Compartir a través de


[Random] How to quickly view a binary's embedded manifest?

 

The "sigcheck" tool from sysinternals is of great help here. Use the "-m" option to view the embedded manifest.

 

 

Sigcheck v1.63 - File version and signature viewer

Copyright (C) 2004-2009 Mark Russinovich

Sysinternals - www.sysinternals.com

 

usage: \\live.sysinternals.com\tools\sigcheck.exe [-a][-h][-i][-e][-n][[-s]|[-v]|[-m]][-q][-r][-u][-c catalog file] <file or directory>

-a Show extended version information

-c Look for signature in the specified catalog file

-e Scan executable images only (regardless of their extension)

-h Show file hashes

-i Show catalog name and image signers

-m Dump manifest

-n Only show file version number

-q Quiet (no banner)

-r Check for certificate revocation

-s Recurse subdirectories

-u Show unsigned files only

-v Csv output

 

 

Here is an example. We'll use the sigcheck tool on notepad.

 

C:\>\\live.sysinternals.com\tools\sigcheck.exe -m c:\Windows\notepad.exe

 

Sigcheck v1.63 - File version and signature viewer

Copyright (C) 2004-2009 Mark Russinovich

Sysinternals - www.sysinternals.com

 

c:\windows\notepad.exe:

        Verified:       Signed

        Signing date:   5:30 AM 11/2/2006

        Publisher:      Microsoft Corporation

        Description:    Notepad

        Product:        Microsoft« Windows« Operating System

        Version:        6.0.6000.16386

        File version:   6.0.6000.16386 (vista_rtm.061101-2205)

        Manifest:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>

<!-- Copyright (c) Microsoft Corporation -->

<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">

<assemblyIdentity

    name="Microsoft.Windows.Shell.notepad"

    processorArchitecture="amd64"

    version="5.1.0.0"

    type="win32"/>

<description>Windows Shell</description>

<dependency>

    <dependentAssembly>

        <assemblyIdentity

            type="win32"

            name="Microsoft.Windows.Common-Controls"

            version="6.0.0.0"

            processorArchitecture="*"

            publicKeyToken="6595b64144ccf1df"

            language="*"

        />

    </dependentAssembly>

</dependency>

<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">

    <security>

        <requestedPrivileges>

            <requestedExecutionLevel level="asInvoker" uiAccess="false"/>

        </requestedPrivileges>

    </security>

</trustInfo>

</assembly>

 

 

FYI - You can "net use" into \\live.sysinternals.com\tools and use all the sysinternals tools like process explorer, process monitor etc. Isn't that cool?