pe: add authenticode support #358

baloo · 2023-03-10T06:01:46Z

Authenticode is the hashing format used to sign PE binaries. This provides the hash to be signed.

Usage:

use goblin::pe::PE;
use sha2::Sha256;
use std::{fs::File, io::Read};

fn main() {
    let mut buf = Vec::new();
    let mut f =
        File::open("/nix/store/bhsxra1hc7yhja2kzw5rdds90i3w3a54-linux-5.10.147/bzImage").unwrap();
    f.read_to_end(&mut buf).unwrap();

    let pe = PE::parse(&buf).unwrap();
    let hash = pe.authenticode_digest::<Sha256>();

    println!("hash: {:x?}", hash);
}

Fixes #355
cc @RaitoBezarius

RaitoBezarius

Some nitpicks but amazing <3. Thank you so much!

src/pe/authenticode.rs

RaitoBezarius · 2023-03-11T14:50:00Z

src/pe/mod.rs

@@ -29,6 +31,11 @@ use log::debug;
 #[derive(Debug)]
 /// An analyzed PE32/PE32+ binary
 pub struct PE<'a> {
+    #[cfg(feature = "pe_source")]
+    /// Underlying bytes
+    bytes: &'a [u8],


I'm not so sure about this, what would be the rationale to introduce this vs. just letting the caller passing the original bytes around?
I will let @m4b weighs on as I don't have fully context on the design goals of the library.

src/pe/mod.rs

src/pe/optional_header.rs

Authenticode is the hashing format used to sign PE binaries. This provides the hash to be signed.

m4b · 2023-03-13T03:10:22Z

For similar reasons I've noted in #360 it's going to take some serious convincing to add more deps to goblin.

baloo · 2023-03-13T04:18:13Z

I get the point about not adding dependencies to goblin itself. I'd be more than happy to implement those as trait and get that implemented in a dependency of both goblin and digest, but there are some data that I need goblin to emit. Namely, the sections I need to omit from the authenticode computation, I don't think I can't get that done outside goblin.

I think it would also be nice to have the "source bytes" in the PE objects, if you're alright with that.

Anyway, thanks for maintaining goblin in the first place.

baloo · 2023-03-13T04:27:19Z

(made an alternative in #362)

baloo marked this pull request as draft March 10, 2023 06:02

baloo force-pushed the baloo/authenticode-support branch 2 times, most recently from 37e49e6 to 39eadb5 Compare March 10, 2023 06:26

baloo marked this pull request as ready for review March 10, 2023 06:26

baloo force-pushed the baloo/authenticode-support branch 7 times, most recently from 4ef7f0d to 48adabc Compare March 11, 2023 06:39

RaitoBezarius suggested changes Mar 11, 2023

View reviewed changes

baloo force-pushed the baloo/authenticode-support branch 4 times, most recently from e21d5c5 to b322e50 Compare March 11, 2023 19:13

pe: add authenticode support

a2f65e3

Authenticode is the hashing format used to sign PE binaries. This provides the hash to be signed.

baloo force-pushed the baloo/authenticode-support branch from b322e50 to a2f65e3 Compare March 11, 2023 19:14

baloo mentioned this pull request Mar 13, 2023

pe: parse pkcs7 Content in certificate table #360

Closed

baloo mentioned this pull request Mar 13, 2023

pe: add authenticode support / v2 #362

Merged

baloo closed this Mar 13, 2023

baloo deleted the baloo/authenticode-support branch May 5, 2023 03:18

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

pe: add authenticode support #358

pe: add authenticode support #358

baloo commented Mar 10, 2023 •

edited

RaitoBezarius left a comment

RaitoBezarius Mar 11, 2023

m4b commented Mar 13, 2023

baloo commented Mar 13, 2023

baloo commented Mar 13, 2023

pe: add authenticode support #358

pe: add authenticode support #358

Conversation

baloo commented Mar 10, 2023 • edited

RaitoBezarius left a comment

Choose a reason for hiding this comment

RaitoBezarius Mar 11, 2023

Choose a reason for hiding this comment

m4b commented Mar 13, 2023

baloo commented Mar 13, 2023

baloo commented Mar 13, 2023

baloo commented Mar 10, 2023 •

edited