• SigCheck.exe signature-checking tool


    Example 1: checking the digital signature of a single file
    Taking notepad.exe as the example: choose "All Programs → Accessories → Command Prompt", right-click it and choose "Run as administrator", and once inside the command prompt type the following command by hand:
      sigcheck j:\Windows\System32\notepad.exe
    The result is shown in Figure 2. The "Verified:" line states whether the signature checks out (Signed or Unsigned), and the name after "Publisher:" is the subject of the signing certificate. Copying notepad.exe to another path on the same machine does not change this result: an embedded Authenticode signature travels with the file, and a catalog signature (the usual case for Windows system files) is looked up by the file's hash in the local catalog store. Copy the file to a machine that lacks that catalog, however, and sigcheck reports it as unsigned; add -i to see which catalog the signature comes from.

    Figure 2 SigCheck run screen

    Example 2: batch-checking digital signatures
    Often we need to find out whether a directory, such as "c:\windows\system32", contains files that are not digitally signed. Use a command like this:
      sigcheck -u -e c:\windows\system32 >abc.txt
    -u restricts the output to unsigned files and -e scans executable images regardless of their extension; add -s to include subdirectories. The results are written to abc.txt.

    Overview
    Sigcheck is a simple command-line utility that verifies that images are digitally signed and dumps their version information.

    Usage: sigcheck [-a][-h][-i][-e][-l][-n][-s][-c|-ct][-q][-r][-u][-vt][-v[rs]][-f catalog file] <file or directory>
    (In current versions -c selects CSV output and a catalog file is given with -f; older releases used -c for the catalog file, which is why some guides show it that way.)

    -a Show extended version information. The entropy measure reported
    is the bits per byte of information of the file's contents.
    -c CSV output with comma delimiter
    -ct CSV output with tab delimiter
    Specify -nobanner to avoid the banner being output to the CSV
    -d Dump contents of a catalog file
    -e Scan executable images only (regardless of their extension)
    -f Look for signature in the specified catalog file
    -h Show file hashes
    -i Show catalog name and signing chain
    -l Traverse symbolic links and directory junctions
    -m Dump manifest
    -n Only show file version number
    -o Perform VirusTotal lookups of hashes captured in a CSV file previously produced by Sigcheck with the -h option. This usage is intended for scans of offline systems.
    -q Quiet (no banner)
    -r Disable check for certificate revocation
    -s Recurse subdirectories
    -t[u][v] Dump contents of the specified certificate store ('*' for all stores). Specify -tu to query the user store (machine store is the default). Append '-v' to have Sigcheck download the trusted Microsoft root certificate list and only output valid certificates not rooted to a certificate on that list. If the site is not accessible, authrootstl.cab or authroot.stl in the current directory are used instead, if present.
    -u If VirusTotal check is enabled, show files that are unknown by VirusTotal or have non-zero detection; otherwise show only unsigned files.
    -v[rs] Query VirusTotal (www.virustotal.com) for malware based on file hash. Add 'r' to open reports for files with non-zero detection. Files reported as not previously scanned will be uploaded to VirusTotal if the 's' option is specified. Note scan results may not be available for five or more minutes.
    -vt Before using VirusTotal features, you must accept the VirusTotal terms of service. See:

    https://www.virustotal.com/en/about/terms-of-service/

    You should investigate the purpose of every unsigned file, and of any file whose Verified field shows an error rather than Signed. A valid signature only tells you who signed the file, not that the file is benign, so look at the publisher as well.

    For example, to record the scan results in CSV format, use a command like the following:

    Sigcheck>sigcheck.exe -c -e "C:\Test" >sigcheckresult.csv

    Add -nobanner so that the banner lines do not precede the header row, and -h if you want the file hashes included as extra columns.
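Once the scan is in a CSV, the useful next step is to triage it rather than read it by eye: split the rows into unsigned files, files whose signature failed verification, and files that are validly signed but by a publisher you did not expect. The script below is an added example, not code from the original article or from Sysinternals. The column names, the Signed/Unsigned values of the Verified column and the banner lines are reproduced from memory of sigcheck's output and should be confirmed against the header row your own version emits; the sample CSV, including every path, date and publisher in it, is constructed for the example.

```python
"""Triage the CSV that `sigcheck -c` writes: separate files that need a closer
look from files signed by a publisher you expect.

Added example; it is not part of the original article or of Sysinternals.
The column names, the 'Signed'/'Unsigned' values of the Verified column and
the banner lines are reproduced from memory of sigcheck's output: confirm
them against the header row your own sigcheck version emits.
"""
import csv
import io
import sys

# Constructed sample of `sigcheck -c -e -s C:\Test >sigcheckresult.csv`, run
# without -nobanner so the banner lines precede the header. Every path, date
# and publisher below is invented for this example. helper.exe deliberately
# claims "Microsoft Corporation" in its version resource while being unsigned.
SAMPLE_OUTPUT = """\
Sigcheck v2.90 - File version and signature viewer
Copyright (C) 2004-2022 Mark Russinovich
Sysinternals - www.sysinternals.com

Path,Verified,Date,Publisher,Company,Description,Product,Product Version,File Version,Machine Type
C:\\Test\\notepad.exe,Signed,10:31 AM 5/7/2021,Microsoft Windows,Microsoft Corporation,Notepad,Microsoft Windows Operating System,10.0.19041.1,10.0.19041.1 (WinBuild.160101.0800),64-bit
C:\\Test\\tools\\helper.exe,Unsigned,n/a,n/a,Microsoft Corporation,Helper,Helper,1.0.0.0,1.0.0.0,32-bit
C:\\Test\\tools\\updater.exe,Signed,9:02 AM 3/1/2023,Contoso Ltd,Contoso Ltd,Contoso Updater,Contoso Suite,4.2.0.0,4.2.0.0,64-bit
"C:\\Test\\drv\\old.sys","A certificate was explicitly revoked by its issuer.",n/a,Fabrikam Inc,Fabrikam Inc,Fabrikam filter driver,Fabrikam Tools,1.0.0.1,1.0.0.1,64-bit
"""


def parse_sigcheck_csv(text):
    """Return the scan rows as dicts keyed by column name.

    The banner is skipped by searching for the header row, which starts with
    'Path,', so the same parser works whether or not -nobanner was used.
    """
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("Path,"):
            return list(csv.DictReader(io.StringIO("\n".join(lines[i:]))))
    raise ValueError("no sigcheck header row found; is this really -c output?")


def load_sigcheck_csv(path):
    """Read a redirected sigcheck CSV from disk.

    Sysinternals tools may write redirected output as UTF-16 with a byte-order
    mark, so sniff the BOM instead of assuming UTF-8.
    """
    with open(path, "rb") as fh:
        raw = fh.read()
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return parse_sigcheck_csv(raw.decode("utf-16"))
    return parse_sigcheck_csv(raw.decode("utf-8-sig"))


def triage(rows, expected_publishers):
    """Bucket every scanned file by what its signature actually proves.

    unsigned   - Verified is 'Unsigned': no signature at all
    invalid    - a signature is present but did not verify (revoked, expired
                 chain, untrusted root, ...); Verified carries the error text
    unexpected - verifies, but the certificate subject is not on the allowlist
    ok         - verifies and the publisher is one you expect

    Publisher is the subject of the signing certificate, which is what the
    signature binds. Company and Description come from the PE version resource,
    which anyone can set to anything, so never allowlist on those columns.
    """
    allow = {p.casefold() for p in expected_publishers}
    buckets = {"unsigned": [], "invalid": [], "unexpected": [], "ok": []}
    for row in rows:
        path = row["Path"]
        verified = row["Verified"].strip()
        publisher = row["Publisher"].strip()
        if verified == "Unsigned":
            buckets["unsigned"].append(path)
        elif verified != "Signed":
            buckets["invalid"].append((path, verified))
        elif publisher.casefold() not in allow:
            buckets["unexpected"].append((path, publisher))
        else:
            buckets["ok"].append(path)
    return buckets


if __name__ == "__main__":
    # Pass the CSV path as the first argument; without one, use the sample.
    rows = (load_sigcheck_csv(sys.argv[1]) if len(sys.argv) > 1
            else parse_sigcheck_csv(SAMPLE_OUTPUT))
    for name, items in triage(rows, ["Microsoft Windows"]).items():
        print(f"{name} ({len(items)})")
        for item in items:
            print("   ", item)
```

Run it as `python triage.py sigcheckresult.csv` on a real scan. The point of the three non-ok buckets is that `-u` on its own only answers "is it signed?"; the revoked driver and the validly signed third-party updater in the sample are the cases that question alone does not surface, and the unsigned helper.exe shows why the allowlist is keyed on Publisher (the certificate subject) and never on the Company string.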

  • Original URL: https://www.cnblogs.com/VARForrest/p/15035113.html