Closed jshlbrd closed 1 year ago
I suggest checking and using the value from:
pe.OPTIONAL_HEADER.DATA_DIRECTORY[pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_SECURITY']].Size
In theory, nothing should come after the digital signature, but in practice it sometimes occurs.
This PR adds digital signature explosion to the META_PE module. I tried to be mindful of what additional information would be useful to analysts, so I included the two flags that are triggered when there is virtual address space for the digital signature and when the digital signature data is empty.
Something to consider would be the filename of the exploded digital signature. This currently just takes whatever the PE filename is and appends '_digital_signature' ... that might be good enough, but if there's a better idea, I'm happy to try it out.