Added DomitoGetPortableExecutableDigestKind

This commit is contained in:
Benjamin Höglinger-Stelzer 2023-07-01 06:12:05 +02:00
parent e930f829ca
commit 965c6d8730
2 changed files with 71 additions and 1 deletions


@ -128,6 +128,7 @@ DomitoFindExportedFunctionAddress(
_Success_(return == STATUS_SUCCESS) _Success_(return == STATUS_SUCCESS)
_Must_inspect_result_ _Must_inspect_result_
_IRQL_requires_max_(DISPATCH_LEVEL) _IRQL_requires_max_(DISPATCH_LEVEL)
EXTERN_C
NTSTATUS NTSTATUS
DomitoMemorySearchPattern( DomitoMemorySearchPattern(
_In_ PCUCHAR pcPattern, _In_ PCUCHAR pcPattern,
@ -137,3 +138,14 @@ DomitoMemorySearchPattern(
_In_ SIZE_T puSize, _In_ SIZE_T puSize,
_Outptr_result_maybenull_ PVOID * ppMatch _Outptr_result_maybenull_ PVOID * ppMatch
); );
//
// Extracts the CALG_ID from a signed PE that was used to
// calculate the message digest when it was signed
//
EXTERN_C
UINT32
DomitoGetPortableExecutableDigestKind(
_In_ PUCHAR pPeBytes,
_In_ PIMAGE_DATA_DIRECTORY pImgDataDirectory
);
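Review bot: The new declaration's comment says what is extracted but not what the caller gets when extraction is impossible, and the implementation in the other file returns CALG_SHA1 both for an image with no security directory and for an unrecognised digest OID, so a caller cannot tell "unsigned" from "SHA-1 signed"; that should be stated here, e.g. `// Returns CALG_SHA1 when the image has no security directory or the digest algorithm is not one of SHA-1/256/384/512.` The SAL on the second parameter is also weaker than the neighbouring prototypes: `pImgDataDirectory` is indexed by IMAGE_DIRECTORY_ENTRY_SECURITY, so `_In_reads_(IMAGE_NUMBEROF_DIRECTORY_ENTRIES) PIMAGE_DATA_DIRECTORY pImgDataDirectory` documents the expected array length, and a `_Must_inspect_result_`/IRQL annotation pair like the one on DomitoMemorySearchPattern above would keep the header consistent. Since the security directory's VirtualAddress is a file offset per the PE spec and the implementation adds it directly to `pPeBytes`, the comment should say that `pPeBytes` must point at the raw on-disk image rather than a mapped one.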


@ -135,7 +135,7 @@ DomitoFindModuleBaseAddress(
// Found the module, store the base address // Found the module, store the base address
if (ModuleBase) if (ModuleBase)
{ {
*ModuleBase = moduleInfo->Module[i].Base; *ModuleBase = moduleInfo->Module[i].Base;
} }
break; break;
@ -257,3 +257,61 @@ DomitoMemorySearchPattern(
return STATUS_NOT_FOUND; return STATUS_NOT_FOUND;
} }
UINT32
DomitoGetPortableExecutableDigestKind(
_In_ PUCHAR pPeBytes,
_In_ PIMAGE_DATA_DIRECTORY pImgDataDirectory
)
{
if (!pImgDataDirectory[IMAGE_DIRECTORY_ENTRY_SECURITY].VirtualAddress)
{
return CALG_SHA1;
}
const PVOID pBase = pPeBytes + pImgDataDirectory[IMAGE_DIRECTORY_ENTRY_SECURITY].VirtualAddress;
const LPWIN_CERTIFICATE pCert = (WIN_CERTIFICATE*)pBase;
PUCHAR pMatch = NULL;
if (NT_SUCCESS(DomitoMemorySearchPattern(
(const PUCHAR)"\x30\x21\x30\x09\x06\x05\x2b\x0e\x03\x02\x1a\x05\x00\x04\x14",
0x00,
15,
pBase,
pCert->dwLength,
(PVOID*)&pMatch
)))
{
return CALG_SHA1;
}
if (NT_SUCCESS(DomitoMemorySearchPattern(
(const PUCHAR)"\x30\xcc\x30\x0d\x06\x09\x60\x86\x48\x01\x65\x03\x04\x02\xcc\x05\x00\x04\xcc",
0xcc,
19,
pBase,
pCert->dwLength,
(PVOID*)&pMatch
)))
{
if (pMatch == NULL)
{
return CALG_SHA1;
}
if (pMatch[1] == 0x31 && pMatch[14] == 0x01 && pMatch[18] == 0x20)
{
return CALG_SHA256;
}
else if (pMatch[1] == 0x41 && pMatch[14] == 0x02 && pMatch[18] == 0x30)
{
return CALG_SHA384;
}
else if (pMatch[1] == 0x51 && pMatch[14] == 0x03 && pMatch[18] == 0x40)
{
return CALG_SHA512;
}
}
return CALG_SHA1;
}
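Review bot: `pCert->dwLength` is read from the image under inspection and passed straight to DomitoMemorySearchPattern as the search size on the two `pCert->dwLength` lines, and `VirtualAddress` is added to `pPeBytes` with no check that either value lies inside the buffer; the function is never told how large `pPeBytes` is, and the directory's `.Size` field is ignored, so a malformed or hostile image with an oversized `dwLength` or an out-of-range offset turns the pattern search into an out-of-bounds read in what the header annotations suggest is kernel-mode code. The fix is to add a buffer-size parameter (the declaration added to the header in this same commit needs the same change), reject a directory that does not fit the buffer, and clamp `dwLength` to the directory size before searching; the rewrite below shows the guard, the rest of the body is unchanged apart from using `searchLen`. It would also help to note in a comment that the SHA-1 DigestInfo prefix is searched over the whole WIN_CERTIFICATE blob, so it may match an unrelated DigestInfo inside the PKCS#7 structure rather than the signed message digest.
```c
UINT32
DomitoGetPortableExecutableDigestKind(
    _In_reads_bytes_(cbPeBytes) PUCHAR pPeBytes,
    _In_ SIZE_T cbPeBytes,
    _In_ PIMAGE_DATA_DIRECTORY pImgDataDirectory
)
{
    const ULONG secOffset = pImgDataDirectory[IMAGE_DIRECTORY_ENTRY_SECURITY].VirtualAddress;
    const ULONG secSize = pImgDataDirectory[IMAGE_DIRECTORY_ENTRY_SECURITY].Size;

    // The security directory's VirtualAddress is a raw file offset; refuse to
    // touch the WIN_CERTIFICATE header unless the whole directory fits the buffer
    if (!secOffset || secSize < sizeof(WIN_CERTIFICATE) ||
        secOffset > cbPeBytes || secSize > cbPeBytes - secOffset)
    {
        return CALG_SHA1;
    }

    const PVOID pBase = pPeBytes + secOffset;
    const LPWIN_CERTIFICATE pCert = (WIN_CERTIFICATE*)pBase;

    // dwLength comes from the image itself; bound it by the directory size
    const SIZE_T searchLen = pCert->dwLength;
    if (searchLen < sizeof(WIN_CERTIFICATE) || searchLen > secSize)
    {
        return CALG_SHA1;
    }

    // … unchanged: both DomitoMemorySearchPattern calls and the pMatch byte checks, with searchLen in place of pCert->dwLength …
```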