Added DomitoGetPortableExecutableDigestKind
This commit is contained in:
parent
e930f829ca
commit
965c6d8730
@ -128,6 +128,7 @@ DomitoFindExportedFunctionAddress(
|
||||
_Success_(return == STATUS_SUCCESS)
|
||||
_Must_inspect_result_
|
||||
_IRQL_requires_max_(DISPATCH_LEVEL)
|
||||
EXTERN_C
|
||||
NTSTATUS
|
||||
DomitoMemorySearchPattern(
|
||||
_In_ PCUCHAR pcPattern,
|
||||
@ -137,3 +138,14 @@ DomitoMemorySearchPattern(
|
||||
_In_ SIZE_T puSize,
|
||||
_Outptr_result_maybenull_ PVOID * ppMatch
|
||||
);
|
||||
|
||||
//
|
||||
// Extracts the CALG_ID from a signed PE that was used to
|
||||
// calculate the message digest when it was signed
|
||||
//
|
||||
EXTERN_C
|
||||
UINT32
|
||||
DomitoGetPortableExecutableDigestKind(
|
||||
_In_ PUCHAR pPeBytes,
|
||||
_In_ PIMAGE_DATA_DIRECTORY pImgDataDirectory
|
||||
);
|
||||
|
@ -257,3 +257,61 @@ DomitoMemorySearchPattern(
|
||||
|
||||
return STATUS_NOT_FOUND;
|
||||
}
|
||||
|
||||
UINT32
|
||||
DomitoGetPortableExecutableDigestKind(
|
||||
_In_ PUCHAR pPeBytes,
|
||||
_In_ PIMAGE_DATA_DIRECTORY pImgDataDirectory
|
||||
)
|
||||
{
|
||||
if (!pImgDataDirectory[IMAGE_DIRECTORY_ENTRY_SECURITY].VirtualAddress)
|
||||
{
|
||||
return CALG_SHA1;
|
||||
}
|
||||
|
||||
const PVOID pBase = pPeBytes + pImgDataDirectory[IMAGE_DIRECTORY_ENTRY_SECURITY].VirtualAddress;
|
||||
const LPWIN_CERTIFICATE pCert = (WIN_CERTIFICATE*)pBase;
|
||||
PUCHAR pMatch = NULL;
|
||||
|
||||
if (NT_SUCCESS(DomitoMemorySearchPattern(
|
||||
(const PUCHAR)"\x30\x21\x30\x09\x06\x05\x2b\x0e\x03\x02\x1a\x05\x00\x04\x14",
|
||||
0x00,
|
||||
15,
|
||||
pBase,
|
||||
pCert->dwLength,
|
||||
(PVOID*)&pMatch
|
||||
)))
|
||||
{
|
||||
return CALG_SHA1;
|
||||
}
|
||||
|
||||
if (NT_SUCCESS(DomitoMemorySearchPattern(
|
||||
(const PUCHAR)"\x30\xcc\x30\x0d\x06\x09\x60\x86\x48\x01\x65\x03\x04\x02\xcc\x05\x00\x04\xcc",
|
||||
0xcc,
|
||||
19,
|
||||
pBase,
|
||||
pCert->dwLength,
|
||||
(PVOID*)&pMatch
|
||||
)))
|
||||
{
|
||||
if (pMatch == NULL)
|
||||
{
|
||||
return CALG_SHA1;
|
||||
}
|
||||
|
||||
if (pMatch[1] == 0x31 && pMatch[14] == 0x01 && pMatch[18] == 0x20)
|
||||
{
|
||||
return CALG_SHA256;
|
||||
}
|
||||
else if (pMatch[1] == 0x41 && pMatch[14] == 0x02 && pMatch[18] == 0x30)
|
||||
{
|
||||
return CALG_SHA384;
|
||||
}
|
||||
else if (pMatch[1] == 0x51 && pMatch[14] == 0x03 && pMatch[18] == 0x40)
|
||||
{
|
||||
return CALG_SHA512;
|
||||
}
|
||||
}
|
||||
|
||||
return CALG_SHA1;
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user