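"""Report .exe/.dll files in a folder that fail Authenticode verification.

Each candidate file is passed to ``WinVerifyTrust`` with the generic
Authenticode policy (``WINTRUST_ACTION_GENERIC_VERIFY_V2``). Files for which
the call returns anything other than 0 are printed with the raw status code.

Limits of this check, as configured below:

* ``fdwRevocationChecks`` is ``WTD_REVOKE_NONE``, so this call requests no
  revocation checking; a signature made with a since-revoked certificate may
  still be reported as valid.
* ``WTD_CHOICE_FILE`` verifies the signature embedded in the file itself.
  Files that are signed only through a security catalog are reported as
  having no signature by this path.
* A pass means "signed by some publisher this machine trusts", not "signed
  by the expected vendor". Compare the signer certificate separately if the
  publisher identity matters.
"""

import ctypes
import os
import uuid
from ctypes import wintypes


class GUID(ctypes.Structure):
    """Win32 ``GUID`` structure, constructed from its textual form."""

    _fields_ = [
        ("Data1", wintypes.DWORD),
        ("Data2", wintypes.WORD),
        ("Data3", wintypes.WORD),
        ("Data4", wintypes.BYTE * 8),
    ]

    def __init__(self, guid_str):
        """Fill the four GUID members from a string such as ``"xxxxxxxx-xxxx-..."``."""
        parsed = uuid.UUID(guid_str)
        ctypes.Structure.__init__(self)
        # The first three UUID fields map one-to-one onto Data1..Data3.
        self.Data1, self.Data2, self.Data3 = parsed.fields[:3]
        # The remaining eight bytes are stored verbatim in Data4.
        self.Data4[:] = parsed.bytes[8:]


# Policy GUID handed to WinVerifyTrust for Authenticode verification.
WINTRUST_ACTION_GENERIC_VERIFY_V2 = GUID("00AAC56B-CD44-11d0-8CC2-00C04FC295EE")


class WINTRUST_FILE_INFO(ctypes.Structure):
    """Identifies the file whose signature WinVerifyTrust should check."""

    _fields_ = [
        ("cbStruct", wintypes.DWORD),
        ("pcwszFilePath", wintypes.LPCWSTR),
        ("hFile", wintypes.HANDLE),
        ("pgKnownSubject", ctypes.POINTER(GUID)),
    ]


class WINTRUST_DATA(ctypes.Structure):
    """Request block for WinVerifyTrust.

    ``pFile`` stands in for the union member selected by ``WTD_CHOICE_FILE``.
    NOTE(review): newer SDK headers append a ``pSignatureSettings`` pointer
    after ``dwUIContext``; it is left out here and ``cbStruct`` carries the
    size of this shorter layout - confirm that is intended.
    """

    _fields_ = [
        ("cbStruct", wintypes.DWORD),
        ("pPolicyCallbackData", wintypes.LPVOID),
        ("pSIPClientData", wintypes.LPVOID),
        ("dwUIChoice", wintypes.DWORD),
        ("fdwRevocationChecks", wintypes.DWORD),
        ("dwUnionChoice", wintypes.DWORD),
        ("pFile", ctypes.POINTER(WINTRUST_FILE_INFO)),
        ("dwStateAction", wintypes.DWORD),
        ("hWVTStateData", wintypes.HANDLE),
        ("pwszURLReference", wintypes.LPCWSTR),
        ("dwProvFlags", wintypes.DWORD),
        ("dwUIContext", wintypes.DWORD),
    ]


# WinVerifyTrust constants used by this script.
ERROR_SUCCESS = 0
WTD_UI_NONE = 2                      # never show a trust dialog
WTD_REVOKE_NONE = 0                  # no revocation checking requested (see module docstring)
WTD_CHOICE_FILE = 1                  # the union member in use is pFile
WTD_STATEACTION_VERIFY = 0x00000001
WTD_STATEACTION_CLOSE = 0x00000002
WTD_SAFER_FLAG = 0x00000100          # NOTE(review): provider flag; confirm it is needed here

WinVerifyTrust = ctypes.windll.wintrust.WinVerifyTrust
# Declare the prototype so the window handle and both pointers are marshalled
# at pointer width and the status comes back as a signed LONG.
WinVerifyTrust.argtypes = [
    wintypes.HWND,
    ctypes.POINTER(GUID),
    ctypes.POINTER(WINTRUST_DATA),
]
WinVerifyTrust.restype = wintypes.LONG


def _win_verify_trust_status(file_path):
    """Run WinVerifyTrust on *file_path* and return its raw status code.

    0 means the embedded signature verified under the generic Authenticode
    policy. Any other value is the failure status; for example 0x800B0100
    (TRUST_E_NOSIGNATURE) means the file carries no signature, while
    0x80096010 (TRUST_E_BAD_DIGEST) means the file content no longer matches
    the signed hash.
    """
    file_info = WINTRUST_FILE_INFO(
        cbStruct=ctypes.sizeof(WINTRUST_FILE_INFO),
        pcwszFilePath=file_path,
        hFile=None,
        pgKnownSubject=None,
    )
    trust_data = WINTRUST_DATA(
        cbStruct=ctypes.sizeof(WINTRUST_DATA),
        pPolicyCallbackData=None,
        pSIPClientData=None,
        dwUIChoice=WTD_UI_NONE,
        fdwRevocationChecks=WTD_REVOKE_NONE,
        dwUnionChoice=WTD_CHOICE_FILE,
        pFile=ctypes.pointer(file_info),
        dwStateAction=WTD_STATEACTION_VERIFY,
        hWVTStateData=None,
        pwszURLReference=None,
        dwProvFlags=WTD_SAFER_FLAG,
        dwUIContext=0,
    )
    action = ctypes.byref(WINTRUST_ACTION_GENERIC_VERIFY_V2)

    status = WinVerifyTrust(None, action, ctypes.byref(trust_data))

    # A VERIFY call leaves provider state behind in hWVTStateData; a second
    # call with CLOSE releases it. Its return value is not the verdict.
    trust_data.dwStateAction = WTD_STATEACTION_CLOSE
    WinVerifyTrust(None, action, ctypes.byref(trust_data))

    return status


def is_authenticode_signed(file_path):
    """Return True when WinVerifyTrust reports success (0) for *file_path*.

    Every non-zero status (unsigned, tampered, untrusted root, missing file,
    and so on) yields False; use the status code printed by ``check_folder``
    to tell these apart.
    """
    return _win_verify_trust_status(file_path) == ERROR_SUCCESS


def check_folder(folder):
    """Print every .exe/.dll directly inside *folder* that fails verification.

    Only regular files are examined, so a directory whose name happens to end
    in ``.exe`` or ``.dll`` is skipped. Sub-folders are not descended into.
    Files that verify are not printed.
    """
    with os.scandir(folder) as entries:
        for entry in entries:
            if not entry.is_file():
                continue
            if not entry.name.lower().endswith((".exe", ".dll")):
                continue
            status = _win_verify_trust_status(entry.path)
            if status == ERROR_SUCCESS:
                continue
            # Show the status as an unsigned 32-bit hex value so it can be
            # looked up directly; an unsigned file and a modified file then
            # no longer look the same in the report.
            print(
                f"{entry.name}: No valid signature "
                f"(WinVerifyTrust status 0x{status & 0xFFFFFFFF:08X})"
            )


if __name__ == "__main__":
    # Replace with your actual folder
    check_folder(r"C:\ExtractedAssemblies\Starling.NetworkAgent.Service\9ohST8PGRSIduFfcpZoJsrCC3S9bCq4=")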