VirusTotal / yara-x

A rewrite of YARA in Rust.
https://virustotal.github.io/yara-x/
BSD 3-Clause "New" or "Revised" License

Implement authenticode_verify for pe module #231

Closed TheoTurletti closed 3 weeks ago

TheoTurletti commented 3 weeks ago

Hello,

It would be very interesting to implement a feature to verify digital signatures that does not rely on OpenSSL and uses Rust crypto crates in the same way vthib did in the boreal project: https://github.com/vthib/boreal?tab=readme-ov-file#authenticode-verify

Currently when I scan a PE file that is self-signed, both pe.is_valid and pe.signature.is_verified are set to true, which in my opinion is not really relevant.

plusvic commented 3 weeks ago

YARA-X doesn't depend on OpenSSL, it already uses Rust crypto crates for verifying the signatures by itself.

What you are asking for is probably a different thing, that is not related to whether YARA-X uses OpenSSL or not, but to the way in which the validation is performed. Both YARA and YARA-X use the same approach: they don't rely on certificates installed on the host system, they simply check that the PE signature is valid, and go up the signature chain until finding the highest level certificate that is included in the PE. If the whole chain is valid up to the highest level certificate, then pe.signature.is_verified is set to true. For making sure that the highest level certificate is ok, we would need to rely on the operating system's certificate storage; that's what boreal does when it uses WinVerifyTrust on Windows.

However, neither YARA nor YARA-X does that, and there's a reason for that: we want consistent results no matter the operating system. A YARA rule shouldn't produce different results depending on the operating system, or worse, depending on the certificates that are installed in the host machine.

The bottom line is: YARA doesn't validate PE signatures in the way the Windows operating system would do, it only checks the portion of the certificate chain that is included in the PE file itself.

This is stated in the documentation:

True if any of the PE signatures is verified. Verified here means that the signature is formally correct: digests match, signer public key correctly verifies the encrypted digest, etc. But this doesn't mean that the signer (and thus the signature) can be trusted, as there are no trust anchors involved in the verification.
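The practical consequence of the explanation above is that a rule author has to supply the trust decision themselves. The following rules are an added example, not code from the issue or from the YARA-X project; they use the `pe.signatures` array fields (`verified`, `subject`, `issuer`, `thumbprint`) from the YARA-X pe module documentation, and the thumbprint value is a constructed placeholder, not a real certificate.

```yara
import "pe"

// Added example. `verified` only says the chain embedded in the file is
// formally consistent, so the rule pins the signer certificate explicitly.
rule signed_by_pinned_publisher
{
  meta:
    description = "Formally valid Authenticode signature from an allow-listed signer"
  condition:
    pe.is_pe and
    for any sig in pe.signatures : (
      sig.verified and
      // Placeholder: replace with the SHA-1 thumbprint of the publisher's
      // signing certificate, taken from a known-good sample.
      sig.thumbprint == "0000000000000000000000000000000000000000"
    )
}

// Added example. Catches the case described in the issue: the signature
// verifies, but the signing certificate issued itself (subject == issuer),
// which is exactly what a self-signed certificate looks like.
rule formally_verified_but_self_signed
{
  meta:
    description = "Signature passes formal checks but the signer is self-signed"
  condition:
    pe.is_pe and
    for any sig in pe.signatures : (
      sig.verified and
      sig.subject == sig.issuer
    )
}
```

Without a trust-anchor list, matching only on `verified` treats both rules' signatures the same; the extra comparison is what distinguishes a trusted publisher from a chain that merely validates against itself.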