... | ... |
@@ -1164,83 +1164,46 @@ static int asn1_parse_mscat(fmap_t *map, void *start, unsigned int size, crtmgr |
1164 | 1164 |
break; |
1165 | 1165 |
} |
1166 | 1166 |
|
1167 |
- |
|
1167 |
+ cli_dbgmsg("asn1_parse_mscat: catalog succesfully parsed\n"); |
|
1168 | 1168 |
return 0; |
1169 | 1169 |
} while(0); |
1170 | 1170 |
|
1171 |
- cli_errmsg("asn1: epic parsing fail\n"); |
|
1171 |
+ cli_dbgmsg("asn1_parse_mscat: failed to parse catalog\n"); |
|
1172 | 1172 |
return 1; |
1173 | 1173 |
} |
1174 | 1174 |
|
1175 |
- |
|
1176 | 1175 |
int asn1_load_mscat(fmap_t *map, void *start, unsigned int size, struct cl_engine *engine) { |
1177 | 1176 |
void *hashes; |
1178 | 1177 |
unsigned int hashes_size; |
1179 |
- return asn1_parse_mscat(map, start, size, &engine->cmgr, 0, &hashes, &hashes_size); |
|
1180 |
-} |
|
1181 |
- |
|
1182 |
-int asn1_check_mscat(fmap_t *map, void *start, unsigned int size, const struct cl_engine *engine, uint8_t *computed_sha1) { |
|
1183 |
- unsigned int content_size; |
|
1184 | 1178 |
struct cli_asn1 c; |
1185 |
- void *content; |
|
1186 |
- crtmgr certs; |
|
1187 |
- int ret; |
|
1188 | 1179 |
|
1189 |
- crtmgr_init(&certs); |
|
1190 |
- if(crtmgr_add_roots(&certs)) { |
|
1191 |
- /* FIXME: do smthng here */ |
|
1192 |
- crtmgr_free(&certs); |
|
1193 |
- return CL_CLEAN; |
|
1194 |
- } |
|
1195 |
- ret = asn1_parse_mscat(map, start, size, &certs, 1, &content, &content_size); |
|
1196 |
- crtmgr_free(&certs); |
|
1197 |
- if(ret) |
|
1198 |
- return CL_VIRUS; /* FIXME */ |
|
1180 |
+ if(asn1_parse_mscat(map, start, size, &engine->cmgr, 0, &hashes, &hashes_size)) |
|
1181 |
+ return 1; |
|
1199 | 1182 |
|
1200 |
- if(asn1_expect_objtype(map, content, &content_size, &c, 0x30)) |
|
1201 |
- return CL_VIRUS; |
|
1202 |
- if(asn1_expect_obj(map, &c.content, &c.size, 0x06, lenof(OID_SPC_PE_IMAGE_DATA_OBJID), OID_SPC_PE_IMAGE_DATA_OBJID)) |
|
1203 |
- return CL_VIRUS; |
|
1204 |
- if(asn1_expect_objtype(map, c.next, &content_size, &c, 0x30)) |
|
1205 |
- return CL_VIRUS; |
|
1206 |
- if(content_size) { |
|
1207 |
- cli_dbgmsg("asn1_check_mscat: extra data in content\n"); |
|
1208 |
- return CL_VIRUS; |
|
1183 |
+ if(asn1_expect_objtype(map, hashes, &hashes_size, &c, 0x30)) |
|
1184 |
+ return 1; |
|
1185 |
+ if(asn1_expect_obj(map, &c.content, &c.size, 0x06, lenof(OID_szOID_CATALOG_LIST), OID_szOID_CATALOG_LIST)) |
|
1186 |
+ return 1; |
|
1187 |
+ if(c.size) { |
|
1188 |
+ cli_dbgmsg("asn1_load_mscat: found extra data in szOID_CATALOG_LIST content\n"); |
|
1189 |
+ return 1; |
|
1209 | 1190 |
} |
1210 |
- if(asn1_expect_algo(map, &c.content, &c.size, lenof(OID_sha1), OID_sha1)) |
|
1211 |
- return CL_VIRUS; |
|
1212 |
- |
|
1213 |
- if(asn1_expect_obj(map, &c.content, &c.size, 0x04, SHA1_HASH_SIZE, computed_sha1)) |
|
1214 |
- return CL_VIRUS; |
|
1215 |
- |
|
1216 |
- cli_dbgmsg("asn1_check_mscat: file with valid authenicode signature, whitelisted\n"); |
|
1217 |
- return CL_CLEAN; |
|
1218 |
-} |
|
1219 |
- |
|
1220 |
- /* dsize = deep.size; */ |
|
1221 |
- /* if(asn1_expect_objtype(map, deep.content, &dsize, &deep, 0x30)) */ |
|
1222 |
- /* break; */ |
|
1223 |
- /* if(asn1_expect_obj(map, &deep.content, &deep.size, 0x06, lenof(OID_szOID_CATALOG_LIST), OID_szOID_CATALOG_LIST)) /\* szOID_CATALOG_LIST - 1.3.6.1.4.1.311.12.1.1 *\/ */ |
|
1224 |
- /* break; */ |
|
1225 |
- /* if(deep.size) { */ |
|
1226 |
- /* cli_dbgmsg("asn1_parse_mscat: found extra data in szOID_CATALOG_LIST content\n"); */ |
|
1227 |
- /* break; */ |
|
1228 |
- /* } */ |
|
1229 |
- /* if(asn1_expect_objtype(map, deep.next, &dsize, &deep, 0x4)) /\* List ID *\/ */ |
|
1230 |
- /* break; */ |
|
1231 |
- /* if(asn1_expect_objtype(map, deep.next, &dsize, &deep, 0x17)) /\* Effective date - WTF?! *\/ */ |
|
1232 |
- /* break; */ |
|
1233 |
- /* if(asn1_expect_algo(map, &deep.next, &dsize, lenof(OID_szOID_CATALOG_LIST_MEMBER), OID_szOID_CATALOG_LIST_MEMBER)) /\* szOID_CATALOG_LIST_MEMBER *\/ */ |
|
1234 |
- /* break; */ |
|
1235 |
- /* if(asn1_expect_objtype(map, deep.next, &dsize, &deep, 0x30)) /\* hashes here *\/ */ |
|
1236 |
- /* break; */ |
|
1237 |
- /* while(deep.size) { */ |
|
1238 |
- /* struct cli_asn1 tag; */ |
|
1239 |
- /* if(asn1_expect_objtype(map, deep.content, &deep.size, &deeper, 0x30)) { */ |
|
1240 |
- /* deep.size = 1; */ |
|
1241 |
- /* break; */ |
|
1242 |
- /* } */ |
|
1243 |
- /* deep.content = deeper.next; */ |
|
1191 |
+ if(asn1_expect_objtype(map, c.next, &hashes_size, &c, 0x4)) /* List ID */ |
|
1192 |
+ return 1; |
|
1193 |
+ if(asn1_expect_objtype(map, c.next, &hashes_size, &c, 0x17)) /* Effective date - WTF?! */ |
|
1194 |
+ return 1; |
|
1195 |
+ if(asn1_expect_algo(map, &c.next, &hashes_size, lenof(OID_szOID_CATALOG_LIST_MEMBER), OID_szOID_CATALOG_LIST_MEMBER)) /* szOID_CATALOG_LIST_MEMBER */ |
|
1196 |
+ return 1; |
|
1197 |
+ if(asn1_expect_objtype(map, c.next, &hashes_size, &c, 0x30)) /* hashes here */ |
|
1198 |
+ return 1; |
|
1199 |
+ cli_errmsg("ACAB: %u\n", hashes_size); |
|
1200 |
+ while(c.size) { |
|
1201 |
+ struct cli_asn1 tag; |
|
1202 |
+ if(asn1_expect_objtype(map, c.content, &c.size, &tag, 0x30)) { |
|
1203 |
+ c.size = 1; |
|
1204 |
+ break; |
|
1205 |
+ } |
|
1206 |
+ c.content = tag.next; |
|
1244 | 1207 |
/* if(asn1_expect_objtype(map, deeper.content, &deeper.size, &tag, 0x04)) { /\* TAG NAME *\/ */ |
1245 | 1208 |
/* deep.size = 1; */ |
1246 | 1209 |
/* break; */ |
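Review bot: `cli_errmsg("ACAB: %u\n", hashes_size);` in the new asn1_load_mscat is a leftover debug trace emitted at error level whenever parsing reaches the member list; it should be dropped, or become `cli_dbgmsg("asn1_load_mscat: %u bytes left after member list\n", hashes_size);` if the remaining byte count is worth keeping. The member loop that follows only checks that each entry is a SEQUENCE and steps past it — the tag/hash extraction below it is still commented out — so the function returns 0 without having recorded anything from the catalog, and a `/* TODO: member tags and hashes are not loaded yet */` on the loop would stop callers from assuming otherwise. The 0x17 check also deserves a real comment in place of `/* Effective date - WTF?! */`, e.g. `/* UTCTime: catalog effective date */`. asn1_load_mscat continues past the end of this hunk.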
... | ... |
@@ -1300,6 +1263,46 @@ int asn1_check_mscat(fmap_t *map, void *start, unsigned int size, const struct c |
1300 | 1300 |
/* deep.size = 1; */ |
1301 | 1301 |
/* break; */ |
1302 | 1302 |
/* } */ |
1303 |
- /* } */ |
|
1304 |
- /* if(deep.size) */ |
|
1305 |
- /* break; */ |
|
1303 |
+ } |
|
1304 |
+ if(c.size) |
|
1305 |
+ return 1; |
|
1306 |
+ return 0; |
|
1307 |
+} |
|
1308 |
+ |
|
1309 |
+int asn1_check_mscat(fmap_t *map, void *start, unsigned int size, const struct cl_engine *engine, uint8_t *computed_sha1) { |
|
1310 |
+ unsigned int content_size; |
|
1311 |
+ struct cli_asn1 c; |
|
1312 |
+ void *content; |
|
1313 |
+ crtmgr certs; |
|
1314 |
+ int ret; |
|
1315 |
+ |
|
1316 |
+ crtmgr_init(&certs); |
|
1317 |
+ if(crtmgr_add_roots(&certs)) { |
|
1318 |
+ /* FIXME: do smthng here */ |
|
1319 |
+ crtmgr_free(&certs); |
|
1320 |
+ return CL_CLEAN; |
|
1321 |
+ } |
|
1322 |
+ ret = asn1_parse_mscat(map, start, size, &certs, 1, &content, &content_size); |
|
1323 |
+ crtmgr_free(&certs); |
|
1324 |
+ if(ret) |
|
1325 |
+ return CL_VIRUS; /* FIXME */ |
|
1326 |
+ |
|
1327 |
+ if(asn1_expect_objtype(map, content, &content_size, &c, 0x30)) |
|
1328 |
+ return CL_VIRUS; |
|
1329 |
+ if(asn1_expect_obj(map, &c.content, &c.size, 0x06, lenof(OID_SPC_PE_IMAGE_DATA_OBJID), OID_SPC_PE_IMAGE_DATA_OBJID)) |
|
1330 |
+ return CL_VIRUS; |
|
1331 |
+ if(asn1_expect_objtype(map, c.next, &content_size, &c, 0x30)) |
|
1332 |
+ return CL_VIRUS; |
|
1333 |
+ if(content_size) { |
|
1334 |
+ cli_dbgmsg("asn1_check_mscat: extra data in content\n"); |
|
1335 |
+ return CL_VIRUS; |
|
1336 |
+ } |
|
1337 |
+ if(asn1_expect_algo(map, &c.content, &c.size, lenof(OID_sha1), OID_sha1)) |
|
1338 |
+ return CL_VIRUS; |
|
1339 |
+ |
|
1340 |
+ if(asn1_expect_obj(map, &c.content, &c.size, 0x04, SHA1_HASH_SIZE, computed_sha1)) |
|
1341 |
+ return CL_VIRUS; |
|
1342 |
+ |
|
1343 |
+ cli_dbgmsg("asn1_check_mscat: file with valid authenicode signature, whitelisted\n"); |
|
1344 |
+ return CL_CLEAN; |
|
1345 |
+} |
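Review bot: In asn1_check_mscat the crtmgr_add_roots() failure path returns CL_CLEAN, the same value the function returns at its end to mean "valid Authenticode signature, whitelisted"; a trust-store initialisation failure would therefore whitelist every signed file as soon as a caller honours the result (cli_scanpe currently discards it). The function is moved rather than changed and the FIXME already marks the gap, but the fail-closed choice is one line, using the value the function already returns for every other verification failure: `return CL_VIRUS; /* no trust roots: cannot verify, do not whitelist */`. The two statements at the top of this hunk (`if(c.size) return 1;` and `return 0;`) close asn1_load_mscat, which begins outside the hunk.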
... | ... |
@@ -2654,106 +2654,6 @@ int cli_scanpe(cli_ctx *ctx) { |
2654 | 2654 |
hlen -= 8; |
2655 | 2655 |
hptr = fmap_need_off_once(map, hsize + 8, hlen); |
2656 | 2656 |
asn1_check_mscat(map, hptr, hlen - 4, ctx->engine, shash1); |
2657 |
-#if 0 |
|
2658 |
- { |
|
2659 |
- struct cli_asn1 asn1; |
|
2660 |
- unsigned int old_hlen, success; |
|
2661 |
- void *old_next; |
|
2662 |
- uint8_t crt_sha1[SHA1_HASH_SIZE]; |
|
2663 |
- |
|
2664 |
- hlen = optional_hdr32.DataDirectory[4].Size; |
|
2665 |
- hlen -= 8; |
|
2666 |
- hptr = fmap_need_off_once(map, hsize + 8, hlen); |
|
2667 |
- do { |
|
2668 |
- if(asn1_expect_objtype(map, hptr, &hlen, &asn1, 0x30)) /* SEQUENCE */ |
|
2669 |
- break; |
|
2670 |
- hlen = asn1.size; |
|
2671 |
- if(asn1_expect_obj(map, &asn1.content, &hlen, 0x06, 9, "\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02")) /* OBJECT 1.2.840.113549.1.7.2 - pkcs7 signedData */ |
|
2672 |
- break; |
|
2673 |
- if(asn1_expect_objtype(map, asn1.content, &hlen, &asn1, 0xa0)) /* [0] */ |
|
2674 |
- break; |
|
2675 |
- hlen = asn1.size; |
|
2676 |
- if(asn1_expect_objtype(map, asn1.content, &hlen, &asn1, 0x30)) /* SEQUENCE */ |
|
2677 |
- break; |
|
2678 |
- hlen = asn1.size; |
|
2679 |
- if(asn1_expect_obj(map, &asn1.content, &hlen, 0x02, 1, "\x01")) /* INTEGER - VERSION 1 */ |
|
2680 |
- break; |
|
2681 |
- |
|
2682 |
- if(!asn1_expect_objtype(map, asn1.content, &hlen, &asn1, 0x31)) { /* SET OF DigestAlgorithmIdentifier */ |
|
2683 |
- success = 0; |
|
2684 |
- old_hlen = hlen; |
|
2685 |
- old_next = asn1.next; |
|
2686 |
- |
|
2687 |
- hlen = asn1.size; |
|
2688 |
- if(asn1_expect_objtype(map, asn1.content, &hlen, &asn1, 0x30)) /* SEQUENCE */ |
|
2689 |
- break; |
|
2690 |
- asn1.next = asn1.content; |
|
2691 |
- hlen = asn1.size; |
|
2692 |
- while(hlen) { |
|
2693 |
- if(asn1_get_obj(map, asn1.next, &hlen, &asn1)) |
|
2694 |
- break; |
|
2695 |
- if(asn1.type == 0x05 && asn1.size == 0) { /* NULL or */ |
|
2696 |
- success++; |
|
2697 |
- break; |
|
2698 |
- } |
|
2699 |
- if(asn1.type != 0x06) /* Algo ID */ |
|
2700 |
- break; |
|
2701 |
- if(asn1.size == 5 && fmap_need_ptr_once(map, asn1.content, 5) && !memcmp(asn1.content, "\x2b\x0e\x03\x02\x1a", 5)) /* but only sha1 */ |
|
2702 |
- if(!success) |
|
2703 |
- success++; |
|
2704 |
- } |
|
2705 |
- if(success < 2) |
|
2706 |
- break; |
|
2707 |
- hlen = old_hlen; |
|
2708 |
- asn1.next = old_next; |
|
2709 |
- } else |
|
2710 |
- break; |
|
2711 |
- |
|
2712 |
- if(asn1_expect_objtype(map, asn1.next, &hlen, &asn1, 0x30)) /* SEQUENCE */ |
|
2713 |
- break; |
|
2714 |
- |
|
2715 |
- if(ms_asn1_get_sha1(map, asn1.content, asn1.size, 1, crt_sha1, NULL)) |
|
2716 |
- break; |
|
2717 |
- |
|
2718 |
- for(i=0; i<sizeof(crt_sha1); i++) |
|
2719 |
- sprintf(&shatxt[i*2], "%02x", crt_sha1[i]); |
|
2720 |
- cli_errmsg("CRT sha: %s\n", shatxt); |
|
2721 |
- |
|
2722 |
- if(memcmp(crt_sha1, shash1, sizeof(crt_sha1))) |
|
2723 |
- break; |
|
2724 |
- |
|
2725 |
- if(asn1_expect_objtype(map, asn1.next, &hlen, &asn1, 0xa0)) /* certificates */ |
|
2726 |
- break; |
|
2727 |
- |
|
2728 |
- old_hlen = hlen; |
|
2729 |
- old_next = asn1.next; |
|
2730 |
- hlen = asn1.size; |
|
2731 |
- asn1.next = asn1.content; |
|
2732 |
- success = 1; |
|
2733 |
- while(hlen) { |
|
2734 |
- cli_crt x509; |
|
2735 |
- /* FIXME, new proto */ |
|
2736 |
- /* if(!asn1_get_x509(map, &asn1.next, &hlen, &x509)) */ |
|
2737 |
- /* continue; */ |
|
2738 |
- success = 0; |
|
2739 |
- break; |
|
2740 |
- } |
|
2741 |
- if(!success) |
|
2742 |
- break; |
|
2743 |
- |
|
2744 |
- hlen = old_hlen; |
|
2745 |
- if(asn1_get_obj(map, old_next, &hlen, &asn1)) |
|
2746 |
- break; |
|
2747 |
- if(asn1.type == 0xa1 && asn1_get_obj(map, asn1.next, &hlen, &asn1)) /* crls - unused shouldn't be present */ |
|
2748 |
- break; |
|
2749 |
- |
|
2750 |
- if(asn1.type != 0x31) /* signerInfos */ |
|
2751 |
- break; |
|
2752 |
- |
|
2753 |
- cli_errmsg("good %u - %p\n", hlen, asn1.next); |
|
2754 |
- } while(0); |
|
2755 |
- } |
|
2756 |
-#endif |
|
2757 | 2657 |
|
2758 | 2658 |
free(exe_sections); |
2759 | 2659 |
return ret; |
... | ... |
@@ -2365,7 +2365,8 @@ static int cli_loadmscat(FILE *fs, struct cl_engine *engine, unsigned int option |
2365 | 2365 |
return 1; |
2366 | 2366 |
} |
2367 | 2367 |
|
2368 |
- asn1_load_mscat(map, base, map->len, engine); |
|
2368 |
+ if(asn1_load_mscat(map, base, map->len, engine)) |
|
2369 |
+ cli_errmsg("BIG FAIL\n"); |
|
2369 | 2370 |
funmap(map); |
2370 | 2371 |
return 0; |
2371 | 2372 |
} |
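Review bot: A parse failure in cli_loadmscat is logged as `BIG FAIL` and then ignored — the function still unmaps and returns 0, so a truncated or malformed catalog database loads as a success and the engine carries on in whatever state asn1_load_mscat left it. The message is also a placeholder that gives an operator nothing to act on. Propagate the failure with the non-zero convention the function already uses on its earlier `return 1;`, and name the function in the message.
```c
    if(asn1_load_mscat(map, base, map->len, engine)) {
        cli_errmsg("cli_loadmscat: failed to parse catalog file\n");
        funmap(map);
        return 1;
    }
    funmap(map);
    return 0;
```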