  1. #!/bin/bash
  2. # Extract a security certificate from a signed Windows binary.
  3. # Required software:
  4. #   pedump (http://pedump.me/)
  5. #   bc (http://www.gnu.org/software/bc/)
  6. #   grep, tr, cut, dd, openssl
  7.  
  8. # This file is licensed under the GNU General Public License v3
  9. # (C) 2012, CIRCL, Smile GIE
  10. # (C) Sascha Rommelfangen, sascha.rommelfangen@circl.lu, @rommelfs
  11.  
  12. INFILE="$1"
  13. if [ ! -e $INFILE ]
  14. then
  15.     echo "Extract certificate information"
  16.     echo "from a signed Windows binary file"
  17.     echo
  18.     echo "Usage: $0 filename"
  19.     exit 1
  20. fi
  21.  
  22. if [[ `file $INFILE | grep PE32` ]]
  23. then
  24.   # Certificate location is referenced in PE header -> data-directory -> Security
  25.   OFFSET=`pedump --data-directory $INFILE | grep SECURITY | tr -s " " | cut -d" " -f 4`
  26.   LENGTH=`pedump --data-directory $INFILE | grep SECURITY | tr -s " " | cut -d" " -f 6`
  27.   # BC does not handle lower case hex values correctly
  28.   OFFSET=`echo $OFFSET | tr '[:lower:]' '[:upper:]'`
  29.   LENGTH=`echo $LENGTH | tr '[:lower:]' '[:upper:]'`
  30.   # Offset needs 8 bytes added
  31.   # (4 bytes dwLength + 2 bytes wRevision + 2 bytes wCertificateType)
  32.   REALOFFSET=`echo "obase=16;ibase=16;$OFFSET+8" | bc`
  33.   # Length is 8 bytes less and 1 byte less
  34.   REALLENGTH=`echo "obase=16;ibase=16;$LENGTH-9" | bc`
  35.   dd if=$INFILE bs=1 skip=0x$REALOFFSET count=0x$REALLENGTH | openssl asn1parse -inform DER
  36. fi