wisk / medusa

An open source interactive disassembler

Question: PE File certificate #25

Closed saeschdivara closed 8 years ago

saeschdivara commented 9 years ago

Hi, how can I find out where the section lies in which the certificate is stored? I found IMAGE_DIRECTORY_ENTRY_CERTIFICATE, which didn't help me much: https://github.com/libvmi/libvmi/blob/master/libvmi/peparse.h

wisk commented 9 years ago

Hello,

I'm going to assume you want to access this information from medusa. The real define is IMAGE_DIRECTORY_ENTRY_SECURITY and this feature is called Authenticode; for further information, take a look at this link

It might be a little bit tricky to retrieve it since it should not be mapped in memory, and unmapped data are discarded by the PE loader (_ldrpe), so if you wanna retrieve this field, get the badly named RVA value from the data directories[PE_DIRECTORY_ENTRY_SECURITY] (in pe.hpp IMAGE_ is replaced with PE_ to avoid conflict) and its size to read it using the BinaryStream.

saeschdivara commented 9 years ago

Ok, thanks, I will try to do that and will give you feedback as soon as I've tried it.

wisk commented 8 years ago

Hi,

Since this feature is not really useful for a disassembler and there has been no news since 2015, I'm closing the issue. Feel free to re-open it if needed.

Thanks.