Merge branch 'master' of https://github.com/avast/retdec

CHANGELOG.md

@@ -2,9 +2,12 @@
 
 # dev
 
+* New feature: Add checking for damaged (unloadable) ELF files ([#1036](https://github.com/avast/retdec/pull/1036), [regression-tests #113](https://github.com/avast/retdec-regression-tests/pull/113)).
+* New feature: Parse various PE timestamps and make them available in Fileinfo ([#1035](https://github.com/avast/retdec/pull/1035), [regression-tests #112](https://github.com/avast/retdec-regression-tests/pull/112)).
 * New feature: Generate ELF (import) symbol-related hashes, including VirusTotal compatible `telfhash` ([#286](https://github.com/avast/retdec/issues/286), [#936](https://github.com/avast/retdec/pull/936)).
 * New Feature: `retdec-fileinfo` can be configured via JSON file. See `--fileinfo-config` option for more details.
 * New Feature: RetDec is now also a library ([#779](https://github.com/avast/retdec/pull/779). Related changes are the removal of `retdec-decompiler.py` (it is now a binary, e.g. `retdec-decompiler.exe` on Windows), `retdec-bin2llvmir`, `retdec-llvmir2hll`, and some other supportive functionality.
+* Enhancement: Use [Authenticode parser](https://github.com/avast/authenticode-parser) library instead of RetDec's own implementation ([#1027](https://github.com/avast/retdec/pull/1027), [regression-tests #110](https://github.com/avast/retdec-regression-tests/pull/110)). 
 * Enhancement: Remove `--backend-aggressive-opts` option and all the related code ([#1016](https://github.com/avast/retdec/issues/1016), [#1032](https://github.com/avast/retdec/pull/1032)).
 * Enhancement: Add `SECURITY.md` ([#1018](https://github.com/avast/retdec/issues/1018), [#1025](https://github.com/avast/retdec/pull/1025)).
 * Enhancement: Improve PE's .NET parsing - make it more aligned with parsing in YARA ([#997](https://github.com/avast/retdec/pull/997), [regression tests #106](https://github.com/avast/retdec-regression-tests/pull/106)).
@@ -25,6 +28,7 @@
 * Enhancement: Added support for new ELF UPX unpacking stubs (versions 3.93 - 3.96) ([#929](https://github.com/avast/retdec/pull/929)).
 * Enhancement: Improved YARA rules for detection of the SHA-512 algorithm ([#935](https://github.com/avast/retdec/pull/935)).
 * Enhancement: Improved PE Authenticode parsing ([#902](https://github.com/avast/retdec/pull/902), [#380](https://github.com/avast/retdec/issues/380)).
+* Fix: `ImageLoader::Save()` properly saves PE's Rich Header and section data ([#1028](https://github.com/avast/retdec/issues/1028), [#1029](https://github.com/avast/retdec/pull/1029)).  
 * Fix: Check if data is not empty in .NET integer decoding functions ([#1030](https://github.com/avast/retdec/pull/1030)).
 * Fix: Stricter validation of PE signatures - they need to be outside of the image to be considered valid ([#972](https://github.com/avast/retdec/issues/972), [#986](https://github.com/avast/retdec/pull/986), [regression tests #108](https://github.com/avast/retdec-regression-tests/pull/108)).
 * Fix: Do not provide entry point offset in case it doesn't exist ([#962](https://github.com/avast/retdec/issues/962), [#975](https://github.com/avast/retdec/pull/975), [regression tests #101](https://github.com/avast/retdec-regression-tests/pull/101)).

cmake/options.cmake

@@ -430,6 +430,9 @@ set_if_at_least_one_set(RETDEC_ENABLE_LLVMIR_EMUL
 		RETDEC_ENABLE_CAPSTONE2LLVMIR_TESTS)
 
 # deps
+set_if_at_least_one_set(RETDEC_ENABLE_AUTHENTICODE_PARSER
+		RETDEC_ENABLE_FILEFORMAT)
+
 set_if_at_least_one_set(RETDEC_ENABLE_CAPSTONE
 		RETDEC_ENABLE_CAPSTONE2LLVMIR
 		RETDEC_ENABLE_STACOFIN)

deps/CMakeLists.txt

@@ -14,6 +14,7 @@ endif()
 set(MSVC_GE $<BOOL:${MSVC}>)
 set(MSVC_CONFIG $<${MSVC_GE}:$<CONFIG>/>)
 
+cond_add_subdirectory(authenticode-parser RETDEC_ENABLE_AUTHENTICODE_PARSER)
 cond_add_subdirectory(capstone RETDEC_ENABLE_CAPSTONE)
 cond_add_subdirectory(elfio RETDEC_ENABLE_ELFIO)
 cond_add_subdirectory(googletest RETDEC_ENABLE_GOOGLETEST)

deps/authenticode-parser/CMakeLists.txt

@@ -0,0 +1,66 @@
+cmake_minimum_required(VERSION 3.14)
+
+project(authenticode_parser VERSION 1.0.0 LANGUAGES C)
+
+find_package(OpenSSL 1.1.1 REQUIRED)
+
+include(GNUInstallDirs)
+
+add_library(authenticode STATIC
+        src/authenticode.c
+        src/helper.c
+        src/structs.c
+        src/countersignature.c
+        src/certificate.c
+)
+
+add_library(retdec::deps::authenticode ALIAS authenticode)
+
+include (TestBigEndian)
+TEST_BIG_ENDIAN(IS_BIG_ENDIAN)
+if(IS_BIG_ENDIAN)
+        target_compile_definitions(-DWORDS_BIGENDIAN)
+endif()
+
+target_compile_options(authenticode PRIVATE -Wall)
+target_compile_features(authenticode PRIVATE c_std_11)
+
+target_include_directories(authenticode
+        PUBLIC
+                $<BUILD_INTERFACE:${RETDEC_DEPS_DIR}/authenticode-parser/include>
+                $<INSTALL_INTERFACE:${RETDEC_INSTALL_DEPS_INCLUDE_DIR}>
+        PRIVATE
+                ${CMAKE_CURRENT_SOURCE_DIR}/src
+)
+
+target_link_libraries(authenticode
+        PRIVATE
+                OpenSSL::Crypto
+)
+
+install(
+        DIRECTORY ${RETDEC_DEPS_DIR}/authenticode-parser/include/
+        DESTINATION ${RETDEC_INSTALL_DEPS_INCLUDE_DIR}
+)
+
+install(TARGETS authenticode
+        EXPORT authenticode-targets
+        ARCHIVE DESTINATION ${RETDEC_INSTALL_LIB_DIR}
+        LIBRARY DESTINATION ${RETDEC_INSTALL_LIB_DIR}
+)
+
+install(EXPORT authenticode-targets
+        FILE "retdec-authenticode-targets.cmake"
+        NAMESPACE retdec::deps::
+        DESTINATION ${RETDEC_INSTALL_CMAKE_DIR}
+)
+
+configure_file(
+        "retdec-authenticode-config.cmake"
+        "${CMAKE_CURRENT_LIST_DIR}/retdec-authenticode-config.cmake"
+        @ONLY
+)
+install(
+        FILES "${CMAKE_CURRENT_LIST_DIR}/retdec-authenticode-config.cmake"
+        DESTINATION ${RETDEC_INSTALL_CMAKE_DIR}
+)

deps/authenticode-parser/include/authenticode-parser/authenticode.h

@@ -0,0 +1,198 @@
+/* Copyright (c) 2021 Avast Software
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
+of the Software, and to permit persons to whom the Software is furnished to do
+so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+*/
+
+#ifndef AUTHENTICODE_PARSER_AUTHENTICODE_H
+#define AUTHENTICODE_PARSER_AUTHENTICODE_H
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#include <stdint.h>
+#include <time.h>
+
+/* Signature is valid */
+#define AUTHENTICODE_VFY_VALID             0
+/* Parsing error (from OpenSSL functions) */
+#define AUTHENTICODE_VFY_CANT_PARSE        1
+/* Signers certificate is missing */
+#define AUTHENTICODE_VFY_NO_SIGNER_CERT    2
+/* No digest saved inside the signature */
+#define AUTHENTICODE_VFY_DIGEST_MISSING    3
+/* Non verification errors - allocations etc. */
+#define AUTHENTICODE_VFY_INTERNAL_ERROR    4
+/* SignerInfo part of PKCS7 is missing */
+#define AUTHENTICODE_VFY_NO_SIGNER_INFO    5
+/* PKCS7 doesn't have type of SignedData, can't proceed */
+#define AUTHENTICODE_VFY_WRONG_PKCS7_TYPE  6
+/* PKCS7 doesn't have corrent content, can't proceed */
+#define AUTHENTICODE_VFY_BAD_CONTENT       7
+/* Contained and calculated digest don't match */
+#define AUTHENTICODE_VFY_INVALID           8
+/* Signature hash and file hash doesn't match */
+#define AUTHENTICODE_VFY_WRONG_FILE_DIGEST 9
+/* Unknown algorithm, can't proceed with verification */
+#define AUTHENTICODE_VFY_UNKNOWN_ALGORITHM 10
+
+/* Countersignature is valid */
+#define COUNTERSIGNATURE_VFY_VALID                  0
+/* Parsing error (from OpenSSL functions) */
+#define COUNTERSIGNATURE_VFY_CANT_PARSE             1
+/* Signers certificate is missing */
+#define COUNTERSIGNATURE_VFY_NO_SIGNER_CERT         2
+/* Unknown algorithm, can't proceed with verification */
+#define COUNTERSIGNATURE_VFY_UNKNOWN_ALGORITHM      3
+/* Verification failed, digest mismatch */
+#define COUNTERSIGNATURE_VFY_INVALID                4
+/* Failed to decrypt countersignature enc_digest for verification */
+#define COUNTERSIGNATURE_VFY_CANT_DECRYPT_DIGEST    5
+/* No digest saved inside the countersignature */
+#define COUNTERSIGNATURE_VFY_DIGEST_MISSING         6
+/* Message digest inside countersignature doesn't match signature it countersigns */
+#define COUNTERSIGNATURE_VFY_DOESNT_MATCH_SIGNATURE 7
+/* Non verification errors - allocations etc. */
+#define COUNTERSIGNATURE_VFY_INTERNAL_ERROR         8
+/* Time is missing in the timestamp signature */
+#define COUNTERSIGNATURE_VFY_TIME_MISSING           9
+
+typedef struct {
+    uint8_t* data;
+    int len;
+} ByteArray;
+
+typedef struct { /* Various X509 attributes parsed out in raw bytes*/
+    ByteArray country;
+    ByteArray organization;
+    ByteArray organizationalUnit;
+    ByteArray nameQualifier;
+    ByteArray state;
+    ByteArray commonName;
+    ByteArray serialNumber;
+    ByteArray locality;
+    ByteArray title;
+    ByteArray surname;
+    ByteArray givenName;
+    ByteArray initials;
+    ByteArray pseudonym;
+    ByteArray generationQualifier;
+    ByteArray emailAddress;
+} Attributes;
+
+typedef struct {
+    long version;             /* Raw version of X509 */
+    char* issuer;             /* Oneline name of Issuer */
+    char* subject;            /* Oneline name of Subject */
+    char* serial;             /* Serial number in format 00:01:02:03:04... */
+    ByteArray sha1;           /* SHA1 of the DER representation of the cert */
+    ByteArray sha256;         /* SHA256 of the DER representation of the cert */
+    char* key_alg;            /* Name of the key algorithm */
+    char* sig_alg;            /* Name of the signature algorithm */
+    time_t not_before;        /* NotBefore validity */
+    time_t not_after;         /* NotAfter validity */
+    char* key;                /* PEM encoded public key */
+    Attributes issuer_attrs;  /* Parsed X509 Attributes of Issuer */
+    Attributes subject_attrs; /* Parsed X509 Attributes of Subject */
+} Certificate;
+
+typedef struct {
+    Certificate** certs;
+    size_t count;
+} CertificateArray;
+
+typedef struct {
+    int verify_flags;        /* COUNTERISGNATURE_VFY_ flag */
+    time_t sign_time;        /* Signing time of the timestamp countersignature */
+    char* digest_alg;        /* Name of the digest algorithm used */
+    ByteArray digest;        /* Stored message digest */
+    CertificateArray* chain; /* Certificate chain of the signer */
+} Countersignature;
+
+typedef struct {
+    Countersignature** counters;
+    size_t count;
+} CountersignatureArray;
+
+typedef struct {             /* Represents SignerInfo structure */
+    ByteArray digest;        /* Message Digest of the SignerInfo */
+    char* digest_alg;        /* name of the digest algorithm */
+    char* program_name;      /* Program name stored in SpcOpusInfo structure of Authenticode */
+    CertificateArray* chain; /* Certificate chain of the signer */
+} Signer;
+
+typedef struct {
+    int verify_flags;        /* AUTHENTICODE_VFY_ flag */
+    int version;             /* Raw PKCS7 version */
+    char* digest_alg;        /* name of the digest algorithm */
+    ByteArray digest;        /* File Digest stored in the Signature */
+    ByteArray file_digest;   /* Actual calculated file digest */
+    Signer* signer;          /* SignerInfo information of the Authenticode */
+    CertificateArray* certs; /* All certificates in the Signature including the ones in timestamp
+                                countersignatures */
+    CountersignatureArray* countersigs; /* Array of timestamp countersignatures */
+} Authenticode;
+
+typedef struct {
+    Authenticode** signatures;
+    size_t count;
+} AuthenticodeArray;
+
+/**
+ * @brief Constructs AuthenticodeArray from PE file data. Authenticode can
+ *        contains nested Authenticode signatures as its unsigned attribute,
+ *        which can also contain nested signatures. For this reason the function returns
+ *        an Array of parsed Authenticode signatures. Any field of the parsed out
+ *        structures can be NULL, depending on the input data.
+ *        Verification result is stored in verify_flags with the first verification error.
+ *
+ * @param pe_data PE binary data
+ * @param pe_len
+ * @return AuthenticodeArray*
+ */
+AuthenticodeArray* parse_authenticode(const uint8_t* pe_data, long pe_len);
+
+/**
+ * @brief Constructs AuthenticodeArray from binary data containing Authenticode
+ *        signature. Authenticode can contains nested Authenticode signatures
+ *        as its unsigned attribute, which can also contain nested signatures.
+ *        For this reason the function return an Array of parsed Authenticode signatures.
+ *        Any field of the parsed out structures can be NULL, depending on the input data.
+ *        WARNING: in case of this interface, the file and signature digest comparison is
+ *        up to the library user, as there is no pe data to calculate file digest from.
+ *        Verification result is stored in verify_flags with the first verification error
+ *
+ * @param data Binary data containing Authenticode signature
+ * @param len
+ * @return AuthenticodeArray*
+ */
+AuthenticodeArray* authenticode_new(const uint8_t* data, long len);
+
+/**
+ * @brief Deallocates AuthenticodeArray and all it's allocated members
+ *
+ * @param auth
+ */
+void authenticode_array_free(AuthenticodeArray* auth);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif

deps/authenticode-parser/retdec-authenticode-config.cmake

@@ -0,0 +1,4 @@
+
+if(NOT TARGET retdec::deps::authenticode)
+	include(${CMAKE_CURRENT_LIST_DIR}/retdec-authenticode-targets.cmake)
+endif()