@@ -1360,7 +1360,7 @@ static int asn1_parse_countersignature(fmap_t *map, const void **asn1data, unsig

     return 1;

 }

-static int asn1_parse_mscat(fmap_t *map, size_t offset, unsigned int size, crtmgr *cmgr, int embedded, const void **hashes, unsigned int *hashes_size, struct cl_engine *engine) {

+static cl_error_t asn1_parse_mscat(fmap_t *map, size_t offset, unsigned int size, crtmgr *cmgr, int embedded, const void **hashes, unsigned int *hashes_size, struct cl_engine *engine) {

     struct cli_asn1 asn1, deep, deeper;

     uint8_t issuer[SHA1_HASH_SIZE], serial[SHA1_HASH_SIZE];

     const uint8_t *message, *attrs;

@@ -1374,7 +1374,7 @@ static int asn1_parse_mscat(fmap_t *map, size_t offset, unsigned int size, crtmg

     cli_crt *x509;

     void *ctx;

     int result;

-    int isBlacklisted = 0;

+    cl_error_t ret = CL_EPARSE;

     cli_dbgmsg("in asn1_parse_mscat\n");

@@ -1589,9 +1589,10 @@ static int asn1_parse_mscat(fmap_t *map, size_t offset, unsigned int size, crtmg

                             // NOTE: In this case, parent is a blacklist entry

                             // in cmgr for this certificate, not a blacklist

                             // entry for this certificate's parent

-                            isBlacklisted = 1;

+                            ret = CL_VIRUS;

                             cli_dbgmsg("asn1_parse_mscat: Authenticode certificate %s is revoked. Flagging sample as virus.\n", (parent->name ? parent->name : "(no name)"));

-                            break;

+                            crtmgr_free(&newcerts);

+                            goto finish;

                         }

                         // TODO Why is this done?

@@ -1874,6 +1875,7 @@ static int asn1_parse_mscat(fmap_t *map, size_t offset, unsigned int size, crtmg

         // Verify the authenticatedAttributes

         if(!(x509 = crtmgr_verify_pkcs7(cmgr, issuer, serial, asn1.content, asn1.size, hashtype, hash, VRFY_CODE))) {

             cli_dbgmsg("asn1_parse_mscat: pkcs7 signature verification failed\n");

+            ret = CL_EVERIFY;

             break;

         }

         message = asn1.content;

@@ -1895,10 +1897,12 @@ static int asn1_parse_mscat(fmap_t *map, size_t offset, unsigned int size, crtmg

             if(now < x509->not_before || now > x509->not_after) {

                 cli_dbgmsg("asn1_parse_mscat: no countersignature (unauthAttrs missing) and signing certificate has expired\n");

+                ret = CL_EVERIFY;

                 break;

             }

             cli_dbgmsg("asn1_parse_mscat: no countersignature (unauthAttrs missing) but the signing certificate is still valid\n");

+            ret = CL_CLEAN;

             goto finish;

         }

@@ -1998,6 +2002,8 @@ static int asn1_parse_mscat(fmap_t *map, size_t offset, unsigned int size, crtmg

         if(dsize)

             break;

+        cli_dbgmsg("asn1_parse_mscat: unauthenticatedAttributes successfully parsed\n");

+

         if (1 != (result & 1)) {

             time_t now;

@@ -2006,23 +2012,22 @@ static int asn1_parse_mscat(fmap_t *map, size_t offset, unsigned int size, crtmg

             if(now < x509->not_before || now > x509->not_after) {

                 cli_dbgmsg("asn1_parse_mscat: no countersignature and signing certificate has expired\n");

+                ret = CL_EVERIFY;

                 break;

             }

             cli_dbgmsg("asn1_parse_mscat: no countersignature but the signing certificate is still valid\n");

         }

-        cli_dbgmsg("asn1_parse_mscat: unauthenticatedAttributes successfully parsed\n");

+        ret = CL_CLEAN;

-finish:

-        if (isBlacklisted) {

-            return 1;

-        }

-        return 0;

     } while(0);

-    cli_dbgmsg("asn1_parse_mscat: failed to parse catalog\n");

-    return 1;

+finish:

+    if (CL_EPARSE == ret) {

+        cli_dbgmsg("asn1_parse_mscat: failed to parse authenticode section\n");

+    }

+    return ret;

 }

 int asn1_load_mscat(fmap_t *map, struct cl_engine *engine) {

@@ -2031,7 +2036,15 @@ int asn1_load_mscat(fmap_t *map, struct cl_engine *engine) {

     struct cli_matcher *db;

     int i;

-    if(asn1_parse_mscat(map, 0, map->len, &engine->cmgr, 0, &c.next, &size, engine))

+    // TODO As currently implemented, loading in a .cat file with -d requires

+    // an accompanying .crb with whitelist entries that will cause the .cat

+    // file signatures to verify successfully.  If a user is specifying a .cat

+    // file to use, though, we should assume they trust it and at least add the

+    // covered hashes from it to hm_fp

+    // TODO Since we pass engine->cmgr directly here, the whole chain of trust

+    // for this .cat file will get added to the global trust store assuming it

+    // verifies successfully.  Is this a bug for a feature?

+    if(CL_CLEAN != asn1_parse_mscat(map, 0, map->len, &engine->cmgr, 0, &c.next, &size, engine))

         return 1;

     if(asn1_expect_objtype(map, c.next, &size, &c, ASN1_TYPE_SEQUENCE))

@@ -2172,7 +2185,12 @@ int asn1_load_mscat(fmap_t *map, struct cl_engine *engine) {

     return 0;

 }

-int asn1_check_mscat(struct cl_engine *engine, fmap_t *map, size_t offset, unsigned int size, struct cli_mapped_region *regions, uint32_t nregions) {

+/* Check an embedded PE Authenticode section to determine whether it's trusted.

+ * This will return CL_CLEAN if the file should be trusted, CL_EPARSE if an

+ * error occurred while parsing the signature, CL_EVERIFY if parsing was

+ * successful but there were no whitelist rules for the signature, and

+ * CL_VIRUS if a blacklist rule was found for an embedded certificate. */

+cl_error_t asn1_check_mscat(struct cl_engine *engine, fmap_t *map, size_t offset, unsigned int size, struct cli_mapped_region *regions, uint32_t nregions) {

     unsigned int content_size;

     struct cli_asn1 c;

     cli_crt_hashtype hashtype;

@@ -2183,29 +2201,30 @@ int asn1_check_mscat(struct cl_engine *engine, fmap_t *map, size_t offset, unsig

     int ret;

     void *ctx;

+    // TODO Move these into cli_checkfp_pe

     if (!(engine->dconf->pe & PE_CONF_CERTS))

-        return CL_VIRUS;

+        return CL_EVERIFY;

     if (engine->engine_options & ENGINE_OPTIONS_DISABLE_PE_CERTS)

-        return CL_VIRUS;

+        return CL_EVERIFY;

     cli_dbgmsg("in asn1_check_mscat (offset: %llu)\n", (long long unsigned)offset);

     crtmgr_init(&certs);

     if(crtmgr_add_roots(engine, &certs)) {

         crtmgr_free(&certs);

-        return CL_VIRUS;

+        return CL_EVERIFY;

     }

     ret = asn1_parse_mscat(map, offset, size, &certs, 1, &content, &content_size, engine);

     crtmgr_free(&certs);

-    if(ret)

-        return CL_VIRUS;

+    if(CL_CLEAN != ret)

+        return ret;

     if(asn1_expect_objtype(map, content, &content_size, &c, ASN1_TYPE_SEQUENCE)) {

         cli_dbgmsg("asn1_check_mscat: expected SEQUENCE at top level of hash container\n");

-        return CL_VIRUS;

+        return CL_EPARSE;

     }

     if(asn1_expect_obj(map, &c.content, &c.size, ASN1_TYPE_OBJECT_ID, lenof(OID_SPC_PE_IMAGE_DATA_OBJID), OID_SPC_PE_IMAGE_DATA_OBJID)) {

         cli_dbgmsg("asn1_check_mscat: expected spcPEImageData OID in the first hash SEQUENCE\n");

-        return CL_VIRUS;

+        return CL_EPARSE;

     }

     // TODO Should we do anything with the underlying SEQUENCE and data?  From

@@ -2214,28 +2233,31 @@ int asn1_check_mscat(struct cl_engine *engine, fmap_t *map, size_t offset, unsig

     if(asn1_expect_objtype(map, c.next, &content_size, &c, ASN1_TYPE_SEQUENCE)) {

         cli_dbgmsg("asn1_check_mscat: expected second hash container object to be a SEQUENCE\n");

-        return CL_VIRUS;

+        return CL_EPARSE;

     }

     if(content_size) {

         cli_dbgmsg("asn1_check_mscat: extra data in hash SEQUENCE\n");

-        return CL_VIRUS;

+        return CL_EPARSE;

     }

     if(asn1_expect_hash_algo(map, &c.content, &c.size, &hashtype, &hashsize)) {

         cli_dbgmsg("asn1_check_mscat: unexpected file hash algo\n");

-        return CL_VIRUS;

+        return CL_EPARSE;

     }

     if (NULL == (ctx = get_hash_ctx(hashtype))) {

-        return CL_VIRUS;

+        return CL_EPARSE;

     }

     // Now that we know the hash algorithm, compute the authenticode hash

     // across the required regions of memory.

     for(unsigned int i = 0; i < nregions; i++) {

-        const uint8_t *hptr; \

+        const uint8_t *hptr;

+        if (0 == regions[i].size) {

+            continue;

+        }

         if(!(hptr = fmap_need_off_once(map, regions[i].offset, regions[i].size))){

-            return CL_VIRUS;

+            return CL_EVERIFY;

         }

         cl_update_hash(ctx, hptr, regions[i].size);

@@ -2252,11 +2274,11 @@ int asn1_check_mscat(struct cl_engine *engine, fmap_t *map, size_t offset, unsig

     if(asn1_expect_obj(map, &c.content, &c.size, ASN1_TYPE_OCTET_STRING, hashsize, hash)) {

         cli_dbgmsg("asn1_check_mscat: computed authenticode hash did not match stored value\n");

-        return CL_VIRUS;

+        return CL_EVERIFY;

     }

     if(c.size) {

         cli_dbgmsg("asn1_check_mscat: extra data after the stored authenticode hash\n");

-        return CL_VIRUS;

+        return CL_EPARSE;

     }

     cli_dbgmsg("asn1_check_mscat: file with valid authenticode signature, whitelisted\n");

@@ -31,6 +31,6 @@ struct cli_mapped_region {

 };

 int asn1_load_mscat(fmap_t *map, struct cl_engine *engine);

-int asn1_check_mscat(struct cl_engine *engine, fmap_t *map, size_t offset, unsigned int size, struct cli_mapped_region *regions, uint32_t nregions);

+cl_error_t asn1_check_mscat(struct cl_engine *engine, fmap_t *map, size_t offset, unsigned int size, struct cli_mapped_region *regions, uint32_t nregions);

 #endif

@@ -632,19 +632,14 @@ int cli_checkfp_virus(unsigned char *digest, size_t size, cli_ctx *ctx, const ch

         if (!(ctx->engine->engine_options & ENGINE_OPTIONS_DISABLE_PE_STATS) && !(ctx->engine->dconf->stats & (DCONF_STATS_DISABLED | DCONF_STATS_PE_SECTION_DISABLED)))

             flags |= CL_CHECKFP_PE_FLAG_STATS;

-        switch(cli_checkfp_pe(ctx, shash1, &sections, flags)) {

+        switch(cli_checkfp_pe(ctx, &sections, flags)) {

         case CL_CLEAN:

-            cli_dbgmsg("cli_checkfp(pe): PE file whitelisted due to valid embedded digital signature\n");

+            cli_dbgmsg("cli_checkfp(pe): PE file whitelisted due to valid digital signature\n");

             if (sections.sections)

                 free(sections.sections);

             return CL_CLEAN;

-        case CL_VIRUS:

-            if(cli_hm_scan(shash1, 2, &virname, ctx->engine->hm_fp, CLI_HASH_SHA1) == CL_VIRUS) {

-                cli_dbgmsg("cli_checkfp(pe): PE file whitelisted by catalog file\n");

-                if (sections.sections)

-                    free(sections.sections);

-                return CL_CLEAN;

-            }

+        default:

+            break;

         }

     }

@@ -5391,10 +5391,23 @@ static int sort_sects(const void *first, const void *second) {

 }

 /* Check the given PE file for an authenticode signature and return CL_CLEAN if

- * the signature is valid.  Also, this function computes the hashes of each

- * section (sorted based on the RVAs of the sections) if the

- * CL_CHECKFP_PE_FLAG_STATS flag exists in flags.

+ * the signature is valid.  There are two cases that this function should

+ * handle:

+ * - A PE file has an embedded Authenticode section

+ * - The PE file has no embedded Authenticode section but is covered by a

+ *   catalog file that was loaded in via a -d 

+ * CL_CLEAN will be returned if the file was whitelisted based on its

+ * signature.  CL_VIRUS will be returned if the file was blacklisted based on

+ * its signature.  Otherwise, an cl_error_t error value will be returned.

+ * 

+ * Also, this function computes the hashes of each section (sorted based on the

+ * RVAs of the sections) if the CL_CHECKFP_PE_FLAG_STATS flag exists in flags

  *

+ * TODO The code to compute the section hashes is copied from

+ * cli_genhash_pe - we should use that function instead where this

+ * functionality is needed, since we no longer need to compute the section

+ * hashes as part of the authenticode hash calculation.

+ * 

  * If the section hashes are to be computed and returned, this function

  * allocates memory for the section hashes, and it's up to the caller to free

  * it.  hashes->sections will be initialized to NULL at the beginning of the

@@ -5408,7 +5421,7 @@ static int sort_sects(const void *first, const void *second) {

  *  - TODO Instead of not providing back any hashes when an invalid section is

  *    encountered, would it be better to still compute hashes for the valid

  *    sections? */

-int cli_checkfp_pe(cli_ctx *ctx, uint8_t *authsha1, stats_section_t *hashes, uint32_t flags) {

+cl_error_t cli_checkfp_pe(cli_ctx *ctx, stats_section_t *hashes, uint32_t flags) {

     uint16_t e_magic; /* DOS signature ("MZ") */

     uint16_t nsections;

     uint32_t e_lfanew; /* address of new exe header */

@@ -5425,20 +5438,25 @@ int cli_checkfp_pe(cli_ctx *ctx, uint8_t *authsha1, stats_section_t *hashes, uin

     struct cli_exe_section *exe_sections;

     struct pe_image_data_dir *dirs;

     fmap_t *map = *ctx->fmap;

+    void *hashctx=NULL;

     struct pe_certificate_hdr cert_hdr;

-    struct cli_mapped_region *regions;

+    struct cli_mapped_region *regions = NULL;

     unsigned int nregions;

-    int ret;

+    cl_error_t ret = CL_EVERIFY;

+    uint8_t authsha1[SHA1_HASH_SIZE];

+    uint32_t sec_dir_offset;

+    uint32_t sec_dir_size;

+

+    if (flags == CL_CHECKFP_PE_FLAG_NONE)

+        return CL_BREAK;

     if (flags & CL_CHECKFP_PE_FLAG_STATS) {

         if (!(hashes))

-            return CL_EFORMAT;

+            return CL_ENULLARG;

         hashes->sections = NULL;

     }

-    if (flags == CL_CHECKFP_PE_FLAG_NONE)

-        return CL_VIRUS;

-

+    // TODO What does this do?

     if(!(DCONF & PE_CONF_CATALOG))

         return CL_EFORMAT;

@@ -5507,15 +5525,19 @@ int cli_checkfp_pe(cli_ctx *ctx, uint8_t *authsha1, stats_section_t *hashes, uin

         dirs = optional_hdr64.DataDirectory;

     }

+    sec_dir_offset = EC32(dirs[4].VirtualAddress);

+    sec_dir_size = EC32(dirs[4].Size);

+

     // As an optimization, check the security DataDirectory here and if

     // it's less than 8-bytes (and we aren't relying on this code to compute

-    // the section hashes), bail out

-    if (EC32(dirs[4].Size) < 8) {

+    // the section hashes), bail out if we don't have any Authenticode hashes

+    // loaded from .cat files

+    if (sec_dir_size < 8 && !cli_hm_have_size(ctx->engine->hm_fp, CLI_HASH_SHA1, 2)) {

         if (flags & CL_CHECKFP_PE_FLAG_STATS) {

             /* If stats is enabled, continue parsing the sample */

             flags ^= CL_CHECKFP_PE_FLAG_AUTHENTICODE;

         } else {

-            return CL_VIRUS;

+            return CL_BREAK;

         }

     }

     fsize = map->len;

@@ -5627,42 +5649,21 @@ int cli_checkfp_pe(cli_ctx *ctx, uint8_t *authsha1, stats_section_t *hashes, uin

         }

     }

-    /* After this point it's the caller's responsibility to free hashes->sections */

+    /* After this point it's the caller's responsibility to free

+     * hashes->sections. Also, in the case where we are just computing the

+     * stats, we are finished */

     free(exe_sections);

-    if (flags & CL_CHECKFP_PE_FLAG_AUTHENTICODE) {

-        /* Check to see if we have a security section. */

-        if(!cli_hm_have_size(ctx->engine->hm_fp, CLI_HASH_SHA1, 2) && EC32(dirs[4].Size) < 8) {

-            if (flags & CL_CHECKFP_PE_FLAG_STATS) {

-                /* If stats is enabled, continue parsing the sample */

-                flags ^= CL_CHECKFP_PE_FLAG_AUTHENTICODE;

-            } else {

-                return CL_BREAK;

-            }

-        }

-

+    while (flags & CL_CHECKFP_PE_FLAG_AUTHENTICODE) {

-        // Verify that we have all the bytes we expect in the authenticode sig

-        // and that the certificate table is the last thing in the file

-        // (according to the MS13-098 bulletin, this is a requirement)

-        if (fsize != EC32(dirs[4].Size) + EC32(dirs[4].VirtualAddress)) {

-            cli_dbgmsg("cli_checkfp_pe: expected authenticode data at the end of the file\n");

-            if (flags & CL_CHECKFP_PE_FLAG_STATS) {

-                flags ^= CL_CHECKFP_PE_FLAG_AUTHENTICODE;

-            } else {

-                return CL_EFORMAT;

-            }

+        // We'll build a list of the regions that need to be hashed and pass it to

+        // asn1_check_mscat to do hash verification there (the hash algorithm is

+        // specified in the PKCS7 structure).  We need to hash up to 4 regions

+        regions = (struct cli_mapped_region *) cli_calloc(4, sizeof(struct cli_mapped_region));

+        if(!regions) {

+            return CL_EMEM;

         }

-    }

-

-    // We'll build a list of the regions that need to be hashed and pass it to

-    // asn1_check_mscat to do hash verification there (the hash algorithm is

-    // specified in the PKCS7 structure).  We need to hash up to 4 regions

-    regions = (struct cli_mapped_region *) cli_calloc(4, sizeof(struct cli_mapped_region));

-    if(!regions) {

-        return CL_EMEM;

-    }

-    nregions = 0;

+        nregions = 0;

 #define add_chunk_to_hash_list(_offset, _size) \

     do { \

@@ -5673,7 +5674,9 @@ int cli_checkfp_pe(cli_ctx *ctx, uint8_t *authsha1, stats_section_t *hashes, uin

         } \

     } while(0)

-    while (flags & CL_CHECKFP_PE_FLAG_AUTHENTICODE) {

+        // Pretty much every case below should return CL_EFORMAT

+        ret = CL_EFORMAT;

+

         /* MZ to checksum */

         at = 0;

         hlen = e_lfanew + sizeof(struct pe_image_file_hdr) + (pe_plus ? offsetof(struct pe_image_optional_hdr64, CheckSum) : offsetof(struct pe_image_optional_hdr32, CheckSum));

@@ -5689,76 +5692,138 @@ int cli_checkfp_pe(cli_ctx *ctx, uint8_t *authsha1, stats_section_t *hashes, uin

         at += hlen + 8;

         if(at > hdr_size) {

-            if (flags & CL_CHECKFP_PE_FLAG_STATS) {

-                flags ^= CL_CHECKFP_PE_FLAG_AUTHENTICODE;

-                break;

-            } else {

-                free(regions);

-                return CL_EFORMAT;

-            }

+            break;

         }

         /* Security to End of header */

         hlen = hdr_size - at;

         add_chunk_to_hash_list(at, hlen);

         at += hlen;

-        break;

-    }

-    /* Finally, hash everything from the end of the header to the start of

-     * the security section, which must be the last thing in a file

-     */

-    if (at < EC32(dirs[4].VirtualAddress)) {

-        hlen = EC32(dirs[4].VirtualAddress)-at;

-        add_chunk_to_hash_list(at, hlen);

-    }

+        if (sec_dir_offset) {

+

+            // Verify that we have all the bytes we expect in the authenticode sig

+            // and that the certificate table is the last thing in the file

+            // (according to the MS13-098 bulletin, this is a requirement)

+            if (fsize != sec_dir_size + sec_dir_offset) {

+                cli_dbgmsg("cli_checkfp_pe: expected authenticode data at the end of the file\n");

+                break;

+            }

-    if (flags & CL_CHECKFP_PE_FLAG_AUTHENTICODE) {

+            // Hash everything from the end of the header to the start of the

+            // security section

+            if (at < sec_dir_offset) {

+                hlen = sec_dir_offset - at;

+                add_chunk_to_hash_list(at, hlen);

+            } else {

+                cli_dbgmsg("cli_checkfp_pe: security directory offset appears to overlap with the PE header\n");

+                break;

+            }

-        hlen = EC32(dirs[4].Size);

+            // Parse the security directory header

-        if(fmap_readn(map, &cert_hdr, EC32(dirs[4].VirtualAddress), sizeof(cert_hdr)) != sizeof(cert_hdr)) {

-            free(regions);

-            return CL_EFORMAT;

+            if(fmap_readn(map, &cert_hdr, sec_dir_offset, sizeof(cert_hdr)) != sizeof(cert_hdr)) {

+                break;

+            }

+

+            if (EC16(cert_hdr.revision) != WIN_CERT_REV_2) {

+                cli_dbgmsg("cli_checkfp_pe: unsupported authenticode data revision\n");

+                break;

+            }

+

+            if (EC16(cert_hdr.type) != WIN_CERT_TYPE_PKCS7) {

+                cli_dbgmsg("cli_checkfp_pe: unsupported authenticode data type\n");

+                break;

+            }

+

+            hlen = sec_dir_size;

+

+            if (EC32(cert_hdr.length) != hlen) {

+                /* This is the case that MS13-098 aimed to address, but it got

+                 * pushback to where the fix (not allowing additional, non-zero

+                 * bytes in the security directory) is now opt-in via a registry

+                 * key.  Given that most machines will treat these binaries as

+                 * valid, we'll still parse the signature and just trust that

+                 * our whitelist signatures are tailored enough to where any

+                 * instances of this are reasonable (for instance, I saw one

+                 * binary that appeared to use this to embed a license key.) */

+                cli_dbgmsg("cli_checkfp_pe: MS13-098 violation detected, but continuing on to verify certificate\n");

+            }

+

+            at = sec_dir_offset + sizeof(cert_hdr);

+            hlen -= sizeof(cert_hdr);

+

+            ret = asn1_check_mscat((struct cl_engine *)(ctx->engine), map, at, hlen, regions, nregions);

+

+            if (CL_CLEAN == ret) {

+                // We validated the embedded signature.  Hooray!

+                break;

+            } else if(CL_VIRUS == ret) {

+                // A blacklist rule hit - don't continue on to check hm_fp for a match

+                break;

+            }

+

+            // Otherwise, we still need to check to see whether this file is

+            // covered by a .cat file (it's common these days for driver files

+            // to have .cat files covering PEs with embedded signatures)

+

+        } else {

+

+            // Hash everything from the end of the header to the end of the

+            // file

+            if (at < fsize) {

+                hlen = fsize - at;

+                add_chunk_to_hash_list(at, hlen);

+            }

         }

-        if (EC16(cert_hdr.revision) != WIN_CERT_REV_2) {

-            cli_dbgmsg("cli_checkfp_pe: unsupported authenticode data revision\n");

-            free(regions);

-            return CL_VIRUS;

+        // At this point we should compute the SHA1 authenticode hash to see

+        // whether we've had any hashes added from external catalog files

+        // TODO Is it gauranteed that the hashing algorithm will be SHA1?  If

+        // not, figure out how to handle that case

+        hashctx = cl_hash_init("sha1");

+        if (NULL == hashctx) {

+            ret = CL_EMEM;

+            break;

         }

-        if (EC16(cert_hdr.type) != WIN_CERT_TYPE_PKCS7) {

-            cli_dbgmsg("cli_checkfp_pe: unsupported authenticode data type\n");

-            free(regions);

-            return CL_VIRUS;

+        for(i = 0; i < nregions; i++) {

+            const uint8_t *hptr;

+            if (0 == regions[i].size) {

+                continue;

+            }

+            if(!(hptr = fmap_need_off_once(map, regions[i].offset, regions[i].size))){

+                break;

+            }

+

+            cl_update_hash(hashctx, hptr, regions[i].size);

         }

-        if (EC32(cert_hdr.length) != hlen) {

-            /* This is the case that MS13-098 aimed to address, but it got

-             * pushback to where the fix (not allowing additional, non-zero

-             * bytes in the security directory) is now opt-in via a registry

-             * key.  Given that most machines will treat these binaries as

-             * valid, we'll still parse the signature and just trust that

-             * our whitelist signatures are tailored enough to where any

-             * instances of this are reasonable (for instance, I saw one

-             * binary that appeared to use this to embed a license key.) */

-            cli_dbgmsg("cli_checkfp_pe: MS13-098 violation detected, but continuing on to verify certificate\n");

+        if (i != nregions) {

+            break;

         }

-        at = EC32(dirs[4].VirtualAddress) + sizeof(cert_hdr);

-        hlen -= sizeof(cert_hdr);

+        cl_finish_hash(hashctx, authsha1);

+        hashctx = NULL;

-        ret = asn1_check_mscat((struct cl_engine *)(ctx->engine), map, at, hlen, regions, nregions);

+        if(cli_hm_scan(authsha1, 2, NULL, ctx->engine->hm_fp, CLI_HASH_SHA1) == CL_VIRUS) {

+            cli_dbgmsg("cli_checkfp_pe: PE file whitelisted by catalog file\n");

+            ret = CL_CLEAN;

+            break;

+        }

-        free(regions);

+        ret = CL_EVERIFY;

+        break;

+    } /* while(flags & CL_CHECKFP_PE_FLAG_AUTHENTICODE) */

-        return ret;

+    if (NULL != hashctx) {

+        cl_hash_destroy(hashctx);

+    }

-    } else {

+    if (NULL != regions) {

         free(regions);

-        return CL_VIRUS;

     }

+    return ret;

 }

 int cli_genhash_pe(cli_ctx *ctx, unsigned int class, int type)

@@ -187,7 +187,7 @@ enum {

 };

 int cli_peheader(fmap_t *map, struct cli_exe_info *peinfo);

-int cli_checkfp_pe(cli_ctx *ctx, uint8_t *authsha1, stats_section_t *hashes, uint32_t flags);

+cl_error_t cli_checkfp_pe(cli_ctx *ctx, stats_section_t *hashes, uint32_t flags);

 int cli_genhash_pe(cli_ctx *ctx, unsigned int class, int type);

 uint32_t cli_rawaddr(uint32_t, const struct cli_exe_section *, uint16_t, unsigned int *, size_t, uint32_t);

@@ -3392,13 +3392,12 @@ static int dumpcerts(const struct optstruct *opts)

 {

     char * filename = NULL;

     STATBUF sb;

-    const char * fmptr;

     struct cl_engine *engine;

     cli_ctx ctx;

     struct cl_scan_options options;

-    int fd, ret;

-    uint8_t shash1[SHA1_HASH_SIZE];

-	

+    int fd;

+    cl_error_t ret;

+

     logg_file = NULL;

     filename = optget(opts, "print-certs")->strarg;

@@ -3474,20 +3473,7 @@ static int dumpcerts(const struct optstruct *opts)

 	return -1;

     }

-    fmptr = fmap_need_off_once(*ctx.fmap, 0, sb.st_size);

-    if(!fmptr) {

-        mprintf("!dumpcerts: fmap_need_off_once failed!\n");

-        free(ctx.containers);

-        free(ctx.fmap);

-        close(fd);

-        cl_engine_free(engine);

-	return -1;

-    }

-

-    /* Generate SHA1 */

-    cl_sha1(fmptr, sb.st_size, shash1, NULL);

-

-    ret = cli_checkfp_pe(&ctx, shash1, NULL, CL_CHECKFP_PE_FLAG_AUTHENTICODE);

+    ret = cli_checkfp_pe(&ctx, NULL, CL_CHECKFP_PE_FLAG_AUTHENTICODE);

     switch(ret) {

         case CL_CLEAN:

@@ -3500,7 +3486,7 @@ static int dumpcerts(const struct optstruct *opts)

             mprintf("*dumpcerts: CL_BREAK after cli_checkfp_pe()!\n");

             break;

         case CL_EFORMAT:

-            mprintf("!dumpcerts: Not a valid PE file!\n");

+            mprintf("!dumpcerts: An error occurred when parsing the file\n");

             break;

         default:

             mprintf("!dumpcerts: Other error %d inside cli_checkfp_pe.\n", ret);