Added DomitoGetPortableExecutableDigestKind

2023-07-01 06:12:05 +02:00 · 2023-07-01 06:12:05 +02:00 · 965c6d8730
commit 965c6d8730
parent e930f829ca
2 changed files with 71 additions and 1 deletions
--- a/include/Domito.h
+++ b/include/Domito.h
@ -128,6 +128,7 @@ DomitoFindExportedFunctionAddress(
 _Success_(return == STATUS_SUCCESS)
 _Must_inspect_result_
 _IRQL_requires_max_(DISPATCH_LEVEL)
+EXTERN_C
 NTSTATUS
 DomitoMemorySearchPattern(
    _In_ PCUCHAR pcPattern,
@ -137,3 +138,14 @@ DomitoMemorySearchPattern(
    _In_ SIZE_T puSize,
    _Outptr_result_maybenull_ PVOID * ppMatch
 );
+
+//
+// Extracts the CALG_ID from a signed PE that was used to
+// calculate the message digest when it was signed
+//
+EXTERN_C
+UINT32
+DomitoGetPortableExecutableDigestKind(
+    _In_ PUCHAR pPeBytes,
+    _In_ PIMAGE_DATA_DIRECTORY pImgDataDirectory
+);
--- a/src/Domito.cpp
+++ b/src/Domito.cpp
@ -135,7 +135,7 @@ DomitoFindModuleBaseAddress(

            // Found the module, store the base address
            if (ModuleBase)
-            {                
+            {
                *ModuleBase = moduleInfo->Module[i].Base;
            }
            break;
@ -257,3 +257,61 @@ DomitoMemorySearchPattern(

    return STATUS_NOT_FOUND;
 }
+
+UINT32
+DomitoGetPortableExecutableDigestKind(
+    _In_ PUCHAR pPeBytes,
+    _In_ PIMAGE_DATA_DIRECTORY pImgDataDirectory
+)
+{
+    if (!pImgDataDirectory[IMAGE_DIRECTORY_ENTRY_SECURITY].VirtualAddress)
+    {
+        return CALG_SHA1;
+    }
+
+    const PVOID pBase = pPeBytes + pImgDataDirectory[IMAGE_DIRECTORY_ENTRY_SECURITY].VirtualAddress;
+    const LPWIN_CERTIFICATE pCert = (WIN_CERTIFICATE*)pBase;
+    PUCHAR pMatch = NULL;
+
+    if (NT_SUCCESS(DomitoMemorySearchPattern(
+        (const PUCHAR)"\x30\x21\x30\x09\x06\x05\x2b\x0e\x03\x02\x1a\x05\x00\x04\x14",
+        0x00,
+        15,
+        pBase,
+        pCert->dwLength,
+        (PVOID*)&pMatch
+    )))
+    {
+        return CALG_SHA1;
+    }
+
+    if (NT_SUCCESS(DomitoMemorySearchPattern(
+        (const PUCHAR)"\x30\xcc\x30\x0d\x06\x09\x60\x86\x48\x01\x65\x03\x04\x02\xcc\x05\x00\x04\xcc",
+        0xcc,
+        19,
+        pBase,
+        pCert->dwLength,
+        (PVOID*)&pMatch
+    )))
+    {
+        if (pMatch == NULL)
+        {
+            return CALG_SHA1;
+        }
+
+        if (pMatch[1] == 0x31 && pMatch[14] == 0x01 && pMatch[18] == 0x20)
+        {
+            return CALG_SHA256;
+        }
+        else if (pMatch[1] == 0x41 && pMatch[14] == 0x02 && pMatch[18] == 0x30)
+        {
+            return CALG_SHA384;
+        }
+        else if (pMatch[1] == 0x51 && pMatch[14] == 0x03 && pMatch[18] == 0x40)
+        {
+            return CALG_SHA512;
+        }
+    }
+
+    return CALG_SHA1;
+}