EmersonElectricCo / fsf

File Scanning Framework
Apache License 2.0

Question about META_PE_SIGNATURE.py ? #38

Closed mayarblack closed 7 years ago

mayarblack commented 7 years ago

    typedef struct _WIN_CERTIFICATE
    {
        DWORD dwLength;
        WORD  wRevision;
        WORD  wCertificateType;
        BYTE  bCertificate[ANYSIZE_ARRAY];
    } WIN_CERTIFICATE, *LPWIN_CERTIFICATE;

thanks.

jxb5151 commented 7 years ago

I don't believe we are extracting this information within the module. After looking over the code for the module, this snippet is instructive:

   # Eight bytes in due to the struct spec
   # typedef struct _WIN_CERTIFICATE
   # {
   #     DWORD       dwLength;
   #     WORD        wRevision;
   #     WORD        wCertificateType;   
   #     BYTE        bCertificate[ANYSIZE_ARRAY];
   # } WIN_CERTIFICATE, *LPWIN_CERTIFICATE;
   sig_buff = buff[address + 8 : address + 8 + size]

So we are just focusing on the buffer containing the bCertificate data exclusively, and parsing that data.
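To make that 8-byte skip explicit, here is an added example (not code from FSF's META_PE_SIGNATURE module) that walks a certificate table entry by entry using the struct quoted above. The revision and type constants are the winnt.h values; the two table entries built for the demo are constructed stand-ins, not real PKCS#7 blobs.

```python
"""Parse the WIN_CERTIFICATE entries in a PE security directory.
Added example for this thread; field names follow the struct above."""
import struct

# Constants from the Windows SDK (winnt.h).
WIN_CERT_REVISION_1_0 = 0x0100
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002

HEADER = struct.Struct("<IHH")   # dwLength, wRevision, wCertificateType
HEADER_SIZE = HEADER.size        # 8: the offset the module skips to reach bCertificate


def parse_certificate_table(buff, address, size):
    """Return [(revision, cert_type, bCertificate), ...] for the table at
    buff[address:address + size].

    dwLength counts the 8-byte header, and consecutive entries are padded to
    an 8-byte boundary, so bCertificate always starts 8 bytes into an entry."""
    end = address + size
    if end > len(buff):
        raise ValueError("certificate table runs past end of buffer")
    entries = []
    pos = address
    while pos + HEADER_SIZE <= end:
        length, revision, cert_type = HEADER.unpack_from(buff, pos)
        if length < HEADER_SIZE or pos + length > end:
            raise ValueError("bad dwLength %d at offset %d" % (length, pos))
        entries.append((revision, cert_type, buff[pos + HEADER_SIZE:pos + length]))
        pos += (length + 7) & ~7          # next entry on the next QWORD boundary
    return entries


def build_entry(cert_bytes, revision=WIN_CERT_REVISION_2_0,
                cert_type=WIN_CERT_TYPE_PKCS_SIGNED_DATA):
    """Construct one padded WIN_CERTIFICATE entry (demo input only)."""
    body = HEADER.pack(HEADER_SIZE + len(cert_bytes), revision, cert_type) + cert_bytes
    return body + b"\0" * (-len(body) % 8)


if __name__ == "__main__":
    # Constructed buffer: 16 filler bytes standing in for the rest of the file,
    # followed by a two-entry certificate table.
    table = build_entry(b"\x30\x03\x02\x01\x01") + \
            build_entry(b"\x30\x05\x02\x03\x01\x02\x03", revision=WIN_CERT_REVISION_1_0)
    sample = b"\0" * 16 + table
    for rev, typ, cert in parse_certificate_table(sample, 16, len(table)):
        print("revision=0x%04x type=%d bCertificate=%s" % (rev, typ, cert.hex()))
```

Real tables almost always hold a single revision 2.0, type 2 entry whose bCertificate is the DER-encoded PKCS#7 SignedData; the loop and the dwLength bounds check matter because a corrupt length is the simplest way to push a naive slice past the end of the file.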

mayarblack commented 7 years ago

Thanks for replying. I am trying to write a process for validating a PE's signature:

1) Read PE headers: (done)

2) Validate certificate: (I don't know how)

3) Validate file's hash: (I don't know how)

Can you please help me write a Python script that does that process?

jxb5151 commented 7 years ago

Hmm, I'm not directly familiar with this process, but a little research turned up a few methods out there that might be of use to you:

x509 verification - http://aviadas.com/blog/2015/06/18/verifying-x509-certificate-chain-of-trust-in-python/

PKCS#7 - http://stackoverflow.com/questions/15979542/verify-signature-of-pkcs7-signed-file-using-python

You might also want to look at hashlib for hash comparisons.
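For step 3 the hashlib comparison is not a plain hash of the whole file: Authenticode hashes the image with the CheckSum field, the security data-directory entry and the certificate table itself left out, and that digest is what gets compared with the one embedded in the PKCS#7 signature. The following added example (not FSF code) computes that digest; the single-section PE32 image it builds is a constructed test input, not a real executable, and no certificate or chain validation is attempted here.

```python
"""Authenticode-style PE image hash.  Added example for this thread, not
code from FSF; build_sample_pe() produces a constructed test image."""
import hashlib
import struct

SECURITY_DIR_INDEX = 4   # IMAGE_DIRECTORY_ENTRY_SECURITY


def authenticode_hash(data, algo="sha256"):
    """Hash a PE image the way Authenticode does: everything except the
    CheckSum field, the security data-directory entry and the certificate
    table, with section raw data taken in file-offset order."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 60)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = pe_off + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:        # PE32
        data_dirs = opt + 96
    elif magic == 0x20B:      # PE32+
        data_dirs = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    checksum_off = opt + 64   # same offset in PE32 and PE32+
    size_of_headers = struct.unpack_from("<I", data, opt + 60)[0]
    sec_dir = data_dirs + SECURITY_DIR_INDEX * 8
    _cert_off, cert_size = struct.unpack_from("<II", data, sec_dir)

    h = hashlib.new(algo)
    h.update(data[:checksum_off])                 # headers up to CheckSum
    h.update(data[checksum_off + 4:sec_dir])      # skip CheckSum, up to the security entry
    h.update(data[sec_dir + 8:size_of_headers])   # skip the entry, rest of the headers

    # Section raw data, sorted by PointerToRawData regardless of header order.
    sections = []
    for i in range(nsections):
        hdr = opt + opt_size + i * 40
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)
        if raw_size:
            sections.append((raw_ptr, raw_size))
    hashed = size_of_headers
    for ptr, size in sorted(sections):
        h.update(data[ptr:ptr + size])
        hashed += size

    # Any trailing data (an overlay) is hashed too, minus the certificate table.
    extra = len(data) - hashed - cert_size
    if extra > 0:
        h.update(data[hashed:hashed + extra])
    return h.hexdigest()


def build_sample_pe(code, checksum=0, cert_blob=b""):
    """Constructed single-section PE32 image, for demonstration only."""
    align = 512
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 64)                          # e_lfanew
    cert_table = b""
    if cert_blob:                                                # WIN_CERTIFICATE, rev 2.0, PKCS#7
        cert_table = struct.pack("<IHH", 8 + len(cert_blob), 0x0200, 0x0002) + cert_blob
        cert_table += b"\0" * (-len(cert_table) % 8)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, align)   # ImageBase, alignments
    struct.pack_into("<II", opt, 56, 0x2000, align)              # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 64, checksum)                    # CheckSum
    struct.pack_into("<H", opt, 68, 2)                           # Subsystem: GUI
    struct.pack_into("<I", opt, 92, 16)                          # NumberOfRvaAndSizes
    cert_off = 2 * align if cert_table else 0
    struct.pack_into("<II", opt, 96 + SECURITY_DIR_INDEX * 8, cert_off, len(cert_table))
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x1000, 0x1000, align, align,
                       0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect).ljust(align, b"\0")
    return headers + code.ljust(align, b"\0")[:align] + cert_table


if __name__ == "__main__":
    plain = build_sample_pe(b"\x90\x90\xc3")
    signed = build_sample_pe(b"\x90\x90\xc3", checksum=0xDEADBEEF, cert_blob=b"\x30\x03\x02\x01\x01")
    print(authenticode_hash(plain))
    print(authenticode_hash(signed))    # same digest: checksum and cert table are excluded
```

The two printed digests match because neither the CheckSum nor the appended certificate table is part of the hashed region, which is exactly what lets a signer compute the digest before the signature exists. Changing a single byte inside the section, by contrast, changes the digest, so the value returned here is the one to compare against the messageDigest carried in the signature's SpcIndirectDataContent once step 2 has established that the signer's certificate is trusted.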