Properties window, click on the “Digital Signatures” tab.
- View signature details: in the “Digital Signatures” tab, you will see a list of signatures associated with the file. Select the signature you want to verify and click on “Details”.
- Verify the signature: in the Signature Details window, you can see information about the signer, the timestamp, and the status of the digital signature. If the signature is valid, you will see a message indicating that the signature is OK. If there are any issues with the signature, such as it being invalid or untrusted, you will see an appropriate error message.
Below is an example of how I check the digital signature of the file
“msedge.exe”. This file is not infected with malware, so the result will be
successful.
Figure: Digital Signature of clean file
Similarly, with the file “msedge – infected.exe”. This file has been infected
by malware, and during this process, the digital signature of the file has
been broken and is no longer valid.
Figure: Digital Signature of infected file
When downloading or copying files from another source to your machine and
running a PE file (exe, msi, msp, etc.), always remember to check whether
their digital signatures are valid first.
You should never run files with invalid digital signatures. If you must run
such files, use a virtual machine and create a snapshot before executing them.
The level of safety decreases in the following order: files with valid
digital signatures; files without digital signatures; files with invalid
digital signatures.
A file with an invalid digital signature clearly indicates two possibilities.
The first, which is rare, is that there is an issue with your Windows system,
preventing it from verifying the signature. The second, which is more common,
is that your file has become corrupted for some reason, resulting in the loss
of its digital signature.
An even rarer case is that the developer made an error in applying the
signature when releasing the software. A real-world example is
KB5006980, which involves a bad signature error when using PerfView in Exchange Server
2019 and 2016. This issue arises because modifications were made to the
PerfView executable after it was signed, using the CorFlags tool, which
invalidated the digital signature.
More information
Therefore, a file without a digital signature is safer than a file with an
invalid signature.
One way to quickly check the credibility of a file without a signature is to
obtain its hash (MD5, SHA1, SHA256, etc.) and then paste it into the search
engine you are using. If this hash appears on reputable websites, the safety
of the file is likely high.
The PowerShell command to calculate the hash of a file, where you can change
the algorithm as desired, is as follows:
Get-FileHash -Path "C:\path\to\your\file.ext" -Algorithm SHA256
You can replace “SHA256” with other algorithms such as “MD5” or
“SHA1” as needed.
C. How to use Process Explorer to check the digital signatures of running
processes
Process Explorer (Procexp) is a powerful system monitoring and management
utility from Microsoft Sysinternals. It provides detailed information about
the processes running on your Windows system and allows you to perform various
actions to manage and analyze them.
Key features:
- Detailed process information: view detailed information about running processes, including their CPU and memory usage and parent-child relationships.
- DLL and handle viewing: see which DLLs and handles are opened or loaded by a process.
- Graphical representation: real-time graphical representation of CPU, I/O, and memory usage.
- Verify image signatures: verify the digital signatures of running processes to ensure they are from trusted sources.
- Search capabilities: search for specific processes, DLLs, or handles.
- Terminate, suspend, or restart processes: manage processes by terminating, suspending, or restarting them.
Process Explorer is an essential tool for using and managing your computer.
Process Explorer Download
To check the digital signatures of running processes using Process Explorer,
follow these steps:
- Open Process Explorer: download and run Process Explorer from the Microsoft Sysinternals website. Remember to check its digital signature before running it.
- Go to Options: click on the “Options” menu at the top.
- Select “Verify Image Signatures”: check the box for “Verify Image Signatures” in the menu.
This option ensures that Process Explorer checks the digital signatures of all
running EXE and DLL files. If a file is signed by a trusted certificate
authority, it will be marked as “Trusted“; if it’s unsigned, it will be
marked as “Unsigned“; and if the signature hasn’t been checked, it will
be marked as “Not Verified“.
Running Sysinternals Process Explorer with elevated privileges allows you to
access more detailed information about system processes and perform
administrative tasks.
Figure: Verify image signatures with Procexp
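As an added example (not part of the original article), the PowerShell script below applies the article’s ranking from sections B and C to real files: a valid signature is best, an unsigned file comes next, and an invalid signature is worst. It checks one file and then every running process that exposes an image path, which mirrors Process Explorer’s “Verify Image Signatures” option; the function names Get-PeTrustLevel and Get-RunningProcessTrust are mine, while Get-AuthenticodeSignature, Get-FileHash and Get-Process are built-in cmdlets.

```powershell
# Added example, not from the original article. Classifies PE files by their
# Authenticode signature state using the article's ranking:
# valid signature > unsigned > invalid signature.

function Get-PeTrustLevel {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    switch ($sig.Status) {
        'Valid'     { $level = 'Valid signature' }
        'NotSigned' { $level = 'Unsigned' }
        # Anything else (HashMismatch, NotTrusted, UnknownError, ...) is an
        # invalid signature: the file was modified or its chain is not trusted.
        default     { $level = "Invalid signature ($($sig.Status))" }
    }

    # For unsigned files the article suggests looking up the hash on
    # reputable sites, so compute SHA256 only in that case.
    $hash = if ($sig.Status -eq 'NotSigned') {
        (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    } else { $null }

    [pscustomobject]@{
        Path   = $Path
        Level  = $level
        Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        SHA256 = $hash
    }
}

# Mirrors Process Explorer's "Verify Image Signatures": check the image of
# every running process that exposes a path. Run elevated to see more of them;
# protected/system processes with no readable path are skipped.
function Get-RunningProcessTrust {
    Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.Path } |
        Select-Object -ExpandProperty Path -Unique |
        ForEach-Object { Get-PeTrustLevel -Path $_ }
}

# Usage: one file you are about to run, then everything currently running
# that is not carrying a valid signature (constructed example path).
Get-PeTrustLevel -Path "$env:SystemRoot\System32\notepad.exe" | Format-List
Get-RunningProcessTrust |
    Where-Object { $_.Level -ne 'Valid signature' } |
    Sort-Object Level |
    Format-Table Path, Level, Signer -AutoSize
```

Unsigned entries come with a SHA256 you can search for as described in section B; “Invalid signature” entries are the ones the article says you should not run outside a snapshotted virtual machine.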
2. Methods by which malware counteracts and exploits digital signatures of PE
files
At this point, many may wonder: why doesn’t malware use digital signatures?
Wouldn’t this make it appear more legitimate?
There are several reasons why many Windows malware samples do not have digital
signatures:
- Detection: digital signatures can make it easier for antivirus and security software to detect malware. Instead of analyzing each file individually, antivirus software can simply check for files with the same PE file digital signature as the malware and block those files. Unsigned files are less likely to raise immediate red flags.
- Cost and complexity: obtaining a legitimate digital certificate for signing malware is both costly and complex. Malware authors often prefer to avoid this hassle.
- Self-signed certificates: malware can use self-signed certificates, but these are often quickly flagged by security software as suspicious.
- Packers and obfuscation: malware authors use packers and obfuscation techniques to hide their code. This leads to all files being unique, which complicates the use of PE file digital signatures. Even if digital signatures were implemented, this would undermine the polymorphism of malware (as the files would be blocked by antivirus software due to sharing the same digital signature).
Note that the above considerations only apply to common types of malware. For
malware used by well-resourced groups with strong financial backing, such as APT
groups, these limitations do not pose a challenge.
Advanced Persistent Threat (APT) groups are highly sophisticated and often
state-sponsored threat actors. They are known for their stealthy and
prolonged cyber-espionage campaigns. Examples of APT Groups: APT28 (Fancy
Bear), APT29 (Cozy Bear), APT41 (Double Dragon), Lazarus Group.
Of course, nothing is absolute; the authors of malware will also have various
methods to counter PE file integrity verification.
- Signature spoofing: malware may use stolen or forged digital signatures to appear legitimate, tricking users and security software into executing the malicious file.
- Exploiting vulnerabilities related to PE file integrity verification:
  - Flame malware used a collision attack to obtain a valid digital signature. Further data
  - Malware groups exploit vulnerabilities in how Windows validates signature files. Additional details
  - CatB Ransomware exploits DLL hijacking vulnerabilities to achieve greater concealment. Detailed explanation
III. Conclusion
The digital signature is one of the factors on which PE file integrity
verification relies.
PE file digital signature is an extremely effective mechanism to tackle
malware.
You should always check the digital signature of a file after downloading or
copying it from another source to your machine.
For files without a signature or with an invalid signature, it is best to run
them in a virtual machine.
Using the “Verify Image Signatures” feature of Process Explorer will help you
check whether all running programs have valid signatures. And running Procexp
as an admin ensures that you can fully utilize its powerful features and get a
comprehensive view of your system’s operations.
Better safe than sorry: one should not rely solely on the PE file digital
signature to determine whether a file is safe. It is also important to
consider the software publisher’s information, the download source, and the
details contained within the digital signature.
Malware groups may potentially use stolen signatures to sign their own malware
or exploit vulnerabilities within the PE file integrity system. Therefore,
always keep your system updated to the latest version.
Understanding how to use PE digital signatures will provide you with basic
security measures to mitigate sensitive data exposure and help you stay safe
on the Internet.
IV. READING
Some books you should read to sharpen your cybersecurity skills, especially in offensive security:
Books on Programming and Cybersecurity recommended by Zero Salarium Researchers