Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

pe: add authenticode support #358

Closed
wants to merge 1 commit into from
Closed

pe: add authenticode support #358

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
3 changes: 3 additions & 0 deletions Cargo.toml
View file
Open in desktop
Expand Up @@ -27,6 +27,7 @@ description = "An impish, cross-platform, ELF, Mach-o, and PE binary parsing and

[dependencies]
plain = "0.2.3"
digest = { version = "0.10.6", optional = true }

[dependencies.log]
version = "0.4"
Expand All @@ -50,6 +51,8 @@ mach64 = ["alloc", "endian_fd", "archive"]
pe32 = ["alloc", "endian_fd"]
pe64 = ["alloc", "endian_fd"]
archive = ["alloc"]
pe_source = []
pe_authenticode = ["pe_source", "digest"]

[badges.travis-ci]
branch = "master"
Expand Down
129 changes: 129 additions & 0 deletions src/pe/authenticode.rs
View file
Open in desktop
@@ -0,0 +1,129 @@
// Reference:
// https://learn.microsoft.com/en-us/windows-hardware/drivers/install/authenticode
// https://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/Authenticode_PE.docx

// Authenticode works by omiting sections of the PE binary from the digest
// those sections are:
// - checksum
// - data directory entry for certtable
// - certtable

use alloc::{boxed::Box, vec::Vec};
use core::ops::Range;
use digest::{Digest, Output};

use super::PE;

impl PE<'_> {
/// [`authenticode_ranges`] returns the various ranges of the binary that are relevant for
/// signature.
fn authenticode_ranges(&self) -> ExcludedAuthenticodeSectionsIter<'_> {
ExcludedAuthenticodeSectionsIter {
pe: self,
state: IterState::default(),
}
}

/// [`authenticode_digest`] returns the result of the provided hash algorithm.
pub fn authenticode_digest<D: Digest>(&self) -> Output<D> {
let mut digest = D::new();

for chunk in self.authenticode_ranges() {
digest.update(chunk);
}

digest.finalize()
}

/// [`authenticode_slice`] is intended for convenience when signing a binary with a PKCS#11
/// interface (HSM interface).
/// Some algorithms (RSA-PKCS at least) for signature require the non-prehashed slice to be provided.
pub fn authenticode_slice(&self) -> Box<[u8]> {
// PE may be 70-80MB large (especially for linux UKIs). We'll get the length beforehand as
// it's cheaper than getting Vec to realloc and move stuff around multiple times.
let mut length = 0;
for chunk in self.authenticode_ranges() {
length += chunk.len();
}

let mut out = Vec::with_capacity(length);
for chunk in self.authenticode_ranges() {
out.extend_from_slice(chunk);
}

out.into()
}
}

/// [`ExcludedAuthenticodeSections`] holds the various ranges of the binary that are expected to be
/// excluded from the authenticode computation.
#[derive(Debug, Clone, Default)]
pub(super) struct ExcludedAuthenticodeSections {
pub checksum: Range<usize>,
pub datadir_entry_certtable: Range<usize>,
pub certtable: Option<Range<usize>>,
}

pub struct ExcludedAuthenticodeSectionsIter<'s> {
pe: &'s PE<'s>,
state: IterState,
}

#[derive(Default, Debug, PartialEq)]
enum IterState {
#[default]
Initial,
DatadirEntry(usize),
CertTable(usize),
Final(usize),
Done,
}

impl<'s> Iterator for ExcludedAuthenticodeSectionsIter<'s> {
type Item = &'s [u8];

fn next(&mut self) -> Option<Self::Item> {
let bytes = &self.pe.bytes;

if let Some(sections) = self.pe.excluded_authenticode_sections.as_ref() {
loop {
match self.state {
IterState::Initial => {
self.state = IterState::DatadirEntry(sections.checksum.end);
return Some(&bytes[..sections.checksum.start]);
}
IterState::DatadirEntry(start) => {
self.state = IterState::CertTable(sections.datadir_entry_certtable.end);
return Some(&bytes[start..sections.datadir_entry_certtable.start]);
}
IterState::CertTable(start) => {
if let Some(certtable) = sections.certtable.as_ref() {
self.state = IterState::Final(certtable.end);
return Some(&bytes[start..certtable.start]);
} else {
self.state = IterState::Final(start)
}
}
IterState::Final(start) => {
self.state = IterState::Done;
return Some(&bytes[start..]);
}
IterState::Done => return None,
}
}
} else {
loop {
match self.state {
IterState::Initial => {
self.state = IterState::Done;
return Some(bytes);
}
IterState::Done => return None,
_ => {
self.state = IterState::Done;
}
}
}
}
}
}
75 changes: 72 additions & 3 deletions src/pe/mod.rs
View file
Open in desktop
Expand Up @@ -5,6 +5,8 @@

use alloc::vec::Vec;

#[cfg(feature = "pe_authenticode")]
pub mod authenticode;
pub mod certificate_table;
pub mod characteristic;
pub mod data_directories;
Expand All @@ -29,6 +31,11 @@ use log::debug;
#[derive(Debug)]
/// An analyzed PE32/PE32+ binary
pub struct PE<'a> {
#[cfg(feature = "pe_source")]
/// Underlying bytes
bytes: &'a [u8],
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not so sure about this, what would be the rationale to introduce this vs. just letting the caller passing the original bytes around?
I will let @m4b weighs on as I don't have fully context on the design goals of the library.

#[cfg(feature = "pe_authenticode")]
excluded_authenticode_sections: Option<authenticode::ExcludedAuthenticodeSections>,
/// The PE header
pub header: header::Header,
/// A list of the sections in this PE binary
Expand Down Expand Up @@ -72,11 +79,16 @@ impl<'a> PE<'a> {
/// Reads a PE binary from the underlying `bytes`
pub fn parse_with_opts(bytes: &'a [u8], opts: &options::ParseOptions) -> error::Result<Self> {
let header = header::Header::parse(bytes)?;
#[cfg(feature = "pe_authenticode")]
let mut excluded_authenticode_sections = None;

debug!("{:#?}", header);
let offset = &mut (header.dos_header.pe_pointer as usize
let optional_header_offset = header.dos_header.pe_pointer as usize
+ header::SIZEOF_PE_MAGIC
+ header::SIZEOF_COFF_HEADER
+ header.coff_header.size_of_optional_header as usize);
+ header::SIZEOF_COFF_HEADER;
let offset =
&mut (optional_header_offset + header.coff_header.size_of_optional_header as usize);

let sections = header.coff_header.sections(bytes, offset)?;
let is_lib = characteristic::is_dll(header.coff_header.characteristics);
let mut entry = 0;
Expand All @@ -92,6 +104,47 @@ impl<'a> PE<'a> {
let mut certificates = Default::default();
let mut is_64 = false;
if let Some(optional_header) = header.optional_header {
#[cfg(feature = "pe_authenticode")]
// Sections we are assembling through the parsing, eventually, it will be passed
// to the authenticode_sections attribute of `PE`.
let mut excluded_sections = {
let (checksum, datadir_entry_certtable) =
match optional_header.standard_fields.magic {
optional_header::MAGIC_32 => {
let standard_field_offset =
optional_header_offset + optional_header::SIZEOF_STANDARD_FIELDS_32;
let checksum_field_offset = standard_field_offset
+ optional_header::OFFSET_WINDOWS_FIELDS_32_CHECKSUM;
(
checksum_field_offset..checksum_field_offset + 4,
optional_header_offset + 128..optional_header_offset + 136,
)
}
optional_header::MAGIC_64 => {
let standard_field_offset =
optional_header_offset + optional_header::SIZEOF_STANDARD_FIELDS_64;
let checksum_field_offset = standard_field_offset
+ optional_header::OFFSET_WINDOWS_FIELDS_64_CHECKSUM;

(
checksum_field_offset..checksum_field_offset + 4,
optional_header_offset + 144..optional_header_offset + 152,
)
}
magic => {
return Err(error::Error::Malformed(format!(
"Unsupported header magic ({magic:#x})"
)))
}
};

authenticode::ExcludedAuthenticodeSections {
checksum,
datadir_entry_certtable,
certtable: None,
}
};

entry = optional_header.standard_fields.address_of_entry_point as usize;
image_base = optional_header.windows_fields.image_base as usize;
is_64 = optional_header.container()? == container::Container::Big;
Expand Down Expand Up @@ -190,9 +243,25 @@ impl<'a> PE<'a> {
certificate_table.virtual_address,
certificate_table.size,
)?;

#[cfg(feature = "pe_authenticode")]
{
let start = certificate_table.virtual_address as usize;
let end = start + certificate_table.size as usize;
excluded_sections.certtable = Some(start..end);
}
}

#[cfg(feature = "pe_authenticode")]
{
excluded_authenticode_sections = Some(excluded_sections);
}
}
Ok(PE {
#[cfg(feature = "pe_source")]
bytes,
#[cfg(feature = "pe_authenticode")]
excluded_authenticode_sections,
header,
sections,
size: 0,
Expand Down
4 changes: 4 additions & 0 deletions src/pe/optional_header.rs
View file
Open in desktop
Expand Up @@ -120,6 +120,8 @@ pub struct WindowsFields32 {
}

pub const SIZEOF_WINDOWS_FIELDS_32: usize = 68;
/// Offset of the `check_sum` field in [`WindowsFields32`]
pub const OFFSET_WINDOWS_FIELDS_32_CHECKSUM: usize = 36;
baloo marked this conversation as resolved.
Show resolved Hide resolved

/// 64-bit Windows specific fields
#[repr(C)]
Expand Down Expand Up @@ -149,6 +151,8 @@ pub struct WindowsFields64 {
}

pub const SIZEOF_WINDOWS_FIELDS_64: usize = 88;
/// Offset of the `check_sum` field in [`WindowsFields64`]
pub const OFFSET_WINDOWS_FIELDS_64_CHECKSUM: usize = 40;
baloo marked this conversation as resolved.
Show resolved Hide resolved

// /// Generic 32/64-bit Windows specific fields
// #[derive(Debug, PartialEq, Copy, Clone, Default)]
Expand Down