[Forensics-changes] [yara] 75/407: Implement sha256 of rich signature.
Hilko Bengen
bengen at moszumanska.debian.org
Sat Jul 1 10:28:11 UTC 2017
This is an automated email from the git hooks/post-receive script.
bengen pushed a commit to annotated tag v3.3.0
in repository yara.
commit ff6646c92d303f442c26bd87d6034ff9b2255289
Author: Wesley Shields <wxs at atarininja.org>
Date: Fri Oct 3 20:54:05 2014 -0400
Implement sha256 of rich signature.
Also, remove storing the parsed rich signature data redundantly. It is
already stored as yara strings internally.
---
libyara/Makefile.am | 4 +-
libyara/include/yara/sha256.h | 34 +++++++++
libyara/modules/pe.c | 72 ++++++++++++-------
libyara/sha256.c | 158 ++++++++++++++++++++++++++++++++++++++++++
4 files changed, 243 insertions(+), 25 deletions(-)
diff --git a/libyara/Makefile.am b/libyara/Makefile.am
index 3571b64..d486688 100644
--- a/libyara/Makefile.am
+++ b/libyara/Makefile.am
@@ -46,7 +46,8 @@ yarainclude_HEADERS = \
include/yara/object.h \
include/yara/strutils.h \
include/yara/libyara.h \
- include/yara/md5.h
+ include/yara/md5.h \
+ include/yara/sha256.h
lib_LTLIBRARIES = libyara.la
@@ -92,6 +93,7 @@ libyara_la_SOURCES = \
re_lexer.l \
rules.c \
scan.c \
+ sha256.c \
sizedstr.h \
strutils.c \
utils.h
diff --git a/libyara/include/yara/sha256.h b/libyara/include/yara/sha256.h
new file mode 100644
index 0000000..4d824bd
--- /dev/null
+++ b/libyara/include/yara/sha256.h
@@ -0,0 +1,34 @@
+/*********************************************************************
+* Filename: sha256.h
+* Author: Brad Conte (brad AT bradconte.com)
+* Copyright:
+* Disclaimer: This code is presented "as is" without any guarantees.
+* Details: Defines the API for the corresponding SHA1 implementation.
+*********************************************************************/
+
+#ifndef SHA256_H
+#define SHA256_H
+
+/*************************** HEADER FILES ***************************/
+#include <stddef.h>
+
+/****************************** MACROS ******************************/
+#define SHA256_BLOCK_SIZE 32 // SHA256 outputs a 32 byte digest
+
+/**************************** DATA TYPES ****************************/
+typedef unsigned char SHA_BYTE; // 8-bit byte
+typedef unsigned int SHA_WORD; // 32-bit word, change to "long" for 16-bit machines
+
+typedef struct {
+ SHA_BYTE data[64];
+ SHA_WORD datalen;
+ unsigned long long bitlen;
+ SHA_WORD state[8];
+} SHA256_CTX;
+
+/*********************** FUNCTION DECLARATIONS **********************/
+void sha256_init(SHA256_CTX *ctx);
+void sha256_update(SHA256_CTX *ctx, const SHA_BYTE data[], size_t len);
+void sha256_final(SHA256_CTX *ctx, SHA_BYTE hash[]);
+
+#endif // SHA256_H
diff --git a/libyara/modules/pe.c b/libyara/modules/pe.c
index b8b8590..0eb72a7 100644
--- a/libyara/modules/pe.c
+++ b/libyara/modules/pe.c
@@ -24,6 +24,7 @@ limitations under the License.
#include <yara/modules.h>
#include <yara/md5.h>
#include <yara/mem.h>
+#include <yara/sha256.h>
#include <yara/strutils.h>
#define MODULE_NAME pe
@@ -106,7 +107,6 @@ typedef struct _PE
PIMAGE_NT_HEADERS32 header;
YR_OBJECT* object;
- PRICH_DATA rich_data;
PIMPORT_LIST imports;
} PE;
@@ -1733,7 +1733,7 @@ PIMAGE_NT_HEADERS32 pe_get_header(
// Parse the rich signature.
// http://www.ntcore.com/files/richsign.htm
-PRICH_DATA pe_get_rich_signature(
+void *pe_get_rich_signature(
uint8_t* buffer,
size_t buffer_length,
YR_OBJECT* pe_obj)
@@ -1742,7 +1742,6 @@ PRICH_DATA pe_get_rich_signature(
PIMAGE_NT_HEADERS32 pe_header;
PRICH_SIGNATURE rich_signature;
DWORD* rich_ptr;
- PRICH_DATA rich_data;
BYTE* raw_data = NULL;
BYTE* clear_data = NULL;
@@ -1809,18 +1808,9 @@ PRICH_DATA pe_get_rich_signature(
*rich_ptr ^= rich_signature->key1;
}
- rich_data = (PRICH_DATA) yr_malloc(sizeof(RICH_DATA));
- if (!rich_data) {
- yr_free(raw_data);
- yr_free(clear_data);
- }
-
set_string((char *) raw_data, rich_len, pe_obj, "rich_signature.raw_data");
set_string((char *) clear_data, rich_len, pe_obj, "rich_signature.clear_data");
- rich_data->len = rich_len;
- rich_data->raw_data = raw_data;
- rich_data->clear_data = clear_data;
- return rich_data;
+ return NULL;
}
return NULL;
@@ -2381,7 +2371,7 @@ define_function(imphash)
md5_final(&ctx, md_value);
// Convert md_value into it's hexlified form.
- final_hash = yr_malloc((MD5_BLOCK_SIZE * 2));
+ final_hash = yr_malloc(MD5_BLOCK_SIZE * 2);
if (!final_hash)
return_integer(0);
@@ -2389,7 +2379,48 @@ define_function(imphash)
for (i = 0; i < MD5_BLOCK_SIZE; i++)
snprintf(p + 2 * i, 3, "%02x", md_value[i]);
- if (strncasecmp(hash, final_hash, (MD5_BLOCK_SIZE* 2)) == 0)
+ if (strncasecmp(hash, final_hash, (MD5_BLOCK_SIZE * 2)) == 0)
+ result = 1;
+
+ yr_free(final_hash);
+ return_integer(result);
+}
+
+
+/*
+ * XXX: Nothing fancy here. Just a sha256 of the clear data.
+ */
+define_function(richhash)
+{
+ char *p;
+ int i;
+ SHA256_CTX ctx;
+ unsigned char md_value[SHA256_BLOCK_SIZE];
+ char *final_hash;
+ char *hash = string_argument(1);
+ int result = 0;
+ YR_OBJECT* parent = parent();
+
+ SIZED_STRING *clear_data = get_string(parent, "clear_data");
+
+ // Length should be at least 0x80
+ sha256_init(&ctx);
+ for (i = 0; i < clear_data->length; i += 4) {
+ sha256_update(&ctx, (SHA_BYTE *) ((uint32_t *) (clear_data->c_string + i)), 0x04);
+ }
+ sha256_final(&ctx, md_value);
+
+ // Convert md_value into it's hexlified form.
+ final_hash = yr_malloc(SHA256_BLOCK_SIZE * 2);
+ if (!final_hash)
+ return_integer(0);
+
+ p = final_hash;
+ for (i = 0; i < SHA256_BLOCK_SIZE; i++) {
+ snprintf(p + 2 * i, 3, "%02x", md_value[i]);
+ }
+
+ if (strncasecmp(hash, final_hash, (SHA256_BLOCK_SIZE * 2)) == 0)
result = 1;
yr_free(final_hash);
@@ -2797,6 +2828,7 @@ begin_declarations;
declare_integer("key");
declare_string("raw_data");
declare_string("clear_data");
+ declare_function("richhash", "s", "i", richhash);
end_struct("rich_signature");
declare_function("section_index", "s", "i", section_index);
@@ -2924,13 +2956,12 @@ int module_load(
return ERROR_INSUFICIENT_MEMORY;
// Get the rich signature.
- PRICH_DATA rich_data = pe_get_rich_signature(block->data, block->size, module_object);
+ pe_get_rich_signature(block->data, block->size, module_object);
pe->data = block->data;
pe->data_size = block->size;
pe->header = pe_header;
pe->object = module_object;
- pe->rich_data = rich_data;
module_object->data = pe;
@@ -2958,13 +2989,6 @@ int module_unload(YR_OBJECT* module_object)
PIMPORT_FUNC_LIST next_func_node = NULL;
PE* pe = (PE *) module_object->data;
if (pe != NULL) {
- if (pe->rich_data) {
- if (pe->rich_data->raw_data)
- yr_free(pe->rich_data->raw_data);
- if (pe->rich_data->clear_data)
- yr_free(pe->rich_data->clear_data);
- yr_free(pe->rich_data);
- }
if (pe->imports) {
cur_dll_node = pe->imports;
while (cur_dll_node) {
diff --git a/libyara/sha256.c b/libyara/sha256.c
new file mode 100644
index 0000000..bc8d53f
--- /dev/null
+++ b/libyara/sha256.c
@@ -0,0 +1,158 @@
+/*********************************************************************
+* Filename: sha256.c
+* Author: Brad Conte (brad AT bradconte.com)
+* Copyright:
+* Disclaimer: This code is presented "as is" without any guarantees.
+* Details: Implementation of the SHA-256 hashing algorithm.
+ SHA-256 is one of the three algorithms in the SHA2
+ specification. The others, SHA-384 and SHA-512, are not
+ offered in this implementation.
+ Algorithm specification can be found here:
+ * http://csrc.nist.gov/publications/fips/fips180-2/fips180-2withchangenotice.pdf
+ This implementation uses little endian byte order.
+*********************************************************************/
+
+/*************************** HEADER FILES ***************************/
+#include <stdlib.h>
+#include <memory.h>
+#include <yara/sha256.h>
+
+/****************************** MACROS ******************************/
+#define ROTLEFT(a,b) (((a) << (b)) | ((a) >> (32-(b))))
+#define ROTRIGHT(a,b) (((a) >> (b)) | ((a) << (32-(b))))
+
+#define CH(x,y,z) (((x) & (y)) ^ (~(x) & (z)))
+#define MAJ(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
+#define EP0(x) (ROTRIGHT(x,2) ^ ROTRIGHT(x,13) ^ ROTRIGHT(x,22))
+#define EP1(x) (ROTRIGHT(x,6) ^ ROTRIGHT(x,11) ^ ROTRIGHT(x,25))
+#define SIG0(x) (ROTRIGHT(x,7) ^ ROTRIGHT(x,18) ^ ((x) >> 3))
+#define SIG1(x) (ROTRIGHT(x,17) ^ ROTRIGHT(x,19) ^ ((x) >> 10))
+
+/**************************** VARIABLES *****************************/
+static const SHA_WORD k[64] = {
+ 0x428a2f98,0x71374491,0xb5c0fbcf,0xe9b5dba5,0x3956c25b,0x59f111f1,0x923f82a4,0xab1c5ed5,
+ 0xd807aa98,0x12835b01,0x243185be,0x550c7dc3,0x72be5d74,0x80deb1fe,0x9bdc06a7,0xc19bf174,
+ 0xe49b69c1,0xefbe4786,0x0fc19dc6,0x240ca1cc,0x2de92c6f,0x4a7484aa,0x5cb0a9dc,0x76f988da,
+ 0x983e5152,0xa831c66d,0xb00327c8,0xbf597fc7,0xc6e00bf3,0xd5a79147,0x06ca6351,0x14292967,
+ 0x27b70a85,0x2e1b2138,0x4d2c6dfc,0x53380d13,0x650a7354,0x766a0abb,0x81c2c92e,0x92722c85,
+ 0xa2bfe8a1,0xa81a664b,0xc24b8b70,0xc76c51a3,0xd192e819,0xd6990624,0xf40e3585,0x106aa070,
+ 0x19a4c116,0x1e376c08,0x2748774c,0x34b0bcb5,0x391c0cb3,0x4ed8aa4a,0x5b9cca4f,0x682e6ff3,
+ 0x748f82ee,0x78a5636f,0x84c87814,0x8cc70208,0x90befffa,0xa4506ceb,0xbef9a3f7,0xc67178f2
+};
+
+/*********************** FUNCTION DEFINITIONS ***********************/
+void sha256_transform(SHA256_CTX *ctx, const SHA_BYTE data[])
+{
+ SHA_WORD a, b, c, d, e, f, g, h, i, j, t1, t2, m[64];
+
+ for (i = 0, j = 0; i < 16; ++i, j += 4)
+ m[i] = (data[j] << 24) | (data[j + 1] << 16) | (data[j + 2] << 8) | (data[j + 3]);
+ for ( ; i < 64; ++i)
+ m[i] = SIG1(m[i - 2]) + m[i - 7] + SIG0(m[i - 15]) + m[i - 16];
+
+ a = ctx->state[0];
+ b = ctx->state[1];
+ c = ctx->state[2];
+ d = ctx->state[3];
+ e = ctx->state[4];
+ f = ctx->state[5];
+ g = ctx->state[6];
+ h = ctx->state[7];
+
+ for (i = 0; i < 64; ++i) {
+ t1 = h + EP1(e) + CH(e,f,g) + k[i] + m[i];
+ t2 = EP0(a) + MAJ(a,b,c);
+ h = g;
+ g = f;
+ f = e;
+ e = d + t1;
+ d = c;
+ c = b;
+ b = a;
+ a = t1 + t2;
+ }
+
+ ctx->state[0] += a;
+ ctx->state[1] += b;
+ ctx->state[2] += c;
+ ctx->state[3] += d;
+ ctx->state[4] += e;
+ ctx->state[5] += f;
+ ctx->state[6] += g;
+ ctx->state[7] += h;
+}
+
+void sha256_init(SHA256_CTX *ctx)
+{
+ ctx->datalen = 0;
+ ctx->bitlen = 0;
+ ctx->state[0] = 0x6a09e667;
+ ctx->state[1] = 0xbb67ae85;
+ ctx->state[2] = 0x3c6ef372;
+ ctx->state[3] = 0xa54ff53a;
+ ctx->state[4] = 0x510e527f;
+ ctx->state[5] = 0x9b05688c;
+ ctx->state[6] = 0x1f83d9ab;
+ ctx->state[7] = 0x5be0cd19;
+}
+
+void sha256_update(SHA256_CTX *ctx, const SHA_BYTE data[], size_t len)
+{
+ SHA_WORD i;
+
+ for (i = 0; i < len; ++i) {
+ ctx->data[ctx->datalen] = data[i];
+ ctx->datalen++;
+ if (ctx->datalen == 64) {
+ sha256_transform(ctx, ctx->data);
+ ctx->bitlen += 512;
+ ctx->datalen = 0;
+ }
+ }
+}
+
+void sha256_final(SHA256_CTX *ctx, SHA_BYTE hash[])
+{
+ SHA_WORD i;
+
+ i = ctx->datalen;
+
+ // Pad whatever data is left in the buffer.
+ if (ctx->datalen < 56) {
+ ctx->data[i++] = 0x80;
+ while (i < 56)
+ ctx->data[i++] = 0x00;
+ }
+ else {
+ ctx->data[i++] = 0x80;
+ while (i < 64)
+ ctx->data[i++] = 0x00;
+ sha256_transform(ctx, ctx->data);
+ memset(ctx->data, 0, 56);
+ }
+
+ // Append to the padding the total message's length in bits and transform.
+ ctx->bitlen += ctx->datalen * 8;
+ ctx->data[63] = ctx->bitlen;
+ ctx->data[62] = ctx->bitlen >> 8;
+ ctx->data[61] = ctx->bitlen >> 16;
+ ctx->data[60] = ctx->bitlen >> 24;
+ ctx->data[59] = ctx->bitlen >> 32;
+ ctx->data[58] = ctx->bitlen >> 40;
+ ctx->data[57] = ctx->bitlen >> 48;
+ ctx->data[56] = ctx->bitlen >> 56;
+ sha256_transform(ctx, ctx->data);
+
+ // Since this implementation uses little endian byte ordering and SHA uses big endian,
+ // reverse all the bytes when copying the final state to the output hash.
+ for (i = 0; i < 4; ++i) {
+ hash[i] = (ctx->state[0] >> (24 - i * 8)) & 0x000000ff;
+ hash[i + 4] = (ctx->state[1] >> (24 - i * 8)) & 0x000000ff;
+ hash[i + 8] = (ctx->state[2] >> (24 - i * 8)) & 0x000000ff;
+ hash[i + 12] = (ctx->state[3] >> (24 - i * 8)) & 0x000000ff;
+ hash[i + 16] = (ctx->state[4] >> (24 - i * 8)) & 0x000000ff;
+ hash[i + 20] = (ctx->state[5] >> (24 - i * 8)) & 0x000000ff;
+ hash[i + 24] = (ctx->state[6] >> (24 - i * 8)) & 0x000000ff;
+ hash[i + 28] = (ctx->state[7] >> (24 - i * 8)) & 0x000000ff;
+ }
+}
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/forensics/yara.git
More information about the forensics-changes
mailing list