Andrew 535623de3a Update the PE Authenticode parsing code
 - Allow UTF8String and IA5String types when parsing the Issuer fields
   (previously only PrintableString types were handled).  Handling these
   three types should be sufficient, based on the default types indicated
   at https://github.com/ARMmbed/mbedtls/blob/master/library/x509_create.c#L52.
   The approach used is similar to what's done in mbedtls's internal
   x509_get_attr_type_value function.

   Examples:
```
     8a364e0881fd7201cd6f0a0ff747451c9b93182d5699afb28ad8466f7f726660:
     SEQUENCE (4 elem)
       SET (1 elem)
         SEQUENCE (2 elem)
           OBJECT IDENTIFIER 2.5.4.6 countryName (X.520 DN component)
           PrintableString PL
       SET (1 elem)
         SEQUENCE (2 elem)
           OBJECT IDENTIFIER 2.5.4.10 organizationName (X.520 DN component)
           UTF8String Unizeto Technologies S.A.
       SET (1 elem)
         SEQUENCE (2 elem)
           OBJECT IDENTIFIER 2.5.4.11 organizationalUnitName (X.520 DN component)
           UTF8String Certum Certification Authority
       SET (1 elem)
         SEQUENCE (2 elem)
           OBJECT IDENTIFIER 2.5.4.3 commonName (X.520 DN component)
           UTF8String Certum Code Signing CA SHA2

     From a test binary compiled with osslsigncode:
     SEQUENCE (6 elem)
       SET (1 elem)
         SEQUENCE (2 elem)
           OBJECT IDENTIFIER 2.5.4.6 countryName (X.520 DN component)
           PrintableString US
       SET (1 elem)
         SEQUENCE (2 elem)
           OBJECT IDENTIFIER 2.5.4.8 stateOrProvinceName (X.520 DN component)
           UTF8String State
       SET (1 elem)
         SEQUENCE (2 elem)
           OBJECT IDENTIFIER 2.5.4.7 localityName (X.520 DN component)
           UTF8String City
       SET (1 elem)
         SEQUENCE (2 elem)
           OBJECT IDENTIFIER 2.5.4.10 organizationName (X.520 DN component)
           UTF8String Cisco Talos
       SET (1 elem)
         SEQUENCE (2 elem)
           OBJECT IDENTIFIER 2.5.4.11 organizationalUnitName (X.520 DN component)
           UTF8String Test CA 1704a8ea9e24d8ed
       SET (1 elem)
         SEQUENCE (2 elem)
           OBJECT IDENTIFIER 1.2.840.113549.1.9.1 emailAddress (PKCS #9. Deprecated, use an altName extension instead)
           IA5String rfc2606@example.net
```

 - Allow any order for the AuthenticatedAttributes, and ignore ones that
   aren't recognized. The code was looking for a strict ordering of the
   attributes, but Windows seems to be OK with any order.
   Example:
```
     From f91e258ea71dcbfc82371b2ee3e20852e45bef0cb946223d1141a6ef1dfb793f:
     SEQUENCE (2 elem)
       OBJECT IDENTIFIER 1.3.6.1.4.1.311.2.1.12 spcSpOpusInfo (Microsoft code signing)
       SET (1 elem)
         SEQUENCE (0 elem)
     SEQUENCE (2 elem)
       OBJECT IDENTIFIER 1.2.840.113549.1.9.3 contentType (PKCS #9)
       SET (1 elem)
         OBJECT IDENTIFIER 1.3.6.1.4.1.311.2.1.4 spcIndirectDataContext (Microsoft code signing)
     SEQUENCE (2 elem)
       OBJECT IDENTIFIER 1.3.6.1.4.1.311.2.1.11 spcStatementType (Microsoft code signing)
       SET (1 elem)
         SEQUENCE (1 elem)
           OBJECT IDENTIFIER 1.3.6.1.4.1.311.2.1.21 individualCodeSigning (Microsoft)
     SEQUENCE (2 elem)
       OBJECT IDENTIFIER 1.2.840.113549.1.9.4 messageDigest (PKCS #9)
       SET (1 elem)
         OCTET STRING (20 byte) 7C87D331C6E62C0EC840BC23CA63FBC2CE68586F
```

 - Allow the program name and/or more info to be missing from SpcSpOpusInfo.
   Examples:
```
     8a364e0881fd7201cd6f0a0ff747451c9b93182d5699afb28ad8466f7f726660:
     SEQUENCE (2 elem)
       OBJECT IDENTIFIER 1.3.6.1.4.1.311.2.1.12 spcSpOpusInfo (Microsoft code signing)
       SET (1 elem)
         SEQUENCE (0 elem)

     0059fb3f225c5784789622eeccb97197d591972851b63d59f5bd107ddfdb7a21:
     SEQUENCE (2 elem)
       OBJECT IDENTIFIER 1.3.6.1.4.1.311.2.1.12 spcSpOpusInfo (Microsoft code signing)
       SET (1 elem)
         SEQUENCE (1 elem)
           [0] (1 elem)
             [0] (22 byte) 0047006F0054006F0020004F00700065006E00650072
```

 - I removed the #if 0 ContentInfo from being populated, and the code worked
   with all of the test samples I used... Is there another reason this code
   is commented out?

 - The authenticated_attributes content_name_ member now gets populated. This
   was commented out with a TODO by it... Is there a reason this field wasn't
   being populated?

 - When the SignerInfo is printed, it will now show 'N/A' if no value was
   parsed out from the executable.
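As an added example (not LIEF's own code and not part of this commit), a minimal Python DER walker that decodes an X.509 Issuer Name and accepts exactly the three string types the first bullet describes, rejecting anything else. The sample Issuer is constructed here to mirror the osslsigncode dump above; `tlv` and `atv` are sample builders, not a general encoder.

```python
# Added example (not LIEF's own code): a minimal DER walker that decodes an X.509
# Name (Issuer), accepting exactly the string types the commit handles.
SEQUENCE, SET, OID = 0x30, 0x31, 0x06
STRING_TAGS = {0x13: "ascii", 0x0C: "utf-8", 0x16: "ascii"}  # Printable, UTF8, IA5 -> codec

def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the definite-length TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(content, pos=0):
    """Yield (tag, content) for each TLV packed inside a constructed value."""
    while pos < len(content):
        tag, inner, pos = read_tlv(content, pos)
        yield tag, inner

def decode_oid(content):
    """Decode OID content (first byte packs two arcs, rest are base-128) to dotted form."""
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def parse_name(der):
    """Name ::= SEQUENCE OF SET OF SEQUENCE { type OID, value }; returns [(dotted_oid, text)]."""
    tag, rdns, _ = read_tlv(der, 0)
    if tag != SEQUENCE:
        raise ValueError("Name must be a SEQUENCE")
    out = []
    for set_tag, rdn in children(rdns):
        for _, pair in children(rdn):  # each SET holds one or more AttributeTypeAndValue
            (oid_tag, oid), (str_tag, text) = children(pair)
            if set_tag != SET or oid_tag != OID or str_tag not in STRING_TAGS:
                raise ValueError(f"unsupported structure or value tag 0x{str_tag:02x} in Issuer")
            out.append((decode_oid(oid), text.decode(STRING_TAGS[str_tag])))
    return out

def tlv(tag, content):  # short-form DER encoder, only for building the constructed sample
    return bytes([tag, len(content)]) + content

def atv(oid_hex, str_tag, text):  # one SET { SEQUENCE { OID, string } } as in the dumps above
    return tlv(SET, tlv(SEQUENCE, tlv(OID, bytes.fromhex(oid_hex)) + tlv(str_tag, text.encode())))

# Constructed sample Issuer mirroring the osslsigncode dump: countryName, organizationName, emailAddress.
SAMPLE_ISSUER = tlv(SEQUENCE, atv("550406", 0x13, "US") + atv("55040a", 0x0C, "Cisco Talos")
                    + atv("2a864886f70d010901", 0x16, "rfc2606@example.net"))
```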
About

The purpose of this project is to provide a cross-platform library which can parse, modify and abstract ELF, PE and MachO formats.

Main features:

  • Parsing: LIEF can parse ELF, PE, MachO, OAT, DEX, VDEX, ART and provides a user-friendly API to access format internals.
  • Modify: LIEF can modify some parts of these formats.
  • Abstract: the three formats share common features such as sections, symbols and entry point; LIEF factors them into a common abstraction.
  • API: LIEF can be used from C, C++ and Python.

Downloads / Install

First make sure you have an up-to-date version of setuptools:

pip install setuptools --upgrade

To install the latest version (release):

pip install lief

To install the nightly build:

pip install [--user] --index-url https://lief-project.github.io/packages lief

Packages

  • Linux: SDK, Python
  • Windows (x86, x86-64): SDK, Python
  • OSX: SDK, Python
  • CentOS: SDK
  • Android (x86, x86-64, ARM, AARCH64): SDK
  • Documentation: Sphinx + Doxygen

Here one can find guides to install or integrate LIEF:

  • Getting started
  • Python
  • C++
  • C
About

Authors

Romain Thomas (@rh0main) - Quarkslab

License

LIEF is provided under the Apache 2.0 license.

Bibtex

@MISC {LIEF,
  author       = "Romain Thomas",
  title        = "LIEF - Library to Instrument Executable Formats",
  howpublished = "https://lief.quarkslab.com/",
  month        = "April",
  year         = "2017",
}
