I think the -ph option in osslsigncode isn't functioning properly.
I've tried to sign a PE file using both signtool and osslsigncode with the -ph option. The signature from osslsigncode seems to contain an invalid SpcSerializedObject. The classId is correct, but the serializedData is invalid.
You can view the PKCS#7 signed data in the attachment. serializedData is very, very long in the signature from signtool, but short in the one from osslsigncode.
What's more, by viewing the octets in it, I think the serializedData produced by osslsigncode doesn't even contain either the SPC_PE_IMAGE_PAGE_HASHES_V1 (1.3.6.1.4.1.311.2.3.1) or the SPC_PE_IMAGE_PAGE_HASHES_V2 (1.3.6.1.4.1.311.2.3.2) DER object identifier. I don't know what these octets really are....
The code in
may not be correct. I've tried to locate the bug but failed. I don't understand why you need SpcAttributeTypeAndOptionalValue to produce SpcLink?
Some ASN.1 structures for your reference:
SpcIndirectDataContent ::= SEQUENCE {
    data          SpcAttributeTypeAndOptionalValue,
    messageDigest DigestInfo
}
SpcAttributeTypeAndOptionalValue ::= SEQUENCE {
    type  ObjectID,
    value [0] EXPLICIT ANY OPTIONAL
}
-- type should be the SPC_PE_IMAGE_DATAOBJ OID (1.3.6.1.4.1.311.2.1.15)
-- value should be an SpcPeImageData structure
SpcPeImageData ::= SEQUENCE {
    flags SpcPeImageFlags DEFAULT { includeResources },
    file  SpcLink
}
SpcLink ::= CHOICE {
    url     [0] IMPLICIT IA5STRING,
    moniker [1] IMPLICIT SpcSerializedObject,
    file    [2] EXPLICIT SpcString
}
SpcSerializedObject ::= SEQUENCE {
    classId        SpcUuid,
    serializedData OCTETSTRING
}
I can guess what the structure of serializedData is:
SpcSerializedObject ::= SEQUENCE {
    classId        SpcUuid,
    serializedData OCTETSTRING
}
OCTETSTRING ::= SET OF PageHashObject
PageHashObject ::= SEQUENCE {
    type       ObjectID,
    pageHashes OCTETSTRING
}
The pageHashes are addresses in uint32 followed by the hash in its length.
But I have no idea how the hash is calculated. I didn't get it from your code or from the Python script either.
attachment.zip
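As an added example (not code from osslsigncode, signtool, or the attachment), here is a small Python DER walker that decodes serializedData using the layout guessed above and reports which page-hash OIDs it carries, which is the quickest way to check a signature for the symptom described. Digest sizes per OID (20 bytes under the V1 OID, 32 under V2) and little-endian uint32 offsets are assumptions, and the sample blob at the end is constructed by hand.

```python
import struct

PAGE_HASHES_V1 = "1.3.6.1.4.1.311.2.3.1"
PAGE_HASHES_V2 = "1.3.6.1.4.1.311.2.3.2"
DIGEST_LEN = {PAGE_HASHES_V1: 20, PAGE_HASHES_V2: 32}  # assumed: V1 SHA-1, V2 SHA-256

def tlv(buf, pos):
    """Decode the DER element at pos -> (tag, body, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes carry the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """OID contents bytes -> dotted form (first byte is 40*a+b, then base-128 arcs)."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def parse_page_hashes(serialized):
    """Walk SET OF SEQUENCE { type OID, pageHashes OCTET STRING } and return
    {oid: [(offset, digest), ...]}; {} means no page-hash OID was found."""
    found, pos, (tag, body, _) = {}, 0, tlv(serialized, 0)
    if tag != 0x31:                         # not a SET: not the layout guessed above
        return found
    while pos < len(body):
        _, seq, pos = tlv(body, pos)
        _, oid_raw, p = tlv(seq, 0)
        _, blob, _ = tlv(seq, p)
        oid = decode_oid(oid_raw)
        if oid in DIGEST_LEN:               # entry = uint32 LE offset + one digest (assumed)
            n = 4 + DIGEST_LEN[oid]
            found[oid] = [(struct.unpack_from("<I", blob, i)[0], blob[i + 4:i + n])
                          for i in range(0, len(blob) - n + 1, n)]
    return found

# Constructed sample (not the attachment): DER of the V2 OID, then two entries
# at offsets 0 and 0x1000 with dummy 32-byte digests; short-form lengths suffice.
V2_OID_DER = bytes.fromhex("060a2b060104018237020302")
def der(tag, body):                         # short-form length only (body < 128 bytes)
    return bytes([tag, len(body)]) + body
def sample_page_hash_blob():
    entries = b"".join(struct.pack("<I", off) + bytes([i + 1]) * 32
                       for i, off in enumerate((0, 0x1000)))
    return der(0x31, der(0x30, V2_OID_DER + der(0x04, entries)))
```

Feed the OCTET STRING contents of serializedData from each signature to parse_page_hashes; an empty result on the osslsigncode output and a populated one on the signtool output would confirm the observation above.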