Manually sign PE file

[WindowsNT]

I'm trying to manually sign the PE file. My problem is how to calculate the hash of the file.

I'm following This Document:

1. Load the image header into memory.
2. Initialize a hash algorithm context.
3. Hash the image header from its base to immediately before the start of the checksum address, as specified in Optional Header Windows-Specific Fields.
4. Skip over the checksum, which is a 4-byte field.
5. Hash everything from the end of the checksum field to immediately before the start of the Certificate Table entry, as specified in Optional Header Data Directories.
6. Get the Attribute Certificate Table address and size from the Certificate Table entry. For details, see section 5.7 of the PE/COFF specification.
7. Exclude the Certificate Table entry from the calculation and hash everything from the end of the Certificate Table entry to the end of image header, including Section Table (headers).The Certificate Table entry is 8 bytes long, as specified iOptional Header Data Directories.
8. Create a counter called SUM_OF_BYTES_HASHED, which is not part of the signature. Set this counter to the SizeOfHeaders field, as specified in Optional Header Windows-Specific Field.
9. Build a temporary table of pointers to all of the section headers in the image. The NumberOfSections field of COFF File Header indicates how big the table should be. Do not include any section headers in the table whose SizeOfRawData field is zero.
10. Using the PointerToRawData field (offset 20) in the referenced SectionHeader structure as a key, arrange the table's elements in ascending order. In other words, sort the section headers in ascending order according to the disk-file offset of the sections.
11. Walk through the sorted table, load the corresponding section into memory, and hash the entire section. Use the SizeOfRawData field in the SectionHeader structure to determine the amount of data to hash.
12. Add the section’s SizeOfRawData value to SUM_OF_BYTES_HASHED.
13. Repeat steps 11 and 12 for all of the sections in the sorted table.
14. Create a value called FILE_SIZE, which is not part of the signature. Set this value to the image’s file size, acquired from the underlying file system. If FILE_SIZE is greater than SUM_OF_BYTES_HASHED, the file contains extra data that must be added to the hash. This data begins at the SUM_OF_BYTES_HASHED file offset, and its length is: (File Size) – ((Size of AttributeCertificateTable) + SUM_OF_BYTES_HASHED) Note: The size of Attribute Certificate Table is specified in the second ULONG value in the Certificate Table entry (32 bit: offset 132, 64 bit: offset 148) in Optional Header Data Directories.
15. Finalize the hash algorithm context. Note: This procedure uses offset values from the PE/COFF specification, version 8.1 . For authoritative offset values, refer to the most recent version of the PE/COFF specification.

The problem is that I don't seem to be able to calculate the hash correctly. Test executable: test1.exe , this is a plain message box produced with FASM so I have the minimum test executable.


According to the documentation file steps, I only have to exclude the 4 byte checksum (position 216 from the start), and the 8 byte certificate table entry (position 296, 8 bytes). However this doesn't seem to work.

When I use signtool sign /f cert.p12 /p pwd /fd sha256 test1.exe, the hash of the file is calculated as such:

04 20 19 3d 7f a8 72 74 . .=.rt
15 ef 3f ff 84 81 7f e5 ..?....
02 64 fc 92 c5 a6 63 41 .d....cA
c6 ec 06 34 fb 29 42 37 ...4.)B7
cd e1

with my tool, the hash is different.

04 20 c2 04 74 1d d0 d5 . ..t...
06 0e 92 46 9a ca 3b 9e ...F..;.
db 37 2a 91 3c 4a bd 4c .7*.<J.L
e9 6c d8 b5 2a 01 5e 50 .l..*.^P
70 ef

So windows explorer tells me that my signature is invalid.

What am I missing?








Michael

Continue reading...