fibratus

Get process image or dll signature info

Open rabbitstack opened this issue 4 years ago • 0 comments

The Windows API provides the CryptQueryObject function to obtain details about the certificate that signed the executable. We should invoke this function in the process/image interceptors and augment the corresponding events with various parameters including:

  • certificate issuer
  • certificate serial number
  • certificate timestamp
  • publisher information

References

https://docs.microsoft.com/en-US/troubleshoot/windows/win32/get-information-authenticode-signed-executables

rabbitstack, Mar 24 '21 15:03