static void parse_certificates(const options_t *options, pe_ctx_t *ctx)
{
const IMAGE_DATA_DIRECTORY * const directory = pe_directory_by_entry(ctx, IMAGE_DIRECTORY_ENTRY_SECURITY);
if (directory == NULL)
return;
if (directory->VirtualAddress == 0 || directory->Size == 0)
return;
uint32_t fileOffset = directory->VirtualAddress; // This a file pointer rather than a common RVA.
// TODO(jweyrich): We should count how many certificates the file has, and based on this
// decide whether to proceed and open the certificates scope.
output_open_scope("certificates", OUTPUT_SCOPE_TYPE_ARRAY);
while (fileOffset - directory->VirtualAddress < directory->Size)
{
// Read the size of this WIN_CERTIFICATE
uint32_t *dwLength_ptr = LIBPE_PTR_ADD(ctx->map_addr, fileOffset);
if (!pe_can_read(ctx, dwLength_ptr, sizeof(uint32_t))) {
output_close_scope(); // certificates
// TODO: Should we report something?
return;
}
// Type punning
uint32_t dwLength = *(uint32_t *)dwLength_ptr;
WIN_CERTIFICATE *cert = LIBPE_PTR_ADD(ctx->map_addr, fileOffset);
if (!pe_can_read(ctx, cert, dwLength)) {
output_close_scope(); // certificates
// TODO: Should we report something?
return;
}
output_open_scope("certificate", OUTPUT_SCOPE_TYPE_OBJECT);
static char value[MAX_MSG];
snprintf(value, MAX_MSG, "%u bytes", cert->dwLength);
output("Length", value);
snprintf(value, MAX_MSG, "0x%x (%s)", cert->wRevision,
cert->wRevision == WIN_CERT_REVISION_1_0 ? "1" :
cert->wRevision == WIN_CERT_REVISION_2_0 ? "2" : "unknown");
output("Revision", value);
snprintf(value, MAX_MSG, "0x%x", cert->wCertificateType);
switch (cert->wCertificateType) {
default: bsd_strlcat(value, " (UNKNOWN)", MAX_MSG); break;
case WIN_CERT_TYPE_X509: bsd_strlcat(value, " (X509)", MAX_MSG); break;
case WIN_CERT_TYPE_PKCS_SIGNED_DATA: bsd_strlcat(value, " (PKCS_SIGNED_DATA)", MAX_MSG); break;
case WIN_CERT_TYPE_TS_STACK_SIGNED: bsd_strlcat(value, " (TS_STACK_SIGNED)", MAX_MSG); break;
}
output("Type", value);
fileOffset += utils_round_up(cert->dwLength, 8); // Offset to the next certificate.
if (fileOffset - directory->VirtualAddress > directory->Size)
EXIT_ERROR("either the attribute certificate table or the Size field is corrupted");
switch (cert->wRevision) {
default:
EXIT_ERROR("unknown wRevision");
case WIN_CERT_REVISION_1_0:
EXIT_ERROR("WIN_CERT_REVISION_1_0 is not supported");
case WIN_CERT_REVISION_2_0:
break;
}
switch (cert->wCertificateType) {
default:
EXIT_ERROR("unknown wCertificateType");
case WIN_CERT_TYPE_X509:
EXIT_ERROR("WIN_CERT_TYPE_X509 is not supported");
case WIN_CERT_TYPE_PKCS_SIGNED_DATA:
{
CRYPT_DATA_BLOB p7data;
p7data.cbData = cert->dwLength - offsetof(WIN_CERTIFICATE, bCertificate);
p7data.pbData = cert->bCertificate;
parse_pkcs7_data(options, &p7data);
break;
}
case WIN_CERT_TYPE_TS_STACK_SIGNED:
EXIT_ERROR("WIN_CERT_TYPE_TS_STACK_SIGNED is not supported");
case WIN_CERT_TYPE_EFI_PKCS115:
EXIT_ERROR("WIN_CERT_TYPE_EFI_PKCS115 is not supported");
case WIN_CERT_TYPE_EFI_GUID:
EXIT_ERROR("WIN_CERT_TYPE_EFI_GUID is not supported");
}
output_close_scope(); // certificate
}
output_close_scope(); // certificates
}
int main(int argc, char *argv[])
{
pev_config_t config;
PEV_INITIALIZE(&config);
if (argc < 2) {
usage();
return EXIT_FAILURE;
}
output_set_cmdline(argc, argv);
options_t *options = parse_options(argc, argv);
pe_ctx_t ctx;
pe_err_e err = pe_load_file(&ctx, argv[argc-1]);
if (err != LIBPE_E_OK) {
pe_error_print(stderr, err);
return EXIT_FAILURE;
}
err = pe_parse(&ctx);
if (err != LIBPE_E_OK) {
pe_error_print(stderr, err);
return EXIT_FAILURE;
}
if (!pe_is_pe(&ctx))
EXIT_ERROR("not a valid PE file");
const IMAGE_SECTION_HEADER *section_ptr = NULL;
const unsigned char *data = NULL;
uint64_t data_size = 0;
unsigned c = pe_sections_count(&ctx);
IMAGE_SECTION_HEADER ** const sections = pe_sections(&ctx);
data = ctx.map_addr;
data_size = pe_filesize(&ctx);
output_open_document();
if (options->headers.all || options->headers.dos || options->headers.coff || options->headers.optional ||
options->sections.name || options->sections.index) {
options->all = false;
options->content = false;
}
if (options->all) {
options->content = true;
options->headers.all = true;
}
if (options->content) {
output_open_scope("file", OUTPUT_SCOPE_TYPE_OBJECT);
output("filepath", ctx.path);
print_basic_hash(data, data_size);
char *imphash = NULL;
// imphash = pe_imphash(&ctx, LIBPE_IMPHASH_FLAVOR_MANDIANT);
// output("imphash (Mandiant)", imphash);
// free(imphash);
imphash = pe_imphash(&ctx, LIBPE_IMPHASH_FLAVOR_PEFILE);
output("imphash", imphash);
free(imphash);
output_close_scope(); // file
if (!options->all) // whole file content only
goto BYE;
}
if (options->headers.all) {
options->headers.dos = true;
options->headers.coff = true;
options->headers.optional = true;
}
if (options->headers.all || options->headers.dos || options->headers.coff || options->headers.optional)
output_open_scope("headers", OUTPUT_SCOPE_TYPE_ARRAY);
if (options->headers.all || options->headers.dos) {
const IMAGE_DOS_HEADER *dos_hdr = pe_dos(&ctx);
data = (const unsigned char *)dos_hdr;
data_size = sizeof(IMAGE_DOS_HEADER);
output_open_scope("header", OUTPUT_SCOPE_TYPE_OBJECT);
output("header_name", "IMAGE_DOS_HEADER");
print_basic_hash(data, data_size);
output_close_scope(); // header
}
if (options->headers.all || options->headers.coff) {
const IMAGE_COFF_HEADER *coff_hdr = pe_coff(&ctx);
data = (const unsigned char *)coff_hdr;
data_size = sizeof(IMAGE_COFF_HEADER);
output_open_scope("header", OUTPUT_SCOPE_TYPE_OBJECT);
output("header_name", "IMAGE_COFF_HEADER");
print_basic_hash(data, data_size);
output_close_scope(); // header
}
if (options->headers.all || options->headers.optional) {
const IMAGE_OPTIONAL_HEADER *opt_hdr = pe_optional(&ctx);
switch (opt_hdr->type) {
case MAGIC_ROM:
// Oh boy! We do not support ROM. Abort!
fprintf(stderr, "ROM image is not supported\n");
break;
case MAGIC_PE32:
if (!pe_can_read(&ctx, opt_hdr->_32, sizeof(IMAGE_OPTIONAL_HEADER_32))) {
// TODO: Should we report something?
break;
}
data = (const unsigned char *)opt_hdr->_32;
data_size = sizeof(IMAGE_OPTIONAL_HEADER_32);
break;
case MAGIC_PE64:
if (!pe_can_read(&ctx, opt_hdr->_64, sizeof(IMAGE_OPTIONAL_HEADER_64))) {
// TODO: Should we report something?
break;
}
data = (const unsigned char *)opt_hdr->_64;
data_size = sizeof(IMAGE_OPTIONAL_HEADER_64);
break;
}
output_open_scope("header", OUTPUT_SCOPE_TYPE_OBJECT);
output("header_name", "IMAGE_OPTIONAL_HEADER");
print_basic_hash(data, data_size);
output_close_scope(); // header
}
if (options->headers.all || options->headers.dos || options->headers.coff || options->headers.optional)
output_close_scope(); // headers
if (options->all || options->sections.name || options->sections.index)
output_open_scope("sections", OUTPUT_SCOPE_TYPE_ARRAY);
if (options->all) {
for (unsigned int i=0; i<c; i++) {
data_size = sections[i]->SizeOfRawData;
data = LIBPE_PTR_ADD(ctx.map_addr, sections[i]->PointerToRawData);
if (!pe_can_read(&ctx, data, data_size)) {
EXIT_ERROR("Unable to read section data");
}
output_open_scope("section", OUTPUT_SCOPE_TYPE_OBJECT);
output("section_name", (char *)sections[i]->Name);
if (data_size) {
print_basic_hash(data, data_size);
}
output_close_scope(); // section
}
//output_close_scope(); // sections
} else if (options->sections.name != NULL) {
const IMAGE_SECTION_HEADER *section = pe_section_by_name(&ctx, options->sections.name);
if (section == NULL) {
EXIT_ERROR("The requested section could not be found on this binary");
}
section_ptr = section;
} else if (options->sections.index > 0) {
const uint16_t num_sections = pe_sections_count(&ctx);
if (num_sections == 0 || options->sections.index > num_sections) {
EXIT_ERROR("The requested section could not be found on this binary");
}
IMAGE_SECTION_HEADER ** const sections = pe_sections(&ctx);
const IMAGE_SECTION_HEADER *section = sections[options->sections.index - 1];
section_ptr = section;
}
if (section_ptr != NULL) {
if (section_ptr->SizeOfRawData > 0) {
const uint8_t *section_data_ptr = LIBPE_PTR_ADD(ctx.map_addr, section_ptr->PointerToRawData);
// printf("map_addr = %p\n", ctx.map_addr);
// printf("section_data_ptr = %p\n", section_data_ptr);
// printf("SizeOfRawData = %u\n", section_ptr->SizeOfRawData);
if (!pe_can_read(&ctx, section_data_ptr, section_ptr->SizeOfRawData)) {
EXIT_ERROR("The requested section has an invalid size");
}
data = (const unsigned char *)section_data_ptr;
data_size = section_ptr->SizeOfRawData;
} else {
data = (const unsigned char *)"";
data_size = 0;
}
}
if (!options->all && data != NULL) {
output_open_scope("section", OUTPUT_SCOPE_TYPE_OBJECT);
output("section_name", options->sections.name);
print_basic_hash(data, data_size);
output_close_scope();
}
if (options->all || options->sections.name || options->sections.index)
output_close_scope();
BYE:
output_close_document();
// free
free_options(options);
err = pe_unload(&ctx);
if (err != LIBPE_E_OK) {
pe_error_print(stderr, err);
return EXIT_FAILURE;
}
PEV_FINALIZE(&config);
return EXIT_SUCCESS;
}
static int parse_pkcs7_data(const options_t *options, const CRYPT_DATA_BLOB *blob)
{
int result = 0;
const cert_format_e input_fmt = CERT_FORMAT_DER;
PKCS7 *p7 = NULL;
BIO *in = NULL;
CRYPTO_malloc_init();
ERR_load_crypto_strings();
OpenSSL_add_all_algorithms();
in = BIO_new_mem_buf(blob->pbData, blob->cbData);
if (in == NULL) {
result = -2;
goto error;
}
switch (input_fmt) {
default: EXIT_ERROR("unhandled input format for certificate");
case CERT_FORMAT_DER:
p7 = d2i_PKCS7_bio(in, NULL);
break;
case CERT_FORMAT_PEM:
p7 = PEM_read_bio_PKCS7(in, NULL, NULL, NULL);
break;
}
if (p7 == NULL) {
ERR_print_errors_fp(stderr);
result = -3;
goto error;
}
STACK_OF(X509) *certs = NULL;
int type = OBJ_obj2nid(p7->type);
switch (type) {
default: break;
case NID_pkcs7_signed: // PKCS7_type_is_signed(p7)
certs = p7->d.sign->cert;
break;
case NID_pkcs7_signedAndEnveloped: // PKCS7_type_is_signedAndEnveloped(p7)
certs = p7->d.signed_and_enveloped->cert;
break;
}
const int numcerts = certs != NULL ? sk_X509_num(certs) : 0;
for (int i = 0; i < numcerts; i++) {
X509 *cert = sk_X509_value(certs, i);
print_certificate(options->certout, options->certoutform, cert);
// NOTE: Calling X509_free(cert) is unnecessary.
}
// Print whether certificate signature is valid
if (numcerts > 0) {
X509 *subject = sk_X509_value(certs, 0);
X509 *issuer = sk_X509_value(certs, numcerts - 1);
int valid_sig = X509_verify(subject, X509_get_pubkey(issuer));
output("Signature", valid_sig == 1 ? "valid" : "invalid");
}
// Print signers
if (numcerts > 0) {
output_open_scope("signers", OUTPUT_SCOPE_TYPE_ARRAY);
for (int i = 0; i < numcerts; i++) {
X509 *cert = sk_X509_value(certs, i);
X509_NAME *name = X509_get_subject_name(cert);
int issuer_name_len = X509_NAME_get_text_by_NID(name, NID_commonName, NULL, 0);
if (issuer_name_len > 0) {
output_open_scope("signer", OUTPUT_SCOPE_TYPE_OBJECT);
char issuer_name[issuer_name_len + 1];
X509_NAME_get_text_by_NID(name, NID_commonName, issuer_name, issuer_name_len + 1);
output("Issuer", issuer_name);
output_close_scope(); // signer
}
}
output_close_scope(); // signers
}
error:
if (p7 != NULL)
PKCS7_free(p7);
if (in != NULL)
BIO_free(in);
// Deallocate everything from OpenSSL_add_all_algorithms
EVP_cleanup();
// Deallocate everything from ERR_load_crypto_strings
ERR_free_strings();
return result;
}
int main(int argc, char *argv[])
{
pev_config_t config;
PEV_INITIALIZE(&config);
if (argc < 2) {
usage();
return EXIT_FAILURE;
}
output_set_cmdline(argc, argv);
OpenSSL_add_all_digests();
options_t *options = parse_options(argc, argv);
pe_ctx_t ctx;
pe_err_e err = pe_load_file(&ctx, argv[argc-1]);
if (err != LIBPE_E_OK) {
pe_error_print(stderr, err);
return EXIT_FAILURE;
}
err = pe_parse(&ctx);
if (err != LIBPE_E_OK) {
pe_error_print(stderr, err);
return EXIT_FAILURE;
}
if (!pe_is_pe(&ctx))
EXIT_ERROR("not a valid PE file");
const IMAGE_SECTION_HEADER *section_ptr = NULL;
const unsigned char *data = NULL;
uint64_t data_size = 0;
unsigned c = pe_sections_count(&ctx);
IMAGE_SECTION_HEADER ** const sections = pe_sections(&ctx);
char hash_value[EVP_MAX_MD_SIZE * 2 + 1];
data = ctx.map_addr;
data_size = pe_filesize(&ctx);
output_open_document();
if (options->all) {
output_open_scope("file", OUTPUT_SCOPE_TYPE_OBJECT);
output("filepath", ctx.path);
print_basic_hash(data, data_size);
output_close_scope(); // file
}
output_open_scope("headers", OUTPUT_SCOPE_TYPE_ARRAY);
if (options->all || options->headers.all || options->headers.dos) {
const IMAGE_DOS_HEADER *dos_hdr = pe_dos(&ctx);
data = (const unsigned char *)dos_hdr;
data_size = sizeof(IMAGE_DOS_HEADER);
output_open_scope("header", OUTPUT_SCOPE_TYPE_OBJECT);
output("header_name", "IMAGE_DOS_HEADER");
PRINT_HASH_OR_HASHES;
output_close_scope(); // header
}
if (options->all || options->headers.all || options->headers.coff) {
const IMAGE_COFF_HEADER *coff_hdr = pe_coff(&ctx);
data = (const unsigned char *)coff_hdr;
data_size = sizeof(IMAGE_COFF_HEADER);
output_open_scope("header", OUTPUT_SCOPE_TYPE_OBJECT);
output("header_name", "IMAGE_COFF_HEADER");
PRINT_HASH_OR_HASHES;
output_close_scope(); // header
}
if (options->all || options->headers.all || options->headers.optional) {
const IMAGE_OPTIONAL_HEADER *opt_hdr = pe_optional(&ctx);
switch (opt_hdr->type) {
case MAGIC_ROM:
// Oh boy! We do not support ROM. Abort!
fprintf(stderr, "ROM image is not supported\n");
break;
case MAGIC_PE32:
if (!pe_can_read(&ctx, opt_hdr->_32, sizeof(IMAGE_OPTIONAL_HEADER_32))) {
// TODO: Should we report something?
break;
}
data = (const unsigned char *)opt_hdr->_32;
data_size = sizeof(IMAGE_OPTIONAL_HEADER_32);
break;
case MAGIC_PE64:
if (!pe_can_read(&ctx, opt_hdr->_64, sizeof(IMAGE_OPTIONAL_HEADER_64))) {
// TODO: Should we report something?
break;
}
data = (const unsigned char *)opt_hdr->_64;
data_size = sizeof(IMAGE_OPTIONAL_HEADER_64);
break;
}
output_open_scope("header", OUTPUT_SCOPE_TYPE_OBJECT);
output("header_name", "IMAGE_OPTIONAL_HEADER");
PRINT_HASH_OR_HASHES;
output_close_scope(); // header
}
output_close_scope(); // headers
if (options->all) {
output_open_scope("sections", OUTPUT_SCOPE_TYPE_ARRAY);
for (unsigned int i=0; i<c; i++) {
data_size = sections[i]->SizeOfRawData;
data = LIBPE_PTR_ADD(ctx.map_addr, sections[i]->PointerToRawData);
output_open_scope("section", OUTPUT_SCOPE_TYPE_OBJECT);
output("section_name", (char *)sections[i]->Name);
if (data_size) {
PRINT_HASH_OR_HASHES;
}
output_close_scope(); // section
}
output_close_scope(); // sections
} else if (options->sections.name != NULL) {
const IMAGE_SECTION_HEADER *section = pe_section_by_name(&ctx, options->sections.name);
if (section == NULL) {
EXIT_ERROR("The requested section could not be found on this binary");
}
section_ptr = section;
} else if (options->sections.index > 0) {
const uint16_t num_sections = pe_sections_count(&ctx);
if (num_sections == 0 || options->sections.index > num_sections) {
EXIT_ERROR("The requested section could not be found on this binary");
}
IMAGE_SECTION_HEADER ** const sections = pe_sections(&ctx);
const IMAGE_SECTION_HEADER *section = sections[options->sections.index - 1];
section_ptr = section;
}
if (section_ptr != NULL) {
if (section_ptr->SizeOfRawData > 0) {
const uint8_t *section_data_ptr = LIBPE_PTR_ADD(ctx.map_addr, section_ptr->PointerToRawData);
// printf("map_addr = %p\n", ctx.map_addr);
// printf("section_data_ptr = %p\n", section_data_ptr);
// printf("SizeOfRawData = %u\n", section_ptr->SizeOfRawData);
if (!pe_can_read(&ctx, section_data_ptr, section_ptr->SizeOfRawData)) {
EXIT_ERROR("The requested section has an invalid size");
}
data = (const unsigned char *)section_data_ptr;
data_size = section_ptr->SizeOfRawData;
} else {
data = (const unsigned char *)"";
data_size = 0;
}
}
if (!options->all && data != NULL) {
char hash_value[EVP_MAX_MD_SIZE * 2 + 1];
if (options->algorithms.all && options->all) {
print_basic_hash(data, data_size);
} else if (options->algorithms.alg_name != NULL) {
calc_hash(options->algorithms.alg_name, data, data_size, hash_value);
output(options->algorithms.alg_name, hash_value);
} else {
print_basic_hash(data, data_size);
}
}
output_close_document();
// free
free_options(options);
err = pe_unload(&ctx);
if (err != LIBPE_E_OK) {
pe_error_print(stderr, err);
return EXIT_FAILURE;
}
EVP_cleanup(); // Clean OpenSSL_add_all_digests.
PEV_FINALIZE(&config);
return EXIT_SUCCESS;
}