.sig blob — the complete WIN_CERTIFICATE structure (8-byte header + PKCS#7 SignedData). Use ZenCert inject or sign to apply this to another PE binary.
.crt (DER) — just the leaf X.509 certificate in binary DER format. Inspect with either of:
certutil -dump file.crt
openssl x509 -inform DER -in file.crt -text
Good donor sources:
Any Microsoft-signed system binary, signed driver, or Office binary chains to an MS root and passes WDAC default policy. See the WDAC Guide tab for specific paths.
Truncate Signature
What Truncate Does
Zeros the IMAGE_DATA_DIRECTORY certificate table entry, truncates the appended cert blob, and recalculates the PE checksum. The output binary is structurally valid but unsigned.
WDAC Trust Model
WDAC default policy trusts three categories:
1. Binaries signed by Microsoft (cert chains to an MS root CA)
2. WHQL-signed kernel-mode drivers
3. Windows Store apps via SI policy
Injecting a Microsoft cert into your binary satisfies WDAC publisher rules because Windows only checks the cert chain structure in the appended PKCS#7 — it does not re-verify the hash of the signed content when the goal is publisher matching (vs integrity verification).
SmartScreen — why your signed output is still flagged
SmartScreen uses file reputation (SHA-256 hash of the binary), not cert presence. Injecting a cert does not transfer reputation because the file's hash is different from the original donor.
To bypass SmartScreen: use an EV code signing cert (immediate trust), or build download reputation with an OV cert over time.
Even injecting an ntdll.dll cert will be SmartScreen-flagged on first run — the hash is unknown to Microsoft's reputation service.
Recommended MS-Signed Donors
These binaries chain to a known Microsoft Root CA and pass WDAC default policy when their cert is injected.
Path | Signer | Root
Known Microsoft Root CA Thumbprints
A43489159A520F0D93D032CCAF37E7FE20A8B419 — Microsoft Root Authority
3B1EFD3A66EA28B16697394703A72CA340A05BD5 — MS Root CA 2010
8F43288AD272F3103B6FB1428485EA3014C0BCFE — MS Root CA 2011
58120E84B10B4CC582EB0CA1F9B4E35F82E3D21D — MS Code Verification Root
06491B7FE3A9F46B20FC9027A72D97B4AB0B7534 — MS Authenticode Root