PE CounterSignatures not parsed correctly in Microsoft signed drivers #16

Closed
antonioCoco opened this issue Nov 29, 2023 · 3 comments

@antonioCoco

Hi,

it seems there is a bug in the library when parsing the countersignatures on Microsoft signed drivers.

If you try to run the authenticode_dumper code from your examples on a Microsoft signed driver, e.g. procexp.sys, you will get the following output:

C:\Users\user\authenticode-parser\examples\build\Debug>authenticode_dumper.exe procexp.sys
Signature count: 1
Signatures: 1
    PKCS7 Signature:
      Version           : 1
      Digest            : c7fef94e329bd9b66b281539265f989313356cbd9c345df9e670e9c4b6e0edce
      File Digest       : c7fef94e329bd9b66b281539265f989313356cbd9c345df9e670e9c4b6e0edce
      Digest Algorithm  : sha256
      Verify flags      : 0
      Certificate count : 2
      Certificates:

        Certificate 0:
              Version             : 2
              Subject             : /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows Hardware Compatibility Publisher
              Issuer              : /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows Third Party Component CA 2012
              Serial              : 33:00:00:00:b2:0f:9a:d8:67:94:f3:22:f6:00:00:00:00:00:b2
              Not After           : 1638483330
              Not Before          : 1608070530
              SHA1                : 92d7192a7c3180912ff8414f790973a05c28f8b0
              SHA256              : f437f71e6c0028d7b4e4a371144e746735bdf478a410d9091a3751f2d1c14da0
              Key Algorithm       : rsaEncryption
              Signature Algorithm : sha256WithRSAEncryption
              Public key          : MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmfDL4fe7NfjXUg7jEEJhT/FiX2oUbbVl8zrItfdS5vC4FeB3NQ5adsXD+VVRxaP7fVSZ9Rg8yXGuL7JG3ggFEo8fty1YWTJ5DN2AdnctFq8h9ZYmyQ+VEiTVZ6amiQceJWjw/gb2Q3BjvjEpS+AA5Y3tqtWAqL/Zujm97XwlQ5DkgqzdUZuYFk3ZhkGVZf8yiKvzDtd96neBDy3xVsHjnjQ5JysNjxtVn4Mj9a8S7jzD80xdyLT79zNwdvCRkEsWCi1T+tAalU0miwcn5EEUMN91J495zKyBBVtG2v/epuqa106/Nv0t/l8FtTw5wtBispZ8UcZnjmzNCDIDKEcthwIDAQAB
        Certificate 1:
              Version             : 2
              Subject             : /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows Third Party Component CA 2012
              Issuer              : /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Root Certificate Authority 2010
              Serial              : 61:0b:aa:c1:00:00:00:00:00:09
              Not After           : 1808092718
              Not Before          : 1334792918
              SHA1                : 77a10ebf07542725218cd83a01b521c57bc67f73
              SHA256              : 9d08973e4d108da40a1a0b274180e17371134b4dd1621fa5c1f131b739b4b823
              Key Algorithm       : rsaEncryption
              Signature Algorithm : sha256WithRSAEncryption
              Public key          : MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAo5wwhAmnYy7PCkfw6iT5ozAgD15XMSaBmjEHslDUzmcJCGUKWqVLrtXtEC7npZm1n2gvmItYAqwgtCnEcb0oHKX9PJtk5MXr32ElvPDuaL/Rp8t+KgKBTmRcDFOGeVcZN2G3mPkMoE4iWZv5Gy1nPCc8VpBm4/1/ZX0Phr01R+iKzPTajulqTqunVeyiiR7VM0VTy/med73NLPkFuH90AR3o+xjhQ9EN6arcN2+9/rgP7R1NAUZOCqz8gujsVoMTjjoB7RRkdOpksmYQtmhtyHAAfVBILj1D7uAklcbNjsf9uOSVz91++5VeoQHNQ7EH16Qw7puGGipuwQtZonRviwIDAQAB
      Signer Info:
        Digest       : 16efc5250c4d4a99a00ed2ad9a0e3d8fbc21da5be95ac35ad33b3d9c3f3719a1
        Digest Algo  : sha256
        Program name : Procexp
        Chain size   : 2
        Chain:
            Certificate 0:
                Version             : 2
                Subject             : /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows Hardware Compatibility Publisher
                Issuer              : /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows Third Party Component CA 2012
                Serial              : 33:00:00:00:b2:0f:9a:d8:67:94:f3:22:f6:00:00:00:00:00:b2
                Not After           : 1638483330
                Not Before          : 1608070530
                SHA1                : 92d7192a7c3180912ff8414f790973a05c28f8b0
                SHA256              : f437f71e6c0028d7b4e4a371144e746735bdf478a410d9091a3751f2d1c14da0
                Key Algorithm       : rsaEncryption
                Signature Algorithm : sha256WithRSAEncryption
                Public key          : MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmfDL4fe7NfjXUg7jEEJhT/FiX2oUbbVl8zrItfdS5vC4FeB3NQ5adsXD+VVRxaP7fVSZ9Rg8yXGuL7JG3ggFEo8fty1YWTJ5DN2AdnctFq8h9ZYmyQ+VEiTVZ6amiQceJWjw/gb2Q3BjvjEpS+AA5Y3tqtWAqL/Zujm97XwlQ5DkgqzdUZuYFk3ZhkGVZf8yiKvzDtd96neBDy3xVsHjnjQ5JysNjxtVn4Mj9a8S7jzD80xdyLT79zNwdvCRkEsWCi1T+tAalU0miwcn5EEUMN91J495zKyBBVtG2v/epuqa106/Nv0t/l8FtTw5wtBispZ8UcZnjmzNCDIDKEcthwIDAQAB
            Certificate 1:
                Version             : 2
                Subject             : /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows Third Party Component CA 2012
                Issuer              : /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Root Certificate Authority 2010
                Serial              : 61:0b:aa:c1:00:00:00:00:00:09
                Not After           : 1808092718
                Not Before          : 1334792918
                SHA1                : 77a10ebf07542725218cd83a01b521c57bc67f73
                SHA256              : 9d08973e4d108da40a1a0b274180e17371134b4dd1621fa5c1f131b739b4b823
                Key Algorithm       : rsaEncryption
                Signature Algorithm : sha256WithRSAEncryption
                Public key          : MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAo5wwhAmnYy7PCkfw6iT5ozAgD15XMSaBmjEHslDUzmcJCGUKWqVLrtXtEC7npZm1n2gvmItYAqwgtCnEcb0oHKX9PJtk5MXr32ElvPDuaL/Rp8t+KgKBTmRcDFOGeVcZN2G3mPkMoE4iWZv5Gy1nPCc8VpBm4/1/ZX0Phr01R+iKzPTajulqTqunVeyiiR7VM0VTy/med73NLPkFuH90AR3o+xjhQ9EN6arcN2+9/rgP7R1NAUZOCqz8gujsVoMTjjoB7RRkdOpksmYQtmhtyHAAfVBILj1D7uAklcbNjsf9uOSVz91++5VeoQHNQ7EH16Qw7puGGipuwQtZonRviwIDAQAB


      Countersignature:
        Digest           :         Digest Algorithm : (null)
        Signing Time     : 0
        Verify flags     : 1

As you can see, the Verify Flags is set to COUNTERSIGNATURE_VFY_CANT_PARSE in the parsed countersignature.
BTW, this bug happens with any driver signed by Microsoft: you can pick any driver with a signature in the C:\Windows\System32\drivers directory and the same unwanted behavior happens.

When using the "Digital Signatures" tab from Explorer in Windows, you can see that it correctly parses the countersignature from Microsoft-signed drivers. Below is an example for the procexp.sys driver:

[Image: screenshot of the "Digital Signatures" tab for procexp.sys]

In contrast, the parsing of countersignatures from non-Microsoft-signed drivers works properly, e.g. kprocesshacker.sys:

C:\Users\user\authenticode-parser\examples\build\Debug>authenticode_dumper.exe kprocesshacker.sys
Signature count: 2
Signatures: 2
    PKCS7 Signature:
      Version           : 1
      Digest            : c2b8c1b34f09a91efe196f646ef7f9a11190fb8e
      File Digest       : c2b8c1b34f09a91efe196f646ef7f9a11190fb8e
      Digest Algorithm  : sha1
      Verify flags      : 0
      Certificate count : 5
      Certificates:

        Certificate 0:
              Version             : 2
              Subject             : /C=AU/ST=New South Wales/L=Sydney/O=Wen Jia Liu/CN=Wen Jia Liu
              Issuer              : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance Code Signing CA-1
              Serial              : 0f:f1:ef:66:bd:62:1c:65:b7:4b:4d:e4:14:25:71:7f
              Not After           : 1483531200
              Not Before          : 1383091200
              SHA1                : 32387aec09eb287f202e98398189b460f4c61a0d
              SHA256              : e0e85619eef45fce4421e4ba581060e43bbbf25911cd757dd081da425dd1db51
              Key Algorithm       : rsaEncryption
              Signature Algorithm : sha1WithRSAEncryption
              Public key          : MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzC6hUkkJzCLvNEPcQaaYoB8PaRozspKlcyZOHbniq8RG4T75JML2HAB73BzZrlqp5IZR8sD7LRqUy74TqMb3g2MeJxk/lTa/QJg4I1Ky+cfiFG7+MdVvxtEPCkVUnHpsv7QCSDEKwmztSsFpGpv3PgXjAZlKqQ9wNpSjuuUPr3acok+heA7wotXwbZ8MM0zDuab7DbWHAAjxOGsfHbDu6MSNiUPJCBAqkqOH7hcnJKMSGxG8jBWaCIrXOl7tBKDg5u3vNG0sU7+QCd59WR9TnNS3uRlyFpU9/3lw/0ZenDNoSgbT7Gy0x6N9jYSENjwS1Zf77E2HnXPE4q8vhEgYuwIDAQAB
        Certificate 1:
              Version             : 2
              Subject             : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
              Issuer              : /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Code Verification Root
              Serial              : 61:20:4d:b4:00:00:00:00:00:27
              Not After           : 1618516533
              Not Before          : 1302896733
              SHA1                : 2f2513af3992db0a3f79709ff8143b3f7bd2d143
              SHA256              : 766e3fdc0bc1fd22dd9aafecf8248760e50375fdad3d8959b2a6d487a8a05fca
              Key Algorithm       : rsaEncryption
              Signature Algorithm : sha1WithRSAEncryption
              Public key          : MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxszlc+b71LvlLS0ypt/lgT/JzSVJtnEqw9WUNGeiChywX2mmQLHEt7KP0JikqUFZOtPclNY823Q4pErMTSWC90qlUxI47vNJbXGRfmO2q6Zfw6SE+E9iUb74xezbOJLjBuUIkQzEKEFV+8taiRV+ceg1v01yCT2+OjhQW3cxG42zxyRFmqesbQAUWgS3uhPrUQqYQUEiTmVhh4FBUKZ5XIneGUpX1S7mXRxTLH6YzRoGFqRoc9A0BBNcoXHTWnxV215k4TeHMFYE5RG0KYAS8Xk5iKICEXwnZreIt3jyygqoOKsKZMK/Zl2VhMGhJR6HXRpQCyASzEG7bgtROLhLywIDAQAB
        Certificate 2:
              Version             : 2
              Subject             : /C=US/O=DigiCert/CN=DigiCert Timestamp Responder
              Issuer              : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID CA-1
              Serial              : 03:01:9a:02:3a:ff:58:b1:6b:d6:d5:ea:e6:17:f0:66
              Not After           : 1729555200
              Not Before          : 1413936000
              SHA1                : 614d271d9102e30169822487fde5de00a352b01d
              SHA256              : 34bb219c2589b1d7658503e1246b013606d00f6b00310e7a4087ea2098832596
              Key Algorithm       : rsaEncryption
              Signature Algorithm : sha1WithRSAEncryption
              Public key          : MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAo2Rd/Hyz4II14OD2xirmSXU7zG7gU6mfH2RZ5nxrf2uMnVX4kuOe1VpjWwJJUNmDzm9m7t3LhelfpfnUh3SIRDsZyeX1kZ/GFDmsJOqoSyyRicxeKPRktlC39RKzc5YKZ6O+YZ+u8/0SeHUOplsU/UUjjoZEVX0YhgWMVYd5SEb3yg6Np95OX+Koti1ZAmGIYXIYaLm4fO7m5zQvMXeBMB+7NgGN7yfj95rwTDFkjePr+hmHqH7P7IwMNlt6wXq4eMfJBi5GEMiN6ARg27xzdPpO2P6qQPGyznBGg+naQKFZOtkVCVeZVjCT88lhzNAIzGvsYkKRrALA76TwiRGPdwIDAQAB
        Certificate 3:
              Version             : 2
              Subject             : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance Code Signing CA-1
              Issuer              : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
              Serial              : 02:c4:d1:e5:8a:4a:68:0c:56:8d:a3:04:7e:7e:4d:5f
              Not After           : 1770724800
              Not Before          : 1297425600
              SHA1                : e308f829dc77e80af15edd4151ea47c59399ab46
              SHA256              : 007d2c8b15786232bac0eaa31f60aae06dc572921bad0d46c77107d8c2dca4b3
              Key Algorithm       : rsaEncryption
              Signature Algorithm : sha1WithRSAEncryption
              Public key          : MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxfkj5pQnxIAUpIAyX0CjjW9wwOU2cXE6daSqGpKUiV6sI3HLTmd9QT+q40u3e76dwag4j2kvOiTpd1kSx2YEQ8INJoKJQBnyLOrnTOd8BRq4/4gJTyY37zqk+iJsiMlKG2HyrhBeb7zReZtZGGDl7im1AyqkzvGDGU9pBXMoCfsiEJMioJAZGkwx8tMr2IRDrzxj/5jbINIJK1TB6v1qg+cQoxJx9dbX4RJ61eBWWs7qAVtoZVvBP1hSM6k1YU4iy4HKNqMSywbWzxtNGH65krkSz0Am2Jo2hbMVqkeThGsHu7zVs94lABGJAGjBKTzqPi3uUKvXHDAGeDylECNnkQIDAQAB
        Certificate 4:
              Version             : 2
              Subject             : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID CA-1
              Issuer              : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA
              Serial              : 06:fd:f9:03:96:03:ad:ea:00:0a:eb:3f:27:bb:ba:1b
              Not After           : 1636502400
              Not Before          : 1163116800
              SHA1                : 19a09b5a36f4dd99727df783c17a51231a56c117
              SHA256              : 425e72c87ff22855d9908b71ab4c64b0d2f248287097690c62fe733f631de38f
              Key Algorithm       : rsaEncryption
              Signature Algorithm : sha1WithRSAEncryption
              Public key          : MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6IItmfnKwkKVpYBzQHDSnlZUXKnE0kEGj8kz/E1FkVyBn+0snPgWWd+etSQVwpi5tHdJ3InECtqvy15r7a2wcTHrzzpADEZNk+yLejYIA6sMNP4YSYL+x8cxSIB8HqIPkg5QycaH6zY/2DDD/6b3+6LNb3Mj/qxWBZDwMiEWicZwiPkFl32jx0PdAug7Pe2xQaPtP77blUjE7h6z8rwMK5nQxl0SQoHhg26Ccz8mSxSQrllmCsSNvtLOBq6thG9IhJtPQLnxTPKvmPv2zkBdXPao8S+v7Iki8msYZbHBc63X8djPHgp0XEK4aH631XcKJ1Z8D2KkPzIUYJX9BwSiCQIDAQAB
      Signer Info:
        Digest       : 9bb6c4bf0a838bf7ea75e48e9e82581deb6d48ed
        Digest Algo  : sha1
        Program name : (null)
        Chain size   : 3
        Chain:
            Certificate 0:
                Version             : 2
                Subject             : /C=AU/ST=New South Wales/L=Sydney/O=Wen Jia Liu/CN=Wen Jia Liu
                Issuer              : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance Code Signing CA-1
                Serial              : 0f:f1:ef:66:bd:62:1c:65:b7:4b:4d:e4:14:25:71:7f
                Not After           : 1483531200
                Not Before          : 1383091200
                SHA1                : 32387aec09eb287f202e98398189b460f4c61a0d
                SHA256              : e0e85619eef45fce4421e4ba581060e43bbbf25911cd757dd081da425dd1db51
                Key Algorithm       : rsaEncryption
                Signature Algorithm : sha1WithRSAEncryption
                Public key          : MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzC6hUkkJzCLvNEPcQaaYoB8PaRozspKlcyZOHbniq8RG4T75JML2HAB73BzZrlqp5IZR8sD7LRqUy74TqMb3g2MeJxk/lTa/QJg4I1Ky+cfiFG7+MdVvxtEPCkVUnHpsv7QCSDEKwmztSsFpGpv3PgXjAZlKqQ9wNpSjuuUPr3acok+heA7wotXwbZ8MM0zDuab7DbWHAAjxOGsfHbDu6MSNiUPJCBAqkqOH7hcnJKMSGxG8jBWaCIrXOl7tBKDg5u3vNG0sU7+QCd59WR9TnNS3uRlyFpU9/3lw/0ZenDNoSgbT7Gy0x6N9jYSENjwS1Zf77E2HnXPE4q8vhEgYuwIDAQAB
            Certificate 1:
                Version             : 2
                Subject             : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance Code Signing CA-1
                Issuer              : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
                Serial              : 02:c4:d1:e5:8a:4a:68:0c:56:8d:a3:04:7e:7e:4d:5f
                Not After           : 1770724800
                Not Before          : 1297425600
                SHA1                : e308f829dc77e80af15edd4151ea47c59399ab46
                SHA256              : 007d2c8b15786232bac0eaa31f60aae06dc572921bad0d46c77107d8c2dca4b3
                Key Algorithm       : rsaEncryption
                Signature Algorithm : sha1WithRSAEncryption
                Public key          : MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxfkj5pQnxIAUpIAyX0CjjW9wwOU2cXE6daSqGpKUiV6sI3HLTmd9QT+q40u3e76dwag4j2kvOiTpd1kSx2YEQ8INJoKJQBnyLOrnTOd8BRq4/4gJTyY37zqk+iJsiMlKG2HyrhBeb7zReZtZGGDl7im1AyqkzvGDGU9pBXMoCfsiEJMioJAZGkwx8tMr2IRDrzxj/5jbINIJK1TB6v1qg+cQoxJx9dbX4RJ61eBWWs7qAVtoZVvBP1hSM6k1YU4iy4HKNqMSywbWzxtNGH65krkSz0Am2Jo2hbMVqkeThGsHu7zVs94lABGJAGjBKTzqPi3uUKvXHDAGeDylECNnkQIDAQAB
            Certificate 2:
                Version             : 2
                Subject             : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
                Issuer              : /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Code Verification Root
                Serial              : 61:20:4d:b4:00:00:00:00:00:27
                Not After           : 1618516533
                Not Before          : 1302896733
                SHA1                : 2f2513af3992db0a3f79709ff8143b3f7bd2d143
                SHA256              : 766e3fdc0bc1fd22dd9aafecf8248760e50375fdad3d8959b2a6d487a8a05fca
                Key Algorithm       : rsaEncryption
                Signature Algorithm : sha1WithRSAEncryption
                Public key          : MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxszlc+b71LvlLS0ypt/lgT/JzSVJtnEqw9WUNGeiChywX2mmQLHEt7KP0JikqUFZOtPclNY823Q4pErMTSWC90qlUxI47vNJbXGRfmO2q6Zfw6SE+E9iUb74xezbOJLjBuUIkQzEKEFV+8taiRV+ceg1v01yCT2+OjhQW3cxG42zxyRFmqesbQAUWgS3uhPrUQqYQUEiTmVhh4FBUKZ5XIneGUpX1S7mXRxTLH6YzRoGFqRoc9A0BBNcoXHTWnxV215k4TeHMFYE5RG0KYAS8Xk5iKICEXwnZreIt3jyygqoOKsKZMK/Zl2VhMGhJR6HXRpQCyASzEG7bgtROLhLywIDAQAB


      Countersignature:
        Digest           : e0e1b26a21dda2a4d57236182a51cd3162e502fa
        Digest Algorithm : sha1
        Signing Time     : 1459189265
        Verify flags     : 0
        Chain size       : 2
        Chain:
            Certificate 0:
                Version             : 2
                Subject             : /C=US/O=DigiCert/CN=DigiCert Timestamp Responder
                Issuer              : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID CA-1
                Serial              : 03:01:9a:02:3a:ff:58:b1:6b:d6:d5:ea:e6:17:f0:66
                Not After           : 1729555200
                Not Before          : 1413936000
                SHA1                : 614d271d9102e30169822487fde5de00a352b01d
                SHA256              : 34bb219c2589b1d7658503e1246b013606d00f6b00310e7a4087ea2098832596
                Key Algorithm       : rsaEncryption
                Signature Algorithm : sha1WithRSAEncryption
                Public key          : MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAo2Rd/Hyz4II14OD2xirmSXU7zG7gU6mfH2RZ5nxrf2uMnVX4kuOe1VpjWwJJUNmDzm9m7t3LhelfpfnUh3SIRDsZyeX1kZ/GFDmsJOqoSyyRicxeKPRktlC39RKzc5YKZ6O+YZ+u8/0SeHUOplsU/UUjjoZEVX0YhgWMVYd5SEb3yg6Np95OX+Koti1ZAmGIYXIYaLm4fO7m5zQvMXeBMB+7NgGN7yfj95rwTDFkjePr+hmHqH7P7IwMNlt6wXq4eMfJBi5GEMiN6ARg27xzdPpO2P6qQPGyznBGg+naQKFZOtkVCVeZVjCT88lhzNAIzGvsYkKRrALA76TwiRGPdwIDAQAB
            Certificate 1:
                Version             : 2
                Subject             : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID CA-1
                Issuer              : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA
                Serial              : 06:fd:f9:03:96:03:ad:ea:00:0a:eb:3f:27:bb:ba:1b
                Not After           : 1636502400
                Not Before          : 1163116800
                SHA1                : 19a09b5a36f4dd99727df783c17a51231a56c117
                SHA256              : 425e72c87ff22855d9908b71ab4c64b0d2f248287097690c62fe733f631de38f
                Key Algorithm       : rsaEncryption
                Signature Algorithm : sha1WithRSAEncryption
                Public key          : MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6IItmfnKwkKVpYBzQHDSnlZUXKnE0kEGj8kz/E1FkVyBn+0snPgWWd+etSQVwpi5tHdJ3InECtqvy15r7a2wcTHrzzpADEZNk+yLejYIA6sMNP4YSYL+x8cxSIB8HqIPkg5QycaH6zY/2DDD/6b3+6LNb3Mj/qxWBZDwMiEWicZwiPkFl32jx0PdAug7Pe2xQaPtP77blUjE7h6z8rwMK5nQxl0SQoHhg26Ccz8mSxSQrllmCsSNvtLOBq6thG9IhJtPQLnxTPKvmPv2zkBdXPao8S+v7Iki8msYZbHBc63X8djPHgp0XEK4aH631XcKJ1Z8D2KkPzIUYJX9BwSiCQIDAQAB
    PKCS7 Signature:
      Version           : 1
      Digest            : 4ee2a56c1592ff0e951b452c0de064eba05b7c98e3add04c8aa3b4a84eb797a5
      File Digest       : 4ee2a56c1592ff0e951b452c0de064eba05b7c98e3add04c8aa3b4a84eb797a5
      Digest Algorithm  : sha256
      Verify flags      : 0
      Certificate count : 5
      Certificates:

        Certificate 0:
              Version             : 2
              Subject             : /C=AU/ST=New South Wales/L=Sydney/O=Wen Jia Liu/CN=Wen Jia Liu
              Issuer              : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Code Signing CA
              Serial              : 04:0c:b4:1e:4f:b3:70:c4:5c:43:44:76:51:62:58:2f
              Not After           : 1483531200
              Not Before          : 1383091200
              SHA1                : 190d956129dde6972d46f46ef98bd86b982e6633
              SHA256              : 389084bb9e1f6785a7b7da4cb87872738ab2f92cd88b286f2690bd46e3912bdf
              Key Algorithm       : rsaEncryption
              Signature Algorithm : sha256WithRSAEncryption
              Public key          : MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAl6jor1kqBfPVDjZm64mVUho73UESY7KBufTQyz3fffWb8VU1wJsKrjn27djaWN2rDsrOst7e8P2dbXcenQWuUeYCJ42kwkMvKwfPBAsAoEZdYRP2o7arvQSz5Lainr2U1pXPKLvZX9z7BixSAD1jbGT4aMoCWh8luBzVr267EWHA9XKXMsFmr0G4e1mw2uVbmyXbVrRE/FJfREA7X7ACN1PRn5aloKVHhxnIPaZbkQUBsdQAlhQxgASK4KajpTIxkjcak4Xasel57Bq7pho0x3CALYrWiTjTjFSuboY9OsVJ1nJ7t5S2a+7w0HARwvCiXdiHXEekfo42KdVkz0l5hQIDAQAB
        Certificate 1:
              Version             : 2
              Subject             : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
              Issuer              : /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Code Verification Root
              Serial              : 61:20:4d:b4:00:00:00:00:00:27
              Not After           : 1618516533
              Not Before          : 1302896733
              SHA1                : 2f2513af3992db0a3f79709ff8143b3f7bd2d143
              SHA256              : 766e3fdc0bc1fd22dd9aafecf8248760e50375fdad3d8959b2a6d487a8a05fca
              Key Algorithm       : rsaEncryption
              Signature Algorithm : sha1WithRSAEncryption
              Public key          : MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxszlc+b71LvlLS0ypt/lgT/JzSVJtnEqw9WUNGeiChywX2mmQLHEt7KP0JikqUFZOtPclNY823Q4pErMTSWC90qlUxI47vNJbXGRfmO2q6Zfw6SE+E9iUb74xezbOJLjBuUIkQzEKEFV+8taiRV+ceg1v01yCT2+OjhQW3cxG42zxyRFmqesbQAUWgS3uhPrUQqYQUEiTmVhh4FBUKZ5XIneGUpX1S7mXRxTLH6YzRoGFqRoc9A0BBNcoXHTWnxV215k4TeHMFYE5RG0KYAS8Xk5iKICEXwnZreIt3jyygqoOKsKZMK/Zl2VhMGhJR6HXRpQCyASzEG7bgtROLhLywIDAQAB
        Certificate 2:
              Version             : 2
              Subject             : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Code Signing CA
              Issuer              : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
              Serial              : 0b:7e:10:90:3c:38:49:0f:fa:2f:67:9a:87:a1:a7:b9
              Not After           : 1855828800
              Not Before          : 1382443200
              SHA1                : f7e0f449f1a2594f88856c0758f8e6f627e5f5a2
              SHA256              : c51b83a0de49a201a5fbe947032c04702f8ca7c2d02adf28b73d42c8acd1c362
              Key Algorithm       : rsaEncryption
              Signature Algorithm : sha256WithRSAEncryption
              Public key          : MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtEpefQcPQd7E9XYWNr1x/88/T3NLnNEN/krLV1hehRbdAhVUmfCPPC9NAngQaMjYNUs/wfdnzpgcrjO5LR2kClSTxIWi3zWx9fE8p7M0+11IyUbJYkS8SJnrKElTwz2PwA7eNZjpYlHfPWtAYe4EQdrPp1xWltH5TLdEhIeYaeWCuRPmVb/IknCSCjFvf4syq89rWp9ixD7uvu1ZpFN/C/FSiIp7Cmcky5DN7NJNNEyw4bWfnMb2byzN5spTdAGfZzXeOEktzu05RIIZeU4asrX7u3jwSWanz/pclnWSixpy2f9QklPMPsJDMgkahhNpPPuBMjMyZHVzKCYdCDA7BwIDAQAB
        Certificate 3:
              Version             : 2
              Subject             : /C=US/O=DigiCert, Inc./CN=DigiCert SHA2 Timestamp Responder
              Issuer              : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Assured ID Timestamping CA
              Serial              : 02:ce:42:94:59:02:a4:f3:c0:40:b0:ff:77:93:d1:4f
              Not After           : 1736208000
              Not Before          : 1450915200
              SHA1                : c636f4dda87cee3d8263bf9a2514b4533468d75e
              SHA256              : 20e260ee55c80a37fca0c7fdeef8577a3a6391bc3e5234b5f3d492d0c37b3a9c
              Key Algorithm       : rsaEncryption
              Signature Algorithm : sha256WithRSAEncryption
              Public key          : MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAytybsxHNriB6ZXIsNS/eOfkoJJHRlOWg1B5eaAw4KLd4vZ6f8fKl3hDMoDgBAal6F7CAgS2wwYQCFv0QduxHLE1ulijQZQQRXXjIFx+MTodXHSHr7BznzH80+OGvK6xmrgopN+3WBY+8DdxrmS4chK5ww2q3LlhLEcemUDr7FhvwBjnwmos4IQ9iXiodhej3h8r9xxfYrlgnRxZGdPA7efnBqHMotvkM38WK8c7AnPjLRR9+Gyr8+94epelj3Sp/vJdCIhPwVAvQSlxLCB7s/+det0fbot9TvhmeR82C49Z4NiQGLEI+BuQGb7xcx0/bItXlyKqerRfIz/XT1uR2gQIDAQAB
        Certificate 4:
              Version             : 2
              Subject             : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Assured ID Timestamping CA
              Issuer              : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA
              Serial              : 0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15
              Not After           : 1925553600
              Not Before          : 1452168000
              SHA1                : 3ba63a6e4841355772debef9cdcf4d5af353a297
              SHA256              : ca8d0f4736454aecbec5deec80998c9ebf41d06c728f3c76cca24151bc62d463
              Key Algorithm       : rsaEncryption
              Signature Algorithm : sha256WithRSAEncryption
              Public key          : MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvdAy7kvNj3/dqbqCmcU5VChXtiNKxA4HRTNREH3Q+X1NaH7ntqD0jbOI5Je/YyGQmL8TvFfTw+F+CNZqFAA49y4eO+7MpvYyWf5fZT/gm+vjRkcGGlV+Cyd+wKL1oODeIj8O/36V+/OjuiI+GKwR5PCZA207hXwJ0+5dyJoLVOOoCXFr4M8iEA91z3FyTgqt30A6XLdR4aF5FMZNJCMwXbzsPGBqrC8HzP3w6kfZiFBe/WZuVmEnKYmEUeaC50ZQ/ZQqLKfkdT66mA+Ef58xFNat1fJky3seBdCEGXIX8RcG7z3N1k3vBkL9olMqT4UdxB08r8/arBD13ays6Vb/kwIDAQAB
      Signer Info:
        Digest       : 1939ad5ec9ec5c1ac5b360973aadb5b2308b8e98f36f9684bc874b56b67d6657
        Digest Algo  : sha256
        Program name : (null)
        Chain size   : 3
        Chain:
            Certificate 0:
                Version             : 2
                Subject             : /C=AU/ST=New South Wales/L=Sydney/O=Wen Jia Liu/CN=Wen Jia Liu
                Issuer              : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Code Signing CA
                Serial              : 04:0c:b4:1e:4f:b3:70:c4:5c:43:44:76:51:62:58:2f
                Not After           : 1483531200
                Not Before          : 1383091200
                SHA1                : 190d956129dde6972d46f46ef98bd86b982e6633
                SHA256              : 389084bb9e1f6785a7b7da4cb87872738ab2f92cd88b286f2690bd46e3912bdf
                Key Algorithm       : rsaEncryption
                Signature Algorithm : sha256WithRSAEncryption
                Public key          : MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAl6jor1kqBfPVDjZm64mVUho73UESY7KBufTQyz3fffWb8VU1wJsKrjn27djaWN2rDsrOst7e8P2dbXcenQWuUeYCJ42kwkMvKwfPBAsAoEZdYRP2o7arvQSz5Lainr2U1pXPKLvZX9z7BixSAD1jbGT4aMoCWh8luBzVr267EWHA9XKXMsFmr0G4e1mw2uVbmyXbVrRE/FJfREA7X7ACN1PRn5aloKVHhxnIPaZbkQUBsdQAlhQxgASK4KajpTIxkjcak4Xasel57Bq7pho0x3CALYrWiTjTjFSuboY9OsVJ1nJ7t5S2a+7w0HARwvCiXdiHXEekfo42KdVkz0l5hQIDAQAB
            Certificate 1:
                Version             : 2
                Subject             : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Code Signing CA
                Issuer              : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
                Serial              : 0b:7e:10:90:3c:38:49:0f:fa:2f:67:9a:87:a1:a7:b9
                Not After           : 1855828800
                Not Before          : 1382443200
                SHA1                : f7e0f449f1a2594f88856c0758f8e6f627e5f5a2
                SHA256              : c51b83a0de49a201a5fbe947032c04702f8ca7c2d02adf28b73d42c8acd1c362
                Key Algorithm       : rsaEncryption
                Signature Algorithm : sha256WithRSAEncryption
                Public key          : MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtEpefQcPQd7E9XYWNr1x/88/T3NLnNEN/krLV1hehRbdAhVUmfCPPC9NAngQaMjYNUs/wfdnzpgcrjO5LR2kClSTxIWi3zWx9fE8p7M0+11IyUbJYkS8SJnrKElTwz2PwA7eNZjpYlHfPWtAYe4EQdrPp1xWltH5TLdEhIeYaeWCuRPmVb/IknCSCjFvf4syq89rWp9ixD7uvu1ZpFN/C/FSiIp7Cmcky5DN7NJNNEyw4bWfnMb2byzN5spTdAGfZzXeOEktzu05RIIZeU4asrX7u3jwSWanz/pclnWSixpy2f9QklPMPsJDMgkahhNpPPuBMjMyZHVzKCYdCDA7BwIDAQAB
            Certificate 2:
                Version             : 2
                Subject             : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
                Issuer              : /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Code Verification Root
                Serial              : 61:20:4d:b4:00:00:00:00:00:27
                Not After           : 1618516533
                Not Before          : 1302896733
                SHA1                : 2f2513af3992db0a3f79709ff8143b3f7bd2d143
                SHA256              : 766e3fdc0bc1fd22dd9aafecf8248760e50375fdad3d8959b2a6d487a8a05fca
                Key Algorithm       : rsaEncryption
                Signature Algorithm : sha1WithRSAEncryption
                Public key          : MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxszlc+b71LvlLS0ypt/lgT/JzSVJtnEqw9WUNGeiChywX2mmQLHEt7KP0JikqUFZOtPclNY823Q4pErMTSWC90qlUxI47vNJbXGRfmO2q6Zfw6SE+E9iUb74xezbOJLjBuUIkQzEKEFV+8taiRV+ceg1v01yCT2+OjhQW3cxG42zxyRFmqesbQAUWgS3uhPrUQqYQUEiTmVhh4FBUKZ5XIneGUpX1S7mXRxTLH6YzRoGFqRoc9A0BBNcoXHTWnxV215k4TeHMFYE5RG0KYAS8Xk5iKICEXwnZreIt3jyygqoOKsKZMK/Zl2VhMGhJR6HXRpQCyASzEG7bgtROLhLywIDAQAB


      Countersignature:
        Digest           : 8d2adfc11c43947d5ea6b7e81429acf0429930be60fd70c41c26e8e7c5b17aee
        Digest Algorithm : sha256
        Signing Time     : 1459189265
        Verify flags     : 0
        Chain size       : 2
        Chain:
            Certificate 0:
                Version             : 2
                Subject             : /C=US/O=DigiCert, Inc./CN=DigiCert SHA2 Timestamp Responder
                Issuer              : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Assured ID Timestamping CA
                Serial              : 02:ce:42:94:59:02:a4:f3:c0:40:b0:ff:77:93:d1:4f
                Not After           : 1736208000
                Not Before          : 1450915200
                SHA1                : c636f4dda87cee3d8263bf9a2514b4533468d75e
                SHA256              : 20e260ee55c80a37fca0c7fdeef8577a3a6391bc3e5234b5f3d492d0c37b3a9c
                Key Algorithm       : rsaEncryption
                Signature Algorithm : sha256WithRSAEncryption
                Public key          : MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAytybsxHNriB6ZXIsNS/eOfkoJJHRlOWg1B5eaAw4KLd4vZ6f8fKl3hDMoDgBAal6F7CAgS2wwYQCFv0QduxHLE1ulijQZQQRXXjIFx+MTodXHSHr7BznzH80+OGvK6xmrgopN+3WBY+8DdxrmS4chK5ww2q3LlhLEcemUDr7FhvwBjnwmos4IQ9iXiodhej3h8r9xxfYrlgnRxZGdPA7efnBqHMotvkM38WK8c7AnPjLRR9+Gyr8+94epelj3Sp/vJdCIhPwVAvQSlxLCB7s/+det0fbot9TvhmeR82C49Z4NiQGLEI+BuQGb7xcx0/bItXlyKqerRfIz/XT1uR2gQIDAQAB
            Certificate 1:
                Version             : 2
                Subject             : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Assured ID Timestamping CA
                Issuer              : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA
                Serial              : 0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15
                Not After           : 1925553600
                Not Before          : 1452168000
                SHA1                : 3ba63a6e4841355772debef9cdcf4d5af353a297
                SHA256              : ca8d0f4736454aecbec5deec80998c9ebf41d06c728f3c76cca24151bc62d463
                Key Algorithm       : rsaEncryption
                Signature Algorithm : sha256WithRSAEncryption
                Public key          : MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvdAy7kvNj3/dqbqCmcU5VChXtiNKxA4HRTNREH3Q+X1NaH7ntqD0jbOI5Je/YyGQmL8TvFfTw+F+CNZqFAA49y4eO+7MpvYyWf5fZT/gm+vjRkcGGlV+Cyd+wKL1oODeIj8O/36V+/OjuiI+GKwR5PCZA207hXwJ0+5dyJoLVOOoCXFr4M8iEA91z3FyTgqt30A6XLdR4aF5FMZNJCMwXbzsPGBqrC8HzP3w6kfZiFBe/WZuVmEnKYmEUeaC50ZQ/ZQqLKfkdT66mA+Ef58xFNat1fJky3seBdCEGXIX8RcG7z3N1k3vBkL9olMqT4UdxB08r8/arBD13ays6Vb/kwIDAQAB

I debugged the issue a bit and it seems the failure is here --> https://github.com/avast/authenticode-parser/blob/master/src/countersignature.c#L187
It seems that the OpenSSL function d2i_PKCS7 is not able to parse the data from the unauthenticated attribute.

Also, I suspect that this bug is causing an issue in the parsing of countersignatures in the "pe" module of yara, for which I already opened an issue here --> VirusTotal/yara#2012

Thanks,

Antonio Cocomazzi

metthal added a commit that referenced this issue Jan 13, 2024
It seems that some (maybe newer) MS countersignatures are not PKCS7 per
RFC2315 but rather CMS structures defined by RFC5652. Unfortunately,
the PKCS7_* family of OpenSSL functions is not able to handle it, but there
are CMS_* functions which are. They however do not provide the same set of
functions to do the same things as with PKCS7 structures.

This PR adds the possibility to fall back to CMS if PKCS7 fails. Some
functions had to be simulated and therefore might not be *that* accurate
but just from testing on a few files, it seems to validate them
correctly. But it might need tuning in the future if we test it on a
more extensive set of samples.

metthal commented Jan 13, 2024

Hi. Sorry for the late response. The first working version has been implemented in PR #17. It might need a little bit more extensive testing before merging though. Let me know if you run into any issues with the PR revision if you have a chance to test it out.

@antonioCoco

@metthal tested your fix and it works well with all MS drivers I was able to test. Well done! 👍

metthal added a commit that referenced this issue Jan 29, 2024
* Added support for RFC5652 types of MS countersignatures (#16)

It seems that some (maybe newer) MS countersignatures are not PKCS7 per
RFC2315 but rather CMS structures defined by RFC5652. Unfortunately,
the PKCS7_* family of OpenSSL functions is not able to handle it, but there
are CMS_* functions which are. They however do not provide the same set of
functions to do the same things as with PKCS7 structures.

This PR adds the possibility to fall back to CMS if PKCS7 fails. Some
functions had to be simulated and therefore might not be *that* accurate
but just from testing on a few files, it seems to validate them
correctly. But it might need tuning in the future if we test it on a
more extensive set of samples.

* Removed debug prints

* CMake adjustments in hopes to fix Windows build

* Debugging GitHub Workflow issue

* Revert "CMake adjustments in hopes to fix Windows build"

This reverts commit b6b9bf3.

* Revert "Debugging GitHub Workflow issue"

This reverts commit f644da4.

* Include opensslv.h for OPENSSL_VERSION_NUMBER

* Format changes using clang-formatter

* Remove and move openssl to correct folder on Windows build

* Add python scripts for test dev purposes

* Add program name to authenticode dumper

* Add tests for new MS countersignature feature

* Update CI to use expected OpenSSL versions

---------

Co-authored-by: Karel Hájek <[email protected]>

metthal commented Jan 29, 2024

Fixed with #17

@metthal metthal closed this as completed Jan 29, 2024
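
The commit messages above distinguish RFC 2315 PKCS7 from RFC 5652 CMS countersignatures. As an added illustration (not code from authenticode-parser or PR #17), this dependency-free C walker reads the SignedData version from a DER ContentInfo: RFC 2315 fixes it at 1, while RFC 5652 also allows 3, 4 and 5. The function and sample names are hypothetical, the sample bytes are constructed, and the result is a spec-level triage hint, not a prediction of whether d2i_PKCS7 accepts a given blob.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef struct { uint8_t tag; const uint8_t *val; size_t len; } tlv_t;
enum { SD_INVALID = -1, SD_RFC2315 = 0, SD_RFC5652 = 1 };
/* Constructed skeletons (no signers, no certificates), not taken from any real file. */
static const uint8_t SAMPLE_V1[] = {   /* version 1, content type id-data */
    0x30,0x23,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x07,0x02,0xa0,0x16,0x30,0x14,
    0x02,0x01,0x01,0x31,0x00,0x30,0x0b,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x07,
    0x01,0x31,0x00 };
static const uint8_t SAMPLE_V3[] = {   /* version 3, eContentType id-ct-TSTInfo */
    0x30,0x25,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x07,0x02,0xa0,0x18,0x30,0x16,
    0x02,0x01,0x03,0x31,0x00,0x30,0x0d,0x06,0x0b,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x09,
    0x10,0x01,0x04,0x31,0x00 };

/* Read one definite-length DER TLV from [*p, end) and advance *p; 0 on success. */
static int der_next(const uint8_t **p, const uint8_t *end, tlv_t *o) {
    const uint8_t *q = *p;
    if (end - q < 2) return -1;
    o->tag = *q++;
    size_t len = *q++, n = len & 0x7f;
    if (len & 0x80) {                        /* long form: n length bytes follow */
        if (n == 0 || n > 4 || (size_t)(end - q) < n) return -1;
        for (len = 0; n--; ) len = (len << 8) | *q++;
    }
    if ((size_t)(end - q) < len) return -1;  /* value must stay inside the parent */
    o->val = q; o->len = len; *p = q + len;
    return 0;
}

/* Like der_next, but require `tag` and narrow [*p, *end) to the value just read. */
static int der_enter(const uint8_t **p, const uint8_t **end, uint8_t tag) {
    tlv_t t;
    if (der_next(p, *end, &t) || t.tag != tag) return -1;
    *p = t.val; *end = t.val + t.len;
    return 0;
}

/* ContentInfo -> [0] -> SignedData -> version; 1 fits RFC 2315, 3..5 exist only in CMS. */
int classify_signed_data(const uint8_t *buf, size_t n) {
    static const uint8_t oid_sd[] = {0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x07,0x02};
    const uint8_t *p = buf, *end = buf + n;
    tlv_t t;
    if (der_enter(&p, &end, 0x30) || der_next(&p, end, &t) || t.tag != 0x06 ||
        t.len != sizeof oid_sd || memcmp(t.val, oid_sd, t.len)) return SD_INVALID;
    if (der_enter(&p, &end, 0xa0) || der_enter(&p, &end, 0x30)) return SD_INVALID;
    if (der_next(&p, end, &t) || t.tag != 0x02 || t.len != 1) return SD_INVALID;
    return t.val[0] == 1 ? SD_RFC2315 : (t.val[0] >= 3 && t.val[0] <= 5) ? SD_RFC5652 : SD_INVALID;
}
```

Every length is checked against the enclosing element before it is followed, so truncated or malformed input returns `SD_INVALID` instead of reading out of bounds.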