VirusTotal / yara

The pattern matching swiss knife
https://virustotal.github.io/yara/
BSD 3-Clause "New" or "Revised" License

PE CounterSignatures not parsed correctly in Microsoft signed drivers #2012

Closed antonioCoco closed 5 months ago

antonioCoco commented 7 months ago

Describe the bug: When using the "pe" module with the "signatures" array, the "countersignatures" array is not parsed properly for drivers signed by Microsoft, e.g. procexp.sys. The "number_of_countersignatures" field is populated correctly, so the module correctly detects a countersignature, but if you try to access any field in the array it will show invalid data, like "sign_time" = 0 and "verified" = 0. BTW, this bug happens with any driver signed by Microsoft; you can pick any driver with a signature in the C:\Windows\System32\drivers directory and the same unwanted behavior happens. The parsing of countersignatures from non-Microsoft-signed drivers works properly, e.g. kprocesshacker.sys.

To Reproduce: Steps to reproduce the behavior:

Using the following testing yara rule:

import "pe"
import "console"

rule DriversCounterSignature
{
    meta:
        author = "Antonio Cocomazzi"

    condition:
        uint16(0) == 0x5a4d and
        pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_SECURITY].size > 0 and
        pe.imports("ntoskrnl.exe") and
        for any signature in pe.signatures : (
            console.log("signature.subject = ", signature.subject) and
            console.log("signature.thumbprint = ", signature.thumbprint) and
            console.log("signature.number_of_countersignatures = ", signature.number_of_countersignatures) and
            console.log("\tsignature.countersignatures[0].sign_time = ", signature.countersignatures[0].sign_time) and
            console.log("\tsignature.countersignatures[0].verified = ", signature.countersignatures[0].verified) and
            false
        )
}

Run the above YARA rule on a Microsoft-signed driver, e.g. procexp.sys:

yara64.exe DriversCounterSignature.yar 440883cd9d6a76db5e53517d0ec7fe13d5a50d2f6a7f91ecfc863bc3490e4f5c.SYS
signature.subject = /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows Hardware Compatibility Publisher
signature.thumbprint = 92d7192a7c3180912ff8414f790973a05c28f8b0
signature.number_of_countersignatures = 1
        signature.countersignatures[0].sign_time = 0
        signature.countersignatures[0].verified = 0

As you can observe in the above output, the "sign_time" and "verified" fields have not been parsed properly for the countersignature.

Expected behavior: The expected behavior is that the array of countersignatures is populated correctly and that the number_of_countersignatures value correctly reflects what to expect in the countersignatures array.

Below is an example of successful parsing of countersignatures on a non-Microsoft-signed driver, e.g. kprocesshacker.sys:

yara64.exe DriversCounterSignature.yar 70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4.sys
signature.subject = /C=AU/ST=New South Wales/L=Sydney/O=Wen Jia Liu/CN=Wen Jia Liu
signature.thumbprint = 32387aec09eb287f202e98398189b460f4c61a0d
signature.number_of_countersignatures = 1
        signature.countersignatures[0].sign_time = 1459189265
        signature.countersignatures[0].verified = 1
signature.subject = /C=AU/ST=New South Wales/L=Sydney/O=Wen Jia Liu/CN=Wen Jia Liu
signature.thumbprint = 190d956129dde6972d46f46ef98bd86b982e6633
signature.number_of_countersignatures = 1
        signature.countersignatures[0].sign_time = 1459189265
        signature.countersignatures[0].verified = 1

In the above example you can see that all of the countersignatures contain properly parsed values for the "sign_time" and "verified" fields.

Screenshots: When using the "Digital Signatures" tab from Explorer in Windows, you can see that it correctly parses the countersignature from Microsoft-signed drivers. Below is an example for the procexp.sys driver:

(screenshot: Digital Signatures tab for procexp.sys)


Additional context: N/A
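A rule that turns the inconsistency described in this report into a check, added here as an example and not part of the original issue: it matches a kernel driver whose signature reports one or more countersignatures while every entry in the countersignatures array comes back with verified = 0 and sign_time = 0, which is exactly the output shown above for procexp.sys. The pe module fields are the ones used in the report's own rule; the rule name and meta text are assumptions.

```yara
import "pe"

rule DriverCounterSignatureNotParsed
{
    meta:
        // Assumed description; the rule name and this text are not from the issue.
        description = "Kernel driver whose signature reports countersignatures, but no entry parsed (verified = 0 and sign_time = 0 for all of them)"

    condition:
        uint16(0) == 0x5a4d and
        pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_SECURITY].size > 0 and
        pe.imports("ntoskrnl.exe") and
        for any signature in pe.signatures : (
            // The count says a countersignature exists ...
            signature.number_of_countersignatures > 0 and
            // ... but none of the entries carries usable data.
            for all cs in signature.countersignatures : (
                cs.verified == 0 and cs.sign_time == 0
            )
        )
}
```

Running this over a directory such as C:\Windows\System32\drivers with an affected YARA build lists the files whose countersignature fields cannot be relied on; for those matches, a detection rule that keys on countersignature sign_time or verified would be reasoning over empty data, so it is safer to base decisions on the outer signature fields until the parser fix is in place.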

plusvic commented 6 months ago

ms_countersig_new is exiting early because the call to d2i_PKCS7 shown below returns NULL.

https://github.com/VirusTotal/yara/blob/5b6f0f6ecd32e9434be3f1db861d4866be43ba6e/libyara/modules/pe/authenticode-parser/countersignature.c#L217

It looks like something in the parsing logic is not correct. I've noticed that you already filed an issue at https://github.com/avast/authenticode-parser/issues/16, which is the library used by YARA for authenticode parsing. Let's see if they come up with a solution.

metthal commented 6 months ago

A PR for these types of countersignatures has been created in authenticode-parser. Since the issue is not really trivial, it needs more testing before being merged or even integrated into YARA, though.

plusvic commented 5 months ago

Fixed in #2034