How to verify trust of Certificate/Digital signature of PE file in a file-stream and not a file on disk


I am receiving a pointer to memory which contains a file, and I need to check whether the file has an embedded certificate (digital signature) and whether it is valid. In the past I used WinVerifyTrust for checking this with the WINTRUST_ACTION_GENERIC_VERIFY_V2 flag, but that is only for files on disk (I am getting the pointer to the memory from the driver before the file is written to disk). I thought of using WinVerifyTrust with the WINTRUST_BLOB_INFO structure, which according to this:

is used when calling WinVerifyTrust to verify a memory BLOB.

But unfortunately the documentation states:

Note: This structure is not currently supported for the following Inbox file formats. There may be other formats besides these that are not supported.
Portable executable (such as .exe, .dll, .ocx)
Cab files (.cab)
Catalog files (.cat)

I was able to get the certificate of the file using the X509Certificate(byte[]) constructor in C# and even check the chain using the X509Chain.Build(X509Certificate2) function, but there are more verifications that WinVerifyTrust does that aren't included in that check (for example, checking whether the file was tampered with since it was signed).


There are 0 answers
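The integrity check the post is missing, the part WinVerifyTrust performs for on-disk files, written in Python as an added example (not code from the post or from Microsoft) for an in-memory buffer: the Authenticode image hash is taken over the PE with the CheckSum field, the certificate-table directory entry and the certificate table itself excluded, and the WIN_CERTIFICATE blob extracted alongside it is the PKCS#7 SignedData whose embedded messageDigest that hash must equal. The sample PE is constructed and is not a real executable; comparing the digest against the SpcIndirectDataContent inside the PKCS#7 (ASN.1 parsing) and validating the signer chain are left to the caller.

```python
import hashlib
import struct

def _pe_layout(buf):
    """Offsets Authenticode needs, read from the in-memory PE headers (PE32 or PE32+)."""
    pe, = struct.unpack_from("<I", buf, 0x3C)                      # e_lfanew
    if buf[:2] != b"MZ" or buf[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, = struct.unpack_from("<H", buf, pe + 6)                  # NumberOfSections
    opt_size, = struct.unpack_from("<H", buf, pe + 20)             # SizeOfOptionalHeader
    opt, magic = pe + 24, struct.unpack_from("<H", buf, pe + 24)[0]
    cert_entry = opt + (112 if magic == 0x20B else 96) + 4 * 8    # IMAGE_DIRECTORY_ENTRY_SECURITY
    cert_off, cert_size = struct.unpack_from("<II", buf, cert_entry)
    hdr_end, = struct.unpack_from("<I", buf, opt + 60)             # SizeOfHeaders
    secs = sorted(struct.unpack_from("<II", buf, opt + opt_size + i * 40 + 16)[::-1]
                  for i in range(nsec))                            # (PointerToRawData, SizeOfRawData)
    return opt + 64, cert_entry, hdr_end, secs, cert_off, cert_size

def authenticode_hash(buf, algo="sha256"):
    """Image digest as Authenticode defines it: CheckSum, the cert-table entry and the cert table are skipped."""
    cksum, cert_entry, hdr_end, secs, _, cert_size = _pe_layout(buf)
    h = hashlib.new(algo)
    h.update(buf[:cksum] + buf[cksum + 4:cert_entry] + buf[cert_entry + 8:hdr_end])
    for ptr, size in secs:                                         # sections in file order
        h.update(buf[ptr:ptr + size])
    hashed = hdr_end + sum(size for _, size in secs)
    h.update(buf[hashed:len(buf) - cert_size])                     # trailing data; cert table assumed last
    return h.digest()

def embedded_signature(buf):
    """PKCS#7 SignedData bytes from the WIN_CERTIFICATE entry, or b'' if unsigned."""
    *_, cert_off, cert_size = _pe_layout(buf)
    if not cert_size:
        return b""
    length, _rev, ctype = struct.unpack_from("<IHH", buf, cert_off)
    if ctype != 0x0002:                                            # WIN_CERT_TYPE_PKCS_SIGNED_DATA
        raise ValueError("unexpected WIN_CERTIFICATE type 0x%04x" % ctype)
    return buf[cert_off + 8:cert_off + length]

def build_sample_pe(payload=b"constructed section bytes", sig=b"<constructed pkcs7 blob>"):
    """Constructed minimal PE32+ (one section plus a certificate table); not a real executable."""
    sec_off = sec_size = 0x200
    cert = struct.pack("<IHH", 8 + len(sig), 0x0200, 0x0002) + sig
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = (struct.pack("<H", 0x20B) + b"\0" * 58 + struct.pack("<II", sec_off, 0xDEADBEEF)
           + b"\0" * 76 + struct.pack("<II", sec_off + sec_size, len(cert)) + b"\0" * 88)
    section = b".text".ljust(8, b"\0") + struct.pack("<IIII", sec_size, 0x1000, sec_size, sec_off) + b"\0" * 16
    headers = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0" + coff + opt + section).ljust(sec_off, b"\0")
    return headers + payload.ljust(sec_size, b"\0") + cert
```

Because the CheckSum and the certificate table are excluded, re-signing or fixing the checksum leaves the digest unchanged, while any change to headers or section bytes alters it.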