Extracting Digital Signatures from Signed Malware with pf

Introduction

A lot of malware, PUPs (Potentially Unwanted Programs) and adware are now digitally signed. Those signatures contain properties that analysts can use as Indicators of Compromise (IOC), or that can be used to perform large-scale analysis across many samples. As an example, let's use the recent signed Dridex sample (5df62149bb91084eb677aecff7a8ca5fffeaaa23). On Windows, the Portable Executable file format stores this information in IMAGE_DIRECTORY_ENTRY_SECURITY, which corresponds to the 5th IMAGE_DATA_DIRECTORY.
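The layout described above, as an added example that is not part of the original post and does not use pf: a plain-Python parser that reads the 5th data directory, walks the WIN_CERTIFICATE table and returns the raw PKCS#7 blob(s) for analysis. build_sample_pe is a constructed test input (a headers-only PE32 with a fake certificate), not a real sample.

```python
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # 5th IMAGE_DATA_DIRECTORY (0-based index 4)
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 2  # bCertificate holds a PKCS#7 SignedData blob

def security_directory(pe: bytes):
    # Returns (file_offset, size) of the security directory, or None when the file is unsigned.
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = e_lfanew + 24                       # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    plus = {0x10B: False, 0x20B: True}[magic]  # PE32 vs PE32+; KeyError on an unknown magic
    num_dirs = struct.unpack_from("<I", pe, opt + (108 if plus else 92))[0]
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return None
    entry = opt + (112 if plus else 96) + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    offset, size = struct.unpack_from("<II", pe, entry)
    # Unlike the other directories, this VirtualAddress is a raw file offset, not an RVA.
    return (offset, size) if size else None

def extract_certificates(pe: bytes):
    # Walks the WIN_CERTIFICATE table; returns [(wRevision, wCertificateType, bCertificate)].
    loc = security_directory(pe)
    if loc is None:
        return []
    offset, end = loc[0], loc[0] + loc[1]
    if end > len(pe):
        raise ValueError("security directory points past end of file")
    certs = []
    while offset + 8 <= end:
        length, revision, ctype = struct.unpack_from("<IHH", pe, offset)
        if length < 8 or offset + length > end:
            raise ValueError("malformed WIN_CERTIFICATE at offset %d" % offset)
        certs.append((revision, ctype, pe[offset + 8:offset + length]))
        offset += (length + 7) & ~7           # entries are padded to 8-byte boundaries
    return certs

def build_sample_pe(cert_blob: bytes) -> bytes:
    # Constructed test input: a headers-only PE32 image carrying one WIN_CERTIFICATE.
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 96 + 16 * 8, 0x0102)
    cert = struct.pack("<IHH", 8 + len(cert_blob), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA)
    cert += cert_blob + b"\0" * (-(8 + len(cert_blob)) % 8)    # pad to 8-byte alignment
    dirs = [(0, 0)] * 16
    dirs[IMAGE_DIRECTORY_ENTRY_SECURITY] = (len(dos) + len(coff) + 96 + 16 * 8, len(cert))
    opt = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)
    return dos + coff + opt + b"".join(struct.pack("<II", *d) for d in dirs) + cert
```

On a real sample, pass the file contents to extract_certificates and hand each returned bCertificate to a PKCS#7/CMS parser to pull out signer, issuer and timestamps.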