Windows executable images are signed (Authenticode), and the signature data for the images of running processes can be enumerated with something like this:
import psutil
import subprocess
import json
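def get_signature_info(filepath):
    """Return the Authenticode ``(status, signer)`` pair for *filepath*.

    Runs PowerShell's ``Get-AuthenticodeSignature`` on the file and parses the
    compact JSON object the script prints.

    Args:
        filepath: Path of the file to inspect. It is treated as untrusted
            data: the caller feeds in image paths of arbitrary running
            processes, and such a path may contain quote characters.

    Returns:
        ``(Status, Signer)`` as printed by PowerShell, where Signer is the
        certificate subject or ``"None"`` when no signer certificate is
        present; ``("Unknown", "Unknown")`` when PowerShell printed nothing;
        ``("Error", message)`` when launching PowerShell or parsing its
        output raised an exception.
    """
    import os  # local import: only this function needs os.environ

    try:
        # The path travels in an environment variable instead of being
        # spliced into the script text. Interpolating it between single
        # quotes let a path containing a quote end the string literal and
        # run the remainder as PowerShell code.
        child_env = dict(os.environ)
        child_env["SIG_TARGET_PATH"] = filepath

        # -LiteralPath keeps wildcard characters such as [ ] in the path from
        # being expanded as a pattern.
        ps_script = """
$sig = Get-AuthenticodeSignature -LiteralPath $env:SIG_TARGET_PATH;
$output = [PSCustomObject]@{
    Status = $sig.Status.ToString()
    Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { "None" }
}
$output | ConvertTo-Json -Compress
"""
        # -NoProfile stops profile scripts from running before the check and
        # from adding text to stdout; -NonInteractive prevents prompts.
        # NOTE(review): "powershell" is resolved through PATH; pin the full
        # path to the binary if the search path is not trusted.
        result = subprocess.run(
            ["powershell", "-NoProfile", "-NonInteractive", "-Command", ps_script],
            capture_output=True,
            text=True,
            env=child_env,
        )
        result_json = result.stdout.strip()
        if not result_json:
            # Nothing on stdout (stderr is not inspected here).
            return "Unknown", "Unknown"

        data = json.loads(result_json)
        # NOTE(review): Signer is the certificate subject string only; a
        # consumer that needs to pin a publisher should compare certificate
        # thumbprints rather than this text.
        return data["Status"], data["Signer"]
    except Exception as e:
        # Best effort by design: one unreadable file must not abort a scan.
        return "Error", str(e)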
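# Build one report line per running process whose image path ends in ".exe",
# then write the report to process_signatures.txt in the working directory.
output_lines = []

# Several processes can share one image path; each path is checked once so
# that PowerShell is not launched again for a file already inspected.
signature_cache = {}

for proc in psutil.process_iter(['pid', 'exe', 'name']):
    try:
        pid = proc.info['pid']
        exe = proc.info['exe']
        name = proc.info['name']
        # NOTE(review): processes with no resolvable image path, or with an
        # image that does not end in ".exe", are left out of the report
        # entirely; a reader of the report cannot tell them apart from
        # processes that were not running.
        if exe and exe.lower().endswith(".exe"):
            if exe not in signature_cache:
                # NOTE(review): this inspects the file found at the path now,
                # which is presumably, but not necessarily, the image the
                # process was started from.
                signature_cache[exe] = get_signature_info(exe)
            status, signer = signature_cache[exe]
            line = f"PID: {pid} | Name: {name} | Executable: {exe} | Signature Status: {status} | Signer: {signer}"
            output_lines.append(line)
    except (psutil.AccessDenied, psutil.NoSuchProcess):
        # The process exited or is not accessible to this user; skip it.
        continue

with open("process_signatures.txt", "w", encoding="utf-8") as f:
    f.writelines(line + "\n" for line in output_lines)

print("[+] Process signature info written to process_signatures.txt")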