Authenticode verification support for Windows (similar to the 'signature' table on macOS) #3716
This PR aims to add Authenticode verification support to osquery in a similar way to the 'signature' virtual table that has been implemented for macOS.
I have defined a signature virtual table for Windows, containing the following columns: path, original_program_name (from the publisher), serial_number, issuer_name, subject_name, result.
The following are the possible values for the result column:
Verifying the authenticode signature for running executables
SELECT process.pid, process.path, authenticode.result FROM processes as process LEFT JOIN signature AS authenticode ON process.path = authenticode.path;
Listing unsigned/untrusted processes listening for connections
SELECT port_info.pid, port_info.family, port_info.protocol, port_info.port, port_info.address, process.name, process.path, authenticode.result AS authenticode FROM listening_ports AS port_info LEFT JOIN processes AS process ON port_info.pid = process.pid LEFT JOIN signature AS authenticode ON process.path = authenticode.path WHERE authenticode <> 'trusted';
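The second query relies on LEFT JOIN, so a process whose binary produces no signature row gets a NULL result, and `authenticode <> 'trusted'` then drops that row instead of flagging it. The following Python example is added here and is not from the PR or from osquery; it rebuilds the three tables on constructed sample rows in sqlite3 (the engine osquery runs its SQL on) and contrasts the PR's predicate with a NULL-safe one. The assumption that the signature table emits no row for a path it cannot open is mine.

```python
import sqlite3

# Constructed sample rows standing in for osquery's processes, listening_ports
# and signature tables. Assumption: the signature table emits no row for a path
# it could not open, so the LEFT JOIN yields NULL for that process (ghost.exe).
PROCESSES = [  # (pid, name, path)
    (100, "svchost.exe", r"C:\Windows\System32\svchost.exe"),
    (200, "agent.exe", r"C:\Users\alice\AppData\Local\Temp\agent.exe"),
    (300, "tool.exe", r"C:\Tools\tool.exe"),
    (400, "ghost.exe", r"C:\Users\bob\ghost.exe"),
]
LISTENING_PORTS = [  # (pid, family, protocol, port, address)
    (100, 2, 6, 135, "0.0.0.0"),
    (200, 2, 6, 4444, "0.0.0.0"),
    (300, 2, 6, 8080, "127.0.0.1"),
    (400, 2, 6, 31337, "0.0.0.0"),
]
SIGNATURE = [  # (path, result); deliberately no row for ghost.exe
    (r"C:\Windows\System32\svchost.exe", "trusted"),
    (r"C:\Users\alice\AppData\Local\Temp\agent.exe", "untrusted"),
    (r"C:\Tools\tool.exe", "missing"),
]

QUERY = """SELECT port_info.pid, port_info.port, process.name, authenticode.result AS authenticode
FROM listening_ports AS port_info
LEFT JOIN processes AS process ON port_info.pid = process.pid
LEFT JOIN signature AS authenticode ON process.path = authenticode.path
WHERE {predicate}
ORDER BY port_info.pid"""

# The PR's predicate: NULL <> 'trusted' is NULL, which WHERE treats as false,
# so a listener whose binary has no signature row silently drops out.
NAIVE = "authenticode <> 'trusted'"
# NULL-safe predicate: IS NOT treats NULL as a comparable value and keeps it.
STRICT = "authenticode IS NOT 'trusted'"

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("CREATE TABLE processes(pid INT, name TEXT, path TEXT);"
                     "CREATE TABLE listening_ports(pid INT, family INT, protocol INT, port INT, address TEXT);"
                     "CREATE TABLE signature(path TEXT, result TEXT);")
    db.executemany("INSERT INTO processes VALUES (?, ?, ?)", PROCESSES)
    db.executemany("INSERT INTO listening_ports VALUES (?, ?, ?, ?, ?)", LISTENING_PORTS)
    db.executemany("INSERT INTO signature VALUES (?, ?)", SIGNATURE)
    return db

def untrusted_listeners(predicate=NAIVE):
    # Returns [(pid, port, name, result), ...] ordered by pid.
    return build_db().execute(QUERY.format(predicate=predicate)).fetchall()
```

With the PR's predicate ghost.exe (pid 400) never appears in the output; with the IS NOT form it is reported with a NULL result, which is the case a hunting query most wants to see.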
@theopolis sure! I'm still writing the utilities I need, as I also want to be able to list signature information like signer name etc. Once it's done, I'll create the new table; how would you like it to work? Should it just list the running executables?
I have defined a 'signature' virtual table for Windows; it only sports two columns for now, but I plan on adding more. I'm using a more verbose field instead of the 'signed' boolean used in the macOS implementation.
The following are the possible states:
EDIT: I should probably put this information in the summary!
A couple of smaller nits and a question about the << operator definition; not sure if that'll fly, as it seems risky to define it in such a high scope for something used by so many places in the code base.
Otherwise super excited for this table to land!