1

When I open up my macro-enabled Office files (i.e., .docm, .xlsm, .pptm) that contain signed macros as a Zip file, I see the following three files, which I assume contain the digital signatures for the macro:

  1. vbaProjectSignature.bin
  2. vbaProjectSignatureAgile.bin
  3. vbaProjectSignatureV3.bin

Each file contains binary data, although I can see elements of the signing certificate in human-readable format. I tried to parse each file out by treating it as a CMS (or PKCS#7) file, but that didn't work. Perhaps it is a CMSSignedData structure but with some additional header and/or footer data that needs to be stripped off?

What I would like to know is how to parse out the raw signature value. If I can get it in a format like CMSSignedData that works too, since I can easily parse the signature from there.

Hmmmmm

1 Answer

3

Everything is documented in MS-OSHARED. The files are DigSigInfoSerialized structures (2.3.2.1 in the link). So first you read a UInt32, which is the size of the signature buffer. Then you read a UInt32 which represents the offset to the signature buffer (always 44 or 0x2C).

So you jump to the offset and read the size into a byte array (or equivalent).

If you are a .NET programmer, you would then just create a System.Security.SignedCms object and call the Decode method of the object.

If you are using Bouncy Castle, you should be able to create the CMSSignedData with the buffer.

kelalaka
AlexanderP
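The steps in the answer above, as an added Python example that is not part of the original answer: it finds the three signature parts named in the question inside the Office zip, reads the size and offset fields, and returns the signature buffer with bounds checks. Assumptions: both UInt32 fields are little-endian, the offset is counted from the start of the file, and the buffer is a bare DER-encoded CMS structure; the sample document, its `word/` path and its bytes are constructed test input, not a real signature.

```python
import io
import struct
import zipfile

# The three part names listed in the question.
SIG_NAMES = ("vbaProjectSignature.bin", "vbaProjectSignatureAgile.bin",
             "vbaProjectSignatureV3.bin")

def extract_signature_buffer(blob: bytes) -> bytes:
    """Return the signature buffer from one vbaProjectSignature*.bin file."""
    if len(blob) < 8:
        raise ValueError("too short for the size and offset fields")
    # Two little-endian UInt32 values: buffer size, then buffer offset.
    size, offset = struct.unpack_from("<II", blob, 0)
    if offset < 8 or offset + size > len(blob):
        raise ValueError(f"size {size} / offset {offset} exceed {len(blob)} bytes")
    buf = blob[offset:offset + size]
    # A DER-encoded CMS/PKCS#7 ContentInfo starts with a SEQUENCE tag (0x30).
    if not buf.startswith(b"\x30"):
        raise ValueError("buffer does not start with an ASN.1 SEQUENCE")
    return buf

def signatures_from_document(data: bytes) -> dict:
    """Map each signature part found in an Office zip to its extracted buffer."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.rsplit("/", 1)[-1] in SIG_NAMES:
                found[name] = extract_signature_buffer(zf.read(name))
    return found

def build_sample_document() -> bytes:
    """Constructed test input: a zip holding one fake signature part."""
    fake_der = b"\x30\x03\x02\x01\x01"  # SEQUENCE { INTEGER 1 }, not a signature
    part = struct.pack("<II", len(fake_der), 44).ljust(44, b"\x00") + fake_der
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as zf:
        zf.writestr("word/vbaProjectSignature.bin", part)  # constructed path
        zf.writestr("word/document.xml", "<w:document/>")
    return out.getvalue()

if __name__ == "__main__":
    for name, der in signatures_from_document(build_sample_document()).items():
        print(name, len(der), der.hex())
```

The returned bytes are what you would hand to `SignedCms.Decode` or `CMSSignedData`, as the answer describes.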