
Parsing of multiple Authenticode signatures does not work #515

Closed
edeca opened this issue Sep 7, 2016 · 3 comments · Fixed by #940

Comments

@edeca

edeca commented Sep 7, 2016

Portable executable files with multiple signatures are not currently parsed correctly. This was tested on msvcr120_clr0400.dll (SHA256: d29e93c0fe4f108fa063e1a9692559a4278a0d51ab4feabbb231907dffaeb019). In my testing Yara can only ever extract a maximum of one signature.

The underlying reason for this is that multiple signatures are nested. Extracting additional signatures after the first will require parsing OID 1.3.6.1.4.1.311.2.4.1 (likely because X.509 only supports one signature, but this is not an area of expertise).

The current code attempts to iterate WIN_CERTIFICATE entries in pe.c. This is superfluous as there will only ever be one entry.

The current code also attempts to iterate SignerInfo entries in pe.c. From testing I do not believe there can be multiple entries, but would welcome information about files with multiple SignerInfo entries.

References:
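As an added illustration (not code from YARA or from the issue's author), here is a stand-alone Python parser that walks a PE security directory the way the report describes: it iterates the WIN_CERTIFICATE table on 8-byte boundaries and, inside each PKCS#7 blob, descends the DER structure looking for the nested-signature attribute OID 1.3.6.1.4.1.311.2.4.1 (szOID_NESTED_SIGNATURE) so that signatures beyond the first are counted. The sample security directory, the `_fake_signed_data` builder and every helper name are constructed here for the demonstration; the fake SignedData keeps only the container shape (no real certificates or signature values), which is all the counting logic needs.

```python
"""Count Authenticode signatures in a PE security directory, including nested ones.
Added illustration for this issue; not YARA's pe.c and not the author's branch."""
import struct

NESTED_SIGNATURE_OID = "1.3.6.1.4.1.311.2.4.1"   # szOID_NESTED_SIGNATURE
SIGNED_DATA_OID = "1.2.840.113549.1.7.2"         # PKCS#7 id-signedData
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002
WIN_CERT_REVISION_2_0 = 0x0200


def _base128(n: int) -> bytes:
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))


def encode_oid(oid: str) -> bytes:
    """Dotted OID string -> DER content bytes (first two arcs packed as 40*a+b)."""
    arcs = [int(a) for a in oid.split(".")]
    body = _base128(arcs[0] * 40 + arcs[1])
    for a in arcs[2:]:
        body += _base128(a)
    return body


def decode_oid(body: bytes) -> str:
    arcs, n = [], 0
    for b in body:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(str(x) for x in [arcs[0] // 40, arcs[0] % 40] + arcs[1:])


def der(tag: int, content: bytes) -> bytes:
    """Build one DER TLV with a definite (short or long form) length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_iter(data: bytes):
    """Yield (tag, content) for each TLV in a DER byte string; rejects malformed lengths."""
    i = 0
    while i < len(data):
        tag, first = data[i], data[i + 1]
        if tag & 0x1F == 0x1F:
            raise ValueError("high-tag-number form not handled")
        if first < 0x80:
            length, i = first, i + 2
        else:
            nbytes = first & 0x7F
            if nbytes == 0:
                raise ValueError("indefinite length is not valid DER")
            length = int.from_bytes(data[i + 2:i + 2 + nbytes], "big")
            i += 2 + nbytes
        if i + length > len(data):
            raise ValueError("truncated TLV")
        yield tag, data[i:i + length]
        i += length


def count_nested_signatures(pkcs7: bytes) -> int:
    """Count szOID_NESTED_SIGNATURE attributes, recursing into every constructed node
    (SEQUENCE, SET, [n]) so a signature nested inside a nested one is counted too."""
    count = 0
    for tag, content in der_iter(pkcs7):
        if tag == 0x06 and decode_oid(content) == NESTED_SIGNATURE_OID:
            count += 1
        elif tag & 0x20:
            count += count_nested_signatures(content)
    return count


def iter_win_certificates(security_dir: bytes):
    """Yield (wRevision, wCertificateType, bCertificate) for each WIN_CERTIFICATE.
    Entries start on 8-byte boundaries, so the next offset is dwLength rounded up."""
    off = 0
    while off + 8 <= len(security_dir):
        length, revision, cert_type = struct.unpack_from("<IHH", security_dir, off)
        if length < 8 or off + length > len(security_dir):
            raise ValueError("bad WIN_CERTIFICATE dwLength")
        yield revision, cert_type, security_dir[off + 8:off + length]
        off += (length + 7) & ~7


def count_authenticode_signatures(security_dir: bytes) -> int:
    total = 0
    for _rev, cert_type, blob in iter_win_certificates(security_dir):
        if cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA:
            total += 1 + count_nested_signatures(blob)
    return total


# --- constructed sample data (shape only, no real certificates) ---
def _fake_signed_data(unsigned_attrs: bytes = b"") -> bytes:
    """ContentInfo{SignedData{SET OF SignerInfo{[1] unsignedAttrs}}} stand-in."""
    attrs = der(0xA1, unsigned_attrs) if unsigned_attrs else b""
    signer_info = der(0x30, der(0x02, b"\x01") + attrs)
    signed_data = der(0x30, der(0x02, b"\x01") + der(0x31, signer_info))
    return der(0x30, der(0x06, encode_oid(SIGNED_DATA_OID)) + der(0xA0, signed_data))


def _nested_attr(inner: bytes) -> bytes:
    """Attribute ::= SEQUENCE { szOID_NESTED_SIGNATURE, SET { inner ContentInfo } }."""
    return der(0x30, der(0x06, encode_oid(NESTED_SIGNATURE_OID)) + der(0x31, inner))


def _win_certificate(blob: bytes) -> bytes:
    body = struct.pack("<IHH", 8 + len(blob), WIN_CERT_REVISION_2_0,
                       WIN_CERT_TYPE_PKCS_SIGNED_DATA) + blob
    return body + b"\x00" * ((-len(body)) % 8)


# Entry 1: a signature with one nested signature that itself nests another (3 total);
# entry 2: a plain second WIN_CERTIFICATE entry (1). Expected total: 4.
SAMPLE_SECURITY_DIR = (
    _win_certificate(_fake_signed_data(_nested_attr(
        _fake_signed_data(_nested_attr(_fake_signed_data())))))
    + _win_certificate(_fake_signed_data())
)

if __name__ == "__main__":
    print(count_authenticode_signatures(SAMPLE_SECURITY_DIR))
```

In a real file the nested attribute lives in SignerInfo.unsignedAttrs; the walker above does not check that position and simply counts the OID wherever it appears in the blob, which is enough to show why a parser that stops at the outermost SignedData only ever sees one signature.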

@edeca
Author

edeca commented Sep 7, 2016

I have started refactoring code in this branch but have not addressed multiple signatures yet.

@wxsBSD
Collaborator

wxsBSD commented Sep 9, 2016

I have binaries which have more than one WIN_CERTIFICATE entry in them. These are what YARA calls "signatures" despite the fact that they are certificates. I'll have to investigate multiple signatures in a given certificate (which is what it sounds like you're suggesting is a thing), when I get some time on a flight in a few days. For now, I'll drop you at least one binary with multiple WIN_CERTIFICATE entries in it in an email in a little bit.

@wxsBSD
Collaborator

wxsBSD commented Aug 23, 2018

My apologies for the delay. I completely misunderstood what this issue was about, and it wasn't until now that someone on my team found a sample ITW that was triggering this bug. I've put up a PR which fixes this.
