Filed under: Malware — Didier Stevens @ 0:00
A colleague asked me for help with extracting code signing certificates from malicious files, to add them to Defender’s block list.
The procedure involves right-clicking the EXE in Windows Explorer, selecting properties to view the digital signature, and so on …
But I don’t like procedures where one has to click on malware.
So I looked for a PowerShell command, and found this.
Get-AuthenticodeSignature .\malware.exe.vir | Select-Object -ExpandProperty SignerCertificate | Export-Certificate -Type CERT -FilePath SignerCertificate.cer
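The one-liner above handles a single file. The following is an added example, not part of the original post, that generalizes it to a folder of samples: it skips files with no signer certificate and exports each distinct certificate once, named by thumbprint. The paths `.\samples` and `.\signer-certs` are hypothetical.

```powershell
# Added example, not from the original post.
# $SampleDir and $OutDir are hypothetical paths; adjust to your environment.
param(
    [string]$SampleDir = '.\samples',
    [string]$OutDir    = '.\signer-certs'
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$seen = @{}   # thumbprint -> $true, so each certificate is exported only once

$report = foreach ($file in Get-ChildItem -LiteralPath $SampleDir -File) {
    # Reads the signature from the file on disk; the sample is not executed.
    $sig  = Get-AuthenticodeSignature -LiteralPath $file.FullName
    $cert = $sig.SignerCertificate

    if ($null -eq $cert) {
        # No signer certificate (for example Status = NotSigned): nothing to export.
        [pscustomobject]@{
            File = $file.Name; Status = $sig.Status
            Thumbprint = $null; Subject = $null; Exported = $null
        }
        continue
    }

    # Export whenever a signer certificate is present, whatever the Status is;
    # Status is only recorded in the report.
    $target = Join-Path $OutDir ($cert.Thumbprint + '.cer')
    if (-not $seen.ContainsKey($cert.Thumbprint)) {
        Export-Certificate -Cert $cert -Type CERT -FilePath $target | Out-Null
        $seen[$cert.Thumbprint] = $true
    }

    [pscustomobject]@{
        File       = $file.Name
        Status     = $sig.Status
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        Exported   = $target
    }
}

# One row per sample: which certificate signed it and where the .cer was written.
$report | Format-Table -AutoSize
```

The report makes it easy to see which samples share a signing certificate before the exported `.cer` files are added to the block list.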