mirror of
https://github.com/QuasarApp/LIEF.git
synced 2025-04-27 04:44:31 +00:00
08d31be932
Part of Authenticode verification consists of: - Comparing the computed Authenticode hash to the digest stored in the ContentInfo section - Comparing hash(ContentInfo) to the digest stored in the AuthenticatedAttributes section - Verifying signed(hash(AuthenticatedAttributes)) using a certificate identified by the issuer and serial number specified in the SignerInfo section This commit makes it so that the raw bytes needed to calculate hash(ContentInfo) and hash(AuthenticatedAttributes) are available for use. ============================================================ Allow missing [0] in SpcSpOpusInfo Some executables have MoreInfo but not a ProgramName (and the documentation lists both as OPTIONAL), so handle this case correctly. Example: ``` 01416b1730218454c99b13592650cb170402b86742b4bab971565903b841829b SEQUENCE(2 elem) OBJECT IDENTIFIER1.3.6.1.4.1.311.2.1.12spcSpOpusInfo(Microsoft code signing) SET(1 elem) SEQUENCE(1 elem) [1](1 elem) [0]http://www.mozilla.com ``` ============================================================ Improve consistency of parsed serial numbers When parsing the issuer serial number, call mbedtls_x509_get_serial instead of parsing it as an integer directly with mbedtls_asn1_get_mpi. These two functions differ in how they treat serial numbers prepended with '00' to prevent them from being negative (the former preserves the '00', and the latter discards it). The embedded certs are parsed via a call to mbedtls_x509_crt_parse_der, which uses mbedtls_x509_get_serial behind the scenes, so there was an inconsistency between lief_obj.signature.signer_info.issuer[1] and lief_obj.signature.certificates[x].serial_number. Example: 8bf57d97dd917c4f823659266caaa33e7398406daf11ba8318e3f7414ee3fb24 ============================================================ Handle SpcLink and SpcString CHOICEs in SpcSpOpusInfo The Authenticode spec doc says that these can be CHOICES, so handle the easy ones and safely skip the others. ============================================================ Allow Authenticode sig to be parsed even if cert parsing fails By default, mbedtls doesn't support MD2 certs, which are fairly common in older signed executables. Ex: 1cb16f94cebdcad7dd05c8537375a6ff6379fcdb08528fc83889f26efaa84e2a ============================================================ Enable mbed TLS MD2 and MD4 support; add Unix debug options By default, mbedtls doesn't support MD2 certs, which are fairly common in older signed executables. Ex: 1cb16f94cebdcad7dd05c8537375a6ff6379fcdb08528fc83889f26efaa84e2a ============================================================ Set MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION flag Some older signed executables use certs with the SpcSpAgencyInfo Critical Extension, which mbed TLS doesn't support, so set MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION to have it skip this extension. Example: 781ca31416ec708a587851dafd90c661b86f244ab8b8475c4185e958e54ff838 ============================================================ Support accessing non-utf8 issuer names via Python For a few signatures where the issuer name contained non-utf8 characters, accessing the issuer name field in Python would raise a UnicodeDecodeError exception. Now this field is handled the same way the names in the individual certs are (I'm not sure if they get represented 100% correctly, but at least they are consistent, which is good enough for me). Example: 048f91b9302c88380fc66adac1e314d82733089ef3a31eadca5f0cb4169b195f
About
The purpose of this project is to provide a cross platform library which can parse, modify and abstract ELF, PE and MachO formats.
Main features:
- Parsing: LIEF can parse ELF, PE, MachO, OAT, DEX, VDEX, ART and provides an user-friendly API to access to format internals.
- Modify: LIEF enables to modify some parts of these formats
- Abstract: Three formats have common features like sections, symbols, entry point... LIEF factors them.
- API: LIEF can be used in C, C++ and Python
Content
Downloads / Install
First make sure to have an updated version of setuptools:
pip install setuptools --upgrade
To install the latest version (release):
pip install lief
To install nightlty build:
pip install [--user] --index-url https://lief-project.github.io/packages lief
A beta version of LIEF v0.10.0 is also available on PyPI so that Python 3.7 users can use it:
pip install [--user] lief==0.10.0.dev0
Packages
 | |||
| Linux | Windows - x86 | Windows - x86-64 | OSX |
|---|---|---|---|
| SDK | SDK | SDK | SDK |
| |||||
| Linux | Windows | OSX | CentOS | Android | Documentation |
|---|---|---|---|---|---|
| SDK |
SDK - x86
SDK - x86-64 |
SDK | SDK |
SDK - x86-64
SDK - x86 SDK - ARM SDK - AARCH64 |
Sphinx + Doxygen |
Here one can find guides to install or integrate LIEF:
Getting started
Python
C++
C
Documentation
Contact
- Mail: lief at quarkslab com
- Gitter: lief-project
About
Authors
Romain Thomas (@rh0main) - Quarkslab
License
LIEF is provided under the Apache 2.0 license.
Bibtex
@MISC {LIEF,
author = "Romain Thomas",
title = "LIEF - Library to Instrument Executable Formats",
howpublished = "https://lief.quarkslab.com/",
month = "April",
year = "2017",
}
