VirusTotal · lucas-soares-npro · Mar 13, 2024 · Mar 13, 2024 · Mar 14, 2024 · Mar 14, 2024
diff --git a/libyara/crypto.h b/libyara/crypto.h
@@ -86,6 +86,8 @@ typedef EVP_MD_CTX *yr_sha256_ctx;
 
 #include <wincrypt.h>
 
+#define HAVE_CRYPTO_WINCRYPT
+
 extern HCRYPTPROV yr_cryptprov;
 
 typedef HCRYPTHASH yr_md5_ctx;
@@ -144,4 +146,8 @@ typedef CC_SHA256_CTX yr_sha256_ctx;
 
 #endif
 
+#if defined(USE_WINCRYPT_AUTHENTICODE) && !defined(HAVE_CRYPTO_WINCRYPT)
+#error Cannot use wincrypt for authenticode if wincrypt library is not available
+#endif // USE_WINCRYPT_AUTHENTICODE && !HAVE_WINCRYPT_H
+
 #endif
diff --git a/libyara/include/authenticode-parser/authenticode.h b/libyara/include/authenticode-parser/authenticode.h
@@ -201,6 +201,10 @@ AuthenticodeArray* authenticode_new(const uint8_t* data, int32_t len);
  */
 void authenticode_array_free(AuthenticodeArray* auth);
 
+/* Moves signatures from src to dst, returns 0 on success,
+ * else 1. If error occurs, arguments are unchanged */
+int authenticode_array_move(AuthenticodeArray* dst, AuthenticodeArray* src);
+
 #ifdef __cplusplus
 }
 #endif

diff --git a/libyara/include/authenticode-parser/windows/authenticode.h b/libyara/include/authenticode-parser/windows/authenticode.h
@@ -0,0 +1,61 @@
+/* Copyright (c) 2024 Stormshield
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
+of the Software, and to permit persons to whom the Software is furnished to do
+so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+*/
+
+#ifndef YR_AUTHENTICODE_WINDOWS_H
+#define YR_AUTHENTICODE_WINDOWS_H
+
+#include <authenticode-parser/authenticode.h>
+
+#include <authenticode-parser/windows/tools.h>
+
+#if USE_WINCRYPT_AUTHENTICODE
+
+/// @brief Parses PE certificate directory data to extract signatures from it
+/// @param[in]      data                Certificate directory raw data PKCS7 blob to read signatures from
+/// @param[in]      length              Length of the data in bytes
+/// @param[in, out] authenticode_array  Signatures array read from data. To be freed using authenticode_array_free
+/// @return ERROR_SUCCESS if everything went well, a Yara error code otherwise
+INT parse_authenticode_wincrypt(
+  _In_      CONST   PBYTE               data,
+  _In_      CONST   DWORD               length,
+  _Inout_           AuthenticodeArray*  authenticode_array
+);
+
+/// @brief Computes file digest from the given pe data blob, using the digest algorithm specified in the given signature
+/// @param[in, out] authenticode        Authenticode signature to read digest algorithm from, and to write the computed file digest to
+/// @param[in]      pe_data             PE data blob
+/// @param[in]      pe_length           PE data blob length in bytes
+/// @param[in]      pe_header_offset    Offset to the pe header
+/// @param[in]      is_64bit            Is the PE 64 bits ?
+/// @param[in]      cert_addr           Certificates directory address
+/// @return ERROR_SUCCESS if everything went well, a Yara error code otherwise
+INT authenticode_wincrypt_compute_file_digest(
+  _Inout_           Authenticode    *CONST  authenticode,
+  _In_      CONST   PBYTE                   pe_data,
+  _In_      CONST   ULONGLONG               pe_length,
+  _In_      CONST   uint32_t                pe_header_offset,
+  _In_      CONST   BOOL                    is_64bit,
+  _In_      CONST   uint64_t                cert_addr
+);
+
+#endif  // USE_WINCRYPT_AUTHENTICODE
+
+#endif  // !YR_AUTHENTICODE_WINDOWS_H
diff --git a/libyara/include/authenticode-parser/windows/certificate.h b/libyara/include/authenticode-parser/windows/certificate.h
@@ -0,0 +1,87 @@
+/* Copyright (c) 2024 Stormshield
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
+of the Software, and to permit persons to whom the Software is furnished to do
+so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+*/
+
+#ifndef YR_AUTHENTICODE_WINDOWS_CERTIFICATE_H
+#define YR_AUTHENTICODE_WINDOWS_CERTIFICATE_H
+
+#include <authenticode-parser/authenticode.h>
+
+#include <authenticode-parser/windows/tools.h>
+
+#if USE_WINCRYPT_AUTHENTICODE
+
+/// @brief Builds a Yara certificates array from the given Microsoft certificates store
+/// @param[in]  cert_store          Certificate from which to extract all certificates
+/// @param[out] certificate_array   Yara certificates array data structure built from the given Microsoft certificates store. To be freed using certificate_array_free
+INT get_all_certificates_authenticode(
+    _In_        CONST   HCERTSTORE                  cert_store,
+    _Outptr_            CertificateArray*   *CONST  certificate_array
+);
+
+/// @brief Take a certificate name blob, which can be an issuer or a subject, and format
+/// it using known OID to match the output given by OpenSSL
+/// @param[in]  cert_name_blob  Certificate name blob which ie. an issuer or a subject
+/// @param[out] Formatted name as PSTR string
+/// @return ERROR_SUCCESS if everything went well, a Yara error code otherwise
+/// @note The straightforward way to obtain the issuer/subject dn would have been to call
+/// @note CertNameToStrA. But some minors differences would appear relatively to the use
+/// @note of OpenSSL. However the objective of this module is always have the  same output
+/// @note regardless of the API used. That is why, despite the heaviness, it is prefered to
+/// @note build our proper string by enumerating all RDN and using a matching strings table.
+INT format_cert_name_blob_using_known_oid(
+    _In_        CONST   CERT_NAME_BLOB*         cert_name_blob,
+    _Outptr_            PSTR            *CONST  formatted_name
+);
+
+/// @brief Parses the cert name blob to extract attributes it finds in it
+/// @param[in]  cert_name_blob  Data blob to parse to extract attributes
+/// @param[out] attributes      Parsed attributes that could be found
+/// @return ERROR_SUCCESS if everything went well, a Yara error code otherwise
+INT fill_attributes_using_cert_name_blob(
+    _In_    CONST PCERT_NAME_BLOB           cert_name_blob,
+    _Out_         Attributes        *CONST  attributes
+);
+
+/// @brief Builds certificates chain from a given signer info
+/// @param[in]  cert_store              Certificates store to use to build signer certificates chain
+/// @param[in]  signer_info             Signer info to build certificates chain for
+/// @param[out] certificate_chain_array Resulting built certificates chain
+/// @return ERROR_SUCCESS if everything went well, a Yara error code otherwise
+INT build_certificate_chain_from_signer_info(
+    _In_    CONST   HCERTSTORE                  cert_store,
+    _In_    CONST   PCMSG_SIGNER_INFO           signer_info,
+    _Out_           CertificateArray*   *CONST  certificate_chain_array
+);
+
+/// @brief Find the signer certificate from certificates store using signer info issuer and serial number
+/// @param[in]  cert_store      Certificates store from where to look for the signer certificate
+/// @param[in]  signer_info     Signer info to use to look for certificate
+/// @param[out] cert_context    Found certificate, to be freed using CertFreeCertificateContext
+/// @return ERROR_SUCCESS if everything went well, a Yara error code otherwise
+INT find_signer_certificate_from_signer_info(
+    _In_      CONST   HCERTSTORE                  cert_store,
+    _In_      CONST   PCMSG_SIGNER_INFO           signer_info,
+    _Outptr_          PCERT_CONTEXT       *CONST  cert_context
+);
+
+#endif // USE_WINCRYPT_AUTHENTICODE
+
+#endif // !YR_AUTHENTICODE_WINDOWS_CERTIFICATE_H
diff --git a/libyara/include/authenticode-parser/windows/cleanup.h b/libyara/include/authenticode-parser/windows/cleanup.h
@@ -0,0 +1,85 @@
+/* Copyright (c) 2024 Stormshield
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
+of the Software, and to permit persons to whom the Software is furnished to do
+so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+*/
+
+#ifndef YR_AUTHENTICODE_WINDOWS_CLEANUP_H
+#define YR_AUTHENTICODE_WINDOWS_CLEANUP_H
+
+#include <authenticode-parser/windows/tools.h>
+
+#ifdef USE_WINCRYPT_AUTHENTICODE
+
+/// @brief Cleanups a given byte array by freeing its inner data, but not the container itself
+/// @param[in]  byte_array  Byte array to be cleaned up
+VOID cleanup_byte_array(
+    _Inout_ ByteArray   *CONST  byte_array
+);
+
+/// @brief Cleanups a given attributes container by freeing its inner ByteArray data, but not the container itself
+/// @param[in]  attributes  Attributes to be cleaned up
+VOID cleanup_attributes(
+    _Inout_ Attributes  *CONST  attributes
+);
+
+/// @brief Destroys certificate and free container
+/// @parma[in]  certificate Certificate to be destroyed
+VOID destroy_certificate(
+    _In_ _Post_ptr_invalid_ Certificate *CONST  certificate
+);
+
+/// @brief Destroys certificate array and free container
+/// @param[in]  certificate_array   Certificates array to be destroyed
+VOID destroy_certificate_array(
+    _In_ _Post_ptr_invalid_ CertificateArray    *CONST  certificate_array
+);
+
+/// @brief Destroys signer and free container
+/// @param[in]  signer  Signer to be destroyed
+VOID destroy_signer(
+    _In_ _Post_ptr_invalid_ Signer  *CONST signer
+);
+
+/// @brief Destroy countersignature and free container
+/// @param[in]  countersignature    Countersignature to be destroyed
+VOID destroy_countersignature(
+    _In_ _Post_ptr_invalid_ Countersignature    *CONST  countersignature
+);
+
+/// @brief Destroy countersignature array and free container
+/// @param[in]  array   Countersignatures array to be destroyed
+VOID destroy_countersignature_array(
+    _In_ _Post_ptr_invalid_ CountersignatureArray   *CONST  array
+);
+
+/// @brief Destroy authenticode signature and free container
+/// @param[in]  authenticode    Authenticode signature to be destroyed
+VOID destroy_authenticode(
+    _In_ _Post_ptr_invalid_ Authenticode    *CONST  authenticode
+);
+
+/// @brief Destroy authenticode signatures array and free container
+/// @param[in]  array   Array of authenticode signatures to be destroyed
+VOID destroy_authenticode_array(
+    _In_ _Post_ptr_invalid_ AuthenticodeArray   *CONST  array
+);
+
+#endif // USE_WINCRYPT_AUTHENTICODE
+
+#endif // !YR_AUTHENTICODE_WINDOWS_CLEANUP_H
diff --git a/libyara/include/authenticode-parser/windows/countersignature.h b/libyara/include/authenticode-parser/windows/countersignature.h
@@ -0,0 +1,46 @@
+/* Copyright (c) 2024 Stormshield
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
+of the Software, and to permit persons to whom the Software is furnished to do
+so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+*/
+
+#ifndef YR_AUTHENTICODE_WINDOWS_COUNTERSIGNATURE_H
+#define YR_AUTHENTICODE_WINDOWS_COUNTERSIGNATURE_H
+
+#include <authenticode-parser/windows/tools.h>
+
+#if USE_WINCRYPT_AUTHENTICODE
+
+/// @brief Looks into crypt message for countersignature in unauthenticated attributes. Can either be RFC3161 or RSA countersignature
+/// @param[in]      crypt_msg               Crypt message from which to look for countersignatures
+/// @param[in]      cert_store              Signature certificates store
+/// @param[in]      signature_index         Signature identified by its index to use to retrieve unauthenticated attributes
+/// @param[out]     countersignature_array  Countersignatures array into which to insert found countersignatures
+/// @param[in, out] certificate_array       Array of certificates into which to insert newly found certificates in the case of a MS RFC3161 countersignature
+/// @return ERROR_SUCCESS if everything went well, a Yara error code otherwise
+INT look_for_counter_signature_authenticode(
+    _In_        CONST   HCRYPTMSG                       crypt_msg,
+    _In_        CONST   HCERTSTORE                      cert_store,
+    _In_        CONST   DWORD                           signature_index,
+    _Outptr_            CountersignatureArray*  *CONST  countersignature_array,
+    _Inout_             CertificateArray        *CONST  certificate_array
+);
+
+#endif // USE_WINCRYPT_AUTHENTICODE
+
+#endif // !YR_AUTHENTICODE_WINDOWS_COUNTERSIGNATURE_H