
Handle case where Authenticode sig directly follows PE header

Andrew authored on 2019/11/14 07:05:05
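--- a/(file path not shown on page)
+++ b/(file path not shown on page)
@@ -5631,11 +5631,6 @@ cl_error_t cli_check_auth_header(cli_ctx *ctx, struct cli_exe_info *peinfo)
         goto finish;
     }
 
-    /* Security to End of header */
-    hlen = peinfo->hdr_size - at;
-    add_chunk_to_hash_list(at, hlen);
-    at += hlen;
-
     if (sec_dir_offset) {
 
         // Verify that we have all the bytes we expect in the authenticode sig
@@ -5646,12 +5641,14 @@ cl_error_t cli_check_auth_header(cli_ctx *ctx, struct cli_exe_info *peinfo)
             goto finish;
         }
 
-        // Hash everything from the end of the header to the start of the
-        // security section
+        // Hash everything else up to the start of the security section. Allow
+        // the case where at == sec_dir_offset without adding another region
+        // to hash, since this could technically be valid (although I haven't
+        // verified this).
         if (at < sec_dir_offset) {
             hlen = sec_dir_offset - at;
             add_chunk_to_hash_list(at, hlen);
-        } else {
+        } else if(at > sec_dir_offset) {
             cli_dbgmsg("cli_check_auth_header: security directory offset appears to overlap with the PE header\n");
             goto finish;
         }
@@ -5705,8 +5702,7 @@ cl_error_t cli_check_auth_header(cli_ctx *ctx, struct cli_exe_info *peinfo)
 
     } else {
 
-        // Hash everything from the end of the header to the end of the
-        // file
+        // Hash everything else
         if (at < fsize) {
             hlen = fsize - at;
             add_chunk_to_hash_list(at, hlen);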