Added DomitoGetPortableExecutableDigestKind
This commit is contained in:
parent
e930f829ca
commit
965c6d8730
@ -128,6 +128,7 @@ DomitoFindExportedFunctionAddress(
|
|||||||
_Success_(return == STATUS_SUCCESS)
|
_Success_(return == STATUS_SUCCESS)
|
||||||
_Must_inspect_result_
|
_Must_inspect_result_
|
||||||
_IRQL_requires_max_(DISPATCH_LEVEL)
|
_IRQL_requires_max_(DISPATCH_LEVEL)
|
||||||
|
EXTERN_C
|
||||||
NTSTATUS
|
NTSTATUS
|
||||||
DomitoMemorySearchPattern(
|
DomitoMemorySearchPattern(
|
||||||
_In_ PCUCHAR pcPattern,
|
_In_ PCUCHAR pcPattern,
|
||||||
@ -137,3 +138,14 @@ DomitoMemorySearchPattern(
|
|||||||
_In_ SIZE_T puSize,
|
_In_ SIZE_T puSize,
|
||||||
_Outptr_result_maybenull_ PVOID * ppMatch
|
_Outptr_result_maybenull_ PVOID * ppMatch
|
||||||
);
|
);
|
||||||
|
|
||||||
|
//
|
||||||
|
// Extracts the CALG_ID from a signed PE that was used to
|
||||||
|
// calculate the message digest when it was signed
|
||||||
|
//
|
||||||
|
EXTERN_C
|
||||||
|
UINT32
|
||||||
|
DomitoGetPortableExecutableDigestKind(
|
||||||
|
_In_ PUCHAR pPeBytes,
|
||||||
|
_In_ PIMAGE_DATA_DIRECTORY pImgDataDirectory
|
||||||
|
);
|
||||||
|
@ -135,7 +135,7 @@ DomitoFindModuleBaseAddress(
|
|||||||
|
|
||||||
// Found the module, store the base address
|
// Found the module, store the base address
|
||||||
if (ModuleBase)
|
if (ModuleBase)
|
||||||
{
|
{
|
||||||
*ModuleBase = moduleInfo->Module[i].Base;
|
*ModuleBase = moduleInfo->Module[i].Base;
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
@ -257,3 +257,61 @@ DomitoMemorySearchPattern(
|
|||||||
|
|
||||||
return STATUS_NOT_FOUND;
|
return STATUS_NOT_FOUND;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
UINT32
|
||||||
|
DomitoGetPortableExecutableDigestKind(
|
||||||
|
_In_ PUCHAR pPeBytes,
|
||||||
|
_In_ PIMAGE_DATA_DIRECTORY pImgDataDirectory
|
||||||
|
)
|
||||||
|
{
|
||||||
|
if (!pImgDataDirectory[IMAGE_DIRECTORY_ENTRY_SECURITY].VirtualAddress)
|
||||||
|
{
|
||||||
|
return CALG_SHA1;
|
||||||
|
}
|
||||||
|
|
||||||
|
const PVOID pBase = pPeBytes + pImgDataDirectory[IMAGE_DIRECTORY_ENTRY_SECURITY].VirtualAddress;
|
||||||
|
const LPWIN_CERTIFICATE pCert = (WIN_CERTIFICATE*)pBase;
|
||||||
|
PUCHAR pMatch = NULL;
|
||||||
|
|
||||||
|
if (NT_SUCCESS(DomitoMemorySearchPattern(
|
||||||
|
(const PUCHAR)"\x30\x21\x30\x09\x06\x05\x2b\x0e\x03\x02\x1a\x05\x00\x04\x14",
|
||||||
|
0x00,
|
||||||
|
15,
|
||||||
|
pBase,
|
||||||
|
pCert->dwLength,
|
||||||
|
(PVOID*)&pMatch
|
||||||
|
)))
|
||||||
|
{
|
||||||
|
return CALG_SHA1;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (NT_SUCCESS(DomitoMemorySearchPattern(
|
||||||
|
(const PUCHAR)"\x30\xcc\x30\x0d\x06\x09\x60\x86\x48\x01\x65\x03\x04\x02\xcc\x05\x00\x04\xcc",
|
||||||
|
0xcc,
|
||||||
|
19,
|
||||||
|
pBase,
|
||||||
|
pCert->dwLength,
|
||||||
|
(PVOID*)&pMatch
|
||||||
|
)))
|
||||||
|
{
|
||||||
|
if (pMatch == NULL)
|
||||||
|
{
|
||||||
|
return CALG_SHA1;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (pMatch[1] == 0x31 && pMatch[14] == 0x01 && pMatch[18] == 0x20)
|
||||||
|
{
|
||||||
|
return CALG_SHA256;
|
||||||
|
}
|
||||||
|
else if (pMatch[1] == 0x41 && pMatch[14] == 0x02 && pMatch[18] == 0x30)
|
||||||
|
{
|
||||||
|
return CALG_SHA384;
|
||||||
|
}
|
||||||
|
else if (pMatch[1] == 0x51 && pMatch[14] == 0x03 && pMatch[18] == 0x40)
|
||||||
|
{
|
||||||
|
return CALG_SHA512;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return CALG_SHA1;
|
||||||
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user