Restored "signature present" switch -ti.

BillyONeal · Jul 17, 2013 · 2aee105 · 2aee105
1 parent 805c3df
commit 2aee105
Show file tree

Hide file tree

Showing 8 changed files with 145 additions and 2 deletions.
diff --git a/.gitignore b/.gitignore
@@ -14,3 +14,4 @@ thirdParty/cryptopp562/adhoc.cpp.copied
 UpgradeLog.htm
 UpgradeLog.XML
 thirdParty/cryptopp562/adhoc.cpp
+*.vsp
diff --git a/pevFind.sln b/pevFind.sln
@@ -67,4 +67,7 @@ Global
 	GlobalSection(ExtensibilityGlobals) = postSolution
 		VisualSVNWorkingCopyRoot = .
 	EndGlobalSection
+	GlobalSection(Performance) = preSolution
+		HasPerformanceSessions = true
+	EndGlobalSection
 EndGlobal
diff --git a/pevFind_x64.psess b/pevFind_x64.psess
@@ -0,0 +1,79 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<VSPerformanceSession Version="1.00">
+  <Options>
+    <Solution>pevFind.sln</Solution>
+    <CollectionMethod>Instrumentation</CollectionMethod>
+    <AllocationMethod>None</AllocationMethod>
+    <AddReport>true</AddReport>
+    <ResourceBasedAnalysisSelected>true</ResourceBasedAnalysisSelected>
+    <UniqueReport>Timestamp</UniqueReport>
+    <SamplingMethod>Cycles</SamplingMethod>
+    <CycleCount>10000000</CycleCount>
+    <PageFaultCount>10</PageFaultCount>
+    <SysCallCount>10</SysCallCount>
+    <SamplingCounter Name="" ReloadValue="00000000000f4240" DisplayName="" />
+    <RelocateBinaries>false</RelocateBinaries>
+    <HardwareCounters EnableHWCounters="false" />
+    <EtwSettings />
+    <PdhSettings>
+      <PdhCountersEnabled>false</PdhCountersEnabled>
+      <PdhCountersRate>500</PdhCountersRate>
+      <PdhCounters>
+        <PdhCounter>\Memory\Pages/sec</PdhCounter>
+        <PdhCounter>\PhysicalDisk(_Total)\Avg. Disk Queue Length</PdhCounter>
+        <PdhCounter>\Processor(_Total)\% Processor Time</PdhCounter>
+      </PdhCounters>
+    </PdhSettings>
+  </Options>
+  <ExcludeSmallFuncs>true</ExcludeSmallFuncs>
+  <InteractionProfilingEnabled>false</InteractionProfilingEnabled>
+  <JScriptProfilingEnabled>false</JScriptProfilingEnabled>
+  <PreinstrumentEvent>
+    <InstrEventExclude>false</InstrEventExclude>
+  </PreinstrumentEvent>
+  <PostinstrumentEvent>
+    <InstrEventExclude>false</InstrEventExclude>
+  </PostinstrumentEvent>
+  <Binaries>
+    <ProjBinary>
+      <Path>x64\Release\pevFind_x64.exe</Path>
+      <ArgumentTimestamp>01/01/0001 00:00:00</ArgumentTimestamp>
+      <Instrument>true</Instrument>
+      <Sample>true</Sample>
+      <ExternalWebsite>false</ExternalWebsite>
+      <InteractionProfilingEnabled>false</InteractionProfilingEnabled>
+      <IsLocalJavascript>false</IsLocalJavascript>
+      <IsWindowsStoreApp>false</IsWindowsStoreApp>
+      <IsWWA>false</IsWWA>
+      <LaunchProject>true</LaunchProject>
+      <OverrideProjectSettings>false</OverrideProjectSettings>
+      <LaunchMethod>Executable</LaunchMethod>
+      <ExecutablePath>x64\Release\pevFind_x64.exe</ExecutablePath>
+      <StartupDirectory>pevFind\</StartupDirectory>
+      <Arguments>--peinfo C:\*.exe</Arguments>
+      <NetAppHost>IIS</NetAppHost>
+      <NetBrowser>InternetExplorer</NetBrowser>
+      <ExcludeSmallFuncs>true</ExcludeSmallFuncs>
+      <JScriptProfilingEnabled>false</JScriptProfilingEnabled>
+      <PreinstrumentEvent>
+        <InstrEventExclude>false</InstrEventExclude>
+      </PreinstrumentEvent>
+      <PostinstrumentEvent>
+        <InstrEventExclude>false</InstrEventExclude>
+      </PostinstrumentEvent>
+      <ProjRef>{65CF3E7A-9793-44C9-A1B7-735AA0C91F89}|pevFind\pevFind.vcxproj</ProjRef>
+      <ProjPath>pevFind\pevFind.vcxproj</ProjPath>
+      <ProjName>pevFind</ProjName>
+    </ProjBinary>
+  </Binaries>
+  <Reports>
+    <Report>
+      <Path>pevFind_x64130716.vsp</Path>
+    </Report>
+  </Reports>
+  <Launches>
+    <ProjBinary>
+      <Path>:PB:{65CF3E7A-9793-44C9-A1B7-735AA0C91F89}|pevFind\pevFind.vcxproj</Path>
+    </ProjBinary>
+  </Launches>
+</VSPerformanceSession>
diff --git a/pevLib/FILTER.cpp b/pevLib/FILTER.cpp
@@ -241,6 +241,14 @@ unsigned __int32 peFilter::getPriorityClass() const
 {
     return PRIORITY_PE_DATA;
 }
+BOOL hasSig::include(FileData &file) const
+{
+    return file.hasAuthenticodeSignature();
+}
+std::wstring hasSig::debugTree() const
+{
+    return std::wstring(L"+ HASSIGNATURE");
+}
 BOOL isPEFile::include(FileData &file) const
 {
     return file.isPE();

diff --git a/pevLib/FILTER.h b/pevLib/FILTER.h
@@ -197,6 +197,11 @@ struct peFilter : public criterion
 {
     unsigned __int32 getPriorityClass() const;
 };
+struct hasSig : public peFilter
+{
+    BOOL include(FileData &file) const;
+    std::wstring debugTree() const;
+};
 struct isPEFile : public peFilter
 {
     BOOL include(FileData &file) const;

diff --git a/pevLib/consoleParser.cpp b/pevLib/consoleParser.cpp
@@ -536,6 +536,10 @@ void consoleParser::parseTypeString(commandToken& token, std::vector<std::shared
         case L'g':
             results.push_back(std::shared_ptr<criterion>(new sigIsValid()));
             break;
+        case L'I':
+        case L'i':
+            results.push_back(std::shared_ptr<criterion>(new hasSig()));
+            break;
         case L'J':
         case L'j':
             results.push_back(std::shared_ptr<criterion>(new timestampValid()));

diff --git a/pevLib/fileData.cpp b/pevLib/fileData.cpp
@@ -157,12 +157,11 @@ std::wstring FileData::getAttributesString() const
 std::wstring FileData::getPEAttribsString() const
 {
     initPortableExecutable();
-	sigVerify();
     std::wstring result;
     result.reserve(6);
     appendAttributeCharacter(result, L'1', ISPE);
     appendAttributeCharacter(result, L'2', DEBUG);
-    appendAttributeCharacter(result, L'3', SIGVALID);
+    appendAttributeCharacter(result, L'3', SIGPRESENT);
     appendAttributeCharacter(result, L'4', DLL);
     if (peHeaderChecksumIsValid())
         result.append(1, L'5');
@@ -325,6 +324,42 @@ void FileData::initPortableExecutable() const
         //Read headerSum
         if (!ReadFile(hFile.Get(), &headerSum, sizeof(DWORD), &lengthRead, NULL))
             return;
+
+        //Find number of PE data sections
+        DWORD numberOfSections;
+        if (isPEPlus)
+        {
+            if (SetFilePointer(hFile.Get(), 32, NULL, FILE_CURRENT) == INVALID_SET_FILE_POINTER)
+                return;
+        } else
+        {
+            if (SetFilePointer(hFile.Get(), 40, NULL, FILE_CURRENT) == INVALID_SET_FILE_POINTER)
+                return;
+        }
+        //Read NumberOfRvaAndSizes
+        if (!ReadFile(hFile.Get(), &numberOfSections, sizeof(DWORD), &lengthRead, NULL))
+            return;
+
+        //There can be no signature in the file if the number of sections is less than 5,
+        //because the certificate table is the 5th section.
+        if (numberOfSections < 5)
+            return;
+
+        //Check for certificates
+        //Look for "Certificate Table", 32 bytes from the RvaAndSizes
+        if (SetFilePointer(hFile.Get(), 32, NULL, FILE_CURRENT) == INVALID_SET_FILE_POINTER)
+            return;
+
+        //The certificate table pointer is 8 bytes long -- it will be all zeros if the table is not present.
+        DWORD CertVirtualAddress, CertSize;
+        if (!ReadFile(hFile.Get(), &CertVirtualAddress, sizeof(DWORD), &lengthRead, NULL))
+            return;
+        if (!ReadFile(hFile.Get(), &CertSize, sizeof(DWORD), &lengthRead, NULL))
+            return;
+
+        //If the size of the certificate section is not 0, set the sigpresent flag.
+        if (CertSize)
+            bits |= SIGPRESENT;
     }
 
 }

diff --git a/pevLib/fileData.h b/pevLib/fileData.h
@@ -39,6 +39,7 @@ class FileData
         WIN32ENUMD =             0x00000800,
         // END Standard Win32 Attributes
         // Signature Attributes
+        SIGPRESENT =             0x00001000,
         SIGVALID =                 0x00002000,
         // Executable Attributes
         DLL =                     0x00004000,
@@ -172,6 +173,7 @@ class FileData
     inline bool isPEPlus() const;
     inline bool isStrongExecutable() const;
     inline bool peHeaderChecksumIsValid() const;
+    inline bool hasAuthenticodeSignature() const;
     inline bool isDLL() const;
     inline DWORD getPEHeaderCheckSum() const;
     inline DWORD getPECalculatedCheckSum() const;
@@ -374,6 +376,12 @@ inline bool FileData::hasValidDigitalSignature() const
     return (bits & SIGVALID) != 0;
 }
 
+inline bool FileData::hasAuthenticodeSignature() const
+{
+    initPortableExecutable();
+    return (bits & SIGPRESENT) != 0;
+}
+
 inline bool FileData::peHeaderChecksumIsValid() const
 {
     initPortableExecutable();