[Forensics-changes] [yara] 117/407: Merge branch 'master' into authenticode

Hilko Bengen bengen at moszumanska.debian.org
Sat Jul 1 10:28:16 UTC 2017



bengen pushed a commit to annotated tag v3.3.0
in repository yara.

commit 2b73387631e4b5d870612b78332f5f1d6732cfab
Merge: fbafd23 d3f2707
Author: Wesley Shields <wxs at atarininja.org>
Date:   Wed Oct 15 10:57:20 2014 -0400

    Merge branch 'master' into authenticode
    
    Conflicts:
    	libyara/modules/pe.c

 libyara/include/yara/re.h |  4 ++
 libyara/modules/pe.c      | 93 +++++++++++++++++++++++------------------------
 libyara/parser.c          | 11 ++++++
 libyara/re.c              | 23 ++++++++++++
 4 files changed, 84 insertions(+), 47 deletions(-)

diff --cc libyara/modules/pe.c
index e31ff68,0f25a82..caba9a9
--- a/libyara/modules/pe.c
+++ b/libyara/modules/pe.c
@@@ -2348,140 -2349,7 +2354,139 @@@ IMPORTED_DLL* pe_parse_imports
  }
  
  
 +void pe_parse_certificates(
-   PE* pe,
-   YR_OBJECT *pe_obj)
++  PE* pe)
 +{
 +  PIMAGE_DATA_DIRECTORY directory;
 +  PIMAGE_SECURITY_DESCRIPTOR sec_desc;
 +  BIO *cert_bio, *date_bio;
 +  PKCS7 *p7;
 +  X509 *cert;
 +  int i, j;
 +  char *p;
 +  const char *sig_alg;
 +  unsigned long date_length;
 +  ASN1_INTEGER *serial;
 +  ASN1_TIME *date_time;
 +  STACK_OF(X509) *certs;
 +
 +  directory = pe_get_directory_entry(pe, IMAGE_DIRECTORY_ENTRY_SECURITY);
 +  // directory->VirtualAddress is a file offset. Don't call pe_rva_to_offset().
 +  if (directory->VirtualAddress == 0 ||
 +      directory->VirtualAddress + sizeof(IMAGE_SECURITY_DESCRIPTOR) > pe->data_size) {
 +    return;
 +  }
 +
 +  //
 +  // Walk the directory, pulling out certificates. Make sure the current
 +  // certificate fits in pe, and that we don't walk past the end of the
 +  // directory.
 +  //
 +  sec_desc = (PIMAGE_SECURITY_DESCRIPTOR) (pe->data + directory->VirtualAddress);
 +  while (struct_fits_in_pe(pe, sec_desc, IMAGE_SECURITY_DESCRIPTOR) &&
 +         (uint8_t *) sec_desc <= pe->data + directory->VirtualAddress + directory->Size)
 +  {
 +    cert_bio = BIO_new_mem_buf(sec_desc->Certificate, sec_desc->Length);
 +    if (!cert_bio)
 +      break;
 +    p7 = d2i_PKCS7_bio(cert_bio, NULL);
 +    certs = PKCS7_get0_signers(p7, NULL, 0);
 +    for (i = 0; i < sk_X509_num(certs); i++) {
 +      cert = sk_X509_value(certs, i);
 +
 +      p = X509_NAME_oneline(X509_get_issuer_name(cert), NULL, 0);
 +      if (!p)
 +        break;
-       set_string(p, pe_obj, "signature.issuer");
++      set_string(p, pe->object, "signature.issuer");
 +      yr_free(p);
 +
 +      p = X509_NAME_oneline(X509_get_subject_name(cert), NULL, 0);
 +      if (!p)
 +        break;
-       set_string(p, pe_obj, "signature.subject");
++      set_string(p, pe->object, "signature.subject");
 +      yr_free(p);
 +
 +      // Versions are zero based, so add one.
-       set_integer(X509_get_version(cert) + 1, pe_obj, "signature.version");
++      set_integer(X509_get_version(cert) + 1, pe->object, "signature.version");
 +
 +      sig_alg = OBJ_nid2ln(OBJ_obj2nid(cert->sig_alg->algorithm));
-       set_string(sig_alg, pe_obj, "signature.algorithm");
++      set_string(sig_alg, pe->object, "signature.algorithm");
 +
 +      serial = X509_get_serialNumber(cert);
 +      if (serial->length <= 0)
 +        continue;
 +      //
 +      // Convert serial number to "common" string format: 00:01:02:03:04...
 +      // The (length * 2) is for each of the bytes in the integer to convert
 +      // to hexlified format. The (length - 1) is for the colons. The extra
 +      // byte is for the NULL terminator.
 +      //
 +      p = (char *) yr_malloc((serial->length * 2) + (serial->length - 1) + 1);
 +      if (!p)
 +        break;
 +      for (j = 0; j < serial->length; j++) {
 +        // Don't put the colon on the last one.
 +        if (j < serial->length - 1)
 +          snprintf(p + 3 * j, 4, "%02x:", serial->data[j]);
 +        else
 +          snprintf(p + 3 * j, 3, "%02x", serial->data[j]);
 +      }
-       set_string(p, pe_obj, "signature.serial");
++      set_string(p, pe->object, "signature.serial");
 +      yr_free(p);
 +
 +      //
 +      // Use a single BIO for notBefore and notAfter. Saves from having
 +      // to allocate multiple BIOs. Just have to track how much is written
 +      // each time.
 +      //
 +      date_bio = BIO_new(BIO_s_mem());
 +      if (!date_bio)
 +        break;
 +      date_time = X509_get_notBefore(cert);
 +      ASN1_TIME_print(date_bio, date_time);
 +      // Use num_write to get the number of bytes available for reading.
 +      p = (char *) yr_malloc(date_bio->num_write + 1);
 +      if (!p) {
 +        BIO_set_close(date_bio, BIO_CLOSE);
 +        BIO_free(date_bio);
 +        break;
 +      }
 +      BIO_read(date_bio, p, date_bio->num_write);
 +      p[date_bio->num_write] = '\x0';
-       set_string(p, pe_obj, "signature.notBefore");
++      set_string(p, pe->object, "signature.notBefore");
 +      yr_free(p);
 +      date_time = X509_get_notAfter(cert);
 +      ASN1_TIME_print(date_bio, date_time);
 +      // How much is written the second time?
 +      date_length = date_bio->num_write - date_bio->num_read;
 +      if (date_length != 0) {
 +        p = (char *) yr_malloc(date_length + 1);
 +        if (!p) {
 +          BIO_set_close(date_bio, BIO_CLOSE);
 +          BIO_free(date_bio);
 +          break;
 +        }
 +        BIO_read(date_bio, p, date_length);
 +        p[date_length] = '\x0';
-         set_string(p, pe_obj, "signature.notAfter");
++        set_string(p, pe->object, "signature.notAfter");
 +        yr_free(p);
 +      }
 +      BIO_set_close(date_bio, BIO_CLOSE);
 +      BIO_free(date_bio);
 +    }
 +    sec_desc += sec_desc ->Length + 8 - (((unsigned int) sec_desc + sec_desc->Length) % 8);
 +  }
 +
 +  if (cert_bio) {
 +    BIO_set_close(cert_bio, BIO_CLOSE);
 +    BIO_free(cert_bio);
 +  }
 +
 +  return;
 +}
 +
 +
- void pe_parse(
+ void pe_parse_header(
      PE* pe,
      size_t base_address,
      int flags)
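Review bot: `sec_desc->Length` comes straight from the file and is passed unchecked as the size to `BIO_new_mem_buf`, while the `struct_fits_in_pe` guard in the loop condition only proves the WIN_CERTIFICATE header itself lies inside the mapping, so a large dwLength lets `d2i_PKCS7_bio` read past `pe->data + pe->data_size`. Two further problems sit in the same loop: dwLength counts from the start of the header, so the certificate payload is `Length - 8` bytes rather than `Length`, and `sec_desc += …` is pointer arithmetic on a `PIMAGE_SECURITY_DESCRIPTOR`, which scales the stride by `sizeof(IMAGE_SECURITY_DESCRIPTOR)` and steps into unrelated data (the `+ 8` term also advances one slot too far when the entry end is already 8-aligned). Each iteration additionally leaks the previous `cert_bio`, the `PKCS7` and the signer stack (`PKCS7_get0_signers` hands back a `STACK_OF(X509)` the caller must `sk_X509_free`), and `p7` is never checked for NULL before use. A bounded loop head and tail is sketched below; the per-certificate extraction body and the rest of `pe_parse_certificates` (which is complete within this hunk) are unchanged, and `OPENSSL_free` rather than `yr_free` should release the `X509_NAME_oneline` buffers.
```c
  while (struct_fits_in_pe(pe, sec_desc, IMAGE_SECURITY_DESCRIPTOR) &&
         (uint8_t *) sec_desc <= pe->data + directory->VirtualAddress + directory->Size)
  {
    // dwLength covers the whole WIN_CERTIFICATE, header included, and is
    // attacker-controlled: bound it against the mapping before OpenSSL sees it.
    const size_t hdr = offsetof(IMAGE_SECURITY_DESCRIPTOR, Certificate);
    size_t avail = (size_t) (pe->data + pe->data_size - (uint8_t *) sec_desc);
    if (sec_desc->Length < hdr || sec_desc->Length > avail)
      break;

    cert_bio = BIO_new_mem_buf(sec_desc->Certificate, (int) (sec_desc->Length - hdr));
    if (!cert_bio)
      break;
    p7 = d2i_PKCS7_bio(cert_bio, NULL);
    BIO_free(cert_bio);
    cert_bio = NULL;
    if (!p7)
      break;
    certs = PKCS7_get0_signers(p7, NULL, 0);
    // … unchanged: per-certificate issuer/subject/serial/date extraction …
    sk_X509_free(certs);
    PKCS7_free(p7);

    // Advance in bytes, rounding dwLength up to the 8-byte entry alignment.
    sec_desc = (PIMAGE_SECURITY_DESCRIPTOR)
        ((uint8_t *) sec_desc + ((sec_desc->Length + 7) & ~(size_t) 7));
  }
```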
@@@ -3160,10 -3011,10 +3158,11 @@@ int module_load
  
          module_object->data = pe;
  
-         pe_parse(
-             pe,
-             block->base,
-             context->flags);
+         pe_parse_header(pe, block->base, context->flags);
+         pe_parse_rich_signature(pe);
++        pe_parse_certificates(pe);
+ 
+         pe->imported_dlls = pe_parse_imports(pe);
  
          break;
        }



