I don't believe we are extracting this information within the module. After looking over the code for the module, this snippet is instructive:

   # Eight bytes in due to the struct spec
   # typedef struct _WIN_CERTIFICATE
   # {
   #     DWORD       dwLength;
   #     WORD        wRevision;
   #     WORD        wCertificateType;   
   #     BYTE        bCertificate[ANYSIZE_ARRAY];
   # } WIN_CERTIFICATE, *LPWIN_CERTIFICATE;
   sig_buff = buff[address + 8 : address + 8 + size]

So we are just focusing on the buffer containing the bCertificate data exclusively, and parsing that data.

from fsf.

Thanks for replying.
I try to write a process of validating PE’s signature:
`

1. Read PEHeaders: (done)

• Read DataDirectory[IMAGE_DIRECTORY_ENTRY_SECURITY].VirtualAddress
• ReadDataDirectory[IMAGE_DIRECTORY_ENTRY_SECURITY].Size

2. Validate Certificate: (I don't know how)

• Access attribute certificate table, parse PKCS #7 and X.509 v3 and extract the data (issuer, hashes, etc).
• Validate the certificate information against the Certificates store using CryptQueryObject,
  CryptMsgGetParam and CertFindCertificateInStore.

3. Validate File's Hash: (I don't know how)

• Compare file's hash against the hash mentioned in PKCS #7's SignedData. If it matches, the file has a
  valid signature. If not, the digital signature is invalid`

Can you please help me to write a python script that do that process ?

from fsf.

Hmm, I'm not directly familiar with this process, but a little research turned up a few methods out there that might be of use to you:

x509 verification - http://aviadas.com/blog/2015/06/18/verifying-x509-certificate-chain-of-trust-in-python/
PKCS#7 - http://stackoverflow.com/questions/15979542/verify-signature-of-pkcs7-signed-file-using-python

You might also want to look at hashlib for hash comparisons.

from fsf.