Skip to content
QCecuring

Binary Scanner

The Binary Scanner inspects compiled binaries to discover linked cryptographic libraries, embedded certificates, and code signatures.

What It Scans

Section titled “What It Scans”

Compiled binary files including:

  • Windows: DLL, EXE files (Authenticode signatures)
  • Linux: SO (shared object) files
  • Java: JAR files (JAR signatures, embedded certs)

How It Works

Section titled “How It Works”
  1. Walks configured directories looking for binary files by extension
  2. Analyzes each binary for:
    • Linked crypto libraries — detects references to OpenSSL, BoringSSL, NSS, Windows CryptoAPI
    • Embedded certificates — finds X.509 certificates compiled into the binary
    • Code signatures — extracts Authenticode (Windows) or JAR signing certificates
    • Signature algorithms — identifies the algorithms used for code signing
  3. Reports library versions where detectable

Configuration

Section titled “Configuration”
scanners:
  binary:
    - paths:
        - /usr/local/bin
        - /opt/app/lib
        - C:\Program Files\MyApp
      extensions:
        - dll
        - exe
        - so
        - jar
ParameterRequiredDefaultDescription
pathsYesList of directories to scan
extensionsNodll, exe, so, jarFile extensions to include

Assets Produced

Section titled “Assets Produced”
Asset TypeWhat’s Captured
algorithmLinked crypto library name and version, algorithm implementations detected
signatureCode signing algorithm, signer certificate reference, timestamp
certificateEmbedded or signing certificates with full X.509 properties

What Gets Detected

Section titled “What Gets Detected”
Detection TypeExamples
Crypto librariesOpenSSL 1.1.1, BoringSSL, NSS 3.68, Windows CNG
Embedded certsRoot CA certificates compiled into applications
AuthenticodeWindows code signing certificates and timestamp countersignatures
JAR signaturesJava archive signing certificates
Signature algorithmsSHA256withRSA, SHA384withECDSA

Deduplication

Section titled “Deduplication”
  • Embedded certificates: SHA-256 of DER-encoded bytes
  • Signatures: SHA-256 of signer certificate + binary file hash
  • Algorithms: Deduplicated by library name + version + binary path

Use Cases

Section titled “Use Cases”
  • Audit deployed binaries for crypto library versions — find outdated OpenSSL
  • Verify code signing — ensure all production binaries are properly signed
  • Detect expired signing certificates before they affect software updates
  • Identify embedded root CAs that may need rotation

Example Output

Section titled “Example Output”
{
  "type": "signature",
  "algorithm": "SHA256withRSA",
  "signerSubject": "CN=Example Corp Code Signing, O=Example Corp",
  "signerFingerprint": "sha256:f6a7b8c9d0e1...",
  "timestamp": "2024-03-01T14:30:00Z",
  "source": {
    "scanner": "binary",
    "filePath": "/opt/app/lib/crypto-service.jar",
    "signatureType": "JAR",
    "fileSize": 4521984
  }
}
{
  "type": "algorithm",
  "name": "OpenSSL",
  "version": "1.1.1w",
  "category": "crypto-library",
  "source": {
    "scanner": "binary",
    "filePath": "/usr/local/bin/myapp",
    "linkType": "dynamic"
  }
}

hidden Binary Scanner configuration

← Back to Scanners Overview | Sensor Setup Guide