m4b / goblin

An impish, cross-platform binary parsing crate, written in Rust
MIT License

Validating authenticode of PE File #416

Open samuel-sqrx opened 1 month ago

samuel-sqrx commented 1 month ago

Hi, I am trying to validate the authenticode of PE files by computing a hash from the PE file using goblin and then comparing against the authenticode signature in the PKCS7 SignedData.

It's working well for most exe files and the value matches. However, when I am testing it for firefox.exe, the computed value does not match the signature and I am wondering what is the issue.

This is the code I used to compute the authenticode, is there anything I am missing?

```rust
use openssl::hash::{Hasher, MessageDigest};

// Hash every byte range that goblin reports as covered by the Authenticode signature.
let mut xhasher = Hasher::new(MessageDigest::sha256()).unwrap();
let authenticode_data = pe.authenticode_ranges();
for a in authenticode_data.into_iter() {
    xhasher.update(a).unwrap();
}
let final_hash = xhasher.finish().unwrap();
println!("hash {:?}", hex::encode(final_hash));
```

The authenticode I computed: ee2d315da52ae04011dca0f89bba6801f81454f437463675b4285742d720076d

The actual authenticode: d60710b5d82808bd887e1d8f8cda866ce22eee173adb407b48e2c001456aeff3 (definitely correct, verified using other sources)

firefox.exe : https://www.mozilla.org/en-US/firefox/windows/
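The snippet above relies on goblin's `authenticode_ranges()` to decide which bytes feed the digest. When a computed digest disagrees with the one in the signature, the first thing to check is the range list itself. The following Python example, added here and not part of goblin or the reporter's code, recomputes those ranges directly from the raw PE headers using the rules in Microsoft's "Windows Authenticode Portable Executable Signature Format" (hash everything except the optional header's CheckSum field, the security data-directory entry, and the attribute certificate table), then hashes them. It runs over a constructed minimal PE32+ image (`build_sample_pe`, a hypothetical helper) so it can be executed offline; it also handles PE32 headers and trailing overlay data, which goes beyond the single file discussed above.

```python
"""Authenticode hash ranges computed from raw PE headers.

Added example, not goblin's code. The range rules follow Microsoft's
"Windows Authenticode Portable Executable Signature Format": every byte of
the file is hashed except the optional header's CheckSum field, the
security data-directory entry, and the attribute certificate table itself.
The sample PE built by build_sample_pe() is constructed for this example.
"""
import hashlib
import struct

SECURITY_DIR_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY


def authenticode_ranges(data: bytes) -> list:
    """Return the (start, end) byte ranges of `data` that feed the Authenticode digest."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:        # PE32: data directories start at offset 96
        dir_base = opt + 96
    elif magic == 0x20B:      # PE32+: data directories start at offset 112
        dir_base = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    size_of_headers = struct.unpack_from("<I", data, opt + 60)[0]
    checksum_off = opt + 64   # CheckSum sits at the same offset in PE32 and PE32+
    security_dir_off = dir_base + SECURITY_DIR_INDEX * 8
    if security_dir_off + 8 > opt + opt_size:
        raise ValueError("optional header has no security directory entry")
    cert_off, cert_size = struct.unpack_from("<II", data, security_dir_off)

    # Steps 1-3: headers, minus CheckSum (4 bytes) and the security directory entry (8 bytes).
    ranges = [(0, checksum_off),
              (checksum_off + 4, security_dir_off),
              (security_dir_off + 8, size_of_headers)]

    # Step 4: section bodies, ordered by file offset (PointerToRawData), empty sections skipped.
    sec_table = opt + opt_size
    sections = []
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec_table + i * 40 + 16)
        if raw_size:
            sections.append((raw_ptr, raw_ptr + raw_size))
    sections.sort()
    ranges.extend(sections)
    hashed_end = sections[-1][1] if sections else size_of_headers

    # Step 5: any trailing data (overlay) is hashed too, minus the certificate table itself.
    if len(data) > hashed_end:
        if cert_size:
            ranges.append((hashed_end, cert_off))
            ranges.append((cert_off + cert_size, len(data)))
        else:
            ranges.append((hashed_end, len(data)))
    return [(s, e) for s, e in ranges if e > s]


def authenticode_digest(data: bytes, algo: str = "sha256") -> str:
    """Hex digest over the Authenticode ranges; `algo` must match the signature's digestAlgorithm."""
    h = hashlib.new(algo)
    for start, end in authenticode_ranges(data):
        h.update(data[start:end])
    return h.hexdigest()


def build_sample_pe(signed: bool) -> bytes:
    """Constructed minimal PE32+ image with one 512-byte section. With `signed`, a dummy
    WIN_CERTIFICATE is appended, the security directory points at it and CheckSum is set."""
    cert = struct.pack("<IHH", 16, 0x0200, 0x0002) + b"DUMMYPK7"  # 16-byte WIN_CERTIFICATE
    cert_off, cert_size = (1024, len(cert)) if signed else (0, 0)
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)  # x64, 1 section, 240-byte opt hdr
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                          # PE32+ magic
    struct.pack_into("<II", opt, 32, 0x1000, 512)                  # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0x2000, 512)                  # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 64, 0xDEADBEEF if signed else 0)   # CheckSum (excluded from hash)
    struct.pack_into("<H", opt, 68, 2)                             # Subsystem: Windows GUI
    struct.pack_into("<I", opt, 108, 16)                           # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + SECURITY_DIR_INDEX * 8, cert_off, cert_size)
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 512, 512, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + coff + bytes(opt) + section
    headers += bytes(512 - len(headers))                           # pad to SizeOfHeaders
    image = headers + bytes(range(256)) * 2                        # 512-byte section body
    return image + cert if signed else image


if __name__ == "__main__":
    for signed in (False, True):
        pe = build_sample_pe(signed)
        print("signed" if signed else "unsigned", authenticode_ranges(pe), authenticode_digest(pe))
```

Because the CheckSum, the security directory entry and the certificate table are all excluded, signing the constructed image leaves its digest unchanged, which is exactly what lets a verifier recompute the hash over an already-signed file. The value to compare against is the `messageDigest` carried inside the `SpcIndirectDataContent` of the PKCS #7 SignedData, and the hash function passed to `authenticode_digest` has to be the `digestAlgorithm` named there. When two implementations disagree on a real file, printing both range lists side by side shows which of the five rules (headers, section order, overlay, certificate-table exclusion) they apply differently.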

m4b commented 1 month ago

there was some work going on here about authenticode, not sure what happened with it: https://github.com/m4b/goblin/issues/355 i don't know much about the topic myself, but if something needs to be fixed on our end, we should do that :)