PE CounterSignatures not parsed correctly in Microsoft signed drivers #2012

Closed
antonioCoco opened this issue Nov 28, 2023 · 3 comments
Describe the bug
When using the "pe" module with the "signatures" array, the "countersignatures" array is not parsed properly for drivers signed by Microsoft, e.g. procexp.sys.
The "number_of_countersignatures" field is populated correctly, so the module correctly detects a countersignature, but if you try to access any field in the array it will show invalid data, like "sign_time" = 0 and "verified" = 0.
BTW, this bug happens with any driver signed by Microsoft; you can pick any signed driver in the C:\Windows\System32\drivers directory and the same unwanted behavior happens.
The parsing of countersignatures from non-Microsoft-signed drivers works properly, e.g. kprocesshacker.sys.

To Reproduce
Steps to reproduce the behavior:

Using the following testing yara rule:

import "pe"
import "console"

rule DriversCounterSignature
{
	meta:
		author = "Antonio Cocomazzi"

	condition:
		uint16(0) == 0x5a4d and
		pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_SECURITY].size > 0 and
		pe.imports("ntoskrnl.exe") and
		for any signature in pe.signatures : (
			console.log("signature.subject = ", signature.subject) and
			console.log("signature.thumbprint = ", signature.thumbprint) and
			console.log("signature.number_of_countersignatures = ", signature.number_of_countersignatures) and
			console.log("\tsignature.countersignatures[0].sign_time = ", signature.countersignatures[0].sign_time) and
			console.log("\tsignature.countersignatures[0].verified = ", signature.countersignatures[0].verified) and
			false
		)
}

Run the above yara rule on a Microsoft-signed driver, e.g. procexp.sys:

yara64.exe DriversCounterSignature.yar 440883cd9d6a76db5e53517d0ec7fe13d5a50d2f6a7f91ecfc863bc3490e4f5c.SYS
signature.subject = /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows Hardware Compatibility Publisher
signature.thumbprint = 92d7192a7c3180912ff8414f790973a05c28f8b0
signature.number_of_countersignatures = 1
        signature.countersignatures[0].sign_time = 0
        signature.countersignatures[0].verified = 0

As you can observe in the above output, the "sign_time" and "verified" fields have not been parsed properly for the countersignature.

Expected behavior
The expected behavior is that the array of countersignatures is populated correctly and that the number_of_countersignatures value correctly reflects what to expect in the countersignatures array.

Below is an example of successful parsing of countersignatures on a non-Microsoft-signed driver, e.g. kprocesshacker.sys:

yara64.exe DriversCounterSignature.yar 70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4.sys
signature.subject = /C=AU/ST=New South Wales/L=Sydney/O=Wen Jia Liu/CN=Wen Jia Liu
signature.thumbprint = 32387aec09eb287f202e98398189b460f4c61a0d
signature.number_of_countersignatures = 1
        signature.countersignatures[0].sign_time = 1459189265
        signature.countersignatures[0].verified = 1
signature.subject = /C=AU/ST=New South Wales/L=Sydney/O=Wen Jia Liu/CN=Wen Jia Liu
signature.thumbprint = 190d956129dde6972d46f46ef98bd86b982e6633
signature.number_of_countersignatures = 1
        signature.countersignatures[0].sign_time = 1459189265
        signature.countersignatures[0].verified = 1

In the above example you can see that all of the countersignatures contain properly parsed values for the "sign_time" and "verified" fields.

Screenshots
When using the "Digital Signatures" tab from Explorer in Windows, you can see that it correctly parses the countersignature from Microsoft-signed drivers. Below is an example for the procexp.sys driver:

[screenshot: Windows Explorer "Digital Signatures" tab showing the countersignature for procexp.sys]

Please complete the following information:

  • OS: Windows 10 22H2 (build 10.0.19045.2728)
  • YARA version: 4.3.2

Additional context
N/A
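The rule below is an added example, not part of the issue: it turns the symptom described above into a hunting and regression check. It matches a kernel driver whose Authenticode signature verifies but whose countersignature either did not parse (sign_time == 0) or did not verify. On a YARA build affected by this bug every Microsoft-signed driver matches, so the rule doubles as a quick way to confirm whether the fix is present; on a fixed build it should only match genuine anomalies. Only fields already used on this page (pe.signatures, verified, number_of_countersignatures, countersignatures, sign_time, subject) are relied on.

```yara
import "pe"

// Added example (not from the issue or the YARA project).
// Flags drivers whose countersignature is present according to the count
// but whose parsed countersignature entries carry no usable data.
rule Driver_Countersignature_Unparsed_Or_Unverified
{
    meta:
        description = "Signed kernel driver whose countersignature failed to parse or verify"
        author = "added example"
        reference = "VirusTotal/yara issue #2012"

    condition:
        uint16(0) == 0x5a4d and
        pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_SECURITY].size > 0 and
        pe.imports("ntoskrnl.exe") and
        for any sig in pe.signatures : (
            // the primary signature itself is fine ...
            sig.verified == 1 and
            // ... and the module claims at least one countersignature ...
            sig.number_of_countersignatures > 0 and
            // ... yet at least one countersignature entry is empty or unverified
            for any cs in sig.countersignatures : (
                cs.sign_time == 0 or cs.verified == 0
            )
        )
}

// Same check narrowed to Microsoft-signed drivers, the population affected by
// this bug: on YARA 4.3.2 this should match procexp.sys from the report.
rule Microsoft_Driver_Countersignature_Unparsed
{
    condition:
        Driver_Countersignature_Unparsed_Or_Unverified and
        for any sig in pe.signatures : (
            sig.subject contains "O=Microsoft Corporation"
        )
}
```

Running it over C:\Windows\System32\drivers before and after upgrading YARA gives a direct before/after count of drivers whose countersignatures parse.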

plusvic commented Dec 29, 2023

ms_countersig_new is exiting early because the call to d2i_PKCS7 shown below returns NULL.

PKCS7* p7 = d2i_PKCS7(NULL, &data, size);

It looks like something in the parsing logic is not correct. I've noticed that you already filled an issue at avast/authenticode-parser#16, which is the library used by YARA for authenticode parsing. Let's see if they come up with a solution.

metthal commented Jan 13, 2024

A PR for these types of countersignatures has been created in authenticode-parser. Since the issue is not really trivial, it needs more testing before being merged, or even integrated into YARA, though.

plusvic commented Jan 30, 2024

Fixed in #2034

@plusvic plusvic closed this as completed Jan 30, 2024