Comments (3)
I don't believe we are extracting this information within the module. After looking over the code for the module, this snippet is instructive:
```python
# Eight bytes in due to the struct spec
# typedef struct _WIN_CERTIFICATE
# {
#     DWORD dwLength;
#     WORD  wRevision;
#     WORD  wCertificateType;
#     BYTE  bCertificate[ANYSIZE_ARRAY];
# } WIN_CERTIFICATE, *LPWIN_CERTIFICATE;
sig_buff = buff[address + 8 : address + 8 + size]
```
So we are just focusing on the buffer containing the bCertificate data exclusively, and parsing that data.
from fsf.
Thanks for replying.
I am trying to write a process for validating a PE's signature:

- Read PE headers: (done)
  - Read DataDirectory[IMAGE_DIRECTORY_ENTRY_SECURITY].VirtualAddress
  - Read DataDirectory[IMAGE_DIRECTORY_ENTRY_SECURITY].Size
- Validate certificate: (I don't know how)
  - Access the attribute certificate table, parse PKCS #7 and X.509 v3 and extract the data (issuer, hashes, etc.).
  - Validate the certificate information against the certificate store using CryptQueryObject, CryptMsgGetParam and CertFindCertificateInStore.
- Validate file's hash: (I don't know how)
  - Compare the file's hash against the hash mentioned in PKCS #7's SignedData. If it matches, the file has a valid signature. If not, the digital signature is invalid.

Can you please help me write a Python script that does that process?
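The first two steps of that list (locating the security directory and slicing bCertificate eight bytes into each WIN_CERTIFICATE entry, as the fsf snippet above does), written out as an added Python example that is not code from fsf. `build_sample_pe` constructs a minimal synthetic PE32 header skeleton so the parser runs offline; parsing the returned PKCS#7 blob and validating the chain and file hash are left to a dedicated library.

```python
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4       # index into the optional header's DataDirectory
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # bCertificate holds a PKCS#7 SignedData blob


def security_directory(pe: bytes):
    """(file_offset, size) of the attribute certificate table, or None if there is none.
    For this directory entry 'VirtualAddress' is a raw file offset, not an RVA."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad NT signature")
    opt_off = e_lfanew + 4 + 20                         # skip signature + IMAGE_FILE_HEADER
    magic = struct.unpack_from("<H", pe, opt_off)[0]
    dd_off = opt_off + (96 if magic == 0x10B else 112)  # PE32 vs PE32+ optional header
    offset, size = struct.unpack_from("<II", pe, dd_off + IMAGE_DIRECTORY_ENTRY_SECURITY * 8)
    return (offset, size) if offset and size else None


def certificate_blobs(pe: bytes):
    """Walk every WIN_CERTIFICATE entry and return the raw bCertificate bytes of each
    PKCS#7 SignedData entry (the input a PKCS#7/X.509 parser would consume next)."""
    loc = security_directory(pe)
    if loc is None:
        return []
    off, size = loc
    end = off + size
    if end > len(pe):
        raise ValueError("certificate table runs past end of file")
    blobs = []
    while off + 8 <= end:
        length, revision, cert_type = struct.unpack_from("<IHH", pe, off)
        if length < 8 or off + length > end:
            raise ValueError("malformed WIN_CERTIFICATE dwLength")
        if revision == WIN_CERT_REVISION_2_0 and cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA:
            blobs.append(pe[off + 8:off + length])      # eight bytes in, past the struct header
        off += (length + 7) & ~7                        # entries are padded to 8-byte alignment
    return blobs


def build_sample_pe(cert: bytes) -> bytes:
    """Constructed test input: minimal PE32 headers whose security directory points at one
    WIN_CERTIFICATE entry wrapping `cert`. Not a real signed binary."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)          # e_lfanew -> NT headers at 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x102)  # SizeOfOptionalHeader=224
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    entry = struct.pack("<IHH", 8 + len(cert), WIN_CERT_REVISION_2_0, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + cert
    table_off = 0x40 + 4 + 20 + 224                               # table placed right after the headers
    struct.pack_into("<II", opt, 96 + IMAGE_DIRECTORY_ENTRY_SECURITY * 8, table_off, len(entry))
    return dos + b"PE\0\0" + file_hdr + bytes(opt) + entry
```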
Hmm, I'm not directly familiar with this process, but a little research turned up a few methods out there that might be of use to you:
x509 verification - http://aviadas.com/blog/2015/06/18/verifying-x509-certificate-chain-of-trust-in-python/
PKCS#7 - http://stackoverflow.com/questions/15979542/verify-signature-of-pkcs7-signed-file-using-python
You might also want to look at hashlib for hash comparisons.