Process Authenticode signatures using authenticode-parser

AUTHORS

@@ -8,6 +8,7 @@
 
 # Please keep the list sorted.
 
+Avast
 Google Inc.
 Hilko Bengen <bengen@hilluzination.de>
 Joachim Metz <joachim.metz@gmail.com>

CONTRIBUTORS

@@ -31,6 +31,7 @@ Antonio Vargas Gonzalez <winden@google.com>
 Christian Blichmann <cblichmann@google.com>
 Hilko Bengen <bengen@hilluzination.de>
 Joachim Metz <joachim.metz@gmail.com>
+Karel Hajek <houndthe@protonmail.com>
 Karl Hiramoto <karl.hiramoto@virustotal.com>
 Mike Wiacek <mjwiacek@google.com>
 Shane Huntley <shuntley@google.com>

bazel/yara.bzl

@@ -187,6 +187,16 @@ def yara_library(
             "libyara/stream.c",
             "libyara/strutils.c",
             "libyara/threading.c",
+            "libyara/include/authenticode-parser/authenticode.h",
+            "libyara/modules/pe/authenticode-parser/authenticode.c",
+            "libyara/modules/pe/authenticode-parser/certificate.c",
+            "libyara/modules/pe/authenticode-parser/certificate.h",
+            "libyara/modules/pe/authenticode-parser/countersignature.c",
+            "libyara/modules/pe/authenticode-parser/countersignature.h",
+            "libyara/modules/pe/authenticode-parser/helper.c",
+            "libyara/modules/pe/authenticode-parser/helper.h",
+            "libyara/modules/pe/authenticode-parser/structs.c",
+            "libyara/modules/pe/authenticode-parser/structs.h",
         ],
         hdrs = [
             "libyara/include/yara.h",

bazel/yara_deps.bzl

@@ -36,9 +36,9 @@ def yara_deps():
     maybe(
         http_archive,
         name = "openssl",
-        url = "https://github.com/openssl/openssl/archive/OpenSSL_1_1_0h.tar.gz",
-        sha256 = "f56dd7d81ce8d3e395f83285bd700a1098ed5a4cb0a81ce9522e41e6db7e0389",
-        strip_prefix = "openssl-OpenSSL_1_1_0h",
+        url = "https://github.com/openssl/openssl/archive/OpenSSL_1_1_1h.tar.gz",
+        sha256 = "d1f723c1f6b6d1eaf26655caa50d2f60d4d33f4b04977b1da63def878f386fcc",
+        strip_prefix = "openssl-OpenSSL_1_1_1h",
         build_file = "@com_github_virustotal_yara//:bazel/openssl.BUILD",
     )
     maybe(

configure.ac

@@ -325,6 +325,7 @@ AS_IF([test "x$have_crypto" = "xno"],
       ])
   ],
   [
+    build_authenticode_module=true # Authenticode relies on openssl
     build_hash_module=true
     CFLAGS="$CFLAGS -DHASH_MODULE"
     PC_REQUIRES_PRIVATE="$PC_REQUIRES_PRIVATE libcrypto"
@@ -343,6 +344,7 @@ AM_CONDITIONAL([ADDRESS_SANITIZER], [test x$address_sanitizer = xtrue])
 AM_CONDITIONAL([CUCKOO_MODULE], [test x$build_cuckoo_module = xtrue])
 AM_CONDITIONAL([MAGIC_MODULE], [test x$build_magic_module = xtrue])
 AM_CONDITIONAL([HASH_MODULE], [test x$build_hash_module = xtrue])
+AM_CONDITIONAL([AUTHENTICODE_MODULE], [test x$build_authenticode_module = xtrue])
 AM_CONDITIONAL([DOTNET_MODULE], [test x$build_dotnet_module = xtrue])
 AM_CONDITIONAL([MACHO_MODULE], [test x$build_macho_module = xtrue])
 AM_CONDITIONAL([PB_TESTS_MODULE], [test x$build_pb_tests_module = xtrue])

docs/modules/pe.rst

@@ -820,6 +820,10 @@ Reference
 
     Number of authenticode signatures in the PE.
 
+.. c:type:: is_signed
+
+    True if any of the PE signatures is valid.
+
 .. c:type:: signatures
 
     A zero-based array of signature objects, one for each authenticode
@@ -898,6 +902,117 @@ Reference
 
             timestamp >= pe.signatures[n].not_before and timestamp <= pe.signatures[n].not_after
 
+   .. c:member:: verified
+
+        Boolean, true if signature was sucessfully verified.
+
+    .. c:member:: digest_alg
+
+        Name of the algorithm used for file digest. Usually "sha1" or "sha256"
+
+    .. c:member:: digest
+
+        Digest of the file signed in the signature.
+
+    .. c:member:: file_digest
+
+        Calculated digest using digest_alg of the analysed file.
+
+    .. c:member:: number_of_certificates
+
+        Number of the certificates stored in the signature, including the ones in countersignatures.
+
+    .. c:type:: certificates
+
+        A zero-based array of certificates stored in the signature, including the ones in countersignatures.
+        The members of the certificates are identical to those already explained before, with the same name.
+
+        .. c:member:: thumbprint
+        .. c:member:: issuer
+        .. c:member:: subject
+        .. c:member:: version
+        .. c:member:: algorithm
+        .. c:member:: serial
+        .. c:member:: not_before
+        .. c:member:: not_after
+
+    .. c:type:: signer_info
+
+        Information about the signature signer.
+
+        .. c:member:: program_name
+
+            Optional program name stored in the signature.
+
+        .. c:member:: digest
+
+            Signed digest of the signature.
+
+        .. c:member:: digest_alg
+
+            Algorithm used for the digest of the signature. Usually "sha1" or "sha256"
+
+        .. c:member:: length_of_chain
+
+            Number of certificates in the signers chain.
+
+        .. c:type:: chain
+
+        A zero-based array of certificates in the signers chain. The members of the certificates are
+        identical to those already explained before, with the same name.
+
+            .. c:member:: thumbprint
+            .. c:member:: issuer
+            .. c:member:: subject
+            .. c:member:: version
+            .. c:member:: algorithm
+            .. c:member:: serial
+            .. c:member:: not_before
+            .. c:member:: not_after
+
+    .. c:member:: number_of_countersignatures
+
+        Number of the countersignatures of the signature.
+
+    .. c:type:: countersignatures
+
+        A zero-based array of the countersignatures of the signature.
+        Almost always it's just single timestamp one.
+
+        .. c:member:: verified
+
+            Boolean, true if countersignature was sucessfully verified.
+
+        .. c:member:: sign_time
+
+            Integer - unix time of the timestamp signing time.
+
+        .. c:member:: digest
+
+            Signed digest of the countersignature.
+
+        .. c:member:: digest_alg
+
+            Algorithm used for the digest of the countersignature. Usually "sha1" or "sha256"
+
+        .. c:member:: length_of_chain
+
+            Number of certificates in the countersigners chain.
+
+        .. c:type:: chain
+
+        A zero-based array of certificates in the countersigners chain. The members of the certificates are
+        identical to those already explained before, with the same name.
+
+            .. c:member:: thumbprint
+            .. c:member:: issuer
+            .. c:member:: subject
+            .. c:member:: version
+            .. c:member:: algorithm
+            .. c:member:: serial
+            .. c:member:: not_before
+            .. c:member:: not_after
+
 .. c:type:: rich_signature
 
     Structure containing information about the PE's rich signature as

libyara/Makefile.am

@@ -77,6 +77,14 @@ MODULES += modules/pb_tests/pb_tests.c
 MODULES += modules/pb_tests/pb_tests.pb-c.c
 endif
 
+if AUTHENTICODE_MODULE
+MODULES += modules/pe/authenticode-parser/authenticode.c
+MODULES += modules/pe/authenticode-parser/certificate.c
+MODULES += modules/pe/authenticode-parser/helper.c
+MODULES += modules/pe/authenticode-parser/countersignature.c
+MODULES += modules/pe/authenticode-parser/structs.c
+endif
+
 #
 # Add your modules here:
 #