...
|
...
|
@@ -5631,11 +5631,6 @@ cl_error_t cli_check_auth_header(cli_ctx *ctx, struct cli_exe_info *peinfo)
|
5631
|
5631
|
goto finish;
|
5632
|
5632
|
}
|
5633
|
5633
|
|
5634
|
|
- /* Security to End of header */
|
5635
|
|
- hlen = peinfo->hdr_size - at;
|
5636
|
|
- add_chunk_to_hash_list(at, hlen);
|
5637
|
|
- at += hlen;
|
5638
|
|
-
|
5639
|
5634
|
if (sec_dir_offset) {
|
5640
|
5635
|
|
5641
|
5636
|
// Verify that we have all the bytes we expect in the authenticode sig
|
...
|
...
|
@@ -5646,12 +5641,14 @@ cl_error_t cli_check_auth_header(cli_ctx *ctx, struct cli_exe_info *peinfo)
|
5646
|
5646
|
goto finish;
|
5647
|
5647
|
}
|
5648
|
5648
|
|
5649
|
|
- // Hash everything from the end of the header to the start of the
|
5650
|
|
- // security section
|
|
5649
|
+ // Hash everything else up to the start of the security section. Allow
|
|
5650
|
+ // the case where at == sec_dir_offset without adding another region
|
|
5651
|
+ // to hash, since this could technically be valid (although I haven't
|
|
5652
|
+ // verified this).
|
5651
|
5653
|
if (at < sec_dir_offset) {
|
5652
|
5654
|
hlen = sec_dir_offset - at;
|
5653
|
5655
|
add_chunk_to_hash_list(at, hlen);
|
5654
|
|
- } else {
|
|
5656
|
+ } else if(at > sec_dir_offset) {
|
5655
|
5657
|
cli_dbgmsg("cli_check_auth_header: security directory offset appears to overlap with the PE header\n");
|
5656
|
5658
|
goto finish;
|
5657
|
5659
|
}
|
...
|
...
|
@@ -5705,8 +5702,7 @@ cl_error_t cli_check_auth_header(cli_ctx *ctx, struct cli_exe_info *peinfo)
|
5705
|
5705
|
|
5706
|
5706
|
} else {
|
5707
|
5707
|
|
5708
|
|
- // Hash everything from the end of the header to the end of the
|
5709
|
|
- // file
|
|
5708
|
+ // Hash everything else
|
5710
|
5709
|
if (at < fsize) {
|
5711
|
5710
|
hlen = fsize - at;
|
5712
|
5711
|
add_chunk_to_hash_list(at, hlen);
|
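Review bot: In the second hunk (new lines 5649–5659) the `at > sec_dir_offset` test no longer compares against the end of the header, because the first hunk removes the step that advanced `at` to `peinfo->hdr_size`. As far as the visible lines show, a security directory offset that falls between `at` and `peinfo->hdr_size` is now accepted and the header bytes before it are hashed as one ordinary region, while the debug message still says it "appears to overlap with the PE header". If rejecting such files is still intended, keep an explicit bound such as `if (sec_dir_offset < peinfo->hdr_size) { cli_dbgmsg(...); goto finish; }`; if it is not, reword the message to say the offset precedes the region already hashed. The new comment's "although I haven't verified this" means the `at == sec_dir_offset` case is accepted on an unchecked assumption in a signature-verification path, so a regression sample or a `cli_dbgmsg` on that case would make it observable. `cli_check_auth_header` begins and ends outside these hunks, so the value of `at` on entry is inferred from the removed lines.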