...
|
...
|
@@ -5660,6 +5660,7 @@ int cli_checkfp_pe(cli_ctx *ctx, uint8_t *authsha1, stats_section_t *hashes, uin
|
5660
|
5660
|
/* Security to End of header */
|
5661
|
5661
|
hlen = hdr_size - at;
|
5662
|
5662
|
hash_chunk(at, hlen, 0, 0);
|
|
5663
|
+ at += hlen;
|
5663
|
5664
|
break;
|
5664
|
5665
|
}
|
5665
|
5666
|
|
...
|
...
|
@@ -5669,6 +5670,24 @@ int cli_checkfp_pe(cli_ctx *ctx, uint8_t *authsha1, stats_section_t *hashes, uin
|
5669
|
5669
|
continue;
|
5670
|
5670
|
|
5671
|
5671
|
hash_chunk(exe_sections[i].raw, exe_sections[i].rsz, 1, i);
|
|
5672
|
+
|
|
5673
|
+ /* If the section overlaps with the header (the case for UPX binaries)
|
|
5674
|
+ * adjust the entry in the authenticode hash regions list to account
|
|
5675
|
+ * for the fact that we've already accounted for computing the hash
|
|
5676
|
+ * over the header */
|
|
5677
|
+ if (exe_sections[i].raw < at)
|
|
5678
|
+ {
|
|
5679
|
+ uint32_t overlap_size = (at - exe_sections[i].raw);
|
|
5680
|
+ if (overlap_size >= exe_sections[i].rsz) {
|
|
5681
|
+ /* The section completely overlaps the header. Setting the
|
|
5682
|
+ * size to zero should prevent this section from affecting
|
|
5683
|
+ * the actual Authenticode hash computation. */
|
|
5684
|
+ regions[nregions-1].size = 0;
|
|
5685
|
+ } else {
|
|
5686
|
+ regions[nregions-1].size -= overlap_size;
|
|
5687
|
+ regions[nregions-1].ptr += overlap_size;
|
|
5688
|
+ }
|
|
5689
|
+ }
|
5672
|
5690
|
}
|
5673
|
5691
|
|
5674
|
5692
|
/* Finally, if there is data after the section with the highest
|
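Review bot: The overlap adjustment added in the second hunk indexes `regions[nregions-1]` without checking that the preceding `hash_chunk(exe_sections[i].raw, exe_sections[i].rsz, 1, i)` call actually appended a region. If it did not, the code would shrink an earlier entry (presumably the header region) instead, and with `nregions == 0` the index is out of bounds. The definition of `hash_chunk` and the rest of `cli_checkfp_pe` lie outside the hunk, so this may already be guaranteed elsewhere, but the invariant should be visible here: either guard with `if (nregions > 0 && exe_sections[i].raw < at)` or add a comment such as `/* hash_chunk() above always appends exactly one region for this section */`. Because the section offsets and sizes come from the file being scanned, it is also worth confirming that every consumer of `regions` tolerates the zero-length entry left by `regions[nregions-1].size = 0`.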