Status: Closed (antonioCoco closed this 5 months ago)
ms_countersig_new is exiting early because the call to d2i_PKCS7 shown below returns NULL.
It looks like something in the parsing logic is not correct. I've noticed that you already filed an issue at https://github.com/avast/authenticode-parser/issues/16, which is the library used by YARA for authenticode parsing. Let's see if they come up with a solution.
A PR for these types of countersignatures has been created in authenticode-parser. Since the issue is not really trivial, it needs more testing before being merged or even integrated into YARA, though.
Fixed in #2034
Describe the bug
When using the "pe" module with the "signatures" array, the "countersignatures" array is not parsed properly for Microsoft-signed drivers, e.g. procexp.sys. The "number_of_countersignatures" field is populated correctly, so the module correctly detects a countersignature, but if you try to access any field in the array it will show invalid data, like "sign_time" = 0 and "verified" = 0. BTW, this bug happens with any driver signed by Microsoft: you can pick any driver with a signature in the C:\Windows\System32\drivers directory and the same unwanted behavior happens. The parsing of countersignatures from non-Microsoft-signed drivers works properly, e.g. kprocesshacker.sys.
To Reproduce
Steps to reproduce the behavior:
1. Use the following testing YARA rule:
2. Run the above YARA rule on a Microsoft-signed driver, e.g. procexp.sys:
As you can observe in the above output, "sign_time" and "verified" have not been parsed properly for the countersignature.
Expected behavior
The expected behavior is that the array of countersignatures is populated correctly and that the number_of_countersignatures value correctly reflects what to expect in the countersignatures array.
Below is an example of a successful parsing of countersignatures on a non-Microsoft-signed driver, e.g. kprocesshacker.sys:
In the above example you can see that all of the countersignatures contain properly parsed values for the "sign_time" and "verified" fields.
Screenshots
When using the "Digital Signatures" tab from Explorer in Windows, you can see that it correctly parses the countersignature from Microsoft-signed drivers. Below is an example for the procexp.sys driver:
Additional context
N/A
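As an added example (my own, not the rule from the original report), a pair of triage rules that use the pe module fields discussed above; the rule names are mine, the field names are the pe module's own, and the second rule matches the symptom described in the report (countersignatures counted but with zeroed fields):

```yara
import "pe"

// Added example, not part of the original issue. Walks every Authenticode
// signature the "pe" module exposes and checks that its countersignature
// array is internally consistent: each entry has a sign_time and verifies.
rule pe_countersignatures_parsed_and_verified
{
    meta:
        description = "Every countersignature carries a sign_time and verifies"
    condition:
        pe.is_pe and
        pe.number_of_signatures > 0 and
        for all sig in pe.signatures : (
            sig.number_of_countersignatures > 0 and
            for all cs in sig.countersignatures : (
                cs.verified == 1 and cs.sign_time > 0
            )
        )
}

// Matches the behavior reported above: number_of_countersignatures says
// entries exist, yet every entry reads back as sign_time = 0 and
// verified = 0. Useful to find files a given YARA build cannot parse.
rule pe_countersignatures_counted_but_unparsed
{
    meta:
        description = "Countersignatures counted but their fields are all zero"
    condition:
        pe.is_pe and
        for any sig in pe.signatures : (
            sig.number_of_countersignatures > 0 and
            for all cs in sig.countersignatures : (
                cs.sign_time == 0 and cs.verified == 0
            )
        )
}
```

Array iteration with for ... in requires YARA 4.2 or later, and the countersignatures array requires a build with the authenticode-parser based pe module.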