Add Certificate Table parsing and Authentihash support for PE #15987
minor improvements. and ready to merge
I do not use Windows. Do you have any of those binaries on your system? If so, you can upload them to https://github.com/radareorg/radare2-testbins.
Maybe you can fix a bit the code around the
Currently, I am testing it on commercial programs. I will look up how to sign one without a proper cert.
Thanks for the green light, I will proceed to refactor
Thanks! I think we are good to remove the WIP after you do this refactor so we will be ready to merge
Binary was merged, please update the PR and we are good to go.
* Add Certificate Table parser to PE plugin
* Add SpcIndirectDataContent ASN.1 structure parser
* Add Authentihash calculation and check
* Refactor r_bin_file_hash
* Add tests for Authentihash check
Appveyor and one of the Travis tests passed, but others failed because of:
I assume that if we rebuild the tests, it should be fine.
Looking at it now, I'm not sure adding the securihash to the `info` method was the best approach :(

I have not run your branch, but I believe `r_file_bin_hash` will not compute the format-specific hashes, so SecuriHash will be computed only the first time and it will never be updated, right? Also, I think the API is not very good, as it forces users of `r_bin_file_hash` to save the result in `o->info->file_hashes` and that's error prone (because you have to remember to manually update that value every time you use `r_bin_file_hash`) and not very encapsulating.

For the `r_bin_file_hash` APIs, what about:

```c
// compute hashes of the current rbinfile and return them
RList *r_bin_file_compute_hashes(RBin *bin, int limit);
// set `hashes` as the last computed hashes for the current rbinfile. `hashes` becomes owned by the current rbinfile, so you don't need to free it. If other hashes were previously set for the current rbinfile, they are returned and they should be freed by the caller when not needed anymore.
RList *r_bin_file_set_hashes(RBin *bin, RList *hashes);
```

So for `it` you can do something like:

```c
RList *new_hashes = r_bin_file_compute_hashes (bin, limit);
RList *old_hashes = r_bin_file_set_hashes (bin, new_hashes);
// ... do the diff, print, etc. ...
r_list_free (old_hashes);
```

And in radare2.c something like:

```c
r_bin_file_set_hashes (bin, r_bin_file_compute_hashes (bin, limit));
```

With regard to where to place the new securihash, maybe the best thing was indeed to add a `RBinPlugin.hashes` method and call it at the end of the `r_bin_file_compute_hashes` function.

What do you think?
if (!info) { | ||
eprintf ("r_bin_get_info: Cannot get bin info"); | ||
r_list_free (old_file_hashes); | ||
RList *new_file_hashes = r_bin_file_hash (core->bin, limit); |
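Review bot: the message passed to eprintf in the `if (!info)` branch has no trailing newline, so the error will run into whatever is written to stderr next; end the string with `\n` ("r_bin_get_info: Cannot get bin info\n").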
this does not re-compute the securihash, does it?
You are right, it does not.
Initially, I was thinking that I think your suggestions are good by including the binary specific hash in
I guess you meant
Yeah, sorry for the typo. I will work on it first and see how it goes. Thanks for the help! :)
No problem, thank you for working on this! The base stuff that calculates the securihash is actually good already I think, it's just a matter of integrating it with r2 code base ;)
This reverts commit 2c6fc43.
I have clicked wrong for the revert pull request. I guess I will create another pull request for the refactor in two hours.
Yep better improve in a separate pr than reverting. The contrib is good 👍
… On 20 Feb 2020, at 21:46, Zi Fan ***@***.***> wrote:
I have clicked wrong for the revert pull request. I guess I will create another pull request for the refactor in two hours.
Your checklist for this pull request
Detailed description
Add Authentihash and Authentihash check support for Portable Executable. Currently, the Authentihash information is stored in the `pe` sdb.
Missing steps
* `signature.exe` in testbins which has an invalid Authentihash.
* `it` output (?)
Imo, Authentihash information should be displayed somewhere specific to the file format. For now, `it` seems to generate general hashes (md5, sha1, sha256). Adding Authentihash into the command will complicate the code (checking if `rclass == pe`, get authentihash with `sdb_querys`, output directly) while the existing code is using a `RList` of `RBinHash`, which makes me wonder if there is a cleaner way to do this. For Authentihash check, I thought about adding it into `RBinInfo`, but that makes the structure less general, so I am looking forward to some feedback.
Closing issues
#921
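
The byte ranges an Authentihash covers, as an added example that is not code from this pull request or from radare2: the digest leaves out the CheckSum field, the Certificate Table data-directory entry and the certificate table itself, so attaching a signature does not change it. It hashes the file linearly, which assumes sections are stored contiguously and in file order; `build_sample` and its bytes are constructed for the demonstration.

```python
import hashlib
import struct

def authentihash(pe: bytes, algo: str = "sha256") -> str:
    """Digest of a PE file with the signature-dependent bytes left out."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 24                   # optional header: after signature + COFF header
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)   # PE32 / PE32+
    (ndirs,) = struct.unpack_from("<I", pe, dirs - 4)
    if ndirs < 5:
        raise ValueError("no Certificate Table directory entry")
    checksum = opt + 64                   # CheckSum field, 4 bytes
    cert_entry = dirs + 4 * 8             # data directory index 4, 8 bytes
    cert_off, cert_size = struct.unpack_from("<II", pe, cert_entry)
    if cert_size == 0:
        cert_off = len(pe)                # unsigned file: nothing more to skip
    elif cert_off < cert_entry + 8 or cert_off + cert_size > len(pe):
        raise ValueError("certificate table lies outside the file")
    h = hashlib.new(algo)
    for chunk in (pe[:checksum], pe[checksum + 4:cert_entry],
                  pe[cert_entry + 8:cert_off], pe[cert_off + cert_size:]):
        h.update(chunk)
    return h.hexdigest()

def build_sample(body=b"\x90" * 32, checksum=0, cert=b""):
    """Constructed PE32 layout: only the fields the hash needs are filled in."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    opt = bytearray(224)                  # 96-byte PE32 header + 16 directories
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 64, checksum)
    struct.pack_into("<I", opt, 92, 16)   # NumberOfRvaAndSizes
    if cert:                              # certificate table appended at end of file
        cert_off = 0x40 + 24 + len(opt) + len(body)
        struct.pack_into("<II", opt, 96 + 4 * 8, cert_off, len(cert))
    return dos + b"PE\x00\x00" + bytes(20) + bytes(opt) + body + cert
```

A matching Authentihash only shows that the file content equals the digest stored in the signature; the signature and its certificate chain still have to be validated separately.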