Browse code
Fix actual authenticode hash computation for header overlap case I'm really not sure why my testing earlier didn't catch that the computed hash was not correct, but this seems to fix it in the UPX case
Andrew authored on 2018/09/05 00:28:20Showing 1 changed files
| ... | ... |
@@ -5660,6 +5660,7 @@ int cli_checkfp_pe(cli_ctx *ctx, uint8_t *authsha1, stats_section_t *hashes, uin |
| 5660 | 5660 |
/* Security to End of header */ |
| 5661 | 5661 |
hlen = hdr_size - at; |
| 5662 | 5662 |
hash_chunk(at, hlen, 0, 0); |
| 5663 |
+ at += hlen; |
|
| 5663 | 5664 |
break; |
| 5664 | 5665 |
} |
| 5665 | 5666 |
|
| ... | ... |
@@ -5669,6 +5670,24 @@ int cli_checkfp_pe(cli_ctx *ctx, uint8_t *authsha1, stats_section_t *hashes, uin |
| 5669 | 5669 |
continue; |
| 5670 | 5670 |
|
| 5671 | 5671 |
hash_chunk(exe_sections[i].raw, exe_sections[i].rsz, 1, i); |
| 5672 |
+ |
|
| 5673 |
+ /* If the section overlaps with the header (the case for UPX binaries) |
|
| 5674 |
+ * adjust the entry in the authenticode hash regions list to account |
|
| 5675 |
+ * for the fact that we've already accounted for computing the hash |
|
| 5676 |
+ * over the header */ |
|
| 5677 |
+ if (exe_sections[i].raw < at) |
|
| 5678 |
+ {
|
|
| 5679 |
+ uint32_t overlap_size = (at - exe_sections[i].raw); |
|
| 5680 |
+ if (overlap_size >= exe_sections[i].rsz) {
|
|
| 5681 |
+ /* The section completely overlaps the header. Setting the |
|
| 5682 |
+ * size to zero should prevent this section from affecting |
|
| 5683 |
+ * the actual Authenticode hash computation. */ |
|
| 5684 |
+ regions[nregions-1].size = 0; |
|
| 5685 |
+ } else {
|
|
| 5686 |
+ regions[nregions-1].size -= overlap_size; |
|
| 5687 |
+ regions[nregions-1].ptr += overlap_size; |
|
| 5688 |
+ } |
|
| 5689 |
+ } |
|
| 5672 | 5690 |
} |
| 5673 | 5691 |
|
| 5674 | 5692 |
/* Finally, if there is data after the section with the highest |