
Validating authenticode of PE File

Open samuel-sqrx opened this issue 1 year ago • 1 comment

Hi, I am trying to validate the authenticode of PE files by computing a hash from the PE file using goblin and then comparing against the authenticode signature in the PKCS7 SignedData.

It's working well for most exe files and the value matches. However, when I am testing it for firefox.exe, the computed value does not match the signature and I am wondering what is the issue.

This is the code I used to compute the authenticode, is there anything I am missing?

use openssl::hash::{Hasher, MessageDigest};

// Feed every byte range that goblin reports as covered by the Authenticode
// hash (headers minus CheckSum and the certificate table entry, sections,
// trailing data outside the certificate table) into one SHA-256 hasher.
let mut xhasher = Hasher::new(MessageDigest::sha256()).unwrap();
let authenticode_data = pe.authenticode_ranges();
for a in authenticode_data.into_iter() {
    xhasher.update(a).unwrap();
}
let final_hash = xhasher.finish().unwrap();
println!("hash {:?}", hex::encode(final_hash));

The authenticode I computed: ee2d315da52ae04011dca0f89bba6801f81454f437463675b4285742d720076d
The actual authenticode: d60710b5d82808bd887e1d8f8cda866ce22eee173adb407b48e2c001456aeff3 (definitely correct, verified using other sources)

firefox.exe : https://www.mozilla.org/en-US/firefox/windows/

samuel-sqrx avatar Jul 24 '24 10:07 samuel-sqrx
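As an added cross-check (not part of this issue or of goblin), the std-only Rust function below derives the byte ranges that the Microsoft Authenticode PE specification says to hash, so the ranges goblin's authenticode_ranges() yields for a file such as firefox.exe can be compared with them one by one; like the specification, it assumes the certificate table sits at the end of the file.

```rust
// Added example, not goblin's code: derive the Authenticode hash ranges of a
// PE file from its headers with std only. Hash each range, in order, with any
// SHA-256 implementation to obtain the Authenticode digest.
use std::convert::TryInto;

fn le16(b: &[u8], off: usize) -> Option<usize> {
    Some(u16::from_le_bytes(b.get(off..off + 2)?.try_into().ok()?) as usize)
}
fn le32(b: &[u8], off: usize) -> Option<usize> {
    Some(u32::from_le_bytes(b.get(off..off + 4)?.try_into().ok()?) as usize)
}

/// Returns the (start, end) byte ranges of `pe` to hash, in order, or None
/// if the headers are malformed or point outside the file.
pub fn authenticode_ranges(pe: &[u8]) -> Option<Vec<(usize, usize)>> {
    if pe.get(..2)? != b"MZ" { return None; }
    let nt = le32(pe, 0x3c)?;                       // e_lfanew
    if pe.get(nt..nt + 4)? != b"PE\0\0" { return None; }
    let coff = nt + 4;
    let nsec = le16(pe, coff + 2)?;                 // NumberOfSections
    let opt = coff + 20;                            // optional header
    let checksum = opt + 64;                        // CheckSum field (skipped)
    let dirs = opt + match le16(pe, opt)? { 0x10b => 96, 0x20b => 112, _ => return None };
    let secdir = dirs + 4 * 8;                      // certificate table entry (skipped)
    let size_of_headers = le32(pe, opt + 60)?;
    let cert_size = le32(pe, secdir + 4)?;
    // 1. headers, minus CheckSum and the certificate table directory entry
    let mut ranges = vec![(0, checksum), (checksum + 4, secdir), (secdir + 8, size_of_headers)];
    // 2. every section with raw data, in ascending PointerToRawData order
    let sec_tbl = opt + le16(pe, coff + 16)?;       // SizeOfOptionalHeader
    let mut secs = Vec::new();
    for i in 0..nsec {
        let (size, ptr) = (le32(pe, sec_tbl + i * 40 + 16)?, le32(pe, sec_tbl + i * 40 + 20)?);
        if size != 0 { secs.push((ptr, size)); }
    }
    secs.sort();
    let mut hashed = size_of_headers;
    for (ptr, size) in secs { ranges.push((ptr, ptr + size)); hashed += size; }
    // 3. trailing data after the last section, minus the certificate table
    let extra = pe.len().checked_sub(hashed + cert_size)?;
    if extra > 0 { ranges.push((hashed, hashed + extra)); }
    if ranges.iter().any(|&(s, e)| s > e || e > pe.len()) { return None; }
    Some(ranges)
}
```

If the two range lists differ for a given file, the first differing range points at which part of the file (headers, a section, or trailing data) the two implementations treat differently.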

There was some work going on here about authenticode, not sure what happened with it: https://github.com/m4b/goblin/issues/355
I don't know much about the topic myself, but if something needs to be fixed on our end, we should do that :)

m4b avatar Jul 28 '24 01:07 m4b