Documentation ¶
Overview ¶
Copyright 2015 Google Inc.
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
Program certificate_tag manipulates "tags" in Authenticode-signed Windows binaries.
Traditionally we have inserted tag data after the PKCS#7 blob in the file (called an "appended tag" here). This area is not covered by the hash that is checked when verifying the signature, so we can alter it at serving time without invalidating the Authenticode signature.
However, Microsoft are changing the verification function to forbid that, so this tool also handles "superfluous certificate" tags. These are dummy certificates, inserted into the PKCS#7 certificate chain, that can contain arbitrary data in extensions. Since certificate contents are also not hashed when verifying the signature, that data can likewise be changed without invalidating it.
The tool supports PE32 exe files and MSI files.
Index ¶
- func FindTag(contents []byte, start int64) (offset, length int64, err error)
- func SetSuperfluousCertTag(signedData *signedData, tag []byte) ([]byte, error)
- type Binary
- type MSIBinary
- func (bin *MSIBinary) AppendedTag() (data []byte, ok bool)
- func (bin *MSIBinary) Asn1Data() []byte
- func (bin *MSIBinary) CertificateOffset() int64
- func (bin *MSIBinary) RemoveAppendedTag() (contents []byte, err error)
- func (bin *MSIBinary) SetAppendedTag(tagContents []byte) (contents []byte, err error)
- func (bin *MSIBinary) SetSuperfluousCertTag(tag []byte) (contents []byte, err error)
- type MSIDirEntry
- type MSIHeader
- type PE32Binary
- func (bin *PE32Binary) AppendedTag() (data []byte, ok bool)
- func (bin *PE32Binary) Asn1Data() []byte
- func (bin *PE32Binary) CertificateOffset() int64
- func (bin *PE32Binary) RemoveAppendedTag() (contents []byte, err error)
- func (bin *PE32Binary) SetAppendedTag(tagContents []byte) (contents []byte, err error)
- func (bin *PE32Binary) SetSuperfluousCertTag(tag []byte) (contents []byte, err error)
- type SectorFormat
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func FindTag ¶
func FindTag(contents []byte, start int64) (offset, length int64, err error)
FindTag returns the offset and length of the superfluous-cert tag in |contents|, or (-1, 0) if it is not found. The caller should restrict the search to the certificate section of the contents, if known.
func SetSuperfluousCertTag ¶
func SetSuperfluousCertTag(signedData *signedData, tag []byte) ([]byte, error)
SetSuperfluousCertTag modifies signedData, adding the superfluous cert with the given tag. It returns the ASN.1 serialization of the modified signedData.
Types ¶
type Binary ¶
type Binary interface {
	AppendedTag() (data []byte, ok bool)
	Asn1Data() []byte
	RemoveAppendedTag() (contents []byte, err error)
	SetAppendedTag(tagContents []byte) (contents []byte, err error)
	SetSuperfluousCertTag(tag []byte) (contents []byte, err error)
	CertificateOffset() int64
	// contains filtered or unexported methods
}
Binary represents a taggable binary of any format.
type MSIBinary ¶
type MSIBinary struct {
// contains filtered or unexported fields
}
MSIBinary represents an MSI binary. |headerBytes| and |contents| are non-overlapping slices of the same backing array.
func NewMSIBinary ¶
NewMSIBinary returns a Binary that contains details of the MSI binary given in |contents|. |contents| is modified; the region occupied by the cert section is zeroed out.
func (*MSIBinary) AppendedTag ¶
func (bin *MSIBinary) AppendedTag() (data []byte, ok bool)
AppendedTag is not supported for MSI files.
func (*MSIBinary) Asn1Data ¶
func (bin *MSIBinary) Asn1Data() []byte
func (*MSIBinary) CertificateOffset ¶
func (bin *MSIBinary) CertificateOffset() int64
func (*MSIBinary) RemoveAppendedTag ¶
func (bin *MSIBinary) RemoveAppendedTag() (contents []byte, err error)
RemoveAppendedTag is not supported for MSI files.
func (*MSIBinary) SetAppendedTag ¶
func (bin *MSIBinary) SetAppendedTag(tagContents []byte) (contents []byte, err error)
SetAppendedTag is not supported for MSI files.
func (*MSIBinary) SetSuperfluousCertTag ¶
func (bin *MSIBinary) SetSuperfluousCertTag(tag []byte) (contents []byte, err error)
SetSuperfluousCertTag returns an MSI binary based on bin, but where the superfluous certificate contains the given tag data. The (parsed) bin.signedData is modified; but bin.signedDataBytes, which contains the raw original bytes, is not.
type MSIDirEntry ¶
type MSIDirEntry struct {
	Name              [64]byte
	NumNameBytes      uint16
	ObjectType        uint8
	ColorFlag         uint8
	Left              uint32
	Right             uint32
	Child             uint32
	Clsid             [16]byte
	StateFlags        uint32
	CreateTime        uint64
	ModifyTime        uint64
	StreamFirstSector uint32
	StreamSize        uint64
}
MSIDirEntry represents a parsed MSI directory entry for a stream.
type MSIHeader ¶
type MSIHeader struct {
	Magic                      [8]byte
	Clsid                      [16]byte
	MinorVersion               uint16
	DllVersion                 uint16
	ByteOrder                  uint16
	SectorShift                uint16
	MiniSectorShift            uint16
	Reserved                   [6]byte
	NumDirSectors              uint32
	NumFatSectors              uint32
	FirstDirSector             uint32
	TransactionSignatureNumber uint32
	MiniStreamCutoffSize       uint32
	FirstMiniFatSector         uint32
	NumMiniFatSectors          uint32
	FirstDifatSector           uint32
	NumDifatSectors            uint32
}
MSIHeader represents a parsed MSI header.
type PE32Binary ¶
type PE32Binary struct {
// contains filtered or unexported fields
}
PE32Binary represents a PE binary.
func NewPE32Binary ¶
func NewPE32Binary(contents []byte) (*PE32Binary, error)
NewPE32Binary returns a Binary that contains details of the PE32 binary given in contents.
func (*PE32Binary) AppendedTag ¶
func (bin *PE32Binary) AppendedTag() (data []byte, ok bool)
AppendedTag returns the appended tag, if any.
func (*PE32Binary) Asn1Data ¶
func (bin *PE32Binary) Asn1Data() []byte
func (*PE32Binary) CertificateOffset ¶
func (bin *PE32Binary) CertificateOffset() int64
func (*PE32Binary) RemoveAppendedTag ¶
func (bin *PE32Binary) RemoveAppendedTag() (contents []byte, err error)
RemoveAppendedTag removes a legacy-style tag from the end of the signedData container.
func (*PE32Binary) SetAppendedTag ¶
func (bin *PE32Binary) SetAppendedTag(tagContents []byte) (contents []byte, err error)
SetAppendedTag adds a legacy-style tag at the end of the signedData container.
func (*PE32Binary) SetSuperfluousCertTag ¶
func (bin *PE32Binary) SetSuperfluousCertTag(tag []byte) (contents []byte, err error)
SetSuperfluousCertTag returns a PE binary based on bin, but where the superfluous certificate contains the given tag data. The (parsed) bin.signedData is modified; but bin.asn1Bytes, which contains the raw original bytes, is not.
type SectorFormat ¶
type SectorFormat struct {
	Size offT // the size of a sector in bytes; 512 for dll v3 and 4096 for v4.
	Ints int  // the number of int32s in a sector.
}
SectorFormat represents parameters of an MSI file sector.